1. Identification of AI Systems
Identification and documentation of all AI applications within the company. It is advisable to also collect master data such as location, responsible person/user, supplier, etc., and assess the extent to which the AI influences decision-making processes and outcomes.
2. Risk Assessment of AI Systems
Categorization of all AI systems into four risk classes (Prohibited AI, High-Risk AI, Limited-Risk AI, Minimal-Risk AI).
3. For High-Risk AI Systems (Art. 6 ff. AI Act)
The use of high-risk AI entails specific obligations. The following requirements must be met, among others: implement a risk management system, ensure data governance, create technical documentation, fulfill logging obligations, comply with transparency and information duties, ensure human oversight, and guarantee cybersecurity and robustness.
4. Establish a Reporting System
As part of incident or event management, there is an obligation to report serious incidents to the national supervisory authority within 15 calendar days. Serious incidents, as defined in Art. 62 of the AI Act, are adverse events caused by AI systems that meet at least one of the following criteria: (a) violation of fundamental rights (e.g. discrimination, breach of privacy), (b) threat to life or health, (c) significant disruption of critical functions, (d) risk to property or the environment.
5. Integration into Existing Systems
AI risks and their impact on assets and processes must be integrated into the following management systems and areas to avoid redundancies and enable centralized control: (a) Risk Management, (b) Compliance, (c) ISMS/NIS2 (Information Security Management System), (d) ESG (Environment, Social, Governance)
6. Reporting and Monitoring
Establish regular monitoring (including audits) and maintain an update management process for changes in data, algorithms, or functions. All relevant AI systems (high-risk AI), along with their changes, assessments, and implemented measures, must be reported regularly. Serious incidents must be reported immediately to executive management and the appropriate reporting bodies.
8. Training & Awareness
Set up internal training programs for developers, management, information security, data protection, and compliance officers.

1. Prohibited AI Systems
AI systems falling under Article 5 of the EU AI Act are strictly prohibited in the European Union, as they violate fundamental rights, human dignity, or democratic principles. Prohibited applications include those that subliminally manipulate people (e.g. through subliminal techniques), unlawfully influence behavior, or exploit individuals emotionally or psychologically. The use of AI for social scoring of natural persons based on behavior, personality, or social characteristics is also banned.
2. High-Risk AI Systems
According to Article 6 in conjunction with Annex III of the AI Act, AI systems are considered high-risk if their use can significantly impact the health, safety, or fundamental rights of individuals. This includes applications in critical areas such as medical diagnostics, recruitment, creditworthiness assessment, education, judiciary, or critical infrastructure. These systems are subject to strict obligations regarding development, data, and oversight.
3. Limited-Risk AI Systems
Limited-risk AI systems typically interact directly with users, such as chatbots, virtual assistants, or technologies that generate synthetic content, including deepfakes. While these systems do not pose high technical or safety risks, they can influence user autonomy and trust. Therefore, the EU AI Act mandates specific transparency obligations.
4. Minimal-Risk AI Systems
Minimal-risk AI systems represent the broadest category of AI applications—such as spam filters, product recommendations, or spell checkers. This risk class is subject to no explicit obligations and may be developed, marketed, and used without special restrictions, as they do not pose significant risks to individual rights or safety.

1. Risk Management System (Art. 9):
An effective risk management system must be established and documented, covering the entire lifecycle of the AI system.
2. Information and Data Governance (Art. 10):
Training, testing, and validation data must be (a) appropriate, representative, error-free, and complete, (b) reviewed and documented for potential bias, and (c) compliant with personal data protection regulations (especially GDPR).
3. Technical Documentation (Art. 11):
Comprehensive technical documentation is required to demonstrate compliance with legal requirements.
4. Logging Obligations (Art. 12):
The AI system must enable automatic logging for: (a) traceability, (b) incident tracking, (c) complete documentation.
5. Transparency and Information Provision (Art. 13):
Users must receive clear and understandable information about (a) functionality, (b) limitations and risks, (c) correct interpretation.
6. Human Oversight (Art. 14):
High-risk AI systems must be designed to allow for (a) human control, (b) prevention of unintended outcomes, (c) detection and interruption of malfunctions.
7. Robustness, Security, and Accuracy (Art. 15):
The system must be (a) resilient against attacks and disruptions, (b) demonstrate defined accuracy, and (c) function reliably even with faulty inputs.
8. Conformity Assessment (Art. 43 ff.):
Before market placement, a conformity assessment must be conducted—either by the provider (internal control) or by a notified body for particularly sensitive AI systems.
9. CE Marking (Art. 49):
After successful conformity assessment, the system must be labeled with a CE mark, indicating compliance with all applicable EU regulations.
10. Registration in EU Database (Art. 60):
High-risk AI systems must be registered in a central EU transparency database prior to market placement.
11. Reporting of Serious Incidents (Art. 62):
Operators must report all incidents to the competent supervisory authority within 15 days that (a) result in serious impairment of health, safety, or fundamental rights, or (b) could potentially lead to such outcomes.

1. Reporting Obligations for Serious Incidents
According to Art. 62 of the AI Act, providers and operators of high-risk AI systems are required to report serious incidents immediately and no later than 15 calendar days after becoming aware of them to the competent market surveillance authorities. A serious incident occurs particularly when the AI system (a) significantly impairs or could impair a person’s health or safety, or (b) causes a serious violation of fundamental rights (e.g. data protection, non-discrimination).
2. Oversight by Authorities
Supervisory authorities of the Member States are authorized to conduct random inspections, request evidence, and take action if necessary to remove unlawful AI systems from the market or prohibit their use. The EU Commission may also intervene, for example through entries in the central EU AI database or by initiating coordinated monitoring actions.
3. Sanctions for Violations
Violations of the AI Act may be penalized with substantial fines under Art. 71. The amount of the fines depends on the severity of the violation and the company’s global annual turnover:
- Prohibited AI practices: up to EUR 35,000,000 or 7% of global annual turnover (whichever is higher)
- Violations of requirements for high-risk AI systems: up to EUR 15,000,000 or 3% of global annual turnover
- False statements to authorities: up to EUR 7,500,000 or 1% of global annual turnover
For small and medium-sized enterprises (SMEs) and start-ups, reduced sanction levels may apply, but without exemption from fundamental responsibilities.