EU AI Act: operational alignment with evidence

Official sources, roles, and a browser-only checklist on this site. Practical guide—not legal advice; the first section below sets scope. Many high-risk systems face key deadlines from August 2026—confirm dates in EUR-Lex and your compliance calendar.

Why teams stall

Commentary is loud; the enforceable text is in EUR-Lex

This page is not legal advice. It is a practical guide: anchor decisions in the consolidated Regulation (EU) 2024/1689 in EUR-Lex; use the Commission’s AI Act Service Desk (Explorer and Compliance Checker) to navigate and triage next to that text; add Commission and EU AI Office updates as published — and tie internal choices to specific articles and annexes, not to slide decks or social posts.

  • No agreed text version

    Teams argue about “what the Act says” without sharing the same EUR-Lex version or Official Journal reference. Fix the exact text, language, and date you rely on; then track amendments and delegated acts.

  • Annex III by anecdote

    Whether something is high-risk is set out in the law and annexes — not by a vendor’s marketing label. Review Annex III and the definitions with your legal counsel, record the conclusion, and keep evidence of the assessment.

  • Slides, no technical file

    Risk rises when slide decks replace technical documentation, data lineage, and logging that matches the risk level — exactly what regulators and customers will later ask for.

  • No clear RACI

    Provider and deployer responsibilities shape contracts and incident handling. Without a clear RACI, conformity work, GDPR follow-up, and vendor escalations stall.

Official sources

The sources your legal and technical team should always have open

Use language switchers on EU sites; cite CELEX and retrieval dates internally. The AI Act Service Desk adds Explorer and the Compliance Checker — still read EUR-Lex as primary law.

The consolidated Regulation (EU) 2024/1689 is in EUR-Lex (CELEX 32024R1689). In EUR-Lex, pick your language in the header and note the retrieval date in your internal records. Use the AI Act Service Desk for Explorer and the Compliance Checker as you work — citations in your file set should still point to EUR-Lex. Open everything below, including the checklist workspace for a grouped view.

AI Act Service Desk — Single Information Platform

The Commission’s official hub: AI Act Explorer to browse chapters and annexes, the EU AI Act Compliance Checker, and expert support — use with EUR-Lex, not instead of it.

EU AI Office

Rollout communication, GPAI documentation expectations, and implementation updates — read alongside primary law.

Reading order

From binding law to what applies to your org today

From the binding rules in force to the narrower set your counsel confirms applies to you on a given date.

  1. Regulation + annexes

    Articles, definitions, Annex III high-risk use cases, prohibited practices, and GPAI chapters — your main map of obligations. The AI Act Explorer helps browse those sections interactively; your audit trail still cites the EUR-Lex edition you froze.

  2. Delegated & implementing acts

    Secondary EU acts set thresholds, templates, and procedures. Track them in EUR-Lex with the same rigour as the main regulation.

  3. Harmonised standards (when cited)

    Presumption of conformity depends on standards published in the Official Journal. Legal and engineering should agree which editions apply to your products or processes.

  4. After the law: internal evidence trail

    Not a “source” on EUR-Lex — version the PDFs, Commission Q&A you relied on, and vendor DPAs so audits can show why a design decision was made.

Official entry points for step 1 below: the consolidated regulation on EUR-Lex, then the Commission’s Explorer and Service Desk (navigation — your audit still cites the EUR-Lex edition you freeze).

Step guide — from inventory to evidence kit

Six tangible deliverables — from first inventory to the file a supervisor can review. Owner roles keep legal, product, and engineering aligned.

Step 1 — Inventory & owner

Deliverable: use-case register (system, business owner, data categories, vendor or product ID). Owner: product sponsor + legal point of contact.

Step 2 — Classify against the text

Deliverable: provisional risk level, references to articles or Annex III paragraphs, and date of legal sign-off. Owner: legal, with product and engineering input.

Step 3 — Provider / deployer split

Deliverable: RACI matrix linked to procurement terms, incident SLAs, and handover of technical documentation. Owner: legal + procurement.

Step 4 — Technical documentation & logging

Deliverable: living documentation (architecture, limits, evaluations) and proportionate logs so an audit can reconstruct what happened. Owner: engineering + legal.

Step 5 — Human oversight in UX

Deliverable: wireframes or runbooks for human review, escalation, and override before irreversible actions. Owner: product/UX + legal.

Step 6 — Post-market & change control

Deliverable: monitoring KPIs, model-change log, and plan to reassess when scope or provider changes. Owner: product + engineering + legal.

How to structure it internally — documentation and operations (schematic)

Internal operating rhythm

Baseline, inventory, and the file that survives review

The three blocks below are how teams usually align legal, product, and engineering before arguing about scope. The section after that is illustrative documentation depth by risk band—examples only; your counsel defines the binding set.

  • Lens A

    Freeze the baseline

    Download or print the EUR-Lex consolidated text you adopt internally; log CELEX, language, and retrieval date in your repository. Use AI Act Explorer only to navigate — do not substitute it for the PDF or URL your counsel treats as authoritative.

  • Lens B

    Map every use case

    One row per AI system: business context, data, Annex III check, GPAI exposure if any, and hyperlinks to DPIA / DPIA-like records where GDPR overlaps.

  • Lens C

    Build the file that survives review

    Pull together the technical narrative, test results, human-oversight evidence, and vendor statements so you can answer legal review and customer due diligence.

Documentation prompts by intensity

Examples only — your counsel defines the final documentation set.

Minimal / general-purpose chat

Acceptable-use policy, vendor DPA/DPIA pack, lightweight logging of enterprise prompts where proportionate.

Limited-risk transparency

Disclosure copy, UX proofs, synthetic-media labelling plan if relevant, training for staff facing customers.

High-risk posture

Quality management hooks, technical file depth, conformity strategy, FRIA where applicable, continuous post-market logs.

Primary law vs convenient narratives

What stands up when someone asks “show me the obligation”

| Topic | Secondary noise | What holds up under scrutiny |
|---|---|---|
| Source of truth | Vendor pitch decks or social threads. | EUR-Lex CELEX 32024R1689 plus memo citing articles; Service Desk orients the team, not the citation. |
| High-risk claims | "Our tool is enterprise-grade high trust." | Annex III/legal test documented per use case, not product marketing. |
| Evidence requests | Screenshots of chat answers. | Doc index, eval logs, tickets tied to model versions. |
| Timeline certainty | Vague “we’ll be ready” statements without an OJ source. | Verify deadlines in the Official Journal (e.g. high-risk August 2026)—not vague promises. |

Examples of what boards and audits often ask for

Illustrative patterns only—four sketches of what teams often maintain, not a template library or something we ship as files. Wording differs by sector; align with counsel before sharing outside the organisation.

Use-case & risk register

Single table: system, owner, data, Annex III path, GPAI touchpoints, legal reviewer, date.

Technical documentation index

Living index pointing to architecture docs, model cards, test protocols, and release evidence.

Human oversight evidence

UX flows, training logs, escalation playbooks, and tickets proving review before critical actions.

Vendor & data trail

Subprocessor maps, licensing for training/fine-tune data, DPAs, incident history, and change notices.

Your path

1 · Sources → 2 · Guide → 3 · Checklist

This page is the narrative walkthrough. The checklist is a separate, mobile-first workspace with official links at the top — use it when you’re ready to tick tasks off.

  1. Learn to cite EUR-Lex plus the Commission AI Act Service Desk (Explorer & Compliance Checker), the Commission AI hub, and the EU AI Office
  2. Read on this page how roles, risk levels, and practical steps fit together
  3. Work through the checklist on its own page; when finished, print or save as PDF

Documents & scope — quick clarifications

Is this legal advice?

No. It is an operational companion pointing to official EU sources. Only qualified counsel can interpret how articles apply to your facts.

Do we need every harmonised standard day one?

Depends on product class and conformity strategy. Legal and engineering track which standards the OJ cites and whether you claim presumption of conformity.

GDPR overlap?

Many AI systems still require DPIAs, lawful basis, and processor clauses — cross-link those records to your AI Act file set.

Which URL should everyone bookmark?

EUR-Lex CELEX 32024R1689 in your working language is the citation anchor. Add the AI Act Service Desk for Explorer and the Compliance Checker, the Commission AI policy page, and the EU AI Office for implementation updates — GPAI providers should also track the voluntary code of practice.

How does the checklist help?

It lives on its own focused page so you can work top-to-bottom on mobile. Same governance checkpoints we use in workshops; ticks stay in your browser — print or save as PDF for records elsewhere.

Get started

Your team knows what's needed. We help you build it.

Thinkia Mesh connects data, platforms, and user experience to the same evidence your lawyers rely on. August 2026 is the operative horizon for many high-risk AI systems—align timelines with EUR-Lex, then use the checklist or talk to us.