Articles, sector deep-dives, regulation comparisons, and high-demand topical briefings. One search. Every jurisdiction.
BRIEFING
AI Act
Non-EU companies deploying AI in Europe need an authorized representative under Articles 22-25. Full obligation breakdown, country requirements, and compliance checklist.
BRIEFING
AI Act
Step-by-step guide to AI Act conformity assessment under Articles 40-43, including notified body requirements and technical documentation.
BRIEFING
AI Act
AI Act penalty structure compared across EU member states, with GDPR enforcement precedents showing likely fine levels by violation type.
BRIEFING
AI ActGDPR
Guide to AI Act fundamental rights impact assessment (FRIA) under Article 27, comparing with GDPR DPIA and covering deployer obligations.
BRIEFING
AI Act
GPAI model obligations under EU AI Act Articles 51-56, including systemic risk classification and transparency requirements for frontier models.
BRIEFING
AI Act
Is your AI system high-risk under the EU AI Act? Check Annex III categories, classification criteria, and sector-specific guidance. Free diagnostic tool included.
BRIEFING
AI Act
Comprehensive list of high-risk AI systems under EU AI Act Annex III, including biometrics, recruitment, credit scoring, and law enforcement uses.
BRIEFING
AI Act
Article 50 of the EU AI Act requires chatbot deployers to disclose AI interaction to users. Deadlines, penalties, and what your chatbot needs to show before August 2, 2026.
BRIEFING
AI ActGDPR
How AI Act Article 14 and GDPR Article 22 interact for automated decisions, with enforcement cases from 9+ EU countries.
BRIEFING
AI Act
Complete timeline of EU AI Act implementation phases from 2025 to 2027, including the August 2026 high-risk deadline and Digital Omnibus extension discussions.
COMPARISON
AI ActCRA
The Cyber Resilience Act (Regulation (EU) 2024/2847) was published in November 2024 and the substantive obligations apply from 11 December 2027. When the AI Act and CRA both apply — most commonly when…
COMPARISON
AI ActData Act
AI Act and Data Act both apply across European business activity, but they were drafted at different times with different policy goals. This page summarises every article-level crossref between the tw…
COMPARISON
AI ActData Governance Act
AI Act and Data Governance Act both apply across European business activity, but they were drafted at different times with different policy goals. This page summarises every article-level crossref bet…
COMPARISON
AI ActDMA
AI Act and DMA both apply across European business activity, but they were drafted at different times with different policy goals. This page summarises every article-level crossref between the two in …
COMPARISON
AI ActDORA
DORA has been live since 17 January 2025 for all financial entities in scope. The AI Act overlays on top, primarily through Annex III §5(b) creditworthiness and §5(c) life-and-health insurance pricing…
COMPARISON
AI ActDSA
AI Act and DSA both apply across European business activity, but they were drafted at different times with different policy goals. This page summarises every article-level crossref between the two in …
COMPARISON
AI ActePrivacy Directive
AI Act and ePrivacy Directive both apply across European business activity, but they were drafted at different times with different policy goals. This page summarises every article-level crossref betw…
COMPARISON
AI ActMDRIVDR
Most clinical AI is a medical device or a safety component of one — meaning it is high-risk under AI Act Article 6(1) via Annex I, not via Annex III. Article 43(3) is the manufacturer's most important…
COMPARISON
AI ActNIS2
The AI Act and NIS2 do not conflict — they are cumulative. NIS2 governs the cybersecurity and operational resilience of essential and important entities. The AI Act governs the AI systems those entiti…
COMPARISON
Data ActData Governance Act
Data Act and Data Governance Act both apply across European business activity, but they were drafted at different times with different policy goals. This page summarises every article-level crossref b…
COMPARISON
Data ActDMA
Data Act and DMA both apply across European business activity, but they were drafted at different times with different policy goals. This page summarises every article-level crossref between the two i…
COMPARISON
Data ActDORA
Data Act and DORA both apply across European business activity, but they were drafted at different times with different policy goals. This page summarises every article-level crossref between the two …
COMPARISON
Data ActDSA
Data Act and DSA both apply across European business activity, but they were drafted at different times with different policy goals. This page summarises every article-level crossref between the two i…
COMPARISON
Data ActePrivacy Directive
Data Act and ePrivacy Directive both apply across European business activity, but they were drafted at different times with different policy goals. This page summarises every article-level crossref be…
COMPARISON
Data ActGDPR
Data Act and GDPR both apply across European business activity, but they were drafted at different times with different policy goals. This page summarises every article-level crossref between the two …
COMPARISON
Data ActNIS2 Directive
Data Act and NIS2 Directive both apply across European business activity, but they were drafted at different times with different policy goals. This page summarises every article-level crossref betwee…
COMPARISON
Data Governance ActDMA
Data Governance Act and DMA both apply across European business activity, but they were drafted at different times with different policy goals. This page summarises every article-level crossref betwee…
COMPARISON
Data Governance ActDORA
Data Governance Act and DORA both apply across European business activity, but they were drafted at different times with different policy goals. This page summarises every article-level crossref betwe…
COMPARISON
Data Governance ActDSA
Data Governance Act and DSA both apply across European business activity, but they were drafted at different times with different policy goals. This page summarises every article-level crossref betwee…
COMPARISON
Data Governance ActePrivacy Directive
Data Governance Act and ePrivacy Directive both apply across European business activity, but they were drafted at different times with different policy goals. This page summarises every article-level …
COMPARISON
Data Governance ActGDPR
Data Governance Act and GDPR both apply across European business activity, but they were drafted at different times with different policy goals. This page summarises every article-level crossref betwe…
COMPARISON
Data Governance ActNIS2 Directive
Data Governance Act and NIS2 Directive both apply across European business activity, but they were drafted at different times with different policy goals. This page summarises every article-level cros…
COMPARISON
DMADORA
DMA and DORA both apply across European business activity, but they were drafted at different times with different policy goals. This page summarises every article-level crossref between the two in th…
COMPARISON
DMADSA
DMA and DSA both apply across European business activity, but they were drafted at different times with different policy goals. This page summarises every article-level crossref between the two in the…
COMPARISON
DMAePrivacy Directive
DMA and ePrivacy Directive both apply across European business activity, but they were drafted at different times with different policy goals. This page summarises every article-level crossref between…
COMPARISON
DMAGDPR
DMA and GDPR both apply across European business activity, but they were drafted at different times with different policy goals. This page summarises every article-level crossref between the two in th…
COMPARISON
DMANIS2 Directive
DMA and NIS2 Directive both apply across European business activity, but they were drafted at different times with different policy goals. This page summarises every article-level crossref between the…
COMPARISON
DORAAI Act
A financial entity deploying high-risk AI is now in scope of two parallel EU regimes. DORA (Regulation (EU) 2022/2554, in force 17 January 2025) governs ICT risk for the financial sector. The AI Act (…
COMPARISON
DORADSA
DORA and DSA both apply across European business activity, but they were drafted at different times with different policy goals. This page summarises every article-level crossref between the two in th…
COMPARISON
DORAePrivacy Directive
DORA and ePrivacy Directive both apply across European business activity, but they were drafted at different times with different policy goals. This page summarises every article-level crossref betwee…
COMPARISON
DORAGDPR
DORA and GDPR both apply across European business activity, but they were drafted at different times with different policy goals. This page summarises every article-level crossref between the two in t…
COMPARISON
DSAePrivacy Directive
DSA and ePrivacy Directive both apply across European business activity, but they were drafted at different times with different policy goals. This page summarises every article-level crossref between…
COMPARISON
DSAGDPR
DSA and GDPR both apply across European business activity, but they were drafted at different times with different policy goals. This page summarises every article-level crossref between the two in th…
COMPARISON
DSANIS2 Directive
DSA and NIS2 Directive both apply across European business activity, but they were drafted at different times with different policy goals. This page summarises every article-level crossref between the…
COMPARISON
ePrivacy DirectiveGDPR
ePrivacy Directive and GDPR both apply across European business activity, but they were drafted at different times with different policy goals. This page summarises every article-level crossref betwee…
COMPARISON
ePrivacy DirectiveNIS2 Directive
ePrivacy Directive and NIS2 Directive both apply across European business activity, but they were drafted at different times with different policy goals. This page summarises every article-level cross…
COMPARISON
GDPRAI Act
GDPR (Regulation (EU) 2016/679) and the AI Act (Regulation (EU) 2024/1689) both apply, in parallel, to any AI system processing personal data of EU residents. Neither replaces the other. The AI Act ex…
COMPARISON
GDPRNIS2
GDPR and NIS2 do not duplicate each other and they do not displace each other. GDPR governs the protection of personal data wherever it is processed; NIS2 governs the cybersecurity and operational res…
COMPARISON
NIS2DORA
DORA is lex specialis for financial-entity cybersecurity. NIS2 Article 4 explicitly carves financial entities out of the NIS2 substantive cybersecurity and incident-reporting obligations where DORA co…
SECTOR
AI ActGSRType-Approval
Automotive AI is high-risk through Annex I, not Annex III. The General Safety Regulation (Regulation (EU) 2019/2144) and the type-approval framework (Regulation (EU) 2018/858) are listed in AI Act Ann…
SECTOR
AI ActNIS2CER
Annex III §2 captures AI used as a safety component in the management and operation of critical digital infrastructure, road traffic, and the supply of water, gas, heating, and electricity. The framin…
SECTOR
AI ActGDPR
All four Annex III §3 sub-categories cover education AI in a way that surprises new entrants: admissions, learning outcome evaluation, level placement, and proctoring are each independently high-risk.…
SECTOR
AI ActDORAGDPR
Two of the three Annex III §5 categories sit in financial services: creditworthiness (§5(b)) and life-and-health insurance pricing (§5(c)). Both are high-risk by default. Fraud detection is explicitly…
SECTOR
AI ActMDRGDPR
AI used in clinical decision-making is almost always high-risk under the EU AI Act. There are two paths: the device path under Annex I (an AI system that is, or is a safety component of, a medical dev…
SECTOR
AI ActSolvency IIGDPR
Annex III §5(c) is precise: it covers life and health insurance pricing and risk assessment. Property, motor, travel, and other non-life lines sit outside §5(c). The boundary moves with telematics and…
SECTOR
AI ActLEDGDPR
Law-enforcement AI is the most heavily regulated category in the AI Act. Article 5 prohibits the most intrusive uses outright, Annex III §1 / §6 / §7 imposes the high-risk regime on what remains, and …
SECTOR
AI ActGDPR
Recruitment AI is one of the cleanest applications of the high-risk regime: anything that screens, ranks, scores, or selects candidates is captured by Annex III §4(a). Anything that allocates tasks, m…
TOPICAL
AI Act
AI Act Article 17 is the QMS clause for providers of high-risk AI systems. It is not a one-off artefact but a running governance system that documents design, development, testing, validation, modific…
TOPICAL
AI Act
AI Act Article 70 sets out the national supervisory architecture for the Regulation. Each Member State must designate at least one notifying authority and at least one market surveillance authority, c…
TOPICAL
AI Act
Annex VI is the internal-control conformity-assessment procedure. It is the default route for almost every Annex III high-risk system except biometric identification (§1, where Annex VII third-party a…
TOPICAL
AI Act
Probably yes — but not yet. The European Commission proposed the Digital Omnibus on AI on 19 November 2025. It amends Article 113 of the AI Act to push the substantive high-risk obligations to 2 Decem…
TOPICAL
AI ActGDPRDSA
The AI Act regulates deepfakes through one article — Article 50 — across three different actors. Providers must mark synthetic output. Deployers must disclose. Platforms hosting deepfake content sit a…
TOPICAL
AI Act
The AI Act's Article 2 looks generous on first reading. It excludes military AI, scientific R&D, personal use and pre-market testing. Open-source GPAI models get partial relief under Article 53(2). SM…
TOPICAL
AI Act
A general-purpose AI model is, under Article 3(63) of the AI Act, an AI model "trained with a large amount of data using self-supervision at scale, that displays significant generality and is capable …
TOPICAL
AI ActGDPRDSADMA
Article 99 of the AI Act sets three EU-wide penalty ceilings. Underneath them sit eight obligation buckets. The bucket determines the tier; the tier determines the ceiling; the ceiling is the higher o…
TOPICAL
AI ActDORANIS2 Directive
Articles 72 and 73 of the AI Act split the post-market regime in two. Article 72 obliges providers to design, document and run a monitoring system across the lifetime of every high-risk AI system on t…
TOPICAL
AI ActGDPR
Article 5(1)(c) of the AI Act prohibits "the placing on the market, the putting into service, or the use of AI systems for the evaluation or classification of natural persons or groups of persons over…
TOPICAL
AI Act
The AI Act entered into force on 1 August 2024. Full application is staircased across five further dates. Article 113 sets the master calendar; Article 111 carves out grandfather periods for systems a…
TOPICAL
AI ActGDPR
Article 50 of the AI Act sits in its own band — neither prohibited (Article 5) nor high-risk (Articles 6–27), but a horizontal transparency layer that catches systems the regulator decided users have …
TOPICAL
AI Act
AI Act sets 7 obligations that apply to aviation. This page lists them with article references, obligated-entity language, and penalties — extracted verbatim from the Regulation, not paraphrased.
Use…
TOPICAL
AI ActGDPRNIS2DORADMAePrivacy Directive
The Digital Omnibus trilogue collapsed on 28 April 2026 over Annex I architecture disputes. The package would have moved high-risk AI Act obligations to December 2027 (Annex III) and August 2028 (Anne…
TOPICAL
AI Act
Article 99 sets three statutory tiers for administrative fines, plus a separate regime for GPAI providers under Article 101. Each tier is expressed as the higher of an absolute amount and a percentage…
TOPICAL
AI Act
Provider and deployer are the two principal roles in the AI Act. The provider develops the AI system and places it on the market; the deployer uses the system in operation. Article 16 sets the provide…
TOPICAL
AI Act
Article 9 sets up the spine that holds the rest of the high-risk regime together. It is a continuous, iterative, lifecycle risk-management system — not a one-off pre-market exercise. Articles 10 (data…
TOPICAL
AI Act
Annex IV is the contents specification for the technical documentation that every high-risk AI system must have. It is nine numbered sections that map onto Articles 9 through 15, plus the post-market …
TOPICAL
NIS2 Directive
3 NIS2 Directive obligations carry 17 April 2025 as their deadline. This page lists them grouped by sector with article references and the action each obligation requires — extracted verbatim from the…
TOPICAL
AI Act
4 AI Act obligations carry 2 August 2025 as their deadline. This page lists them grouped by sector with article references and the action each obligation requires — extracted verbatim from the Regulat…
TOPICAL
AI Act
6 AI Act obligations carry 2 August 2028 as their deadline. This page lists them grouped by sector with article references and the action each obligation requires — extracted verbatim from the Regulat…
TOPICAL
DSA
3 DSA obligations carry 17 February 2024 as their deadline. This page lists them grouped by sector with article references and the action each obligation requires — extracted verbatim from the Regulat…
TOPICAL
DORA
3 DORA obligations carry 17 January 2024 as their deadline. This page lists them grouped by sector with article references and the action each obligation requires — extracted verbatim from the Regulat…
TOPICAL
NIS2 Directive
5 NIS2 Directive obligations carry 17 January 2025 as their deadline. This page lists them grouped by sector with article references and the action each obligation requires — extracted verbatim from t…
TOPICAL
DORA
7 DORA obligations carry 17 July 2024 as their deadline. This page lists them grouped by sector with article references and the action each obligation requires — extracted verbatim from the Regulation…
TOPICAL
GDPR
5 GDPR obligations carry 25 May 2018 as their deadline. This page lists them grouped by sector with article references and the action each obligation requires — extracted verbatim from the Regulation.…
TOPICAL
AI Act
3 AI Act obligations carry 2 November 2024 as their deadline. This page lists them grouped by sector with article references and the action each obligation requires — extracted verbatim from the Regul…
TOPICAL
NIS2 Directive
3 NIS2 Directive obligations carry 17 October 2024 as their deadline. This page lists them grouped by sector with article references and the action each obligation requires — extracted verbatim from t…
TOPICAL
NIS2 Directive
5 NIS2 Directive obligations carry 17 October 2027 as their deadline. This page lists them grouped by sector with article references and the action each obligation requires — extracted verbatim from t…
TOPICAL
Data Governance Act
4 Data Governance Act obligations carry 24 September 2023 as their deadline. This page lists them grouped by sector with article references and the action each obligation requires — extracted verbatim…
TOPICAL
Data Act
3 Data Act obligations carry 12 September 2025 as their deadline. This page lists them grouped by sector with article references and the action each obligation requires — extracted verbatim from the R…
TOPICAL
Data Governance Act
3 Data Governance Act obligations carry 24 September 2025 as their deadline. This page lists them grouped by sector with article references and the action each obligation requires — extracted verbatim…
TOPICAL
Data Act
Data Act Article 37 is the enforcement scaffolding of Regulation (EU) 2023/2854. It does not bind private operators directly — it builds the public-authority infrastructure around them, requiring ever…
TOPICAL
Data Act
Data Act sets 13 obligations that apply to data processing services. This page lists them with article references, obligated-entity language, and penalties — extracted verbatim from the Regulation, no…
TOPICAL
Data Governance Act
Data Governance Act Article 5 governs how public sector bodies grant third parties access to protected data they hold — personal data, statistical-confidentiality data, intellectual property, commerci…
TOPICAL
DMA
DMA sets 6 obligations that apply to digital sector. This page lists them with article references, obligated-entity language, and penalties — extracted verbatim from the Regulation, not paraphrased.
…
TOPICAL
DMA
DMA sets 9 obligations that apply to electronic communications. This page lists them with article references, obligated-entity language, and penalties — extracted verbatim from the Regulation, not par…
TOPICAL
DMA
DMA sets 5 obligations that apply to online advertising. This page lists them with article references, obligated-entity language, and penalties — extracted verbatim from the Regulation, not paraphrase…
TOPICAL
DORA
DORA Article 9 is the protection-and-prevention pillar of the ICT risk-management framework for financial entities. It is continuous: every row uses continuous tense — monitor, deploy, design and proc…
TOPICAL
DORA
DORA sets 13 obligations that apply to central securities depositories. This page lists them with article references, obligated-entity language, and penalties — extracted verbatim from the Regulation,…
TOPICAL
DORA
DORA sets 251 obligations that apply to financial services. This page lists them with article references, obligated-entity language, and penalties — extracted verbatim from the Regulation, not paraphr…
TOPICAL
DORA
DORA sets 5 obligations that apply to ICT services. This page lists them with article references, obligated-entity language, and penalties — extracted verbatim from the Regulation, not paraphrased.
U…
TOPICAL
DORA
DORA sets 16 obligations that apply to critical ICT third-party providers. This page lists them with article references, obligated-entity language, and penalties — extracted verbatim from the Regulati…
TOPICAL
DSA
DSA sets 18 obligations that apply to online advertising. This page lists them with article references, obligated-entity language, and penalties — extracted verbatim from the Regulation, not paraphras…
TOPICAL
DSA
DSA sets 44 obligations that apply to online platforms and search engines. This page lists them with article references, obligated-entity language, and penalties — extracted verbatim from the Regulati…
TOPICAL
ePrivacy Directive
ePrivacy Directive sets 35 obligations that apply to electronic communications. This page lists them with article references, obligated-entity language, and penalties — extracted verbatim from the Reg…
TOPICAL
GDPR
GDPR Article 58 is the powers and duties article for national supervisory authorities. The duties side is short: facilitate complaint submission, perform tasks free of charge for data subjects, and be…
TOPICAL
GDPR
GDPR sets 5 obligations that apply to recruitment and HR. This page lists them with article references, obligated-entity language, and penalties — extracted verbatim from the Regulation, not paraphras…
TOPICAL
NIS2 Directive
NIS2 Article 14 sets up the Cooperation Group, the EU body that coordinates Member State cybersecurity policy under the Directive. The Group is composed of Member States, the Commission, and ENISA, an…
TOPICAL
NIS2 Directive
NIS2 Article 32 sets out the supervisory and enforcement powers Member States must give competent authorities over essential entities, and requires those measures to be effective, proportionate, and d…
TOPICAL
NIS2 Directive
NIS2 Article 33 sets out a lighter, ex post supervisory regime for important entities. Competent authorities must take action when there is evidence of non-compliance, and the measures imposed must be…
TOPICAL
NIS2 Directive
NIS2 Article 7 obligates each Member State to adopt a national cybersecurity strategy that sets out the strategic objectives, resources, and policy measures needed to achieve a high common level of cy…
TOPICAL
NIS2 Directive
NIS2 Directive sets 9 obligations that apply to domain name system providers. This page lists them with article references, obligated-entity language, and penalties — extracted verbatim from the Regul…
TOPICAL
NIS2 Directive
NIS2 Directive sets 10 obligations that apply to online platforms and search engines. This page lists them with article references, obligated-entity language, and penalties — extracted verbatim from t…
TOPICAL
NIS2 Directive
NIS2 Directive sets 4 obligations that apply to public sector and administration. This page lists them with article references, obligated-entity language, and penalties — extracted verbatim from the R…
ARTICLE 5
AI Act
This article bans specific AI practices that manipulate or exploit individuals, including systems using subliminal or deceptive techniques to distort decision-making, or those exploiting vulnerabiliti…
ARTICLE 6
AI Act
This article establishes the criteria for classifying AI systems as high-risk. An AI system is considered high-risk if it functions as a safety component of a product or is itself a product covered by…
ARTICLE 7
AI Act
The Commission may amend Annex III by adding or modifying high-risk AI use cases if they are intended for areas listed in Annex III and pose risks to health, safety, or fundamental rights equivalent t…
ARTICLE 9
AI Act
Providers of high-risk AI systems must establish, implement, document, and maintain a continuous risk management system throughout the AI system's lifecycle. This system requires regular reviews and u…
ARTICLE 10
AI Act
Providers of high-risk AI systems must ensure training, validation, and testing datasets meet strict quality criteria, including relevance, representativeness, and completeness. They must implement ro…
ARTICLE 11
AI Act
Providers of high-risk AI systems must prepare and maintain detailed technical documentation before placing the system on the market or putting it into service. This documentation must demonstrate com…
ARTICLE 13
AI Act
This article requires providers of high-risk AI systems to ensure their systems are sufficiently transparent for deployers to interpret outputs and use them correctly. Providers must supply clear, acc…
ARTICLE 14
AI Act
This article requires providers of high-risk AI systems to design them with human oversight capabilities, ensuring natural persons can effectively monitor and intervene during use. The oversight must …
ARTICLE 15
AI Act
This article requires providers of high-risk AI systems to design and develop their systems to achieve appropriate levels of accuracy, robustness, and cybersecurity, ensuring consistent performance th…
ARTICLE 16
AI Act
This article sets out the core obligations for providers of high-risk AI systems. Providers must ensure their systems comply with the requirements outlined in Section 2 of the AI Act, including risk m…
ARTICLE 17
AI Act
Providers of high-risk AI systems must establish and maintain a documented quality management system to ensure compliance with the AI Act. The system must cover regulatory compliance strategies, desig…
ARTICLE 22
AI Act
Providers of high-risk AI systems established outside the EU must appoint a written mandate for an authorised representative within the Union before placing their systems on the market. The authorised…
ARTICLE 26
AI Act
Deployers of high-risk AI systems must use these systems strictly according to the provider's instructions and ensure human oversight is assigned to competent personnel with adequate training and auth…
ARTICLE 27
AI Act
Deployers of high-risk AI systems that are public bodies or private entities providing public services must conduct a Fundamental Rights Impact Assessment before deploying such systems. The assessment…
ARTICLE 40
AI Act
This article establishes that high-risk AI systems or general-purpose AI models compliant with harmonised standards published in the Official Journal are presumed to meet the relevant requirements of …
ARTICLE 41
AI Act
The Commission may adopt implementing acts to establish common specifications for high-risk AI systems or general-purpose AI models when harmonised standards are not delivered, insufficient, or non-co…
ARTICLE 42
AI Act
This article establishes two presumptions of conformity for high-risk AI systems. First, systems trained and tested on data representative of their intended operational context are presumed to meet th…
ARTICLE 43
AI Act
Providers of high-risk AI systems listed in Annex III must follow specific conformity assessment procedures to demonstrate compliance with regulatory requirements. For systems in Annex III, point 1, p…
ARTICLE 50
AI Act
Providers and deployers must ensure users are informed when interacting with AI systems, unless it is obvious from the context. AI systems generating synthetic content (e.g., deepfakes) must clearly l…
ARTICLE 99
AI Act
This article requires EU Member States to establish and enforce penalties for violations of the AI Act, ensuring they are effective, proportionate, and dissuasive. Fines may reach up to 35 million EUR…
No briefings match the current filters.