Compliance Matrix – Requirements Mapping
Obligations by Risk Level and Role
Minimal Risk
| Obligation | Article | Provider | Deployer |
|---|---|---|---|
| AI Literacy | Art. 4 | ✅ | ✅ |
| No further obligations | — | — | — |
Limited Risk (Transparency)
| Obligation | Article | Provider | Deployer |
|---|---|---|---|
| AI Literacy | Art. 4 | ✅ | ✅ |
| Disclose AI interaction | Art. 50(1) | ✅ | ✅ |
| Label synthetic content | Art. 50(2) | ✅ | — |
| Deepfake disclosure | Art. 50(4) | — | ✅ |
High-Risk
| Obligation | Article | Provider | Deployer |
|---|---|---|---|
| AI Literacy | Art. 4 | ✅ | ✅ |
| Risk management system | Art. 9 | ✅ | ✅* |
| Data Governance | Art. 10 | ✅ | — |
| Technical documentation | Art. 11 | ✅ | — |
| Record-keeping | Art. 12 | ✅ | ✅ (retention) |
| Transparency (instructions for use) | Art. 13 | ✅ | — |
| Human oversight | Art. 14 | ✅ (design) | ✅ (implementation) |
| Accuracy, robustness, cybersecurity | Art. 15 | ✅ | — |
| Quality management system (QMS) | Art. 17 | ✅ | — |
| Conformity assessment | Art. 43 | ✅ | — |
| EU Declaration of Conformity | Art. 47 | ✅ | — |
| CE marking | Art. 48 | ✅ | — |
| Registration (EU database) | Art. 49 | ✅ | ✅** |
| Post-market monitoring | Art. 72 | ✅ | — |
| Incident reporting | Art. 73 | ✅ | ✅ |
* Deployer: simplified risk management per Art. 26
** Deployer: public authorities only
GPAI (Model Providers Only)
| Obligation | Article | All GPAI | + Systemic Risk |
|---|---|---|---|
| Technical documentation | Art. 53(1)(a) | ✅ | ✅ |
| Info to downstream providers | Art. 53(1)(b) | ✅ | ✅ |
| Copyright policy | Art. 53(1)(c) | ✅ | ✅ |
| Training data summary | Art. 53(1)(d) | ✅ | ✅ |
| Model evaluation | Art. 55(1)(a) | — | ✅ |
| Adversarial testing | Art. 55(1)(a) | — | ✅ |
| Risk mitigation | Art. 55(1)(b) | — | ✅ |
| Incident reporting | Art. 55(1)(c) | — | ✅ |
| Model cybersecurity | Art. 55(1)(d) | — | ✅ |