Article 2 of Regulation (EU) 2024/1689 — Scope. Official text, practical interpretation, key obligations and compliance implications.
Official Text Summary
Article 2 of Regulation (EU) 2024/1689 defines the material and territorial scope of the EU AI Act. It establishes which actors, systems, and circumstances fall within the regulation's remit.
Ratione personae, the Act applies to: (1) providers placing AI systems on the Union market or putting them into service in the EU, irrespective of their place of establishment; (2) deployers of AI systems who are established or located in the EU; (3) providers and deployers established in third countries where the output produced by the AI system is used in the Union; (4) importers and distributors of AI systems; and (5) product manufacturers who place AI systems as safety components of regulated products on the Union market.
Article 2 further clarifies that the Act does not apply to AI systems developed or used exclusively for military, national security, or defence purposes, nor to AI systems used by public authorities of third countries or international organisations in the context of international agreements on law enforcement and judicial cooperation. AI systems that are not yet placed on the market and are still in the research and development phase, prior to being made available to users, also fall outside scope.
Where a deployer or provider is established outside the EU but the AI system's output is used within the EU, the Act still applies, establishing a strong extraterritorial reach comparable to the GDPR model.
What This Means in Practice
Article 2 determines whether your organisation must comply with the EU AI Act at all — it is the threshold question every legal and compliance team must answer before any obligations can be assessed.
For EU-based companies, the analysis is straightforward: if you develop, deploy, import, distribute, or integrate AI systems into products or services available in the EU, you are in scope. This includes SaaS providers offering AI-powered features, enterprises deploying AI tools in HR, lending, or healthcare, and manufacturers embedding AI into physical products subject to existing EU product safety legislation.
For non-EU companies, the critical test is whether the AI system's output reaches or affects individuals or entities in the EU. A US-based company providing an AI recruitment screening tool used by European subsidiaries of multinationals, for example, is in scope even if the company itself has no EU presence. Such providers must designate an authorised representative in the Union.
Practically, compliance teams should first map every AI system in use or development, then apply the Article 2 criteria to each. Systems exclusively used for internal R&D — not deployed to end users — can be documented as out of scope, but this status must be actively maintained and revisited at deployment. Military and national security carve-outs are narrow and should not be assumed to apply to dual-use systems or law enforcement tools without careful legal review.
Open-source model providers benefit from some relaxed obligations but remain in scope for prohibited practices and high-risk classifications.
Key Obligations
- Scope determination: Organisations must affirmatively determine whether they fall within one of the defined actor categories (provider, deployer, importer, distributor, or product manufacturer) before assessing which tier of obligations applies to them.
- Extraterritorial compliance: Non-EU providers whose AI system outputs are used in the Union must comply with the Act and designate an authorised representative established in the EU.
- Role clarity: Where the same organisation acts simultaneously as provider and deployer, both sets of obligations apply cumulatively; organisations must document and manage each role separately.
- R&D boundary documentation: Organisations relying on the research and development exemption must maintain clear records demonstrating that the system has not been placed on the market or put into service, and must reassess scope at each stage of development.
- Narrow reading of exclusions: Military, national security, and defence exclusions must be applied strictly; dual-use AI systems or those used in general law enforcement contexts do not automatically qualify for exclusion.
- Authorised representative designation: Third-country providers in scope must formally designate and document an authorised representative in the EU as part of their compliance infrastructure.
Relationship to Other Articles
Article 2 is the entry point to the entire regulatory framework and must be read alongside several foundational provisions. Article 3 (Definitions) is essential for interpreting the key terms used in Article 2, particularly the definitions of "AI system," "provider," and "deployer," which determine scope. Article 5 (Prohibited AI Practices) applies to all actors within scope regardless of risk tier, making correct scope determination under Article 2 a prerequisite for assessing the most serious obligations. Article 6 (Classification of High-Risk AI Systems) and Article 51 (Classification of GPAI Models) only become relevant once Article 2 scope is confirmed. For organisations relying on the third-country provider pathway, Article 2 connects directly to Article 25 (Obligations of Importers) and Article 26 (Obligations of Distributors). The extraterritorial reach established in Article 2 mirrors the logic of Article 3 of the GDPR, and regulatory authorities have confirmed these provisions should be read consistently.
Compliance Timeline
Article 2 entered into force on 1 August 2024, twenty days after publication of the Regulation in the Official Journal of the EU. However, its practical obligations activate according to the Act's phased application schedule:
- 2 February 2025: Article 2 scope applies fully with respect to the prohibited AI practices under Article 5 — organisations must have completed their scope determination by this date to assess whether any of their systems fall into prohibited categories.
- 2 August 2025: Scope applies to General-Purpose AI (GPAI) model providers under Title VIII (Articles 51–56), including systemic risk assessments and transparency obligations.
- 2 August 2026: Obligations for EU institutions and bodies using AI systems under Article 2(1)(h) become applicable.
- 2 December 2026: Article 2 scope applies to high-risk AI systems listed in Annex I (safety components of regulated products).
- 2 August 2027: Full application to high-risk AI systems listed in Annex III (standalone high-risk applications in areas such as employment, education, critical infrastructure, and law enforcement).
Organisations should treat August 2024 as the date from which scope mapping exercises should have commenced, with each subsequent deadline triggering a corresponding compliance workstream.
Official AI Act Compliance Deadline Calendar
Updated · Sources: Regulation (EU) 2024/1689 and the 2026 Digital Omnibus on AI.
| Obligation | Applies to | Original date | New date | Status | Countdown | Legal basis |
|---|---|---|---|---|---|---|
| Prohibited Practices (Art. 5) | All providers and deployers | active | — | AI Act Art. 5 | ||
| GPAI Rules (Chapter 5) | GPAI model providers | active | — | AI Act Art. 51-56 | ||
| High-risk AI — Annex III (standalone) | Providers of standalone Annex III systems | deferred | — | AI Omnibus 2026 Art. 6(2) | ||
| High-risk AI — Annex I (embedded) | AI embedded in Annex I regulated products | deferred | — | AI Omnibus 2026 Art. 6(1) | ||
| AI-Generated Content Marking | Providers of generative GPAI systems | active | — | AI Act Art. 50(2) | ||
| Regulatory Sandboxes | National competent authorities | active | — | AI Act Art. 57 |
⬇ Download JSON · CC BY 4.0
AI Act meets DORA and NIS2
Is your organisation subject to both the AI Act and DORA? The two regulations intersect on the operational resilience of financial AI systems. Our sister site regulation-dora.eu covers DORA in depth.
Explore regulation-dora.eu ↗Frequently Asked Questions
The EU AI Act applies to providers placing AI systems on the EU market or putting them into service in the EU, regardless of where the provider is established. It also covers deployers operating AI systems within the EU, importers and distributors of AI systems, and product manufacturers incorporating AI systems. Non-EU providers are covered if the output of their AI system is used within the EU.
Generally no — but there is an important exception. If an AI system is developed outside the EU but its outputs are used inside the EU, the Act may still apply. Providers established in third countries must designate an authorised representative in the EU if their systems are made available in the EU market.
Yes. Article 2 explicitly excludes AI systems used exclusively for military, national security, or defence purposes, as well as AI systems used solely for research and development not yet placed on the market. Public authorities of third countries and international organisations are also excluded when acting within international law enforcement cooperation frameworks.
Open-source AI systems are partially in scope. While providers of free and open-source AI systems benefit from lighter obligations in some areas, they are not fully exempt — particularly when the system falls into prohibited or high-risk categories, or when it involves general-purpose AI models with significant systemic risk.
Stay ahead of AI Act changes
Get compliance alerts when deadlines or obligations change.
No spam. One-click unsubscribe.