TL;DR The EU AI Act (Regulation EU 2024/1689) has been in force since August 2024, with high-risk obligations phasing in through 2026. Public authorities are particularly affected because many of their typical use cases (administrative decisions, law enforcement, migration, critical infrastructure) classify as high risk. This post covers which AI applications qualify, which duties apply, and what a conformity assessment looks like in practice.
Why authorities are particularly affected
The EU AI Act classifies AI systems by risk. Four categories:
- Prohibited AI (Article 5): social scoring, manipulative AI, real-time biometric identification in public spaces (with exceptions)
- High-risk AI (Article 6 and Annex III): extensive obligations, conformity assessment
- Limited risk (Article 50): transparency duties (e.g. chatbots must be identifiable)
- Minimal risk: no specific duties
Annex III lists the high-risk areas. Several directly affect authorities:
- Education and vocational training (e.g. exam scoring, admissions)
- Employment and HR management (recruiting, performance evaluation)
- Access to essential private and public services (welfare, creditworthiness)
- Law enforcement (risk assessment, evidence analysis)
- Migration, asylum, border control
- Justice and democratic processes
- Critical-infrastructure management
Authorities deploying AI in any of these areas are in scope for high-risk obligations.
Obligations for high-risk systems
Articles 8 to 15 define the core requirements. In practice this means:
1. Risk management system (Article 9) across the full lifecycle: identify, assess, minimise and monitor risks. Documented and regularly updated.
2. Data governance (Article 10). Training, validation and test data must be appropriate, representative, error-free and complete. Bias testing is documented.
3. Technical documentation (Article 11 and Annex IV). Extensive: purpose, architecture, datasets, validation results, risks. Detailed enough that a supervisor can assess conformity from the documentation alone.
4. Logging duty (Article 12). Automated logging of all inferences throughout operation. Retention of at least 6 months, often longer.
5. Transparency (Article 13). Clear usage instructions, indication of limitations, explainability of outputs.
6. Human oversight (Article 14). A human must review and, if necessary, override the AI result. No fully automated processing for decisions with legal effects.
7. Accuracy, robustness and cybersecurity (Article 15). Measurable requirements, regular tests, protection against adversarial attacks.
Conformity assessment
Before deployment of a high-risk system, the AI Act requires a conformity assessment (Article 43). For most use cases an internal assessment by the provider is sufficient. For sensitive areas (biometric identification, critical infrastructure), a notified body must be involved.
Output of the conformity assessment:
- EU declaration of conformity (Article 47)
- CE marking of the system (Article 48)
- Entry in the EU database for high-risk systems (Articles 49 and 71)
Authorities as deployers must verify that purchased or self-developed high-risk systems have this conformity assessment.
Checklist for authorities
Recommended implementation path:
1. Inventory AI applications
- Which AI systems are in use or planned?
- Per system: purpose, data flow, decision contribution, affected persons
- Output: inventory with risk classification
2. Classify against Annex III
- Per system: does it fall under high risk?
- For unclear cases: obtain a legal assessment
- Output: classification document with reasoning per system
3. Gap analysis for high-risk systems
- Per high-risk system: which of the 7 obligations are met, which are not?
- Output: action plan with owners and deadlines
4. Set up data governance
- Classify training data, document bias tests
- Personal data: legal basis under GDPR, plus compatibility with the AI Act
- Output: data catalogue with protection levels and responsible owners
5. Build technical documentation
- Annex IV defines the structure
- Living documentation, not a one-off
- Output: documented system per authority standard
6. Establish human oversight
- Roles, permissions, escalation paths
- Training for oversight personnel
- Output: rules of procedure for AI oversight
7. Monitoring and reporting
- Automated logging of all inferences
- Periodic review of model performance
- Incident reporting channels to the supervisor (in Germany, the BNetzA is expected to act as central market surveillance authority)
- Output: monitoring dashboard, reporting calendar
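As an added illustration (not code from the original post or from GermanAI Defense), a minimal Python sketch of the per-inference log record and human-review step behind checklist step 7 and the Article 12 and Article 14 obligations above: every inference gets a timestamped entry with a hashed input, a result with legal effect counts as final only once a reviewer has confirmed or overridden it, and entries older than the six-month minimum are flagged for retention review. The field names, the `system_id` inventory id and the 183-day approximation of six months are assumptions.

```python
import hashlib
import json
from dataclasses import dataclass, asdict
from datetime import datetime, timedelta, timezone
from typing import Optional

# Six months is the minimum retention the text gives for Article 12 logs;
# 183 days is an assumed approximation of that period.
MIN_RETENTION = timedelta(days=183)


@dataclass
class InferenceRecord:
    system_id: str            # assumed id from the authority's AI inventory
    model_version: str
    timestamp: str            # ISO 8601 with UTC offset
    input_digest: str         # SHA-256 of the input; the raw input is stored elsewhere
    output: str
    legal_effect: bool        # True when the result feeds a decision with legal effect
    reviewer: Optional[str] = None
    human_decision: Optional[str] = None   # "confirmed" or "overridden" once reviewed


def log_inference(system_id: str, model_version: str, raw_input: bytes,
                  output: str, legal_effect: bool,
                  now: Optional[str] = None) -> InferenceRecord:
    """One log entry per inference (Article 12 automated logging)."""
    ts = now or datetime.now(timezone.utc).isoformat()
    return InferenceRecord(system_id, model_version, ts,
                           hashlib.sha256(raw_input).hexdigest(), output, legal_effect)


def record_review(rec: InferenceRecord, reviewer: str, decision: str) -> InferenceRecord:
    """Attach the human oversight outcome (Article 14) to an existing entry."""
    if decision not in ("confirmed", "overridden"):
        raise ValueError("decision must be 'confirmed' or 'overridden'")
    rec.reviewer, rec.human_decision = reviewer, decision
    return rec


def is_final(rec: InferenceRecord) -> bool:
    """A legally effective result is final only after a human has reviewed it."""
    return (not rec.legal_effect) or rec.human_decision is not None


def past_retention(records, now: str) -> list:
    """Entries older than the minimum retention; candidates for the deletion review."""
    now_dt = datetime.fromisoformat(now)
    return [r for r in records
            if now_dt - datetime.fromisoformat(r.timestamp) > MIN_RETENTION]


def to_jsonl(records) -> str:
    """Serialise entries as JSON Lines for the monitoring dashboard or an audit export."""
    return "\n".join(json.dumps(asdict(r), sort_keys=True) for r in records)
```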
Procurement: what tender documents must contain
Authorities procuring AI systems must include conformity requirements in tender documents. At minimum:
- Obligation to provide the EU declaration of conformity
- CE marking as an eligibility condition
- Access to technical documentation for the operations phase
- Cooperation duties on incidents and conformity checks
- Data-processing guarantees (location, jurisdiction, sub-contractors)
- Audit and inspection rights
Applicability timeline
The AI Act's obligations become applicable in stages:
- 2 Feb 2025: Prohibited AI practices applicable
- 2 Aug 2025: GPAI provider obligations applicable
- 2 Aug 2026: Full applicability for high-risk systems per Annex III
- 2 Aug 2027: Applicability for high-risk systems embedded in other EU products (Annex I)
Authorities starting or expanding AI today must actively plan for the 2026 deadlines.
How GermanAI Defense supports
We guide authorities through EU AI Act conformity: inventory, classification, gap analysis, data governance, technical documentation per Annex IV. Optionally with our own sovereign AI infrastructure in Frankfurt, BSI-aligned, ISO/IEC 27001:2022 certified.
→ More on our AI Services: germanaidefense.com/ai-services