Skip to main content

Sources & References

Hierarchical index of authoritative sources, from the regulation text down to secondary analyses. The team's shared map for navigating the regulation.


Level 1 — Primary Regulation Documents

1.1 The Regulation Text (Regulation (EU) 2024/1689)

ResourceFormatNotes
EUR-Lex ELI pageHTMLMetadata, all formats, all languages
Full text HTMLHTMLOfficial Journal — English
Full text PDFPDFAuthentic OJ edition (~460 pages)
CELEX permalinkHTMLAll EU languages
ELI permanent linkHTML
Consolidated version (12 Jul 2024)HTMLStarting point for reading

What it is: Regulation (EU) 2024/1689, adopted 13 June 2024, published in the Official Journal 12 July 2024, in force 1 August 2024. Contains 180 recitals, 113 articles, and 13 annexes.

1.2 EC Digital Strategy — AI Act Hub

ResourceNotes
Main AI Act policy pageOfficial landing page — risk tiers, timeline, links to all Commission instruments
Governance & enforcementAI Office, AI Board, national authorities, enforcement structure
StandardisationCEN/CENELEC standards roadmap — key for conformity assessment
Q&ACovers Digital Omnibus changes, GPAI, SME rules
AI Act Whistleblower Tool

What it is: The European Commission's (DG CONNECT) official hub for the AI Act. Maintained live; updated as new guidelines and implementing acts are published. Contains the official risk pyramid, timeline, and links to all Commission-published support documents.

1.3 AI Act Service Desk (Official EC Support Platform)

ResourceNotes
HomeSingle information platform run by DG CONNECT / AI Office
Implementation Timeline · local summaryOfficial milestones; updated with Omnibus changes
AI Act ExplorerInteractive article-by-article navigator
Compliance CheckerQuestionnaire → which obligations apply to you
FAQCovers Omnibus, GPAI, SME rules, sandboxes
High-Risk Guidelines ExplorerClause-level navigator for Art. 6 classification guidelines
High-Risk AI Summaries & Examples

What it is: Official EC single-information platform for AI Act compliance questions. Run by DG CONNECT / AI Office. The FAQ covers the Digital Omnibus changes.


Level 2 — Official Guidance, Implementing Acts & Regulatory Bodies

These documents interpret and operationalise the regulation. Second in authority after the regulation text itself.

2.1 EU AI Office

ResourceNotes
AI Office overview · local summaryMandate, role, contact
AI Office tasks (FLI)Exhaustive list of Art. 88–94 responsibilities
GPAI enforcement overview (FLI)How the AI Office investigates GPAI providers
Contact AI Office

What it is: Established within DG CONNECT (European Commission), the AI Office is the EU-wide body for monitoring GPAI model compliance and coordinating enforcement across member states. Operational since early 2024.

2.2 Commission Guidelines & Published Instruments

ResourceTopic
Guidelines — prohibited AI practices · local summaryLegal explanations + examples for all 8 banned categories
Guidelines — AI system definitionWhat is in scope; classification of software as AI
Guidelines — GPAI model obligations scope · local summaryWho is a "provider" vs "deployer" along the GPAI value chain
Draft guidelines — high-risk classification (May 2026) · local summaryArt. 6 exceptions; practical classification logic
Draft guidelines — transparency obligations Art. 50 (May 2026)Chatbot disclosure, deepfake labelling requirements
Template — GPAI training content summaryWhat providers must publish about training data
Report — review of prohibitions & high-risk (May 2026)Commission's first annual review; signals potential list changes
Three studies on Article 5Deep technical/legal analysis of each prohibited practice
Impact Assessment of the AI Act

2.3 GPAI Code of Practice

ResourceNotes
Official CoP site · EC: contents of the code · summaryFinal version published 10 July 2025. Three chapters: Transparency, Copyright, Safety & Security. Providers may use an adequate Code of Practice to help demonstrate compliance with Articles 53 and 55 while harmonised standards are unavailable; do not describe it as creating a presumption of conformity.
EC CoP pageOfficial Commission landing page for the CoP
Signatory TaskforceIndustry/expert process that drafted the CoP
Introduction to the CoP (FLI)Accessible explainer of structure and purpose
CoP summarised (FLI)Chapter-by-chapter breakdown
GPAI Guidelines overview (FLI)

What it is: Published 10 July 2025 by the Commission. Voluntary tool covering three chapters: Transparency, Copyright, and Safety & Security. Providers may use an adequate Code of Practice to help demonstrate compliance with Articles 53 and 55 while harmonised standards are unavailable; PE-CONS 30/26 says codes of practice have limited legal effect and do not create a presumption of conformity.

2.4 AI Pact

ResourceNotes
AI Pact overviewVoluntary initiative for providers/deployers to comply with key AI Act obligations ahead of mandatory dates

2.5 Standardisation

ResourceNotes
AI Act standardisation pageCEN/CENELEC standards roadmap — prerequisite for harmonised conformity
Standard-setting overview (FLI)

What it is: CEN/CENELEC and ETSI are developing harmonised standards under the AI Act. Conformity with these will grant a legal presumption of compliance for high-risk AI systems.

2.6 Notified Bodies & Conformity Assessment

ResourceNotes
VDE guide — conformity assessment for high-risk AI · local summaryStep-by-step for high-risk AI providers
MedEnvoy — notified bodiesNB requirements, designation process, capacity constraints
arXiv 2512.13907 — technical verificationMaps each legal requirement to concrete technical checks

What it is: Chapter III Section 4 of the Act governs notified bodies. Designation of notified bodies by national authorities became applicable 2 August 2025. Third-party conformity assessment is required for Annex I products and certain biometric systems.

2.7 EDPB / Data Protection Intersection

ResourceNotes
EDPB homepage
Stephenson Harwood — enforcement overview · local summaryCovers EDPB's recommended role as market surveillance authority

What it is: The EDPB recommended that national data protection authorities (DPAs) be designated as market surveillance authorities for high-risk AI systems that impact personal data rights. No standalone EDPB opinion has been published on the AI Act yet (as of mid-2026).

2.8 Digital Omnibus (Simplification Package)

ResourceNotes
Omnibus proposalThe amendment text; proposed Nov 2025
Political agreement (7 May 2026)Political-agreement announcement: extended timelines, intimate-material/CSAM prohibition, AI Office powers
Final act text, PE-CONS 30/26Final Digital Omnibus on AI text after Parliament first reading; use until OJ publication and CELEX citation are available.
Council I/A item note, ST 10752/26Explains adoption mechanics: if Council approves Parliament's position, the legislative act is adopted, then signed and published in the OJ.
Digital Package on Simplification

What it is: Proposed by the Commission on 19 November 2025; provisional agreement reached 6–7 May 2026; Coreper confirmed the agreement on 13 May 2026; Parliament adopted its first-reading position on 16 June 2026; Council gave final approval on 29 June 2026. During this audit no EUR-Lex/OJ publication was found. Key final-text changes include Chapter III high-risk deferrals (Annex III → 2 December 2027, Annex I → 2 August 2028), Article 5 intimate-material/CSAM prohibitions applying from 2 December 2026, national sandbox deadline moved to 2 August 2027, an optional EU-level AI Office sandbox, and SME/SMC simplification measures.


Level 3 — High-Quality Secondary Sources

Interpretations, analyses, and practical guides. Authoritative but not legally binding.

3.1 Future of Life Institute — artificialintelligenceact.eu

50,000+ newsletter subscribers; updated continuously by FLI.

ResourceNotes
AI Act ExplorerInteractive full-text browser with linked articles, recitals, and annexes
High-level summaryConcise overview of all four risk tiers and obligations — good first read
Implementation TimelineEvery key date with article references, from 2024 through 2031
Implementation DocumentsCollected index of all official implementing acts, guidelines, and delegated acts
The Act TextsIndex of all text versions (trilogues, published, consolidated)
Historic Documents
GPAI Providers overview
Small businesses guide
Guide for HR & Staffing
Transparency rules (Article 50) guide
Compliance CheckerQuestionnaire → which obligations apply to your role and system
National implementation plans
AI Regulatory Sandboxes overview
EU AI Act Newsletter (Substack)Biweekly briefing for policymakers and practitioners

3.2 Law Firm Analyses

FirmArticleFocus
Jones DayGPAI CoP published (Aug 2025)Legal implications of the CoP for GPAI providers
Pinsent MasonsGuide to high-risk AI systemsClassification rules, provider obligations, practical steps
K&L GatesEU & Luxembourg updates (Jan 2026)Recent regulatory developments, national implementation
Kennedy's LawTimeline deep-dive (2026)Compliance deadline planning by obligation type
Lowenstein SandlerPrivacy angle (2024)GDPR / AI Act interplay
Stephenson HarwoodEnforcement overviewPenalties, enforcement structure, national authority roles

3.3 Policy Institutes & Think Tanks

OrganisationResourceNotes
Future of Life InstituteFull websiteSee §3.1 for detailed resource list
Interface EUGPAI CoP deep-divePolicy institute analysis of the CoP's reach and gaps

3.4 Academic & Technical

ResourceNotes
Assessing High-Risk AI Systems — technical verification (arXiv, Dec 2024)Maps legal requirements to concrete technical checks

3.5 Compliance Trackers & Practitioner Guides

ResourceAngle
DataGuard — TimelineVisual timeline by risk tier; good for quick orientation
Trilateral Research — Model-to-tier mappingMaps AI model types to risk tiers and compliance deadlines
LegalNodes — 2026 updatesBusiness risk framing for the Aug 2026 enforcement wave
GDPR Local — Risk classificationSide-by-side comparison of all four risk categories
TRAIL ML — Risk classificationML-practitioner angle on classification logic
Glocert — Classification PlaybookDecision-tree: Prohibited vs High-Risk vs Limited-Risk
CSA Lab Space — Enterprise ReadinessGap analysis for enterprises ahead of Aug 2026 deadline
ModelOp — summary & complianceGovernance platform angle

3.6 Newsletter & Ongoing Coverage

ResourceCadence
EU AI Act Newsletter (FLI Substack)Biweekly
TTMS — EU AI Act 2025 UpdateOne-off

Key Source Documents

Linked straight to the official online source — none are hosted on this site.

DocumentOfficial source
Official Journal PDF (~460 pages)EUR-Lex
FLI High-level SummaryFLI
GPAI CoP — Transparency chaptercode-of-practice.ai
GPAI CoP — Copyright chaptercode-of-practice.ai
GPAI CoP — Safety & Security chaptercode-of-practice.ai

Suggested Reading Order

Work through sources roughly in this order:

  1. 01 · Regulation Overview — what the Act does, four-tier risk framework
  2. 02 · Timeline — when each wave hits; where we are now
  3. 03 · Prohibited AI — 8 base Article 5 prohibitions in force, plus Omnibus intimate-material/CSAM additions applying from 2 December 2026 after OJ publication
  4. 06 · High-Risk Classification — Annex I vs III, exceptions
  5. 08 · Annex III Use Cases — the 8 high-risk areas, verbatim sub-points
  6. 09 · Annex I Products — the product-safety laws that trigger high-risk
  7. 10 · SME & Start-ups — reliefs in force today + Digital Omnibus final-text additions pending OJ publication
  8. 05 · GPAI Models & CoP — GPAI obligations + Code of Practice
  9. 04 · Governance & AI Office — who enforces what
  10. 07 · Conformity Assessment — notified bodies, CE marking flow
  11. Law firm analyses in §3.2 — practical compliance framing
  12. FLI implementation documents — pick annexes/articles relevant to your role