About AIActStack

We help companies that ship AI features under Regulation (EU) 2024/1689 figure out what they actually owe under the law, in time. What follows: who we are, how we keep the legal claims on the rest of the site honest, and where to send a correction when we get something wrong.

What AIActStack is

AIActStack is a compliance tooling project focused on one regulation: the EU AI Act, in force since 1 August 2024 and applying generally from 2 August 2026.

It ships three things:

  • A free EU AI Act scanner that classifies a system, lists the obligations attached to it, and prints citations to the article + paragraph each one comes from.
  • A curriculum on AI literacy covering the full Regulation, written so a deployer team can satisfy Art. 4 (in force since 2 February 2025).
  • Document templates and obligation tracking for the duties a deployer or provider takes on once a system is in production.

The scanner, curriculum, guides, and templates are free.

Who this is for

If your product calls a third-party model API in the EU, you are a "deployer" under Art. 3(4), and the duties under Art. 26, Art. 50, and Art. 4 attach regardless of who trained the model.

If you train or place models on the EU market under your own name, the provider duties under Art. 16 apply too. The scanner separates the two; the guides reflect the same split.

How we keep the law correct on the page

Every legal claim on this site cites the article and paragraph it came from and links to EUR-Lex. We re-verify against primary EU sources weekly and run a full review every quarter. Each page carries the date of its last review.

When we get a claim wrong, the correction propagates to every page that cited it on the next site update. Email hello@aiactstack.com with a citation we missed and we will trace it.

Where the law actually stands today

The Regulation is in force. The phased dates are real and most have already passed:

  • 2 February 2025 — Chapter I (Art. 4 AI literacy) and Chapter II (Art. 5 prohibited practices) became applicable.
  • 2 August 2025 — Chapter V (general-purpose AI models), governance, and penalties became applicable; Art. 101 Commission GPAI fines deferred separately.
  • 2 August 2026 — general application date for the rest of the Regulation, including Annex III high-risk systems.
  • 2 August 2027 — Annex I legacy high-risk systems (AI embedded in regulated products).

The Commission has proposed amendments. The "Digital Omnibus on AI" (COM(2025) 836, published 19 November 2025) would push Annex III high-risk obligations to 2 December 2027 and Annex I to 2 August 2028.

Status as of mid-April 2026: the Council adopted a general approach on 13 March 2026 endorsing those replacement dates, and the Parliament's IMCO + LIBE committees adopted a joint report (A-10-2026-0073) on 18 March 2026. Plenary vote and trilogue had not occurred at last review. The 2 August 2026 date in Art. 113 is what the law in force says today, and it is what the scanner uses.

If the Omnibus is adopted before 2 August 2026, the scanner will move to the new dates the same week. We do not pre-flip on a proposal.

What this is not

AIActStack is not a law firm and we do not give legal advice. Our claims track the Regulation text verbatim and cite primary sources; the question of how that text applies to your specific deployment, your contracts, and your sectoral obligations belongs with your counsel.

When the Regulation's language is ambiguous, or when it depends on Commission guidelines or harmonised standards that are not yet final (for example the CEN-CENELEC JTC 21 work programme targeted for Q4 2026, or the GPAI Code of Practice published 10 July 2025), we say so on the relevant page and link the source. We do not paper over gaps with confident prose.

Primary sources we cite

FAQ

Who is behind AIActStack?

A small independent team. We do not put a personal byline on the work because the trust signal that matters here is the citation: every legal claim on the site links to the article + paragraph it came from, and the correction mechanism described above means fixes are mechanical, not discretionary. If you need a named contact for a press, partnership, or correction request, write to hello@aiactstack.com.

Are you a law firm?

No. We are a compliance tooling project. We track what Regulation (EU) 2024/1689 says, cite it, and surface the duties it triggers for a given system. We do not opine on how the law applies to your specific facts; that is your counsel's job. We will not enter an attorney-client relationship and we do not represent clients before authorities.

How is this funded?

No sponsorships, no affiliate fees on the guides. We disclose this so you know nobody is paying us to soften a finding.

What is your editorial process when the law changes?

When the source text moves, every page that cited it updates accordingly. We do not keep stale numbers anywhere on the site.

How often do you re-check the law?

EUR-Lex, the European AI Office, the EP Legislative Train, and CEN-CENELEC JTC 21 signals: weekly. Full review of the underlying citations: quarterly. Every page carries the date of its last review.

Isn't the Commission's Digital Omnibus going to delay everything?

It might delay parts of it. As of mid-April 2026, COM(2025) 836 (published 19 November 2025) proposes shifting Annex III high-risk obligations to 2 December 2027 and Annex I to 2 August 2028. The Council adopted a general approach on 13 March 2026 and the Parliament's IMCO + LIBE committees adopted joint report A-10-2026-0073 on 18 March 2026, both endorsing those dates. Plenary vote and trilogue had not occurred at last review. Until adoption, the dates in Art. 113 of the law in force govern, including 2 August 2026 for general application. The scanner uses the law in force.

We just call OpenAI's API. Are we really in scope?

Yes, in most cases. Art. 3(4) defines a "deployer" as anyone using an AI system under their own authority. Calling a third-party model inside your product, under your name, makes you a deployer. At minimum you owe Art. 4 AI literacy (in force since 2 February 2025) and, if the system interacts with users or generates synthetic content, Art. 50 transparency. If the use case sits in Annex III, the full Art. 26 duty set attaches, including the 6-month log retention under Art. 26(6). The scanner walks the system through that classification.

What is the actual penalty if we ignore this?

Art. 99 sets three tiers, "whichever is higher" between the absolute amount and the percentage of total worldwide annual turnover:

  • Art. 99(3): up to EUR 35 000 000 or 7% of worldwide turnover for breach of the Art. 5 prohibitions.
  • Art. 99(4): up to EUR 15 000 000 or 3% for breach of operator obligations (provider Art. 16, deployer Art. 26, transparency Art. 50, importer Art. 23, distributor Art. 24, authorised representative Art. 22).
  • Art. 99(5): up to EUR 7 500 000 or 1% for supplying incorrect, incomplete, or misleading information to authorities.

Art. 99(6) flips the rule for SMEs and start-ups: each fine is capped at the lower of the percentage or the absolute amount, not the higher.

For general-purpose AI model providers, Art. 101(1) gives the Commission separate fining power: up to EUR 15 000 000 or 3% of worldwide turnover, enforced directly by the Commission and reviewable by the Court of Justice.

We already did GDPR and a DPIA. Do we have to do all this again?

Some of the work transfers, most of it does not. GDPR governs the processing of personal data; the AI Act governs AI systems. Where they meet (Art. 26(9) explicitly cites the GDPR DPIA as a starting point for the deployer obligations under Art. 26), reusing the existing DPIA is sensible. The AI Act adds duties that GDPR does not cover: Art. 4 AI literacy for staff, Art. 50 transparency to end users, the Art. 26(6) 6-month log retention, post-market monitoring, and serious-incident reporting. Treat the DPIA as a starting point, not a substitute.
