§ EU AI Act · Article 27
AI Act Article 27: Obligations, Deadlines & Penalties
At a glance
Article 27 of the AI Act imposes 11 obligations on AI Office, deployer. At least one obligation carries an explicit compliance deadline.
§ Obligations
All obligations under Article 27
Obligation 1
Deployers that are bodies governed by public law, private entities providing public services, or deployers of high-risk AI systems in Annex III points 5(b) and (c) must perform an assessment of the impact on fundamental rights prior to deploying a high-risk AI system.
Regulation (EU) 2024/1689, Article 27, Article 27
- Obligated entity
-
deployer
- Sector scope
- public law bodies, private entities providing public services, and specific high-risk AI systems in Annex III points 5(b) and (c)
- Action required
-
assess
- Deadline
-
prior to deploying
- Penalty
-
—
- Exemptions
- high-risk AI systems intended to be used in the area listed in point 2 of Annex III
Obligation 2
The fundamental rights impact assessment must include a description of the deployer’s processes in which the high-risk AI system will be used in line with its intended purpose.
Regulation (EU) 2024/1689, Article 27, Article 27
- Obligated entity
-
deployer
- Action required
-
document
- Deadline
-
—
- Penalty
-
—
Obligation 3
The fundamental rights impact assessment must include a description of the period of time within which, and the frequency with which, each high-risk AI system is intended to be used.
Regulation (EU) 2024/1689, Article 27, Article 27
- Obligated entity
-
deployer
- Action required
-
document
- Deadline
-
—
- Penalty
-
—
Obligation 4
The fundamental rights impact assessment must identify the categories of natural persons and groups likely to be affected by the use of the system in the specific context.
Regulation (EU) 2024/1689, Article 27, Article 27
- Obligated entity
-
deployer
- Action required
-
document
- Deadline
-
—
- Penalty
-
—
Obligation 5
The fundamental rights impact assessment must identify specific risks of harm likely to impact the identified categories of persons, taking into account information given by the provider pursuant to Article 13.
Regulation (EU) 2024/1689, Article 27, Article 27
- Obligated entity
-
deployer
- Action required
-
assess
- Deadline
-
—
- Penalty
-
—
Obligation 6
The fundamental rights impact assessment must include a description of the implementation of human oversight measures according to the instructions for use.
Regulation (EU) 2024/1689, Article 27, Article 27
- Obligated entity
-
deployer
- Action required
-
document
- Deadline
-
—
- Penalty
-
—
Obligation 7
The fundamental rights impact assessment must outline measures to be taken in case of risk materialization, including arrangements for internal governance and complaint mechanisms.
Regulation (EU) 2024/1689, Article 27, Article 27
- Obligated entity
-
deployer
- Action required
-
document
- Deadline
-
—
- Penalty
-
—
Obligation 8
If the deployer considers that any element of the fundamental rights impact assessment has changed or is no longer up to date during the use of the system, they must take necessary steps to update the information.
Regulation (EU) 2024/1689, Article 27, Article 27
- Obligated entity
-
deployer
- Action required
-
update
- Deadline
-
when elements change or are no longer up to date
- Penalty
-
—
Obligation 9
Once the fundamental rights impact assessment is performed, the deployer must notify the market surveillance authority of its results, submitting the filled-out template referred to in paragraph 5.
Regulation (EU) 2024/1689, Article 27, Article 27
- Obligated entity
-
deployer
- Action required
-
notify
- Deadline
-
once the assessment has been performed
- Penalty
-
—
- Exemptions
- deployers referred to in Article 46(1)
Obligation 10
If obligations are already met through a data protection impact assessment under GDPR or Law Enforcement Directive, the fundamental rights impact assessment must complement that data protection impact assessment.
Regulation (EU) 2024/1689, Article 27, Article 27
- Obligated entity
-
deployer
- Action required
-
complement
- Deadline
-
—
- Penalty
-
—
Obligation 11
The AI Office must develop a template for a questionnaire, including through an automated tool, to facilitate deployers in complying with their obligations under this Article.
Regulation (EU) 2024/1689, Article 27, Article 27
- Obligated entity
-
AI Office
- Action required
-
develop
- Deadline
-
—
- Penalty
-
—
§ Deadlines
EU AI Act compliance deadlines
-
2025-02-02
Article 4 AI literacy
in_force
-
2025-02-02
Article 5 prohibitions (unacceptable risk)
in_force
-
2025-08-02
GPAI model obligations (Articles 51 to 56)
in_force
-
2026-08-02
Article 50(2) machine-readable marking (watermarking) of AI-generated content
provisionally_amended
-
2026-08-02
Article 50 transparency obligations OTHER than the 50(2) marking grace (for example disclosure that a user is interacting with an AI system)
scheduled
-
2026-08-02
Annex III stand-alone high-risk obligations
provisionally_amended
-
2026-08-02
National AI regulatory sandboxes (establishment deadline)
provisionally_amended
-
2026-12-02
NEW Article 5 prohibition: AI generation of non-consensual intimate imagery (NCII) and CSAM
provisionally_amended
-
2027-08-02
Annex I embedded (regulated-product) high-risk obligations
provisionally_amended
§ Frequently asked
Questions about Article 27
Who must comply with Article 27 of the AI Act?
+
AI Office, deployer.
What does Article 27 of the AI Act require?
+
assess document update
What is the compliance deadline for AI Act Article 27?
+
once the assessment has been performed; prior to deploying; when elements change or are no longer up to date