The AI Act attaches obligations to roles, not to technologies. The first legal question is therefore not "what does the system do?" but "who are you in the value chain, and into which risk class does the system fall?" Everything else — documentation, conformity, oversight, deadlines — follows from that answer.
01Role classification and risk class
Article 3 of the AI Act defines the four operator roles to which the regulation attaches its obligations. Which set of duties applies to your company depends on this classification — and the classification can change: a deployer that puts its name on a system, substantially modifies it, or changes its intended purpose can be re-characterised as a provider (Art. 25 AI Act).
Develops an AI system or GPAI model, or has one developed, and places it on the market or puts it into service under its own name or trademark.
Uses an AI system under its own authority in a professional context — the role most companies occupy without realising it.
Established in the EU and places on the market an AI system bearing the name or trademark of a person established outside the EU.
Makes an AI system available on the EU market without being its provider or importer.
High-risk classification (Art. 6, Annex III)
Whether a system is high-risk is determined by Art. 6 AI Act: either because it is a product (or the safety component of a product) covered by the EU harmonisation legislation listed in Annex I (Art. 6(1)), or because its intended use falls within one of the areas listed in Annex III — including employment and workers' management, credit scoring, education, essential private and public services, and law enforcement. The classification analysis, including the derogation in Art. 6(3) and its documentation, is the foundation of every AI Act mandate.
General-purpose AI (GPAI)
General-purpose AI models within the meaning of Art. 3(63) AI Act follow a separate track: transparency and documentation obligations under Arts. 53 et seq., and additional obligations where the model presents systemic risk (Art. 51). Companies that fine-tune or integrate third-party foundation models frequently need to determine where in this chain their own obligations begin.
02Advisory fields
- Readiness against Arts. 8–27: a structured review of the high-risk requirements — risk management (Art. 9), data governance (Art. 10), technical documentation (Art. 11, Annex IV), logging (Art. 12), transparency and instructions for use (Art. 13), human oversight (Art. 14), and the provider and deployer obligations of Arts. 16–27 — mapped against the state of your product and processes.
- AI literacy (Art. 4): Art. 4 AI Act — already applicable — requires providers and deployers to ensure a sufficient level of AI literacy in the staff dealing with AI systems. We advise on scope, documentation, and proportionate implementation.
- Conformity and documentation questions: conformity assessment routes, the structure and depth of Annex IV technical documentation, EU declarations of conformity, and registration duties.
- Contact with authorities and procedures: correspondence with market surveillance authorities, responses to information requests, and representation in administrative procedures under the AI Act.
Application timeline
The AI Act enters into application in stages. Three dates structure most compliance planning:
03Engagement structure
Where the scope of an AI Act question can be defined in advance — a role-classification memo, a high-risk analysis, a readiness review — we offer it as a fixed-fee package, so that the fee is known before the work begins. The current package structure is set out on the fees page; it includes a DSA ⇄ AI Act switch that shows the corresponding packages for each regime. Matters that cannot be scoped in advance are billed transparently by time.
04Related reading
For a doctrinal analysis of how the AI Act's risk-based architecture copes with autonomous, tool-using systems, see our article Agentic AI Systems under the EU AI Act — A Risk-Based Regime Meets Its First Stress Test.
05Authorised representative under Art. 22 / Art. 54 AI Act
Providers established outside the EU must have an authorised representative in the Union before placing high-risk AI systems (Art. 22 AI Act) or general-purpose AI models (Art. 54 AI Act) on the EU market. This is an operational compliance function, distinct from legal advice.
Named representative function: Regingada UG (haftungsbeschränkt) — separate service, no legal advice. The law firm advises on the legal questions surrounding Arts. 22 and 54; the representative function itself is contracted separately with Regingada UG.
Discuss your AI Act question
Rechtsanwalt Theo Funk advises providers, deployers, importers, and distributors on the AI Act — in German, English, French, and Japanese. Describe your system and your role in the value chain; we will identify the legal questions that should be addressed first.
Get in touch →