AI Act Obligations for Operators
A complete, article-by-article reference for AI Act operators — generated from the RuleMesh knowledge graph (CELEX 32024R1689). Covers all 1 obligation paragraph sourced from the regulation, with relevant annexes and GDPR cross-references quoted verbatim.
This page is generated from the RuleMesh knowledge graph — every obligation, annex block, and cross-reference is pulled from the structured graph representation of CELEX 32024R1689, not recalled from memory.
Pending change — the Digital Omnibus on AI. An amendment approved in June 2026 is set to move stand-alone high-risk deadlines (Annex III) to 2 December 2027, while transparency, content-marking, and two new prohibitions still apply in 2026. The dates on this page remain the currently-binding Regulation 2024/1689 dates until the amendment is published in the Official Journal. Read the briefing.
Regulation (EU) 2024/1689 — CELEX 32024R1689
This page is generated from the RuleMesh knowledge graph — every obligation, annex block, and cross-reference below is pulled from the structured graph representation of the regulation, not recalled from memory.
Who is an operator?
An operator, in the AI Act sense, is an umbrella term encompassing any natural or legal person involved in the AI value chain in a regulated capacity — specifically: providers, product manufacturers, deployers, authorised representatives, importers, and distributors — each bearing distinct obligations depending on their role.
1 obligation paragraph in the AI Act is addressed to the Operator role. Most obligations for high-risk AI systems apply from 2 August 2026; obligations for general-purpose AI model providers and the AI Act's governance bodies apply from 2 August 2025.
Jump to an article
- Article 74 - Market surveillance and control of AI systems in the Union market
- Bridge to product
- Frequently asked questions
Article 74 - Market surveillance and control of AI systems in the Union market
Art. 74(1). This paragraph extends the application of the EU Market Surveillance Regulation (2019/1020) to AI systems covered by the AI Act, ensuring that references to 'economic operators' and 'products' in that regulation are interpreted to include all AI system operators and AI systems within the AI Act's scope.
chevron_rightSource text
Source text: “Regulation (EU) 2019/1020 shall apply to AI systems covered by this Regulation. For the purposes of the effective enforcement of this Regulation:”
In practice: Operators of AI systems should familiarise themselves with Regulation (EU) 2019/1020 obligations (e.g., cooperation with market surveillance authorities, product traceability) as these now apply to them. Map your AI system supply chain roles (provider, deployer, importer, distributor) to the economic operator definitions.
Bridge to product
Across the AI Act, the obligations that touch personal data converge on the same engineering controls GDPR already requires — and RuleMesh ships those as a ready-to-implement Jira backlog today.
- Risk management (AI Act Art. 9) ↔ GDPR Art. 32 (technical & organisational measures)
- Data governance / bias detection (Art. 10) ↔ GDPR Art. 9 (special categories) + Art. 32
- Automated logging (Art. 12) ↔ GDPR Art. 32 (audit trail / breach detection)
- Human oversight (Art. 14) ↔ GDPR Art. 22 (automated-decision safeguards)
- Deployer DPIA / FRIA (Arts. 26–27) ↔ GDPR Art. 35 (data protection impact assessment)
RuleMesh is not an AI Act compliance product — it implements GDPR control modules. But because the AI Act routes you to the exact GDPR articles RuleMesh already covers, starting with GDPR is your AI Act head start.
Frequently asked questions
Who is an operator under the EU AI Act?
An operator, in the AI Act sense, is an umbrella term encompassing any natural or legal person involved in the AI value chain in a regulated capacity — specifically: providers, product manufacturers, deployers, authorised representatives, importers, and distributors — each bearing distinct obligations depending on their role. (Source: AI Act definitions, CELEX 32024R1689.)
How many obligations does the AI Act place on operators?
The RuleMesh knowledge graph identifies 1 obligation paragraph addressed to the Operator role, across Article 74.
When do AI Act operators obligations apply?
Most obligations relating to high-risk AI systems apply from 2 August 2026. Obligations for providers of general-purpose AI models and the AI Act's governance framework apply from 2 August 2025, and the Article 5 prohibitions applied from 2 February 2025.
Do the AI Act operators obligations overlap with GDPR?
Yes. The AI Act repeatedly references specific GDPR articles and does not override GDPR — for example special-category data for bias detection (GDPR Art. 9), data protection impact assessments (GDPR Art. 35), and the technical and organisational measures of GDPR Art. 32. The two regulations require the same engineering controls.
Source data: RuleMesh knowledge graph — Fuseki legalrules dataset, CELEX 32024R1689 (EU AI Act), with cross-references resolved into CELEX 32016R0679 (GDPR). This page is education and reference only — it is not legal advice. RuleMesh's product offer is GDPR control modules in Jira.
GDPR Article 32 is your AI Act head start.
The AI Act and GDPR call for the same engineering work: risk management (Art. 9 ↔ GDPR Art. 32), data governance (Art. 10 ↔ GDPR Art. 9), logging (Art. 12 ↔ GDPR Art. 32), human oversight (Art. 14 ↔ GDPR Art. 22), incident reporting (Arts. 72/73 ↔ GDPR Arts. 33/34). RuleMesh delivers the GDPR side today: structured IT requirements your engineers and AI agents implement through the MCP. The AI Act's requirements are coming to the same MCP.