Sources & References
Hierarchical index of authoritative sources, from the regulation text down to secondary analyses. The team's shared map for navigating the regulation.
Level 1 — Primary Regulation Documents
1.1 The Regulation Text (Regulation (EU) 2024/1689)
| Resource | Format | Notes |
|---|---|---|
| EUR-Lex ELI page | HTML | Metadata, all formats, all languages |
| Full text HTML | HTML | Official Journal — English |
| Full text PDF | Authentic OJ edition (~460 pages) | |
| CELEX permalink | HTML | All EU languages |
| ELI permanent link | HTML | — |
| Consolidated version (12 Jul 2024) | HTML | Starting point for reading |
What it is: Regulation (EU) 2024/1689, adopted 13 June 2024, published in the Official Journal 12 July 2024, in force 1 August 2024. Contains 180 recitals, 113 articles, and 13 annexes.
1.2 EC Digital Strategy — AI Act Hub
| Resource | Notes |
|---|---|
| Main AI Act policy page | Official landing page — risk tiers, timeline, links to all Commission instruments |
| Governance & enforcement | AI Office, AI Board, national authorities, enforcement structure |
| Standardisation | CEN/CENELEC standards roadmap — key for conformity assessment |
| Q&A | Covers Digital Omnibus changes, GPAI, SME rules |
| AI Act Whistleblower Tool | — |
What it is: The European Commission's (DG CONNECT) official hub for the AI Act. Maintained live; updated as new guidelines and implementing acts are published. Contains the official risk pyramid, timeline, and links to all Commission-published support documents.
1.3 AI Act Service Desk (Official EC Support Platform)
| Resource | Notes |
|---|---|
| Home | Single information platform run by DG CONNECT / AI Office |
| Implementation Timeline · local summary | Official milestones; updated with Omnibus changes |
| AI Act Explorer | Interactive article-by-article navigator |
| Compliance Checker | Questionnaire → which obligations apply to you |
| FAQ | Covers Omnibus, GPAI, SME rules, sandboxes |
| High-Risk Guidelines Explorer | Clause-level navigator for Art. 6 classification guidelines |
| High-Risk AI Summaries & Examples | — |
What it is: Official EC single-information platform for AI Act compliance questions. Run by DG CONNECT / AI Office. The FAQ covers the Digital Omnibus changes.
Level 2 — Official Guidance, Implementing Acts & Regulatory Bodies
These documents interpret and operationalise the regulation. Second in authority after the regulation text itself.
2.1 EU AI Office
| Resource | Notes |
|---|---|
| AI Office overview · local summary | Mandate, role, contact |
| AI Office tasks (FLI) | Exhaustive list of Art. 88–94 responsibilities |
| GPAI enforcement overview (FLI) | How the AI Office investigates GPAI providers |
| Contact AI Office | — |
What it is: Established within DG CONNECT (European Commission), the AI Office is the EU-wide body for monitoring GPAI model compliance and coordinating enforcement across member states. Operational since early 2024.
2.2 Commission Guidelines & Published Instruments
| Resource | Topic |
|---|---|
| Guidelines — prohibited AI practices · local summary | Legal explanations + examples for all 8 banned categories |
| Guidelines — AI system definition | What is in scope; classification of software as AI |
| Guidelines — GPAI model obligations scope · local summary | Who is a "provider" vs "deployer" along the GPAI value chain |
| Draft guidelines — high-risk classification (May 2026) · local summary | Art. 6 exceptions; practical classification logic |
| Draft guidelines — transparency obligations Art. 50 (May 2026) | Chatbot disclosure, deepfake labelling requirements |
| Template — GPAI training content summary | What providers must publish about training data |
| Report — review of prohibitions & high-risk (May 2026) | Commission's first annual review; signals potential list changes |
| Three studies on Article 5 | Deep technical/legal analysis of each prohibited practice |
| Impact Assessment of the AI Act | — |
2.3 GPAI Code of Practice
| Resource | Notes |
|---|---|
| Official CoP site · EC: contents of the code · summary | Final version published 10 July 2025. Three chapters: Transparency, Copyright, Safety & Security. Providers may use an adequate Code of Practice to help demonstrate compliance with Articles 53 and 55 while harmonised standards are unavailable; do not describe it as creating a presumption of conformity. |
| EC CoP page | Official Commission landing page for the CoP |
| Signatory Taskforce | Industry/expert process that drafted the CoP |
| Introduction to the CoP (FLI) | Accessible explainer of structure and purpose |
| CoP summarised (FLI) | Chapter-by-chapter breakdown |
| GPAI Guidelines overview (FLI) | — |
What it is: Published 10 July 2025 by the Commission. Voluntary tool covering three chapters: Transparency, Copyright, and Safety & Security. Providers may use an adequate Code of Practice to help demonstrate compliance with Articles 53 and 55 while harmonised standards are unavailable; PE-CONS 30/26 says codes of practice have limited legal effect and do not create a presumption of conformity.
2.4 AI Pact
| Resource | Notes |
|---|---|
| AI Pact overview | Voluntary initiative for providers/deployers to comply with key AI Act obligations ahead of mandatory dates |
2.5 Standardisation
| Resource | Notes |
|---|---|
| AI Act standardisation page | CEN/CENELEC standards roadmap — prerequisite for harmonised conformity |
| Standard-setting overview (FLI) | — |
What it is: CEN/CENELEC and ETSI are developing harmonised standards under the AI Act. Conformity with these will grant a legal presumption of compliance for high-risk AI systems.
2.6 Notified Bodies & Conformity Assessment
| Resource | Notes |
|---|---|
| VDE guide — conformity assessment for high-risk AI · local summary | Step-by-step for high-risk AI providers |
| MedEnvoy — notified bodies | NB requirements, designation process, capacity constraints |
| arXiv 2512.13907 — technical verification | Maps each legal requirement to concrete technical checks |
What it is: Chapter III Section 4 of the Act governs notified bodies. Designation of notified bodies by national authorities became applicable 2 August 2025. Third-party conformity assessment is required for Annex I products and certain biometric systems.
2.7 EDPB / Data Protection Intersection
| Resource | Notes |
|---|---|
| EDPB homepage | — |
| Stephenson Harwood — enforcement overview · local summary | Covers EDPB's recommended role as market surveillance authority |
What it is: The EDPB recommended that national data protection authorities (DPAs) be designated as market surveillance authorities for high-risk AI systems that impact personal data rights. No standalone EDPB opinion has been published on the AI Act yet (as of mid-2026).
2.8 Digital Omnibus (Simplification Package)
| Resource | Notes |
|---|---|
| Omnibus proposal | The amendment text; proposed Nov 2025 |
| Political agreement (7 May 2026) | Political-agreement announcement: extended timelines, intimate-material/CSAM prohibition, AI Office powers |
| Final act text, PE-CONS 30/26 | Final Digital Omnibus on AI text after Parliament first reading; use until OJ publication and CELEX citation are available. |
| Council I/A item note, ST 10752/26 | Explains adoption mechanics: if Council approves Parliament's position, the legislative act is adopted, then signed and published in the OJ. |
| Digital Package on Simplification | — |
What it is: Proposed by the Commission on 19 November 2025; provisional agreement reached 6–7 May 2026; Coreper confirmed the agreement on 13 May 2026; Parliament adopted its first-reading position on 16 June 2026; Council gave final approval on 29 June 2026. During this audit no EUR-Lex/OJ publication was found. Key final-text changes include Chapter III high-risk deferrals (Annex III → 2 December 2027, Annex I → 2 August 2028), Article 5 intimate-material/CSAM prohibitions applying from 2 December 2026, national sandbox deadline moved to 2 August 2027, an optional EU-level AI Office sandbox, and SME/SMC simplification measures.
Level 3 — High-Quality Secondary Sources
Interpretations, analyses, and practical guides. Authoritative but not legally binding.
3.1 Future of Life Institute — artificialintelligenceact.eu
50,000+ newsletter subscribers; updated continuously by FLI.
| Resource | Notes |
|---|---|
| AI Act Explorer | Interactive full-text browser with linked articles, recitals, and annexes |
| High-level summary | Concise overview of all four risk tiers and obligations — good first read |
| Implementation Timeline | Every key date with article references, from 2024 through 2031 |
| Implementation Documents | Collected index of all official implementing acts, guidelines, and delegated acts |
| The Act Texts | Index of all text versions (trilogues, published, consolidated) |
| Historic Documents | — |
| GPAI Providers overview | — |
| Small businesses guide | — |
| Guide for HR & Staffing | — |
| Transparency rules (Article 50) guide | — |
| Compliance Checker | Questionnaire → which obligations apply to your role and system |
| National implementation plans | — |
| AI Regulatory Sandboxes overview | — |
| EU AI Act Newsletter (Substack) | Biweekly briefing for policymakers and practitioners |
3.2 Law Firm Analyses
| Firm | Article | Focus |
|---|---|---|
| Jones Day | GPAI CoP published (Aug 2025) | Legal implications of the CoP for GPAI providers |
| Pinsent Masons | Guide to high-risk AI systems | Classification rules, provider obligations, practical steps |
| K&L Gates | EU & Luxembourg updates (Jan 2026) | Recent regulatory developments, national implementation |
| Kennedy's Law | Timeline deep-dive (2026) | Compliance deadline planning by obligation type |
| Lowenstein Sandler | Privacy angle (2024) | GDPR / AI Act interplay |
| Stephenson Harwood | Enforcement overview | Penalties, enforcement structure, national authority roles |
3.3 Policy Institutes & Think Tanks
| Organisation | Resource | Notes |
|---|---|---|
| Future of Life Institute | Full website | See §3.1 for detailed resource list |
| Interface EU | GPAI CoP deep-dive | Policy institute analysis of the CoP's reach and gaps |
3.4 Academic & Technical
| Resource | Notes |
|---|---|
| Assessing High-Risk AI Systems — technical verification (arXiv, Dec 2024) | Maps legal requirements to concrete technical checks |
3.5 Compliance Trackers & Practitioner Guides
| Resource | Angle |
|---|---|
| DataGuard — Timeline | Visual timeline by risk tier; good for quick orientation |
| Trilateral Research — Model-to-tier mapping | Maps AI model types to risk tiers and compliance deadlines |
| LegalNodes — 2026 updates | Business risk framing for the Aug 2026 enforcement wave |
| GDPR Local — Risk classification | Side-by-side comparison of all four risk categories |
| TRAIL ML — Risk classification | ML-practitioner angle on classification logic |
| Glocert — Classification Playbook | Decision-tree: Prohibited vs High-Risk vs Limited-Risk |
| CSA Lab Space — Enterprise Readiness | Gap analysis for enterprises ahead of Aug 2026 deadline |
| ModelOp — summary & compliance | Governance platform angle |
3.6 Newsletter & Ongoing Coverage
| Resource | Cadence |
|---|---|
| EU AI Act Newsletter (FLI Substack) | Biweekly |
| TTMS — EU AI Act 2025 Update | One-off |
Key Source Documents
Linked straight to the official online source — none are hosted on this site.
| Document | Official source |
|---|---|
| Official Journal PDF (~460 pages) | EUR-Lex |
| FLI High-level Summary | FLI |
| GPAI CoP — Transparency chapter | code-of-practice.ai |
| GPAI CoP — Copyright chapter | code-of-practice.ai |
| GPAI CoP — Safety & Security chapter | code-of-practice.ai |
Suggested Reading Order
Work through sources roughly in this order:
- 01 · Regulation Overview — what the Act does, four-tier risk framework
- 02 · Timeline — when each wave hits; where we are now
- 03 · Prohibited AI — 8 base Article 5 prohibitions in force, plus Omnibus intimate-material/CSAM additions applying from 2 December 2026 after OJ publication
- 06 · High-Risk Classification — Annex I vs III, exceptions
- 08 · Annex III Use Cases — the 8 high-risk areas, verbatim sub-points
- 09 · Annex I Products — the product-safety laws that trigger high-risk
- 10 · SME & Start-ups — reliefs in force today + Digital Omnibus final-text additions pending OJ publication
- 05 · GPAI Models & CoP — GPAI obligations + Code of Practice
- 04 · Governance & AI Office — who enforces what
- 07 · Conformity Assessment — notified bodies, CE marking flow
- Law firm analyses in §3.2 — practical compliance framing
- FLI implementation documents — pick annexes/articles relevant to your role