The EU AI Act, explained for AI agents.
Regulation (EU) 2024/1689 reshapes the conversation. Here's what it actually says — and the four obligations that bite hardest when your AI doesn't just produce text but takes actions.
Published 2026-05-19 · reviewed 2026-05-19 · ~7-min read
The structure
The Act is risk-tiered. Each tier carries different obligations:
| Tier | What it covers | What it demands |
|---|---|---|
| Prohibited | Social scoring by public authorities, real-time biometric ID in public spaces (with exceptions), manipulative subliminal techniques, exploitation of vulnerabilities, predictive policing based on profiling alone. | Don't build it. Penalties up to €35M or 7% of global turnover. |
| High-risk | AI in critical infrastructure, education, employment, essential services, law enforcement, migration, justice. Plus AI as a safety component in regulated products (Annex I). | Risk management system, data governance, technical documentation, logging, transparency to users, human oversight, accuracy/robustness/cybersecurity, post-market monitoring, registration in EU database. |
| Limited risk | Chatbots, deepfakes, emotion recognition, biometric categorisation. | Transparency — tell the user they're interacting with an AI / seeing synthetic content. |
| Minimal risk | Everything else (most uses). | Voluntary codes of conduct. |
| General-purpose AI (GPAI) | Foundation models. Stricter obligations for "systemic risk" GPAI (training compute > 10^25 FLOPs). | Documentation, copyright training data summary, code of practice; systemic-risk tier adds model evaluation, adversarial testing, incident reporting. |
The four obligations that bite hardest with agents
If your AI takes actions in the world, these four obligations consume most of your compliance budget:
- Art. 12 — record-keeping. Automatic recording of events (logs) over the lifetime of the system's operation. For agents this means every action — not just every model invocation. KYE Protocol™'s evidence packs satisfy this at decision-time.
- Art. 13 — transparency to deployers. Instructions for use, capabilities and limitations, expected lifetime, performance under conditions. For agents: the authority boundary must be in the docs.
- Art. 14 — human oversight. Effective oversight by natural persons. Agents that act irreversibly demand dual-channel sign-off — Art. 14 makes this a regulatory requirement, not a preference.
- Art. 15 — accuracy, robustness, cybersecurity. Resilience against errors, faults, inconsistencies; protection against adversarial attacks. Replay-Proof™ evidence is the natural audit path here.
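As an added illustration (not code from the original page, and not KYE Protocol™'s product), the following Python sketch shows the two design points the list above turns on: an append-only, hash-chained log of every agent action rather than every model call (Art. 12), and a gate that refuses irreversible actions unless two distinct humans have signed off (Art. 14). The ledger class, tool names, agent identity and approver names are all constructed for the example.

```python
"""
Hypothetical agent action ledger (constructed example, not KYE Protocol code).

1. Every action the agent takes is appended to a hash-chained, append-only
   log so that later alteration of any entry is detectable (Art. 12).
2. Actions flagged as irreversible are refused unless at least two distinct
   human approvers have signed off before execution (Art. 14); the same
   person approving twice does not count as two channels.
"""
import hashlib
import json
from dataclasses import dataclass
from typing import Callable, Dict, List

MIN_APPROVERS = 2  # assumption: "dual-channel" means two different humans


@dataclass(frozen=True)
class ActionRecord:
    seq: int
    actor: str            # agent identity that requested the action
    tool: str
    args: Dict[str, str]
    irreversible: bool
    approvers: List[str]  # human sign-offs recorded alongside the action
    outcome: str          # "executed" or "refused:<reason>"
    prev_hash: str        # hash of the previous entry (chain link)
    hash: str = ""


class ActionLedger:
    """Append-only log; each entry commits to the previous entry's hash."""

    GENESIS = "0" * 64

    def __init__(self) -> None:
        self.entries: List[ActionRecord] = []

    @staticmethod
    def _digest(body: dict) -> str:
        canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
        return hashlib.sha256(canonical.encode()).hexdigest()

    def append(self, actor: str, tool: str, args: Dict[str, str],
               irreversible: bool, approvers: List[str], outcome: str) -> ActionRecord:
        prev = self.entries[-1].hash if self.entries else self.GENESIS
        body = dict(seq=len(self.entries), actor=actor, tool=tool, args=args,
                    irreversible=irreversible, approvers=list(approvers),
                    outcome=outcome, prev_hash=prev)
        rec = ActionRecord(**body, hash=self._digest(body))
        self.entries.append(rec)
        return rec

    def verify(self) -> bool:
        """Recompute every hash and chain link; False if any entry was altered."""
        prev = self.GENESIS
        for i, rec in enumerate(self.entries):
            body = {k: v for k, v in rec.__dict__.items() if k != "hash"}
            if rec.seq != i or rec.prev_hash != prev or self._digest(body) != rec.hash:
                return False
            prev = rec.hash
        return True


def run_action(ledger: ActionLedger, actor: str, tool: str, args: Dict[str, str],
               irreversible: bool, approvers: List[str],
               tools: Dict[str, Callable[..., None]]) -> ActionRecord:
    """Gate, execute (or refuse), and record one agent action; refusals are logged too."""
    distinct = set(approvers)
    if irreversible and len(distinct) < MIN_APPROVERS:
        outcome = f"refused:need {MIN_APPROVERS} distinct approvers, got {len(distinct)}"
    elif tool not in tools:
        outcome = "refused:unknown tool"
    else:
        tools[tool](**args)
        outcome = "executed"
    return ledger.append(actor, tool, args, irreversible, approvers, outcome)


def demo() -> ActionLedger:
    """Constructed sample run: a read, a refused wire transfer, an approved one."""
    sent: List[tuple] = []
    tools = {
        "read_ticket": lambda ticket_id: None,
        "send_wire": lambda amount, iban: sent.append((amount, iban)),
    }
    ledger = ActionLedger()
    run_action(ledger, "agent-42", "read_ticket", {"ticket_id": "T-100"}, False, [], tools)
    # Same approver twice: only one channel, so the irreversible action is refused.
    run_action(ledger, "agent-42", "send_wire", {"amount": "900", "iban": "XX00-TEST"},
               True, ["alice", "alice"], tools)
    run_action(ledger, "agent-42", "send_wire", {"amount": "900", "iban": "XX00-TEST"},
               True, ["alice", "bob"], tools)
    return ledger


if __name__ == "__main__":
    led = demo()
    for e in led.entries:
        print(e.seq, e.tool, e.approvers, e.outcome)
    print("chain intact:", led.verify())
```

The point the ledger makes for an auditor is that refusals are recorded with the same rigour as executions, and that a later edit to any entry (say, rewriting a refusal as an execution) breaks every subsequent chain link, so `verify()` fails.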
Timeline
- Feb 2025 — prohibited-AI bans + AI-literacy duties applied.
- Aug 2025 — GPAI rules + governance + penalties applied.
- Aug 2026 — high-risk obligations for Annex III systems applied.
- Aug 2027 — high-risk obligations for Annex I systems applied.
Common procurement asks
If you're selling AI into the EU, vendor risk questionnaires now include:
- Risk tier classification + evidence.
- Conformity assessment record (high-risk).
- Technical documentation per Annex IV (high-risk).
- Post-market monitoring plan.
- Logging architecture + retention policy.
- Incident reporting procedure (serious incidents within 15 days).
- Human oversight design.
- Data governance — training, validation, testing data quality.
How KYE Protocol™ helps
The Act demands records, transparency, oversight, and resilience. KYE Protocol™'s engines map directly: Evidence + Replay for Art. 12 + 15, Purpose Permission™ for Art. 13, GovernedUI™ with two-person + two-person-with-legal approvals for Art. 14, the Resilience Loop™ for post-market monitoring + serious incident reporting.
See the EU AI Act control mapping for clause-by-clause bindings.