The regulation applies directly
Regulation (EU) 2024/1689 of the European Parliament and of the Council (the AI Act) is an EU regulation and applies directly. No separate national implementing act is required for the regulation to apply. Public bodies, regions and municipalities are therefore covered directly to the extent that they develop or use AI systems.
In most cases, a public body acts as a deployer of AI systems procured from external providers. Note, however, Article 25: a deployer may under certain conditions be reclassified as a provider, for example upon a substantial modification of a high-risk AI system or if the system is placed under the public body's own name.
High-risk areas under Annex III in public activity
Annex III lists use cases classified as high-risk. Several of these are directly relevant to the public sector, including:
- AI systems related to access to and enjoyment of essential private and public services and benefits,
- certain AI systems in law enforcement,
- certain AI systems in migration, asylum and border control,
- certain AI systems in education and vocational training.
The obligations for providers of Annex III systems apply from 2 August 2026. There is a proposal, the Digital Omnibus, to postpone these to 2 December 2027 (Digital Omnibus proposal, not yet in force; approved by the European Parliament on 16 June 2026, but the Council is awaiting publication in the Official Journal). Until then, the date of 2 August 2026 applies.
Fundamental rights impact assessment under Article 27
For public bodies, Article 27 sets a particular requirement. Before a high-risk AI system under Annex III is put into use, certain deployers – including bodies governed by public law – must carry out a fundamental rights impact assessment of the system's impact on fundamental rights (FRIA, fundamental rights impact assessment).
Under Article 27, such an assessment includes, among other things, a description of the processes in which the system will be used, the period and frequency of use, the categories of natural persons who may be affected, specific risks of harm, and measures for human oversight and risk management. Where applicable, the result must be notified to the competent authority.
Deployer obligations under Article 26
In addition to Article 27, the general obligations for deployers in Article 26 apply to high-risk AI systems, including use in accordance with the instructions for use, human oversight, ensuring relevant input data to the extent the deployer controls it, as well as monitoring and incident reporting.
Transparency under Article 50
Article 50 (transparency) applies from 2 August 2026. For the public sector this is relevant in, for example, citizen services and conversational interfaces: natural persons must be informed that they are interacting with an AI system, unless this is obvious, and certain AI-generated content must be labelled.
Already in force since 2 February 2025 are Article 4 (AI literacy) and Article 5 (prohibited practices). Public actors must ensure sufficient AI literacy among relevant staff and may not use the practices prohibited in Article 5.
Penalties under Article 99
- Prohibited practices under Article 5: up to 35 million EUR or 7 % of global annual turnover.
- Infringements of, among others, Article 50 and the high-risk obligations: up to 15 million EUR or 3 %.
- Incorrect information to authorities: up to 7.5 million EUR or 1 %.
Before procurement
- Inventory the AI systems in the organisation and assess which fall under Annex III.
- Determine the role in each case: deployer or provider (consider Article 25).
- Plan the fundamental rights impact assessment under Article 27 for relevant high-risk systems.
- Ensure Article 50 transparency in citizen contacts ahead of 2 August 2026.
- Document AI literacy under Article 4 (cf. PowerQuant Module 1 for AI inventory and Article 4 register).
This page is general information about the AI Act and does not constitute legal advice.