§ EU AI Act · Article 17
AI Act Article 17: Obligations, Deadlines & Penalties
At a glance
Article 17 of the AI Act imposes 19 obligations on provider.
§ Obligations
All obligations under Article 17
Obligation 1
Providers of high-risk AI systems shall put a quality management system in place that ensures compliance with this Regulation.
Regulation (EU) 2024/1689, Article 17, Article 17
- Obligated entity
-
provider
- Action required
-
establish
- Deadline
-
—
- Penalty
-
—
Obligation 2
The quality management system shall be documented in a systematic and orderly manner in the form of written policies, procedures and instructions.
Regulation (EU) 2024/1689, Article 17, Article 17
- Obligated entity
-
provider
- Action required
-
document
- Deadline
-
—
- Penalty
-
—
Obligation 3
The quality management system shall include a strategy for regulatory compliance, including compliance with conformity assessment procedures and procedures for the management of modifications to the high-risk AI system.
Regulation (EU) 2024/1689, Article 17, Article 17
- Obligated entity
-
provider
- Action required
-
include
- Deadline
-
—
- Penalty
-
—
Obligation 4
The quality management system shall include techniques, procedures and systematic actions to be used for the design, design control and design verification of the high-risk AI system.
Regulation (EU) 2024/1689, Article 17, Article 17
- Obligated entity
-
provider
- Action required
-
include
- Deadline
-
—
- Penalty
-
—
Obligation 5
The quality management system shall include techniques, procedures and systematic actions to be used for the development, quality control and quality assurance of the high-risk AI system.
Regulation (EU) 2024/1689, Article 17, Article 17
- Obligated entity
-
provider
- Action required
-
include
- Deadline
-
—
- Penalty
-
—
Obligation 6
The quality management system shall include examination, test and validation procedures to be carried out before, during and after the development of the high-risk AI system, and the frequency with which they have to be carried out.
Regulation (EU) 2024/1689, Article 17, Article 17
- Obligated entity
-
provider
- Action required
-
include
- Deadline
-
—
- Penalty
-
—
Obligation 7
The quality management system shall include technical specifications, including standards, to be applied and, where relevant harmonised standards are not applied in full or do not cover all requirements, the means to ensure compliance.
Regulation (EU) 2024/1689, Article 17, Article 17
- Obligated entity
-
provider
- Action required
-
include
- Deadline
-
—
- Penalty
-
—
Obligation 8
The quality management system shall include systems and procedures for data management, including data acquisition, collection, analysis, labelling, storage, filtration, mining, aggregation, retention and other operations.
Regulation (EU) 2024/1689, Article 17, Article 17
- Obligated entity
-
provider
- Action required
-
include
- Deadline
-
—
- Penalty
-
—
Obligation 9
The quality management system shall include the risk management system referred to in Article 9.
Regulation (EU) 2024/1689, Article 17, Article 17
- Obligated entity
-
provider
- Action required
-
include
- Deadline
-
—
- Penalty
-
—
Obligation 10
The quality management system shall include the setting-up, implementation and maintenance of a post-market monitoring system, in accordance with Article 72.
Regulation (EU) 2024/1689, Article 17, Article 17
- Obligated entity
-
provider
- Action required
-
include
- Deadline
-
—
- Penalty
-
—
Obligation 11
The quality management system shall include procedures related to the reporting of a serious incident in accordance with Article 73.
Regulation (EU) 2024/1689, Article 17, Article 17
- Obligated entity
-
provider
- Action required
-
include
- Deadline
-
—
- Penalty
-
—
Obligation 12
The quality management system shall include the handling of communication with national competent authorities, other relevant authorities, notified bodies, other operators, customers or other interested parties.
Regulation (EU) 2024/1689, Article 17, Article 17
- Obligated entity
-
provider
- Action required
-
include
- Deadline
-
—
- Penalty
-
—
Obligation 13
The quality management system shall include systems and procedures for record-keeping of all relevant documentation and information.
Regulation (EU) 2024/1689, Article 17, Article 17
- Obligated entity
-
provider
- Action required
-
include
- Deadline
-
—
- Penalty
-
—
Obligation 14
The quality management system shall include resource management, including security-of-supply related measures.
Regulation (EU) 2024/1689, Article 17, Article 17
- Obligated entity
-
provider
- Action required
-
include
- Deadline
-
—
- Penalty
-
—
Obligation 15
The quality management system shall include an accountability framework setting out the responsibilities of the management and other staff with regard to all the aspects listed in this paragraph.
Regulation (EU) 2024/1689, Article 17, Article 17
- Obligated entity
-
provider
- Action required
-
include
- Deadline
-
—
- Penalty
-
—
Obligation 16
The implementation of the quality management system aspects shall be proportionate to the size of the provider’s organisation.
Regulation (EU) 2024/1689, Article 17, Article 17
- Obligated entity
-
provider
- Action required
-
implement
- Deadline
-
—
- Penalty
-
—
Obligation 17
Providers shall respect the degree of rigour and the level of protection required to ensure the compliance of their high-risk AI systems with this Regulation.
Regulation (EU) 2024/1689, Article 17, Article 17
- Obligated entity
-
provider
- Action required
-
ensure
- Deadline
-
—
- Penalty
-
—
Obligation 18
Providers subject to obligations regarding quality management systems under relevant sectoral Union law may include the aspects listed in paragraph 1 as part of the quality management systems pursuant to that law.
Regulation (EU) 2024/1689, Article 17, Article 17
- Obligated entity
-
provider
- Action required
-
include
- Deadline
-
—
- Penalty
-
—
- Exemptions
- Providers subject to sectoral Union law quality management obligations
Obligation 19
For financial institutions, the obligation to put in place a quality management system (except for points g, h, and i) shall be deemed fulfilled by complying with rules on internal governance arrangements or processes pursuant to relevant Union financial services law.
Regulation (EU) 2024/1689, Article 17, Article 17
- Obligated entity
-
provider
- Sector scope
- financial institutions
- Action required
-
comply
- Deadline
-
—
- Penalty
-
—
- Exemptions
- Financial institutions complying with Union financial services law internal governance rules
§ Deadlines
EU AI Act compliance deadlines
-
2025-02-02
Article 4 AI literacy
in_force
-
2025-02-02
Article 5 prohibitions (unacceptable risk)
in_force
-
2025-08-02
GPAI model obligations (Articles 51 to 56)
in_force
-
2026-08-02
Article 50(2) machine-readable marking (watermarking) of AI-generated content
provisionally_amended
-
2026-08-02
Article 50 transparency obligations OTHER than the 50(2) marking grace (for example disclosure that a user is interacting with an AI system)
scheduled
-
2026-08-02
Annex III stand-alone high-risk obligations
provisionally_amended
-
2026-08-02
National AI regulatory sandboxes (establishment deadline)
provisionally_amended
-
2026-12-02
NEW Article 5 prohibition: AI generation of non-consensual intimate imagery (NCII) and CSAM
provisionally_amended
-
2027-08-02
Annex I embedded (regulated-product) high-risk obligations
provisionally_amended
§ Frequently asked
Questions about Article 17
Who must comply with Article 17 of the AI Act?
+
provider.
What does Article 17 of the AI Act require?
+
establish document include