AI Act Obligations for the AI Office
A complete, article-by-article reference for AI Act the ai office — generated from the RuleMesh knowledge graph (CELEX 32024R1689). Covers all 18 obligation paragraphs sourced from the regulation, with relevant annexes and GDPR cross-references quoted verbatim.
This page is generated from the RuleMesh knowledge graph — every obligation, annex block, and cross-reference is pulled from the structured graph representation of CELEX 32024R1689, not recalled from memory.
Pending change — the Digital Omnibus on AI. An amendment approved in June 2026 is set to move stand-alone high-risk deadlines (Annex III) to 2 December 2027, while transparency, content-marking, and two new prohibitions still apply in 2026. The dates on this page remain the currently-binding Regulation 2024/1689 dates until the amendment is published in the Official Journal. Read the briefing.
Regulation (EU) 2024/1689 — CELEX 32024R1689
This page is generated from the RuleMesh knowledge graph — every obligation, annex block, and cross-reference below is pulled from the structured graph representation of the regulation, not recalled from memory.
Who is the AI Office?
The AI Office is the European Commission's internal functional unit, established by Commission Decision of 24 January 2024, responsible for contributing to the implementation, monitoring and supervision of AI systems and general-purpose AI models, and for AI governance across the Union. Under the AI Act, references to the AI Office are to be read as references to the Commission itself.
18 obligation paragraphs in the AI Act are addressed to the AI Office role. Most obligations for high-risk AI systems apply from 2 August 2026; obligations for general-purpose AI model providers and the AI Act's governance bodies apply from 2 August 2025.
Jump to an article
- Article 27 - Fundamental rights impact assessment for high-risk AI systems
- Article 50 - Transparency obligations for providers and deployers of certain AI systems
- Article 55 - Obligations of providers of general-purpose AI models with systemic risk
- Article 56 - Codes of practice
- Article 57 - AI regulatory sandboxes
- Article 62 - Measures for providers and deployers, in particular SMEs, including start-ups
- Article 68 - Scientific panel of independent experts
- Article 74 - Market surveillance and control of AI systems in the Union market
- Article 75 - Mutual assistance, market surveillance and control of general-purpose AI systems
- Frequently asked questions
Article 27 - Fundamental rights impact assessment for high-risk AI systems
Art. 27(5). The AI Office is required to develop a questionnaire template, including through an automated tool, to help deployers comply with their FRIA obligations in a simplified manner.
chevron_rightSource text
Source text: “The AI Office shall develop a template for a questionnaire, including through an automated tool, to facilitate deployers in complying with their obligations under this Article in a simplified manner.”
In practice: Monitor the AI Office's publication of the official FRIA questionnaire template and automated tool, and integrate it into your compliance management system once available to ensure standardised and efficient assessments.
GDPR cross-reference — AI Act Art. 27 ↔ GDPR Art. 35
The Art. 27 fundamental rights impact assessment runs alongside the GDPR data protection impact assessment — Art. 27(4) lets you build on an existing DPIA under GDPR Article 35:
chevron_rightGDPR source text
GDPR Art. 35(1): “Where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data. A single assessment may address a set of similar processing operations that present similar high risks.”
GDPR Art. 35(2): “The controller shall seek the advice of the data protection officer, where designated, when carrying out a data protection impact assessment.”
GDPR Art. 35(3): “A data protection impact assessment referred to in paragraph 1 shall in particular be required in the case of:”
GDPR Art. 35(4): “The supervisory authority shall establish and make public a list of the kind of processing operations which are subject to the requirement for a data protection impact assessment pursuant to paragraph 1. The supervisory authority shall communicate those lists to the Board referred to in Article 68.”
GDPR Art. 35(5): “The supervisory authority may also establish and make public a list of the kind of processing operations for which no data protection impact assessment is required. The supervisory authority shall communicate those lists to the Board.”
GDPR Art. 35(6): “Prior to the adoption of the lists referred to in paragraphs 4 and 5, the competent supervisory authority shall apply the consistency mechanism referred to in Article 63 where such lists involve processing activities which are related to the offering of goods or services to data subjects or to the monitoring of their behaviour in several Member States, or may substantially affect the free movement of personal data within the Union.”
GDPR Art. 35(7): “The assessment shall contain at least:”
GDPR Art. 35(8): “Compliance with approved codes of conduct referred to in Article 40 by the relevant controllers or processors shall be taken into due account in assessing the impact of the processing operations performed by such controllers or processors, in particular for the purposes of a data protection impact assessment.”
GDPR Art. 35(9): “Where appropriate, the controller shall seek the views of data subjects or their representatives on the intended processing, without prejudice to the protection of commercial or public interests or the security of processing operations.”
GDPR Art. 35(10): “Where processing pursuant to point (c) or (e) of Article 6(1) has a legal basis in Union law or in the law of the Member State to which the controller is subject, that law regulates the specific processing operation or set of operations in question, and a data protection impact assessment has already been carried out as part of a general impact assessment in the context of the adoption of that legal basis, paragraphs 1 to 7 shall not apply unless Member States deem it to be necessary to carry out such an assessment prior to processing activities.”
GDPR Art. 35(11): “Where necessary, the controller shall carry out a review to assess if processing is performed in accordance with the data protection impact assessment at least when there is a change of the risk represented by processing operations.”
Article 50 - Transparency obligations for providers and deployers of certain AI systems
Art. 50(7). The AI Office must encourage and facilitate the creation of Union-level codes of practice for detecting and labelling AI-generated or manipulated content; the Commission may adopt implementing acts to approve such codes or, if inadequate, to set common rules via the examination procedure.
chevron_rightSource text
Source text: “The AI Office shall encourage and facilitate the drawing up of codes of practice at Union level to facilitate the effective implementation of the obligations regarding the detection and labelling of artificially generated or manipulated content. The Commission may adopt implementing acts to approve those codes of practice in accordance with the procedure laid down in Article 56 (6). If it deems the code is not adequate, the Commission may adopt an implementing act specifying common rules for the implementation of those obligations in accordance with the examination procedure laid down in Article 98(2).”
In practice: Providers and deployers of AI systems generating or manipulating content should actively participate in the AI Office-led code of practice process and monitor Commission implementing acts, as approved codes or common rules will define the practical compliance standard for detection and labelling obligations.
Article 55 - Obligations of providers of general-purpose AI models with systemic risk
Art. 55(3). (effective 2 August 2025) All information and documentation obtained under Article 55, including trade secrets, must be treated in accordance with the confidentiality obligations set out in Article 78 of the AI Act.
chevron_rightSource text
Source text: “Any information or documentation obtained pursuant to this Article, including trade secrets, shall be treated in accordance with the confidentiality obligations set out in Article 78.”
In practice: Implement information classification and handling procedures that align with Article 78 confidentiality requirements. Ensure that any information shared with or received from the AI Office or national competent authorities under Article 55 is subject to strict access controls, non-disclosure agreements, and secure storage protocols. Train staff on trade secret protection obligations.
Article 56 - Codes of practice
Art. 56(1). (effective 2 August 2025) The AI Office is tasked with encouraging and facilitating the creation of codes of practice at EU level to help ensure proper application of the AI Act, taking into account international standards and approaches.
chevron_rightSource text
Source text: “The AI Office shall encourage and facilitate the drawing up of codes of practice at Union level in order to contribute to the proper application of this Regulation, taking into account international approaches.”
In practice: Providers of general-purpose AI models should proactively engage with the AI Office's code of practice development process to shape practical compliance standards and demonstrate early commitment to responsible AI governance.
Art. 56(2). (effective 2 August 2025) The AI Office and the Board must ensure that codes of practice cover at minimum the obligations in Articles 53 and 55, including keeping information up to date, providing adequate training data summaries, and identifying systemic risks at Union level.
chevron_rightSource text
Source text: “The AI Office and the Board shall aim to ensure that the codes of practice cover at least the obligations provided for in Articles 53 and 55, including the following issues:”
In practice: Providers of general-purpose AI models should prepare documentation covering training data summaries and systemic risk identification processes in anticipation of code of practice requirements, aligning with Articles 53 and 55 obligations.
Art. 56(4). (effective 2 August 2025) The AI Office and the Board must ensure that codes of practice clearly set out specific objectives, include commitments or measures with key performance indicators where appropriate, and take due account of the needs and interests of all interested parties including affected persons.
chevron_rightSource text
Source text: “The AI Office and the Board shall aim to ensure that the codes of practice clearly set out their specific objectives and contain commitments or measures, including key performance indicators as appropriate, to ensure the achievement of those objectives, and that they take due account of the needs and interests of all interested parties, including affected persons, at Union level.”
In practice: When participating in or implementing codes of practice, organisations should ensure their internal governance frameworks map to the specific objectives and KPIs defined in the codes, and document how affected persons' interests have been considered.
Art. 56(5). (effective 2 August 2025) The AI Office must ensure that participants in codes of practice regularly report on the implementation of their commitments, measures taken, and outcomes including against KPIs, with reporting requirements reflecting differences in size and capacity among participants.
chevron_rightSource text
Source text: “The AI Office shall aim to ensure that participants to the codes of practice report regularly to the AI Office on the implementation of the commitments and the measures taken and their outcomes, including as measured against the key performance indicators as appropriate. Key performance indicators and reporting commitments shall reflect differences in size and capacity between various participants.”
In practice: Organisations participating in codes of practice should establish internal reporting mechanisms to track KPI performance and commitment implementation, ensuring reports are proportionate to their size and capacity and submitted to the AI Office on a regular basis.
Art. 56(6). (effective 2 August 2025) The AI Office and the Board must regularly monitor and assess whether codes of practice for general-purpose AI models adequately cover obligations under Articles 53 and 55, publish their assessments, and the Commission may approve a code of practice by implementing act to give it general validity across the EU.
chevron_rightSource text
Source text: “The AI Office and the Board shall regularly monitor and evaluate the achievement of the objectives of the codes of practice by the participants and their contribution to the proper application of this Regulation. The AI Office and the Board shall assess whether the codes of practice cover the obligations provided for in Articles 53 and 55, and shall regularly monitor and evaluate the achievement of their objectives. They shall publish their assessment of the adequacy of the codes of practice. The Commission may, by way of an implementing act, approve a code of practice and give it a general validity within the Union. That implementing act shall be adopted in accordance with the examination procedure referred to in Article 98(2).”
In practice: Providers participating in codes of practice should track AI Office and Board assessments of adequacy and be prepared to adapt their compliance frameworks if the Commission elevates a code of practice to general validity via implementing act.
Art. 56(8). (effective 2 August 2025) The AI Office must encourage and facilitate the review and adaptation of codes of practice, particularly in light of emerging standards, and must assist in assessing available standards relevant to general-purpose AI models.
chevron_rightSource text
Source text: “The AI Office shall, as appropriate, also encourage and facilitate the review and adaptation of the codes of practice, in particular in light of emerging standards. The AI Office shall assist in the assessment of available standards.”
In practice: Compliance teams should monitor AI Office publications on standards assessments and code of practice revisions to ensure their internal policies remain aligned with the latest applicable standards and updated codes.
Art. 56(9). (effective 2025-05-02) Codes of practice must be ready by 2 May 2025; if by 2 August 2025 a code cannot be finalised or is deemed inadequate, the Commission may adopt implementing acts providing common rules for implementing the obligations under Articles 53 and 55.
chevron_rightSource text
Source text: “Codes of practice shall be ready at the latest by 2 May 2025. The AI Office shall take the necessary steps, including inviting providers pursuant to paragraph 7. If, by 2 August 2025, a code of practice cannot be finalised, or if the AI Office deems it is not adequate following its assessment under paragraph 6 of this Article, the Commission may provide, by means of implementing acts, common rules for the implementation of the obligations provided for in Articles 53 and 55, including the issues set out in paragraph 2 of this Article. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 98(2).”
In practice: Providers should actively participate in the code of practice development process before 2 May 2025 to influence the outcome; if implementing acts are adopted instead, providers must be ready to comply with those common rules by 2 August 2025.
Article 57 - AI regulatory sandboxes
Art. 57(15). National competent authorities must inform the AI Office and the Board when establishing a sandbox and may request their support and guidance. The AI Office must maintain and publicly publish an up-to-date list of planned and existing sandboxes to encourage interaction and cross-border cooperation.
chevron_rightSource text
Source text: “National competent authorities shall inform the AI Office and the Board of the establishment of a sandbox, and may ask them for support and guidance. The AI Office shall make publicly available a list of planned and existing sandboxes and keep it up to date in order to encourage more interaction in the AI regulatory sandboxes and cross-border cooperation.”
In practice: National competent authorities should establish a formal notification procedure for sandbox establishment that includes submission to the AI Office and the Board, and should monitor the AI Office's public sandbox list to identify opportunities for cross-border collaboration and alignment with other Member States' sandbox activities.
Article 62 - Measures for providers and deployers, in particular SMEs, including start-ups
Art. 62(3). The AI Office must provide standardised templates for areas covered by the AI Act, develop and maintain a single easy-to-use information platform for all operators across the Union, and organise communication campaigns to raise awareness about obligations under the Regulation.
chevron_rightSource text
Source text: “The AI Office shall undertake the following actions:”
In practice: The AI Office should coordinate with the Board to prioritise template development for the most complex compliance areas (e.g., conformity assessment documentation, risk management), and ensure the information platform is accessible, multilingual, and machine-readable to serve diverse operators across the EU.
Article 68 - Scientific panel of independent experts
Art. 68(3). (effective 2 August 2025) The scientific panel advises and supports the AI Office, particularly on implementing and enforcing rules for general-purpose AI models and systems, including supporting market surveillance authorities and cross-border activities.
chevron_rightSource text
Source text: “The scientific panel shall advise and support the AI Office, in particular with regard to the following tasks:”
In practice: Providers of general-purpose AI models should be aware that the scientific panel may be called upon to assist market surveillance authorities investigating their systems; maintain comprehensive technical documentation to facilitate such reviews.
Art. 68(4). (effective 2 August 2025) Scientific panel experts must act impartially and objectively, maintain confidentiality, not take instructions from anyone, and publicly declare their interests; the AI Office must establish systems to manage and prevent conflicts of interest.
chevron_rightSource text
Source text: “The experts on the scientific panel shall perform their tasks with impartiality and objectivity, and shall ensure the confidentiality of information and data obtained in carrying out their tasks and activities. They shall neither seek nor take instructions from anyone when exercising their tasks under paragraph 3. Each expert shall draw up a declaration of interests, which shall be made publicly available. The AI Office shall establish systems and procedures to actively manage and prevent potential conflicts of interest.”
In practice: The AI Office should implement a formal conflict-of-interest management framework including a public register of declarations of interests, periodic reviews, and recusal procedures for panel members with relevant financial or organisational ties.
Art. 68(5). (effective 2 August 2025) The implementing act establishing the scientific panel must also include provisions on the conditions, procedures, and arrangements for panel members to issue alerts and request AI Office assistance for their tasks.
chevron_rightSource text
Source text: “The implementing act referred to in paragraph 1 shall include provisions on the conditions, procedures and detailed arrangements for the scientific panel and its members to issue alerts, and to request the assistance of the AI Office for the performance of the tasks of the scientific panel.”
In practice: When the implementing act is published, compliance teams should map the alert and assistance request procedures to internal escalation workflows, ensuring that any interaction with the scientific panel or AI Office is properly documented and tracked.
Article 74 - Market surveillance and control of AI systems in the Union market
Art. 74(11). Market surveillance authorities and the Commission may propose and conduct joint activities, including investigations, to promote compliance and address serious cross-border risks from high-risk AI systems, with the AI Office providing coordination support.
chevron_rightSource text
Source text: “Market surveillance authorities and the Commission shall be able to propose joint activities, including joint investigations, to be conducted by either market surveillance authorities or market surveillance authorities jointly with the Commission, that have the aim of promoting compliance, identifying non-compliance, raising awareness or providing guidance in relation to this Regulation with respect to specific categories of high-risk AI systems that are found to present a serious risk across two or more Member States in accordance with Article 9 of Regulation (EU) 2019/1020. The AI Office shall provide coordination support for joint investigations.”
In practice: Organisations operating high-risk AI systems across multiple Member States should maintain up-to-date documentation and be prepared for coordinated cross-border investigations; designate a single compliance contact point to liaise with multiple national authorities.
Article 75 - Mutual assistance, market surveillance and control of general-purpose AI systems
Art. 75(1). When an AI system is built on a general-purpose AI model and both are developed by the same provider, the AI Office holds full market surveillance authority to monitor and enforce compliance with the AI Act, wielding all powers granted to market surveillance authorities under this Regulation and Regulation (EU) 2019/1020.
chevron_rightSource text
Source text: “Where an AI system is based on a general-purpose AI model, and the model and the system are developed by the same provider, the AI Office shall have powers to monitor and supervise compliance of that AI system with obligations under this Regulation. To carry out its monitoring and supervision tasks, the AI Office shall have all the powers of a market surveillance authority provided for in this Section and Regulation (EU) 2019/1020.”
In practice: Providers who develop both the general-purpose AI model and the AI system built on it should treat the AI Office as their primary supervisory counterpart and ensure all documentation, technical records, and compliance evidence are readily accessible to the AI Office upon request.
Art. 75(3). Where a market surveillance authority cannot complete its investigation of a high-risk AI system due to inability to access information related to the underlying general-purpose AI model, it may submit a reasoned request to the AI Office, which must supply relevant information within 30 days; the authority must keep that information confidential in accordance with Article 78, and the mutual assistance procedure of Regulation (EU) 2019/1020 Chapter VI applies mutatis mutandis.
chevron_rightSource text
Source text: “Where a market surveillance authority is unable to conclude its investigation of the high-risk AI system because of its inability to access certain information related to the general-purpose AI model despite having made all appropriate efforts to obtain that information, it may submit a reasoned request to the AI Office, by which access to that information shall be enforced. In that case, the AI Office shall supply to the applicant authority without delay, and in any event within 30 days, any information that the AI Office considers to be relevant in order to establish whether a high-risk AI system is non-compliant. Market surveillance authorities shall safeguard the confidentiality of the information that they obtain in accordance with Article 78 of this Regulation. The procedure provided for in Chapter VI of Regulation (EU) 2019/1020 shall apply mutatis mutandis.”
In practice: Market surveillance authorities should document all efforts made to obtain information before submitting a reasoned request to the AI Office, and implement confidentiality protocols aligned with Article 78 of the AI Act to handle any information received from the AI Office.
Related
This page covers the AI Act obligations of an oversight/governance role. If you build or supply AI systems, see the actor pages for providers and deployers — where the AI Act's requirements map onto the GDPR control modules RuleMesh delivers.
Frequently asked questions
What is the AI Office under the EU AI Act?
The AI Office is the European Commission's internal functional unit, established by Commission Decision of 24 January 2024, responsible for contributing to the implementation, monitoring and supervision of AI systems and general-purpose AI models, and for AI governance across the Union. Under the AI Act, references to the AI Office are to be read as references to the Commission itself. (Source: AI Act definitions, CELEX 32024R1689.)
How many obligations does the AI Act place on the ai office?
The RuleMesh knowledge graph identifies 18 obligation paragraphs addressed to the AI Office role, across Articles 27, 50, 55, 56, 57, 62, 68, 74, 75.
When do AI Act the ai office obligations apply?
Most obligations relating to high-risk AI systems apply from 2 August 2026. Obligations for providers of general-purpose AI models and the AI Act's governance framework apply from 2 August 2025, and the Article 5 prohibitions applied from 2 February 2025.
Source data: RuleMesh knowledge graph — Fuseki legalrules dataset, CELEX 32024R1689 (EU AI Act), with cross-references resolved into CELEX 32016R0679 (GDPR). This page is education and reference only — it is not legal advice. RuleMesh's product offer is GDPR control modules in Jira.