Skip to main contentSkip to main content
AI
AIAuditRef
Regulation (EU) 2024/1689Art. 2 · Art. 3(1) · Art. 5 · Art. 53

Is My AI System in Scope?

Before determining what the EU AI Act requires of you, you need to answer a prior question: does it apply at all? This guide explains the Art. 3(1) definition of an “AI system,” the geographic reach of the Act under Art. 2, what definitively falls outside scope, and walks you through the four-question scope checklist.

Provisional Digital Omnibus deal — high-risk deadlines shifted

On 7 May 2026, the Council of the EU and the European Parliament reached provisional political agreement on the Digital Omnibus on AI. Key shifts:

  • Annex III high-risk obligations: 2 August 2026 → 2 December 2027
  • Annex I product-embedded high-risk: 2 August 2027 → 2 August 2028
  • New Art. 5 prohibition on AI generating child sexual abuse material or non-consensual intimate imagery: 2 December 2026
  • Art. 50(2) machine-readable watermarking ONLY: 2 August 2026 → 2 December 2026
  • Member State AI sandboxes: 2 August 2026 → 2 August 2027

What is NOT delayed by the Omnibus — still live on the original dates:

  • Art. 4 AI literacy — in force since 2 February 2025 (all organisations)
  • Art. 5 existing prohibitions — in force since 2 February 2025
  • Chapter V GPAI obligations — in force since 2 August 2025
  • Art. 50 transparency duties (chatbot disclosure 50(1), emotion recognition / biometric categorisation 50(3), deepfake disclosure 50(4), public-interest disclosure 50(5)) — still 2 August 2026. Only the machine-readable watermarking limb (50(2)) was shifted.

If you deploy a chatbot, a deepfake-generation tool, an emotion-recognition system or a biometric categoriser — your 2 August 2026 deadline is unchanged, even if your underlying AI is "minimal risk".

The Omnibus agreement is provisional. Formal adoption by Council and Parliament is expected before 2 August 2026. If formal adoption fails, the original Regulation (EU) 2024/1689 dates apply across the board.

See regulatory updates for full source citations.

Definition

Art. 3(1)

Geographic scope

Art. 2

Prohibitions in force

2 Feb 2025

Annex III high-risk

Prov. 2 Dec 2027

What is an “AI System” under Art. 3(1)?

Art. 3(1) — Legal definition

“AI system” means a machine-based system that is designed to operate with varying levels of autonomy and that may exhibit adaptiveness after deployment, and that, for explicit or implicit objectives, infers, from the input it receives, how to generate outputs such as predictions, recommendations, decisions, or other outputs that can influence physical or virtual environments.

Three core elements

  • Machine-based — software or hardware system, not a human
  • Infers — derives outputs from inputs, not purely executes fixed rules
  • Influences — outputs affect physical or virtual environments

Covered output types

  • Predictions (e.g. churn likelihood)
  • Recommendations (e.g. product suggestions)
  • Decisions (e.g. loan approval)
  • Generated content (e.g. text, images, code)
  • Classifications (e.g. risk tier assignment)

Included techniques

  • Machine learning (supervised, unsupervised, reinforcement)
  • Deep learning & neural networks
  • Logic & knowledge-based approaches
  • Statistical approaches (in decision-making context)
  • Search and optimisation methods

Geographic Scope — When Non-EU Companies Must Comply

The EU AI Act has extraterritorial reach similar to the GDPR. Under Art. 2, it applies to any entity that meets one of three connection tests — even if that entity has no establishment, office, or employees in the EU.

Art. 2(1)(a)

Provider in EU market

You place an AI system on the EU market or put it into service in the EU. Applies regardless of where you are established.

Art. 2(1)(b)

Deployer in EU

You are a deployer of AI systems located in the EU. Deployers operating AI systems — even built by others — are in scope.

Art. 2(1)(c)

Output used in EU

Your AI system's outputs (decisions, content, recommendations) are used in the EU. A non-EU company whose AI affects EU persons is in scope.

What is NOT an AI System

These categories are definitively outside the Art. 3(1) definition. If your system falls here, no EU AI Act obligations apply. Document your reasoning in case of regulatory scrutiny.

CategoryExamples
Rule-based systemsDecision trees, lookup tables, hard-coded if/else logic, business rules engines with no learning component.
Simple automationRobotic process automation (RPA) that follows fixed scripts, workflow automation, macros, scheduled jobs.
Traditional search enginesKeyword-based search indexes, SQL queries, database lookups, pattern matching via regex.
Spreadsheet modelsExcel models, financial calculators, actuarial tables, formula-based forecasting with no ML component.
Classical statistical methodsLinear regression used as a pure statistical reporting tool (not for automated decision-making), frequency analysis.

Enforcement Timeline — When Rules Apply

2 February 2025Prohibitions apply

Art. 5 prohibited AI practices become enforceable. Six categories of AI are banned outright across the EU.

2 August 2025GPAI rules + governance

General-purpose AI model obligations (Chapter V), AI Office authority, and national competent authority designation requirements apply.

2 August 2026Art. 50 transparency (most limbs) — NOT shifted by Omnibus

Provider/deployer transparency duties under Art. 50(1), (3), (4) and (5) apply: chatbot disclosure to users; deployer disclosure of deepfake generation; notification of persons subject to emotion recognition or biometric categorisation; public-interest text disclosure. SMEs deploying third-party AI (Claude, ChatGPT, Gemini, Copilot) are in scope. This deadline was NOT shifted by the Omnibus.

2 December 2026Art. 50(2) watermarking + new Art. 5 prohibition (Omnibus-shifted)

ONLY the Art. 50(2) machine-readable watermarking limb was shifted by the Omnibus (was 2 August 2026). The new Art. 5 prohibition on CSAM- and NCII-generating AI introduced by the Digital Omnibus also applies from this date. Provisional pending Omnibus formal adoption.

2 December 2027High-risk AI (Annex III) — provisional

Full obligations for high-risk AI systems listed in Annex III: risk management, technical documentation, conformity assessment, CE marking, EU database registration, post-market monitoring, FRIA where applicable. Originally 2 August 2026; provisionally shifted by the Digital Omnibus political agreement of 7 May 2026 (pending formal adoption).

2 August 2028Annex I high-risk systems — provisional

AI systems that are safety components of products regulated under Annex I sectoral legislation (machinery, medical devices, vehicles, lifts, toys, etc.) must comply. Originally 2 August 2027; provisionally shifted by the Digital Omnibus.

The Four-Question Scope Checklist

Work through these four questions in order. A “No” at any stage may take you out of scope. If you reach the end without a disqualifying “No,” the Act applies to your system.

1

Is it an AI system under Art. 3(1)?

The system must be machine-based, use at least one of: machine learning (including deep learning), logic/knowledge-based approaches, or statistical approaches. It must infer from inputs how to generate outputs such as predictions, recommendations, decisions, or content. Pure rule-based or deterministic systems are not AI systems.

If YES

Continue to question 2.

If NO

Out of scope. No EU AI Act obligations apply. Document your reasoning.

2

Is it placed on the EU market or put into service in the EU?

Under Art. 2(1)(a), the Act applies to providers that place AI systems on the EU market or put them into service in the EU — regardless of whether the provider is established in the EU. A US startup selling a SaaS AI tool to EU customers is in scope.

If YES

Continue to question 3.

If NO

Likely out of scope — but check question 3 for output-based territorial reach.

3

Does it serve EU users or affect persons in the EU?

Under Art. 2(1)(c), the Act applies where the output of the AI system is used in the EU. A non-EU company whose AI system's outputs (e.g. decisions, recommendations) affect people located in the EU must comply, even without a physical EU presence.

If YES

In scope — continue to question 4.

If NO

Likely out of scope if the system has no connection to the EU.

4

Is there an applicable exemption?

Check Art. 2(3) (military/national security), Art. 2(6) (pure scientific research), Art. 2(7) (personal non-professional use), and Art. 53(2) (open-source GPAI model). Exemptions are narrow and must be applied carefully — when in doubt, assume in scope.

If YES

Out of scope or reduced obligations apply. Document the specific exemption.

If NO

In scope. Proceed to classify risk level and identify obligations.

Exemptions in Detail

Art. 2(3)

Military & national security

AI systems developed or used exclusively for military, defence, or national security purposes of Member States are entirely excluded from the Act, regardless of which entity operates them.

Art. 2(6)

Scientific research & development

AI systems developed or used solely for scientific research and development purposes are excluded. The exclusion does not apply once a system is placed on the market or put into service beyond the research context.

Art. 2(7)

Personal non-professional use

AI systems used by natural persons in the course of a purely personal non-professional activity are outside scope. Using a personal AI assistant for private tasks does not attract obligations.

Art. 2(8)

Third-country public authorities

AI systems used by public authorities of a third country or by international organisations, where acting under an international agreement for law enforcement or judicial cooperation with the EU.

Art. 53(2)

Open-source model exception

Providers of general-purpose AI models that release weights under a free and open-source licence are exempt from most GPAI obligations — unless the model presents systemic risk (Art. 51). Transparency and copyright obligations still apply.

Open-Source Model Exception — Important Nuances

Under Art. 53(2), providers of GPAI models released under a free and open-source licence are exempt from most Chapter V obligations — specifically the technical documentation, copyright policy summary, and capability evaluation requirements.

Exceptions to the exception: The open-source exemption does NOT apply if the model presents systemic risk under Art. 51 (broadly: models trained with more than 10^25 FLOPs). Even open-source systemic-risk models must comply with Art. 55 obligations.

Transparency obligations remain: Even exempt open-source models must still publish information about training data for copyright compliance purposes (Art. 53(1)(d)).

If Your System is In Scope — Next Steps

Classify risk level

Use the Risk Classifier to determine if your system is prohibited, high-risk, limited-risk, or minimal-risk.

SME? Read the SME guide

If you have fewer than 250 employees, proportionality provisions reduce your compliance burden significantly.

Build your checklist

Generate a tailored compliance checklist based on your system type and risk level.

Check your AI system's risk tier

Once you know you're in scope, the Risk Classifier tells you exactly which obligations apply.

Classify your AI system →