AI Governance Library

EU AI Act Compliance Matrix

This matrix-style guide breaks down the EU AI Act’s obligations. Developed by Müge Fazlioglu of IAPP, it clarifies which articles apply to providers, deployers, importers, distributors, and more—making the 100+ articles of the AI Act a bit easier to operationalize.

What’s Covered?

This resource lays out a comprehensive and structured overview of the EU AI Act’s key obligations, broken down by type of actor and AI system category. It focuses on three system classes: high-risk AI systems, AI systems (non-high-risk), and general-purpose AI models. For each relevant article, it indicates which type of actor it applies to—providers, deployers, importers, distributors, authorized representatives, and product manufacturers—using a clear table format.

The matrix starts by defining each operator’s legal role (from Article 3 of the AI Act), such as who qualifies as a provider (i.e. developer or brand-owner of an AI system), deployer (i.e. user of the system under their authority), or importer. It then outlines exclusions—military use, open-source, and purely personal applications are among the key carveouts.

For high-risk AI systems (as defined in Articles 6 and 7), the guide maps which actor is responsible for each provision, such as:

  • Risk Management (Art. 9)
  • Data Governance (Art. 10)
  • Human Oversight (Art. 14)
  • Post-market Monitoring (Art. 72)
  • Right to Explanation (Art. 86)

It then transitions into obligations tied to general AI systems and general-purpose models. This includes transparency (Art. 50), registration (Art. 49, 71), and, for models with systemic risk, extensive documentation and evaluation duties (Art. 51–55). It also highlights evolving tools like codes of practice (Art. 56) and monitoring pathways for complaints (Art. 89).

💡 Why it matters?

This matrix does a solid job distilling a complex regulation into a tool that compliance officers, tech leads, and legal teams can actually use. Instead of just listing obligations by article, it helps users immediately see who must do what. In a world where AI compliance is becoming cross-functional, this kind of clarity is gold.

What’s Missing?

The document’s strength—brevity and tabular structure—also leaves out much of the how. For example, Articles 9 and 10 impose risk management and data governance obligations, but there’s no explanation of what compliance might look like in practice. There’s also limited guidance for organizations working across multiple roles (e.g., a product manufacturer that’s also a deployer). Interpretation of overlapping obligations is left up to the reader.

The resource assumes familiarity with the legal text of the AI Act. There are no real-world examples or common pitfalls to avoid. It doesn’t cover how obligations might shift during the product lifecycle, or how to resolve ambiguities between harmonised standards and the articles themselves. Lastly, the general-purpose model section focuses mostly on providers, even though downstream developers will also need clarity in practice.

Best For:

This is best suited for legal, compliance, and policy teams looking for a clear entry point into the EU AI Act. Especially useful for those mapping their internal responsibilities across the supply chain or prepping early compliance checklists. It’s less useful for technical teams needing implementation details.

Source Details:

Title: EU AI Act Compliance Matrix

Author: Müge Fazlioglu, CIPP/E, CIPP/US – Principal Researcher, Privacy Law and Policy at IAPP. She brings a hybrid background in tech law, global privacy regulation, and digital policy, having written extensively on AI, data governance, and the GDPR.

Publisher: International Association of Privacy Professionals (IAPP), October 2024.

Context: IAPP is a key global hub for privacy professionals. This document sits within their broader suite of EU AI Act tools including cheat sheets, explainer articles, and sector-specific timelines. It reflects IAPP’s focus on translating policy into operational insight.

About the author
Jakub Szarmach
