Requirement

Since 2 February 2025, providers and deployers are obliged to ensure that their staff and other persons involved in the operation and use of AI systems possess a sufficient level of AI competence (AI Literacy).

What Is AI Literacy?

Art. 4 requires that persons operating AI systems:

• Understand the capabilities and limitations of the AI systems
• Recognise the potential impacts on affected persons
• Are able to use AI systems as intended

The requirement is proportional — the required level of competence depends on the context, the risk level and the potential impacts.

BAUER GROUP Implementation

Training Concept

Documentation Obligation

Every training participation is documented. See: AI Literacy Training Record

AI Act Roles within the BAUER GROUP

Executive Management

• Final Go/No-Go decision for AI products in the EU market
• Strategic positioning (avoidance vs. compliance)
• Resource allocation for compliance measures

Head of Development

• Technical implementation of Art. 8–15 requirements (for high-risk)
• Integration of AI Act checks into CI/CD pipeline
• Model versioning and documentation
• Cybersecurity (coordinated with CRA responsible person)

Project Management

• Maintain AI system inventory
• Conduct risk classification per product
• Create and update technical documentation
• Coordinate conformity assessment

All Employees with AI Contact

• Complete AI Literacy training
• Use AI systems in accordance with their intended purpose
• Report anomalies and incidents

Mapping to CRA Roles

Requirement

High-risk AI systems must exhibit an appropriate level of accuracy, robustness and cybersecurity.

Accuracy

• Accuracy levels must be declared in the instructions for use
• Define and measure appropriate metrics for the respective intended purpose
• Accuracy levels must be appropriate for the intended purpose

Robustness

• Resilience against errors, faults and inconsistencies in the operating environment
• Technical redundancy (backup systems, fail-safe mechanisms)
• Robustness against adversarial attacks (Adversarial ML)

Cybersecurity

• Protection against unauthorised access and manipulation
• Address Model Poisoning, Data Poisoning and Adversarial Examples
• Measures to protect confidentiality, integrity and availability

BAUER GROUP Implementation

Regulation (EU) 2024/1689

The EU Artificial Intelligence Act (AI Act) is the world's first comprehensive regulation for Artificial Intelligence. The regulation entered into force on 1 August 2024 and will become fully applicable by 2 August 2027 in phases.

Distinction from the Cyber Resilience Act (CRA)

Core Principles

The AI Act follows a risk-based approach with four risk tiers:

1. Unacceptable risk (prohibited) — Art. 5
2. High risk (strictly regulated) — Art. 6–49, Annex I + III
3. Limited risk (transparency obligations) — Art. 50
4. Minimal risk (unregulated) — no specific obligations

Extraterritorial Applicability

The AI Act applies to:

• Providers who place AI systems on the EU market — regardless of their place of establishment
• Deployers who professionally use AI systems within the EU
• Importers and distributors in the AI value chain
• Third-country providers whose AI system output is used within the EU

Documentation Structure

This documentation is structured in 10 chapters + appendix and is available in DE/EN/ZH. It forms the regulatory counterpart to the existing CRA documentation and addresses all obligations arising from the AI Act for BAUER GROUP as provider and deployer of AI-powered systems.

Effort by Risk Level

Decision Rules

Automatic GO

• Minimal risk
• Limited risk (transparency obligations are trivial)

Go/No-Go Assessment Required

• High-risk with self-assessment (Annex VI)

Automatic NO-GO EU

• High-risk with third-party assessment (Annex VII)
• Any system where compliance effort > 15% of the 3-year contribution margin

CRA Synergies (Effort Reduction)

Where a product is already CRA-compliant, the additional AI Act effort is reduced significantly:

Obligations by Risk Level and Role

Minimal Risk

Limited Risk (Transparency)

High-Risk

* Deployer: simplified risk management per Art. 26 ** Deployer: public authorities only

GPAI (Model Providers Only)

When Is It Required?

An assessment by a Notified Body is only required for certain high-risk systems, in particular remote biometric identification and certain law enforcement AI.

Procedure (Annex VII)

The procedure comprises the assessment of:

1. Quality Management System — comprehensive review of the QMS by the Notified Body
2. Technical Documentation — review for completeness and plausibility
3. Sample Testing — tests on the system itself

The Notified Body issues a certificate upon a positive outcome.

Requirement

High-risk AI systems must bear the CE marking to indicate conformity with the AI Act.

Affixing

The CE marking shall be affixed to:

1. The AI system itself (for physical products) — visible, legible, indelible
2. The packaging — where affixing to the system is not possible
3. The accompanying documentation — as a last resort

Rules

• Must be affixed before placing on the market
• Must comply with the format pursuant to EU harmonisation legislation (minimum height 5 mm)
• For software without a physical product: in the digital documentation and, where applicable, in the UI

Synergies with CRA

Where the product already bears a CRA CE marking, the AI Act conformity is integrated into the same declaration. No duplicate CE marking is required.

Requirement

Providers of high-risk AI systems must issue an EU Declaration of Conformity confirming that the system meets the requirements of the AI Act.

Content

The declaration must contain at least:

• Name and address of the provider
• Unique identification of the AI system (name, type, serial number/version)
• Statement that the system complies with the requirements of the AI Act
• Reference to applied harmonised standards or other technical specifications
• Where applicable, name and identification number of the notified body (for Annex VII)
• Date and signature

Single Source of Truth

The EU Declaration of Conformity is generated from the machine-readable file .compliance/ai-act-statement.json. This ensures that:

• One source — JSON is the sole location where compliance data are maintained
• Consistency — Human-readable DoC, CE marking and EU database registration use the same data
• Automation — Validation and generation in the CI/CD pipeline

See: Machine-Readable Format

Retention

The EU Declaration of Conformity must be retained for 10 years after the AI system is placed on the market and presented to the competent authorities upon request.

Template

See: EU Declaration of Conformity Template

Overview

High-risk AI systems must undergo a conformity assessment before being placed on the market. The AI Act provides two paths:

Path 1: Internal Control (Annex VI) — Self-Assessment

For most high-risk AI systems, a self-assessment by the provider is sufficient. This comprises:

• Review of the QMS (Art. 17)
• Review of the technical documentation
• Confirmation of conformity with Art. 8–15

Path 2: Third-Party Assessment (Annex VII)

Only required for certain Annex III systems, in particular:

• Remote biometric identification (Annex III No. 1)
• Critical infrastructure (Annex III No. 2) — under certain conditions
• Certain law enforcement systems (Annex III No. 6–7)

Procedure for Products under EU Harmonisation Legislation

Where the AI system is a safety component of an already regulated product (Annex I), the AI Act conformity assessment is integrated into the existing product conformity assessment.

Purpose

Machine-readable compliance data enable:

• Automated publication on the compliance portal
• Programmatic validation in CI/CD pipelines
• Aggregation across all AI systems in a central dashboard
• Authority access via API for market surveillance authorities
• Generation of the human-readable EU Declaration of Conformity (Annex V)

JSON Schema

The AI Act Compliance Statement follows a defined JSON schema:

{
  "$schema": "https://ai-act.app.bauer-group.com/schemas/ai-act-statement/v1.json",
  "schema_version": "1.0.0",

  "provider": {
    "name": "BAUER GROUP",
    "address": "[Full postal address]",
    "contact_email": "compliance@bauer-group.com",
    "website": "[URL]",
    "authorised_representative": null
  },

  "ai_system": {
    "name": "[Name of the AI system]",
    "version": "[X.Y.Z]",
    "type": "[standalone|embedded|gpai_based]",
    "description": "[Brief description of the intended use]",
    "identifier": "AI-BGI-XXXX",
    "intended_purpose": "[Intended purpose pursuant to Art. 13]",
    "deployer_type": "[internal|b2b|b2c|public_authority]"
  },

  "risk_classification": {
    "risk_level": "[minimal|limited|high_risk]",
    "annex_iii_category": "[1-8 or null]",
    "annex_i_product": "[Annex I reference or null]",
    "classification_rationale": "[Rationale for the classification]"
  },

  "conformity_assessment": {
    "procedure": "[annex_vi|annex_vii]",
    "notified_body": null,
    "assessment_date": "[YYYY-MM-DD]",
    "declaration_url": "[URL to the full DoC]",
    "declaration_date": "[YYYY-MM-DD]",
    "ce_marking": true,
    "ce_marking_placement": "[product|packaging|documentation|digital]"
  },

  "compliance": {
    "art_9_risk_management": true,
    "art_10_data_governance": true,
    "art_11_technical_documentation": true,
    "art_12_record_keeping": true,
    "art_13_transparency": true,
    "art_14_human_oversight": true,
    "art_15_accuracy_robustness": true,
    "art_17_qms": true
  },

  "transparency": {
    "ai_interaction_disclosed": true,
    "synthetic_content_labelled": false,
    "deployer_instructions_provided": true,
    "eu_database_registered": true,
    "eu_database_id": "[Registration number or null]"
  },

  "support_period": {
    "start_date": "[YYYY-MM-DD]",
    "end_date": "[YYYY-MM-DD]",
    "phase": "[active|monitoring|eol]",
    "post_market_monitoring": true
  },

  "harmonised_standards": [
    {
      "identifier": "[e.g. EN XXXXX:YYYY]",
      "description": "[Description]"
    }
  ],

  "metadata": {
    "generated_at": "[ISO 8601 Timestamp]",
    "generator": "[Tool or manual]",
    "statement_version": "[Version of the statement]",
    "regulation": "(EU) 2024/1689"
  }
}

Field Overview

Required Fields

Optional Fields

Generation Flow

.compliance/ai-act-statement.json (Single Source of Truth)
    ↓
    ├─→ EU Declaration of Conformity (PDF/HTML — Annex V)
    ├─→ CE Marking (product, packaging, documentation)
    ├─→ EU Database Registration (Art. 49)
    ├─→ Compliance Dashboard (central aggregation)
    └─→ Deployer Information (instructions for use Art. 13)

Validation

CI/CD Pipeline

# Example: GitHub Actions Step
- name: Validate AI Act Statement
  run: |
    npx ajv validate \
      -s schemas/ai-act-statement-v1.schema.json \
      -d .compliance/ai-act-statement.json

Validation Rules

Complete Example

{
  "$schema": "https://ai-act.app.bauer-group.com/schemas/ai-act-statement/v1.json",
  "schema_version": "1.0.0",

  "provider": {
    "name": "BAUER GROUP",
    "address": "Musterstraße 1, 12345 Musterstadt, Deutschland",
    "contact_email": "compliance@bauer-group.com",
    "website": "https://bauer-group.com",
    "authorised_representative": null
  },

  "ai_system": {
    "name": "BAUER Predictive Maintenance Engine",
    "version": "1.2.0",
    "type": "embedded",
    "description": "AI-based predictive maintenance for construction machinery hydraulic systems",
    "identifier": "AI-BGI-0042",
    "intended_purpose": "Prediction of maintenance needs based on sensor data (vibration, temperature, pressure) to prevent unplanned downtime",
    "deployer_type": "b2b"
  },

  "risk_classification": {
    "risk_level": "high_risk",
    "annex_iii_category": 2,
    "annex_i_product": "Machinery Regulation (EU) 2023/1230",
    "classification_rationale": "Safety component in Annex I product (construction machinery) — Art. 6(1)"
  },

  "conformity_assessment": {
    "procedure": "annex_vi",
    "notified_body": null,
    "assessment_date": "2026-07-15",
    "declaration_url": "https://ai-act.app.bauer-group.com/systems/AI-BGI-0042/doc",
    "declaration_date": "2026-07-15",
    "ce_marking": true,
    "ce_marking_placement": "documentation"
  },

  "compliance": {
    "art_9_risk_management": true,
    "art_10_data_governance": true,
    "art_11_technical_documentation": true,
    "art_12_record_keeping": true,
    "art_13_transparency": true,
    "art_14_human_oversight": true,
    "art_15_accuracy_robustness": true,
    "art_17_qms": true
  },

  "transparency": {
    "ai_interaction_disclosed": false,
    "synthetic_content_labelled": false,
    "deployer_instructions_provided": true,
    "eu_database_registered": true,
    "eu_database_id": "EU-AI-DB-2026-004217"
  },

  "support_period": {
    "start_date": "2026-07-15",
    "end_date": "2031-07-15",
    "phase": "active",
    "post_market_monitoring": true
  },

  "harmonised_standards": [
    {
      "identifier": "ISO/IEC 42001:2023",
      "description": "AI Management System"
    },
    {
      "identifier": "ISO/IEC 23894:2023",
      "description": "AI Risk Management"
    }
  ],

  "metadata": {
    "generated_at": "2026-07-15T09:00:00Z",
    "generator": "manual",
    "statement_version": "1.0.0",
    "regulation": "(EU) 2024/1689"
  }
}

Schema Versioning

Cross-References

Obligation

Providers must register high-risk AI systems in the EU database (Art. 71) before placing on the market.

Registration Contents (Annex VIII)

Section A — Provider Information

• Name, address, contact details
• Where applicable, name of the authorised representative

Section B — System Information

• Designation and version of the AI system
• Status (on the market / withdrawn)
• Description of the intended purpose
• Risk classification
• Member States in which the system is offered
• URL of the instructions for use
• Reference to the EU Declaration of Conformity

Timing

• High-risk systems: Registration before placing on the market (Art. 49(1))
• Non-high-risk Annex III systems: Registration before placing on the market (Art. 49(2))

Access

The EU database is operated by the Commission and is publicly accessible (with the exception of certain law enforcement information).

Internal Control (Annex VI)

The self-assessment is the standard conformity assessment procedure for high-risk AI systems (where no third-party assessment is required).

Step 1: QMS Verification

Confirmation that the QMS (Art. 17) is implemented and meets the requirements.

Step 2: Technical Documentation

Verification that the technical documentation (Art. 11, Annex IV) is complete and up to date.

Step 3: Conformity Check

Systematic check against all requirements of Art. 8–15:

Step 4: EU Declaration of Conformity

Upon successful self-assessment: issue the EU Declaration of Conformity (Art. 47).

Step 5: CE Marking

Affix the CE marking (Art. 48).

Step 6: Registration

Register in the EU database (Art. 49).

EU AI Office

The AI Office was established on 24 January 2024 by Commission decision and has been operational since 2 August 2025.

Tasks

• Enforcement of GPAI rules (Art. 88–94)
• Coordination of the uniform application of the AI Act
• Support for Member States
• Administration of the EU database
• Monitoring of systemic risks posed by GPAI models
• Publication of guidelines and best practices

AI Board

The AI Board consists of representatives from the Member States and advises the Commission. It has been operational since August 2025.

Tasks

• Ensure consistent application of the AI Act
• Exchange best practices between Member States
• Advise the Commission on delegated acts
• Coordination of national authorities

Relevance for BAUER GROUP

The AI Office and the AI Board are primarily relevant to the regulatory infrastructure. Direct interaction between BAUER GROUP and these bodies is only expected in exceptional cases (e.g. enquiries regarding specific classification questions or GPAI-related topics).

Fine Framework

The AI Act provides for graduated sanctions applicable since 2 August 2025:

The higher amount applies in each case.

SME Privilege

For SMEs and start-ups, the lower of the stated amounts (absolute vs. percentage) applies.

Further Measures

In addition to fines, market surveillance authorities may:

• Order withdrawal of the AI system from the market
• Enforce corrective measures (remediation, retraining)
• Prohibit placing into service until conformity is achieved
• Issue warnings

BAUER GROUP Risk Assessment

The fine risk is proportional to the infringement. For BAUER GROUP:

Jurisdiction

Enforcement of the AI Act takes place at two levels:

EU Level

• AI Office (within the European Commission) — responsible for GPAI models and systemic risks
• AI Board — coordination body of the Member States

National Level

• Market surveillance authorities — responsible for high-risk AI and other obligations
• Notifying authorities — supervision of notified bodies

Each Member State was required to designate its competent authorities by 2 August 2025.

Germany

In Germany, responsibility is expected to lie with:

• Bundesnetzagentur (BNetzA) as the central market surveillance authority for the AI Act
• Potentially sector-specific authorities for particular areas of application

Powers of the Authorities (from August 2026)

• Access to AI systems and their documentation
• Access to source code (under certain conditions)
• Access to training data and test data
• Ordering corrective measures
• Market withdrawal and recall
• Imposition of fines

Structure

The BAUER GROUP integrates AI governance into the existing organisational structure. No separate governance apparatus.

Responsibilities

Processes

1. New product with AI: Assessment schema Art. 5 → Risk classification → Go/No-Go → (if Go) Compliance implementation
2. Existing product + AI extension: Same as new product, but review whether risk level changes
3. Internal AI usage: Ensure AI Literacy, observe deployer obligations
4. Annual review: Update AI inventory, review classifications, conduct training

Documentation Hierarchy

ai-act.docs.bauer-group.com  (this site)
  └── Regulatory Documentation (public)
       ├── General Compliance Presentation
       ├── Templates and Forms
       └── Reference to CRA Documentation

Internal Documents (not public)
  ├── AI System Inventory (product-specific)
  ├── Go/No-Go Decision Protocols
  ├── Risk Classifications (product-specific)
  └── Training Records

AI System Inventory

Every organisation should maintain an inventory of all AI systems it develops, deploys or distributes. This is not an explicit obligation under the AI Act, but a prerequisite for correct risk classification and compliance assessment.

Inventory Fields

Template: AI System Inventory

EU Database Registration (Art. 49)

Obligation to Register

Before placing on the market or putting into service, providers must register the following systems in the EU database:

• High-risk AI systems (Art. 49(1))
• Non-high-risk-classified Annex III systems (Art. 49(2))

Deployers must register if they are public authorities or act on behalf of public authorities.

Registration Contents

The required information is defined in Annex VIII:

• Section A: Provider information
• Section B: Information on the high-risk AI system
• Section C: Deployer information (public authorities only)

Use of GPAI Models

The BAUER GROUP uses GPAI models (LLMs) in various contexts:

Obligations as Deployer

As a professional user of AI systems, the BAUER GROUP has the following deployer obligations:

General (all AI systems)

• AI Literacy (Art. 4) — personnel with AI contact must be adequately trained

For High-Risk AI (if deployed)

• Use in accordance with intended purpose as per provider instructions
• Ensure human oversight
• Monitor input data quality
• Retain logs for at least 6 months
• Report risks and serious incidents to providers and authorities
• If deployed in the workplace: inform workers

Transparency Obligations (Art. 50)

• Labelling of AI-generated content
• Disclosure of AI interactions (chatbots)

Vendor Due Diligence

When selecting GPAI providers, the BAUER GROUP verifies:

• Is the GPAI provider registered in the EU database?
• Does the provider supply the required documentation (Annex XII)?
• Is there a designated EU authorised representative (for third-country providers)?
• Does the provider fulfil its copyright obligations?

Definition

GPAI models are AI models that can be used for a wide variety of different tasks (e.g. Large Language Models such as GPT, Claude, Gemini). They are not trained for a specific purpose but can be adapted for various downstream tasks after training.

Distinction: GPAI Model vs. GPAI System

Systemic Risk (Art. 51)

A GPAI model has systemic risk if:

• Cumulative computing power for training > 10²⁵ FLOPS, OR
• The EU Commission classifies the model accordingly (due to high capabilities/impact)

Providers of GPAI models with systemic risk have additional obligations (Art. 55).

BAUER GROUP Perspective

The BAUER GROUP is currently not a GPAI model provider. In-house model development in the future is not ruled out. Our current role is:

• GPAI deployer — we use GPAI models (Claude, GPT, etc.) as tools
• Potentially a system provider — if we integrate GPAI models into customer products

The GPAI provider obligations (Art. 53, 55) do not apply to the BAUER GROUP but to Anthropic, OpenAI, etc. Responsibility only shifts if we place a GPAI-based system on the EU market under our own name as a high-risk system.

Obligations for ALL GPAI Model Providers

Since 2 August 2025, GPAI model providers must:

1. Prepare and maintain technical documentation (Annex XI)
2. Provide information and documentation to downstream providers (Annex XII), so they can understand the model and fulfil their obligations
3. Comply with copyright directive — establish a policy for the protection of copyright
4. Publish a summary of training data (according to the EU AI Office template)

Additional Obligations for Systemic Risk (Art. 55)

Providers of GPAI models with systemic risk must additionally:

• Conduct model evaluations (including adversarial testing)
• Assess and mitigate systemic risks
• Report serious incidents to the AI Office
• Ensure cybersecurity of the model

Open-Source Exception

GPAI models under a free and open licence (parameters, architecture, and usage publicly accessible) need only fulfil points 3 and 4 — unless they present systemic risk.

Relevance for BAUER GROUP

Criterion

A GPAI model is classified as posing systemic risk if:

• The cumulative computing power for training exceeds 10²⁵ FLOPS (Annex XIII), OR
• The EU Commission classifies it by decision

Providers must notify the Commission within 2 weeks when their model meets this criterion.

Affected Models (as of March 2026)

Models that, based on current knowledge, are or may be considered as posing systemic risk:

• GPT-4/4o (OpenAI)
• Claude 3.5/4 (Anthropic)
• Gemini Ultra/Pro (Google)
• Llama 3.1 405B (Meta)

BAUER GROUP Relevance

None directly. The BAUER GROUP is a user of these models, not a provider. The obligations under Art. 55 apply to the respective model providers.

Indirect relevance: The BAUER GROUP should verify, as part of its vendor selection (vendor due diligence), whether the GPAI provider fulfils its obligations. This reduces its own liability risk when integrating into customer products.

Requirement

Training, validation and test datasets for high-risk AI systems are subject to specific Data Governance requirements.

Data Requirements

Datasets must:

• Be relevant to the intended purpose
• Be sufficiently representative, particularly for affected groups of persons
• Be as far as possible free from errors and complete
• Possess appropriate statistical properties (including with regard to geographical, behavioural and functional aspects)

Data Governance Measures

Providers must document:

• Data provenance and collection methods
• Data preparation processes (labelling, cleansing, enrichment)
• Bias assessment and countermeasures taken
• Measures for the detection and remediation of data gaps and deficiencies
• Legal basis under data protection law (GDPR compliance)

BAUER GROUP Implementation

Requirement

High-risk AI systems must be designed in such a way that they can be effectively overseen by natural persons.

Oversight Requirements

Persons to whom human oversight is assigned must be enabled to:

1. Understand the relevant capabilities and limitations of the system and properly monitor its operation
2. Remain aware of the possible tendency to automatically rely on the system output (Automation Bias)
3. Correctly interpret the output of the system
4. Decide not to use the system or to disregard, override or reverse the output
5. Safely interrupt the system using a stop mechanism

BAUER GROUP Implementation

Overview

High-risk AI systems are subject to the full set of obligations under the AI Act. Art. 8 stipulates that these systems must fulfil the requirements of Art. 9–15, taking into account their intended purpose and the generally acknowledged state of the art.

Catalogue of Requirements

Integration with CRA Compliance

Art. 8(2) explicitly permits the integration into existing compliance processes:

"in order to ensure coherence, avoid duplication and minimise additional burden, providers may integrate the necessary testing, reporting and documentation into already existing procedures"

The BAUER GROUP leverages this possibility to incorporate AI Act documentation as far as possible into the existing CRA QMS and CRA technical documentation.

Requirement

High-risk AI systems must be technically designed in such a way that events are automatically recorded (logging).

Minimum Requirements

The automatic logging must cover:

• Periods of use (start/end of each use)
• Reference database against which input data are checked
• Input data that led to a search
• Identification of the natural persons involved in human oversight

Retention Periods

• Provider: retain logs in so far as under their control
• Deployer: retain logs for at least 6 months (Art. 26(6))

BAUER GROUP Implementation

Complete Catalogue of Obligations

Art. 16 summarises all obligations that a provider of high-risk AI systems must fulfil:

Retention Periods

• Technical documentation: 10 years after placing on the market (Art. 18)
• Automatic logs: To the extent under the provider's control (Art. 19)
• EU declaration of conformity: 10 years (Art. 47)

Post-Market Monitoring

Providers must establish a post-market monitoring system (Art. 72), proportionate to the risk level. For high-risk AI, this system must actively and systematically collect and analyse relevant data on the system's performance.

Requirement

Providers of high-risk AI systems must implement and maintain a documented QMS.

QMS Components (Art. 17(1))

The QMS must cover:

1. Strategy for compliance with regulatory requirements
2. Conformity assessment procedures (design, testing, validation)
3. Technical specifications and standards
4. Data management (collection, analysis, labelling, storage, filtering, aggregation, retention)
5. Risk management (Art. 9)
6. Post-market monitoring (Art. 72)
7. Incident/vulnerability reporting (Art. 73)
8. Communication with authorities, deployers and other stakeholders
9. Change management — procedures and measures for system changes
10. Training and support programmes for personnel

BAUER GROUP Implementation

The AI Act QMS is implemented as an extension of the existing CRA QMS, not as a separate system.

Requirement

Providers of high-risk AI systems must implement a risk management system as a continuous iterative process throughout the entire lifecycle.

Mandatory Components

The risk management system must:

1. Identify and analyse known and foreseeable risks — during intended use and during reasonably foreseeable misuse
2. Assess risks that may arise during intended use and during reasonably foreseeable misuse
3. Develop and implement appropriate risk mitigation measures
4. Assess and document residual risks — taking into account the risk mitigation measures
5. Test — before placing on the market and throughout the lifecycle, to ensure the system functions as intended

Testing Requirements

• Tests against pre-defined metrics and thresholds
• Consideration of the intended purpose
• Testing for bias with regard to affected groups of persons
• Regardless of data format: structured, unstructured, mixed

BAUER GROUP Implementation (Minimal Approach)

Requirement

The technical documentation must be drawn up before placing on the market and kept up to date. It serves to demonstrate conformity to authorities.

Content According to Annex IV

The technical documentation must include at least:

General Description

• Intended purpose of the AI system
• Name and contact details of the provider
• Interaction with hardware or other software
• Versions of relevant software and firmware
• Description of interfaces (API, UI)

Design and Development

• Design specifications (architecture, algorithms, model structure)
• Design decisions and assumptions (including risk assessment)
• Description of the training, validation and testing process
• Training data documentation (origin, scope, characteristics)
• Metrics and thresholds used

Monitoring and Testing

• Test plans and results
• Validation methodology
• Cybersecurity measures (→ CRA synergies)
• Explainability/interpretability measures

Change Management

• Documentation of all material changes after placing on the market
• Versioning and change history

BAUER GROUP Implementation

The technical documentation is drawn up as an extension of the existing CRA technical documentation. Shared sections (product description, security architecture, update mechanism) are referenced, not duplicated.

Template: Provided on a product-specific basis.

Requirement

High-risk AI systems must be designed in such a way that their operation is sufficiently transparent for deployers. Providers must supply instructions for use.

Instructions for Use Must Include

• Name and contact details of the provider
• Performance characteristics, capabilities and limitations of the system
• Intended purpose
• Measures for human oversight and their implementation
• Expected lifetime and maintenance measures
• Technical specifications of the input data
• Explainability of the output where relevant
• Any known risks to health, safety, fundamental rights
• Information on accuracy (Art. 15) including metrics

BAUER GROUP Implementation

Instructions for use are drawn up as a section of the existing product documentation. For B2B customers as a technical data sheet, supplemented with AI Act-specific sections (limitations, known risks, oversight recommendations).

Starting Position

BAUER GROUP (BGI) is an IT and engineering service provider focusing on software development, infrastructure, embedded systems and AI-supported workflows for B2B customers. We are:

• Primarily a Deployer — we use third-party AI systems (LLMs, ML services) as tools within our processes
• Occasionally a Provider — when we integrate AI components into customer products and distribute them under our own name
• Currently not a GPAI model provider — however, in-house model development in the future is not ruled out

Strategic Principles

1. Avoidance Before Compliance

The most efficient path to AI Act conformity is to place no regulated AI systems on the EU market where the effort is disproportionate. Specifically:

• Products with AI components falling under Annex III (high-risk) are assessed individually
• Where compliance effort exceeds the expected 3-year contribution margin, the product is not offered on the EU internal market
• Alternative: distribution in third-country markets outside the scope of the AI Act

2. Minimal Overhead for Compliance

Where we offer AI products on the EU market:

• Maximum use of self-assessment (Annex VI) rather than third-party assessment (Annex VII)
• Integration into existing CRA compliance processes (QMS, technical documentation)
• Template-based documentation — create once, adapt for each product
• No superfluous governance bureaucracy

3. Transparency with Proportionality

• Chatbots and AI-generated content are correctly labelled
• Deepfake generation is not a business area
• AI Literacy training is delivered as part of regular onboarding processes

Affected Products (as of March 2026)

Roles Under the AI Act

The AI Act distinguishes various roles in the AI value chain, analogous to the CRA model of economic operators:

Provider — Art. 3(3)

A natural or legal person that develops an AI system or has it developed and places it on the market or puts it into service under its own name or trademark.

Obligations (summary):

• Conformity assessment before placing on the market
• Technical documentation + QMS
• CE marking + EU declaration of conformity
• Registration in EU database
• Post-market monitoring
• Corrective actions and reporting obligations

Deployer — Art. 3(4)

A natural or legal person that uses an AI system in a professional capacity (not the end consumer).

Obligations (summary):

• Use in accordance with the intended purpose as per provider instructions
• Ensure human oversight
• Ensure input data quality
• Retain logs (minimum 6 months)
• Report risks and incidents to the provider
• Inform workers about AI use (for high-risk)

Importer — Art. 23

Places AI systems from third-country providers on the EU market. Must ensure that the provider has carried out the conformity assessment.

Distributor — Art. 24

Makes AI systems available on the EU market without being a provider or importer. Due diligence obligations regarding conformity.

BAUER GROUP Role Allocation

Authorised Representatives (Art. 22)

Third-country providers must appoint an authorised representative in the EU before placing on the market. For BAUER GROUP (established in Germany) this obligation does not apply to in-house developments.

Principle

Every AI system of the BAUER GROUP undergoes a cost-benefit assessment before EU market launch. The AI Act does not prescribe such an assessment, but as an organisation we autonomously decide which products we distribute and where.

Decision Matrix

┌─────────────────────────────────────────────┐
│ Does the product contain an AI component?   │
│                                             │
│   NO  → AI Act not applicable → GO          │
│   YES ↓                                    │
├─────────────────────────────────────────────┤
│ Does the system fall under Art. 5            │
│ (prohibited)?                               │
│                                             │
│   YES → Do not develop product → STOP       │
│   NO  ↓                                    │
├─────────────────────────────────────────────┤
│ Risk classification (Art. 6, Annex III)      │
│                                             │
│   MINIMAL  → GO (no obligations)            │
│   LIMITED  → GO (transparency obligations   │
│              only)                           │
│   HIGH ↓                                   │
├─────────────────────────────────────────────┤
│ Cost-benefit assessment for high-risk        │
│                                             │
│   Compliance effort ≤ 15% of                │
│   3Y contribution margin → GO               │
│                                             │
│   Compliance effort > 15% of                │
│   3Y contribution margin → NO-GO EU         │
│   → Assess third-market distribution        │
└─────────────────────────────────────────────┘

Compliance Effort for High-Risk (estimated)

At an internal hourly rate of EUR 120 this equates to EUR 32,160–64,320 one-off plus EUR 12,480–24,960/year — excluding external consultancy and notified body costs.

Threshold Calculation

Example: product with AI component, expected 3-year contribution margin EUR 200,000.

• 15% threshold: EUR 30,000
• Estimated compliance effort (minimum): ~EUR 57,000 (3 years)
• Result: NO-GO EU — distribution in third-country markets only

Alternatives in Case of NO-GO EU

1. Remove AI component — implement a rule-based alternative
2. Third-market distribution — APAC, MENA, Latin America
3. AI component as optional feature — EU version without AI, full version for third-country markets
4. Wait for simplification — await Digital Omnibus / delegated acts

Documentation Requirement

Every Go/No-Go decision is documented and archived in the Decision Protocol Template.

What Is an AI System?

Art. 3(1) AI Act defines an AI system as:

A machine-based system that is designed to operate with varying levels of autonomy and that may exhibit adaptiveness after deployment, and that, for explicit or implicit objectives, infers from the inputs it receives how to generate outputs such as predictions, content, recommendations or decisions that can influence physical or virtual environments.

Delineation: What Is NOT an AI System?

The following software does not fall within the scope of the AI Act:

• Rule-based systems without a learning component (classical if-then logic)
• Simple statistical methods (regression, mean calculation)
• Conventional database systems and search functions
• Standard automation software (RPA without ML component)
• Purely mathematical optimisation algorithms

Territorial Scope

The AI Act applies to:

Exemptions

The AI Act does not apply to:

• AI systems exclusively for military or defence purposes
• AI systems for research and development (before placing on the market)
• Natural persons using AI for purely personal, non-professional activities
• AI systems from third countries whose output is not used in the EU
• Open-source AI under certain conditions (Art. 2(12)) — except for high-risk or prohibited practices

BAUER GROUP Product Screening

For each BAUER GROUP product the following must be assessed:

1. Does the product contain an AI component? → If no: AI Act not applicable, end.
2. Is the product offered on the EU market? → If no: AI Act not applicable (except where output is used in the EU).
3. What risk level? → See Risk Classification.
4. Go/No-Go? → See Decision Framework.

Phased Applicability

The AI Act becomes applicable in stages. The following deadlines are operationally relevant for the BAUER GROUP:

Operative Timeline BAUER GROUP

Already Completed (Q1 2025)

• AI Literacy: foundational training for all employees with AI exposure
• Review of the product portfolio against the prohibition catalogue (Art. 5)
• Creation of AI system inventory (draft)

Ongoing (2025–2026)

• Risk classification of all identified AI systems
• Go/No-Go assessment for high-risk candidates
• Development of transparency notices for limited-risk systems
• Documentation of this compliance site

Deadline 02.08.2026

• Conformity assessment for all high-risk systems (where a Go decision has been taken)
• EU database registration
• CE marking
• QMS evidence

Review per Ground for Prohibition

1. Subliminal Manipulation

Prohibition: AI systems that materially influence the behaviour of a person through subliminal techniques (not consciously perceivable) or deliberately manipulative techniques, such that that person or another person suffers harm.

BAUER GROUP Review: No BAUER GROUP products employ subliminal influence. AI recommendation systems (if any) are transparent and do not pursue manipulative objectives.

Status: ✅ Not affected

2. Exploitation of Vulnerabilities

Prohibition: AI systems that deliberately exploit vulnerabilities arising from age, disability, or a particular social/economic situation.

BAUER GROUP Review: B2B focus. No products targeting vulnerable groups.

Status: ✅ Not affected

3. Social Scoring

Prohibition: Evaluation or classification of natural persons on the basis of their social behaviour over a period of time, leading to unjustified or disproportionate treatment.

BAUER GROUP Review: No scoring systems for natural persons.

Status: ✅ Not affected

4–8. Further Prohibitions

Status of all further grounds for prohibition: ✅ Not affected — no products in the areas of crime prediction, facial recognition, emotion recognition in the workplace, biometric categorisation, or real-time remote biometric identification.

Overview

Since 2 February 2025, certain AI practices have been prohibited in the EU. Infringements are subject to fines of up to EUR 35 million or 7 % of total worldwide annual turnover, whichever is higher.

Catalogue of Prohibitions

Art. 5 prohibits AI systems that:

1. Employ subliminal manipulation to materially influence the behaviour of persons and cause them harm
2. Exploit vulnerabilities — on the basis of age, disability, or social/economic situation
3. Carry out social scoring — evaluation of natural persons on the basis of their social behaviour, leading to unjustified disadvantage
4. Make crime predictions solely on the basis of profiling (without concrete grounds for suspicion)
5. Build facial recognition databases through untargeted scraping from the internet or CCTV footage
6. Deploy emotion recognition in the workplace or in educational institutions (exceptions: medical/safety-related purposes)
7. Perform biometric categorisation based on sensitive characteristics (race, political opinion, trade union membership, sexual orientation, religion)
8. Use real-time remote biometric identification in publicly accessible spaces for law enforcement purposes (narrow exceptions: missing persons, counter-terrorism, serious criminal offences)

BAUER GROUP Relevance

This assessment is reviewed annually and upon every new product development involving an AI component.

Procedure

For every new product development or material modification of an existing product with an AI component, the following screening shall be carried out:

Step 1: Art. 5 Quick Screening

For each of the eight grounds for prohibition: Could the product, under its intended use OR under reasonably foreseeable misuse, fall within this ground for prohibition?

Step 2: Result

• All "No": Product not affected by prohibitions → proceed with risk classification
• At least one "Yes": Halt product development or modify the AI component so that the ground for prohibition no longer applies

Step 3: Documentation

Archive the screening result with date, responsible person, and product identifier.

Overview

Annex I lists the EU harmonisation legislative acts under which AI systems may qualify as safety components of the regulated product (Art. 6(1)).

Section A – Relevant Legislative Acts (Selection)

Section B – Additional Legislative Acts

Section B covers additional legislative acts (civil aviation, vehicle safety, etc.) for which the high-risk classification takes effect only from 2 August 2027.

BAUER GROUP Assessment

For the BAUER GROUP, the primarily relevant items from Annex I are:

1. Machinery Regulation — only if BAUER GROUP markets autonomous robotics systems with AI control under its own name
2. Radio Equipment Directive — only if IoT devices (ESP32 etc.) contain a safety-relevant AI decision-making component

The Eight High-Risk Areas

Annex III defines eight areas in which AI systems are classified as high-risk:

1. Biometrics (where permitted under national law)

• Remote identification systems
• Biometric categorisation based on sensitive attributes
• Emotion recognition

BAUER GROUP Relevance: ❌ Not a business area

2. Critical Infrastructure

AI as a safety component in the management and operation of critical digital infrastructure, road traffic, water, gas, heating or electricity supply.

BAUER GROUP Relevance: ⚠️ Review — SCADA/infrastructure monitoring for utilities

3. Education and Vocational Training

AI for determining access to educational institutions, assessing learning outcomes, monitoring examinations.

BAUER GROUP Relevance: ❌ Not a business area

4. Employment, Workers Management, Access to Self-Employment

• AI for recruitment and personnel selection (No. 4a)
• Decisions on promotion, termination, task allocation
• Performance evaluation and behavioural monitoring

BAUER GROUP Relevance: ⚠️ If AI-assisted HR tools are developed or deployed

5. Access to Essential Private and Public Services

• Creditworthiness assessment
• Risk assessment for life/health insurance
• Evaluation of emergency calls and triage systems

BAUER GROUP Relevance: ❌ Not a business area

6. Law Enforcement

Polygraph equivalents, evidence assessment, risk assessment, profiling.

BAUER GROUP Relevance: ❌ Not a business area

7. Migration, Asylum, Border Control

Risk assessment, asylum processing, document verification.

BAUER GROUP Relevance: ❌ Not a business area

8. Administration of Justice and Democratic Processes

AI in judicial and electoral processes.

BAUER GROUP Relevance: ❌ Not a business area

BAUER GROUP Summary

Of the eight Annex III categories, at most two are potentially relevant for the BAUER GROUP:

1. No. 2 (Critical Infrastructure) — only if AI systems are deployed as safety components in the control of critical infrastructure
2. No. 4 (Employment) — only if AI-assisted HR systems are developed or marketed under the company's own name

All other categories are not relevant to the BAUER GROUP business model.

Decision Tree

For each identified AI system of the BAUER GROUP:

1. Is it an AI system pursuant to Art. 3(1)?
   │
   ├─ NO → AI Act not applicable → END
   │
   └─ YES ↓

2. Does it fall under Art. 5 (prohibited practices)?
   │
   ├─ YES → PROHIBITED → Cease development
   │
   └─ NO ↓

3. Is it a safety component of an Annex I product
   AND does it require a third-party conformity assessment?
   │
   ├─ YES → HIGH-RISK (Art. 6(1)) → Go/No-Go
   │
   └─ NO ↓

4. Does it fall under an Annex III category?
   │
   ├─ NO → Check Art. 50 (transparency obligations)
   │         │
   │         ├─ YES → LIMITED RISK
   │         └─ NO → MINIMAL RISK → END
   │
   └─ YES ↓

5. Does it perform profiling of natural persons?
   │
   ├─ YES → HIGH-RISK (always) → Go/No-Go
   │
   └─ NO ↓

6. Does the exception under Art. 6(3) apply?
   (narrow scope of tasks, no significant
    influence on human decision-making)
   │
   ├─ YES → NON-HIGH-RISK
   │        → Document the assessment (Art. 6(4))
   │        → Registration (Art. 49(2))
   │
   └─ NO → HIGH-RISK → Go/No-Go

Practical Examples – BAUER GROUP

Documentation

Every classification decision is recorded in the Risk Classification Form.

Four Risk Tiers of the AI Act

The AI Act follows a risk-based approach. Obligations scale with the level of risk:

High-Risk Classification (Art. 6)

An AI system is high-risk if:

Path 1 – Art. 6(1) (Product Safety): The system is a safety component of a product falling under EU harmonisation legislation (Annex I Section A) AND requires a third-party conformity assessment.

Path 2 – Art. 6(2) (Annex III): The system falls under one of the eight high-risk categories of Annex III.

Exception (Art. 6(3))

An Annex III system is not high-risk if it:

• Does not perform profiling of natural persons, AND
• Has a narrow procedural scope of tasks (preparatory, not decision-making), AND
• Does not significantly influence or replace human decision-making

Classification Obligation

Providers that classify an Annex III system as non-high-risk must document this assessment before placing it on the market (Art. 6(4)) and register it in the EU database (Art. 49(2)).

See: Non-High-Risk Assessment Template

Art. 6(4) – Documentation Obligation

A provider that classifies an Annex III system as non-high-risk must document this assessment before placing it on the market and make it available to the competent authority upon request.

Requirements for a Non-High-Risk Classification

All three conditions must be met cumulatively (Art. 6(3)):

1. The AI system does not perform profiling of natural persons
2. The AI system does not make autonomous decisions that significantly affect fundamental rights
3. The AI system has a narrow, preparatory scope of tasks (preparation for human decision-making, not a substitute)

Documentation Content

The non-high-risk assessment must contain at least:

• Unique identification of the AI system
• Assignment to the Annex III category
• Description of the intended purpose
• Justification as to why none of the three conditions is violated
• Date and responsible person
• Version control for amendments

See: Non-High-Risk Assessment Template

Registration Obligation

Even where a system is classified as non-high-risk, there is a registration obligation in the EU database (Art. 49(2)).

Instructions

This inventory is to be completed for every AI system within the BAUER GROUP. It serves as the basis for risk classification and the Go/No-Go decision.

Inventory Template

## AI System Entry

| Field | Value |
|---|---|
| **System ID** | AI-BGI-XXXX |
| **Name** | [Product name] |
| **Version** | [Version] |
| **Description** | [Brief description of the AI functionality] |
| **AI technology** | [ML / DL / LLM / RL / Other] |
| **Third-party AI model** | [Yes/No — if yes, which one: e.g. Claude API, GPT-4] |
| **BAUER GROUP role** | [Provider / Deployer / Distributor] |
| **Target market** | [EU / Third market / Both] |
| **Risk level** | [Prohibited / High / Limited / Minimal / Not classified] |
| **Art. 5 review** | [Passed / Failed / Pending] |
| **Annex III category** | [No. X / None / Review required] |
| **Go/No-Go EU** | [Go / No-Go / Open] |
| **Compliance deadline** | [Date] |
| **Responsible person** | [Name] |
| **Last review** | [Date] |
| **Next review** | [Date] |
| **Remarks** | [Free text] |

Notes

• Each system receives a unique ID (format: AI-BGI-XXXX)
• The inventory is updated at least annually
• For new AI products: create an entry before development begins
• This inventory is an internal document and is not published

EU DECLARATION OF CONFORMITY

No. [declaration_id]

Regulation (EU) 2024/1689 — Artificial Intelligence Act

1. AI System:

2. Name and address of the provider and, where applicable, their authorised representative:

3. This declaration of conformity is issued under the sole responsibility of the provider.

4. Risk classification:

5. The AI system described above is in conformity with the requirements of Regulation (EU) 2024/1689:

6. Reference to applied harmonised standards / technical specifications:

7. Member States in which the AI system has been placed on the market or put into service:

[List of Member States or "EU-wide"]

8. Conformity assessment procedure:

9. Transparency and registration:

10. Support period:

Signed for and on behalf of:

[provider.name]

This declaration shall be retained for 10 years after the AI system is placed on the market (Art. 47(2)).

Practical templates for AI Act compliance at BAUER GROUP. All templates are designed as starting points and should be adapted to the specific use case.

This form documents the assessment of an Annex III system as not high-risk pursuant to Art. 6(3)–(4).

System Identification

Review of Exception Criteria (Art. 6(3))

Criterion 1: No Profiling

Does the system carry out profiling of natural persons (automated processing of personal data to evaluate personal aspects)?

• [ ] No — Criterion met
• [ ] Yes — Exception does NOT apply → System is HIGH-RISK

Justification: ___

Criterion 2: No Autonomous Decision-Making

Does the system make autonomous decisions that significantly affect fundamental rights?

• [ ] No — Criterion met
• [ ] Yes — Exception does NOT apply → System is HIGH-RISK

Justification: ___

Criterion 3: Narrow, Preparatory Scope

Does the system have a narrow, preparatory scope (preparation for a human decision, not a substitute)?

• [ ] Yes — Criterion met
• [ ] No — Exception does NOT apply → System is HIGH-RISK

Justification: ___

Result

• [ ] All three criteria met → NOT HIGH-RISK → Registration pursuant to Art. 49(2) required
• [ ] At least one criterion not met → HIGH-RISK → Go/No-Go assessment

Signature

AI System Identification

Step 1: AI System Definition

Is the system an AI system pursuant to Art. 3(1)?

• [ ] Yes → Continue with Step 2
• [ ] No → AI Act not applicable → END

Justification: ___

Step 2: Prohibited Practices Review (Art. 5)

Does the system fall under one of the eight prohibited practices?

• [ ] No → Continue with Step 3
• [ ] Yes → PROHIBITED — Cease development

Step 3: High-Risk Review (Art. 6)

3a: Annex I (Product Safety)

Is the system a safety component of an Annex I product?

• [ ] No → Continue with 3b
• [ ] Yes → HIGH-RISK → Continue with Step 4

3b: Annex III (Categories)

Does the system fall under an Annex III category?

• [ ] No → Continue with 3c
• [ ] Yes, category no.: ___ → Continue with 3d

3c: Transparency Obligations (Art. 50)

Does the system interact directly with natural persons or generate synthetic content?

• [ ] No → MINIMAL RISK → END
• [ ] Yes → LIMITED RISK → END

3d: Profiling Review

Does the system carry out profiling of natural persons?

• [ ] Yes → HIGH-RISK (always) → Continue with Step 4
• [ ] No → Continue with 3e

3e: Exception under Art. 6(3)

Does the system meet ALL three exception criteria?

• [ ] Yes → NOT HIGH-RISK → Documentation + Registration → END
• [ ] No → HIGH-RISK → Continue with Step 4

Step 4: Go/No-Go (high-risk only)

Decision: [ ] GO EU / [ ] NO-GO EU / [ ] Deferred

Signature

Notice for AI-Supported Interactions (Art. 50(1))

The following notice shall be used in all BAUER GROUP products that enable direct AI interaction with natural persons:

Variant 1: Chatbot / Conversational AI

🤖 AI Assistant
You are communicating with an AI-powered assistant from BAUER GROUP.
Responses are generated automatically and may contain errors.
For important decisions, please consult a human contact person.

Variant 2: Compact (for limited space)

This assistant is powered by Artificial Intelligence.

Variant 3: AI-Generated Content (Art. 50(2))

This content was created with the assistance of Artificial Intelligence.

Technical Implementation

• Chatbots: Notice in the chat header or as the first message
• Web applications: Info badge or tooltip next to AI-powered features
• API documentation: Notice in the API description
• E-mail/Documents: Footer notice for AI-generated content

Machine-Readable Labelling

For synthetic content (Art. 50(2)), additionally:

<meta name="ai-generated" content="true">
<meta name="ai-provider" content="BAUER GROUP">
<meta name="ai-model" content="[Model designation]">

Requirement

When a BAUER GROUP product enables a direct interaction between an AI system and a natural person (e.g. chatbot, voice assistant), the person must be informed.

Implementation

Chatbots and Conversational AI

A clear notice must be placed before or at the start of the interaction:

🤖 You are communicating with an AI assistant.
The responses are automatically generated
and may contain errors.

API-based AI Services (B2B)

For B2B products that provide AI functionality via APIs, the notice is embedded in the technical documentation and terms of use.

Exception: Obviousness

If it is obvious from the context that an AI interaction is taking place (e.g. the service is called "BAUER GROUP AI Assistant"), the explicit notice may be omitted. Recommendation: label it nonetheless.

Template

See: Transparency Notice Template

Requirement

Providers of AI systems that generate synthetic audio, image, video or text content must ensure that the outputs are marked as AI-generated in a machine-readable format (Art. 50(2)).

Deployers who publish deepfakes must clearly and visually disclose this (Art. 50(4)).

BAUER GROUP Relevance

The BAUER GROUP does not produce or distribute any deepfakes. However, the following scenarios must be considered:

Technical Implementation

The following standards are suitable for machine-readable labelling of synthetic content:

• C2PA standard (Coalition for Content Provenance and Authenticity) for images/video
• IPTC metadata for images
• Custom HTTP headers or meta tags for web content

The specific technical implementation will be defined as needed when BAUER GROUP products generate synthetic content for external publication.

Overview

Art. 50 obliges providers and deployers of certain AI systems to implement transparency measures. These obligations apply from 2 August 2026 and concern AI systems with limited risk.

Obligations

1. Disclose AI Interaction (Art. 50(1))

Providers of AI systems that directly interact with natural persons (chatbots, voice assistants) must ensure that those persons are informed that they are interacting with an AI.

Exception: Where this is obvious from the circumstances.

2. Label Synthetic Content (Art. 50(2))

Providers of AI systems that generate synthetic audio, image, video or text content must label the outputs in a machine-readable format as AI-generated.

3. Deepfake Disclosure (Art. 50(4))

Deployers who publish deepfakes must disclose that the content is AI-generated or AI-manipulated.

4. Emotion Recognition / Biometric Categorisation (Art. 50(3))

Deployers must inform affected persons and comply with GDPR obligations.

BAUER GROUP Implementation

Summary of All Labelling Obligations

Not Subject to Labelling Obligations

• AI systems with minimal risk (spam filters, recommendation algorithms, etc.)
• Internal AI tools that do not publish content externally
• AI-assisted code (not "synthetic content" in the regulatory sense)

Training Attendance Confirmation

Training Content

Basic Training (all employees)

• [ ] What is Artificial Intelligence? (Key concepts)
• [ ] What AI can do — what AI cannot do (Limitations and risks)
• [ ] EU AI Act — Brief overview
• [ ] Responsible use of AI (Automation bias, hallucinations, data protection)
• [ ] BAUER GROUP guidelines on the use of AI

Developer Training (additional)

• [ ] AI Act risk classification
• [ ] Technical requirements Art. 8–15
• [ ] AI-specific security risks (Adversarial ML, Prompt Injection)
• [ ] Integration into CI/CD processes

Product Owners (additional)

• [ ] Complete AI Act obligations catalogue
• [ ] Go/No-Go decision process
• [ ] Conformity assessment and documentation
• [ ] Sanctions regime and liability

Confirmation

I confirm attendance at the above-mentioned training and acknowledge the content.

AI System Identification

Economic Assessment

Compliance Effort (estimated)

CRA Synergies

• [ ] Product is already CRA-compliant → effort reduction ~55%
• [ ] Product has no CRA compliance → full effort

Assessment

Decision

• [ ] GO EU — Start compliance implementation
• [ ] NO-GO EU — No EU distribution
• [ ] NO-GO EU + Third market — Distribution in third markets only
• [ ] NO-GO EU + AI removal — EU version without AI component
• [ ] Deferred — Await Digital Omnibus / simplification

Justification

[Free text]

Approval