§ EU AI Act · Article 9
AI Act Article 9: Obligations, Deadlines & Penalties
At a glance
Article 9 of the AI Act imposes 16 obligations on provider. At least one obligation carries an explicit compliance deadline.
§ Obligations
All obligations under Article 9
Obligation 1
A risk management system shall be established, implemented, documented and maintained in relation to high-risk AI systems.
Regulation (EU) 2024/1689, Article 9, Article 9
- Obligated entity
-
provider
- Action required
-
establish
- Deadline
-
—
- Penalty
-
—
Obligation 2
The risk management system shall be a continuous iterative process planned and run throughout the entire lifecycle of a high-risk AI system, requiring regular systematic review and updating.
Regulation (EU) 2024/1689, Article 9, Article 9
- Obligated entity
-
provider
- Action required
-
maintain
- Deadline
-
—
- Penalty
-
—
Obligation 3
Identify and analyze the known and reasonably foreseeable risks that the high-risk AI system can pose to health, safety or fundamental rights when used in accordance with its intended purpose.
Regulation (EU) 2024/1689, Article 9, Article 9
- Obligated entity
-
provider
- Action required
-
identify
- Deadline
-
—
- Penalty
-
—
Obligation 4
Estimate and evaluate the risks that may emerge when the high-risk AI system is used in accordance with its intended purpose, and under conditions of reasonably foreseeable misuse.
Regulation (EU) 2024/1689, Article 9, Article 9
- Obligated entity
-
provider
- Action required
-
evaluate
- Deadline
-
—
- Penalty
-
—
Obligation 5
Evaluate other risks possibly arising, based on the analysis of data gathered from the post-market monitoring system referred to in Article 72.
Regulation (EU) 2024/1689, Article 9, Article 9
- Obligated entity
-
provider
- Action required
-
evaluate
- Deadline
-
—
- Penalty
-
—
Obligation 6
Adopt appropriate and targeted risk management measures designed to address the risks identified pursuant to point (a).
Regulation (EU) 2024/1689, Article 9, Article 9
- Obligated entity
-
provider
- Action required
-
adopt
- Deadline
-
—
- Penalty
-
—
Obligation 7
Risk management measures shall give due consideration to the effects and possible interaction resulting from the combined application of the requirements set out in this Section, with a view to minimising risks more effectively while achieving an appropriate balance.
Regulation (EU) 2024/1689, Article 9, Article 9
- Obligated entity
-
provider
- Action required
-
consider
- Deadline
-
—
- Penalty
-
—
Obligation 8
Ensure that the relevant residual risk associated with each hazard, as well as the overall residual risk of the high-risk AI systems is judged to be acceptable.
Regulation (EU) 2024/1689, Article 9, Article 9
- Obligated entity
-
provider
- Action required
-
ensure
- Deadline
-
—
- Penalty
-
—
Obligation 9
Eliminate or reduce risks identified and evaluated pursuant to paragraph 2 in as far as technically feasible through adequate design and development of the high-risk AI system.
Regulation (EU) 2024/1689, Article 9, Article 9
- Obligated entity
-
provider
- Action required
-
eliminate
- Deadline
-
—
- Penalty
-
—
Obligation 10
Where appropriate, implement adequate mitigation and control measures addressing risks that cannot be eliminated.
Regulation (EU) 2024/1689, Article 9, Article 9
- Obligated entity
-
provider
- Action required
-
implement
- Deadline
-
—
- Penalty
-
—
Obligation 11
Provide information required pursuant to Article 13 and, where appropriate, training to deployers, giving due consideration to the technical knowledge, experience, education, and training expected by the deployer.
Regulation (EU) 2024/1689, Article 9, Article 9
- Obligated entity
-
provider
- Action required
-
provide
- Deadline
-
—
- Penalty
-
—
Obligation 12
High-risk AI systems shall be tested for the purpose of identifying the most appropriate and targeted risk management measures.
Regulation (EU) 2024/1689, Article 9, Article 9
- Obligated entity
-
provider
- Action required
-
test
- Deadline
-
—
- Penalty
-
—
Obligation 13
Testing shall ensure that high-risk AI systems perform consistently for their intended purpose and that they are in compliance with the requirements set out in this Section.
Regulation (EU) 2024/1689, Article 9, Article 9
- Obligated entity
-
provider
- Action required
-
ensure
- Deadline
-
—
- Penalty
-
—
Obligation 14
Testing of high-risk AI systems shall be performed, as appropriate, at any time throughout the development process, and, in any event, prior to their being placed on the market or put into service.
Regulation (EU) 2024/1689, Article 9, Article 9
- Obligated entity
-
provider
- Action required
-
test
- Deadline
-
prior to being placed on the market or put into service
- Penalty
-
—
Obligation 15
Testing shall be carried out against prior defined metrics and probabilistic thresholds that are appropriate to the intended purpose of the high-risk AI system.
Regulation (EU) 2024/1689, Article 9, Article 9
- Obligated entity
-
provider
- Action required
-
test
- Deadline
-
—
- Penalty
-
—
Obligation 16
When implementing the risk management system, providers shall give consideration to whether in view of its intended purpose the high-risk AI system is likely to have an adverse impact on persons under the age of 18 and, as appropriate, other vulnerable groups.
Regulation (EU) 2024/1689, Article 9, Article 9
- Obligated entity
-
provider
- Action required
-
consider
- Deadline
-
—
- Penalty
-
—
§ Deadlines
EU AI Act compliance deadlines
-
2025-02-02
Article 4 AI literacy
in_force
-
2025-02-02
Article 5 prohibitions (unacceptable risk)
in_force
-
2025-08-02
GPAI model obligations (Articles 51 to 56)
in_force
-
2026-08-02
Article 50(2) machine-readable marking (watermarking) of AI-generated content
provisionally_amended
-
2026-08-02
Article 50 transparency obligations OTHER than the 50(2) marking grace (for example disclosure that a user is interacting with an AI system)
scheduled
-
2026-08-02
Annex III stand-alone high-risk obligations
provisionally_amended
-
2026-08-02
National AI regulatory sandboxes (establishment deadline)
provisionally_amended
-
2026-12-02
NEW Article 5 prohibition: AI generation of non-consensual intimate imagery (NCII) and CSAM
provisionally_amended
-
2027-08-02
Annex I embedded (regulated-product) high-risk obligations
provisionally_amended
§ Frequently asked
Questions about Article 9
Who must comply with Article 9 of the AI Act?
+
provider.
What does Article 9 of the AI Act require?
+
establish maintain identify
What is the compliance deadline for AI Act Article 9?
+
prior to being placed on the market or put into service