Article 3 — Definitions (EU AI Act)

Article 3 of Regulation (EU) 2024/1689 — Definitions. Official text, practical interpretation, key obligations and compliance implications.

Official Text Summary

Article 3 of Regulation (EU) 2024/1689 (the EU AI Act) establishes the definitional framework that governs the entire Regulation. It contains 65 numbered definitions that give precise legal meaning to the core terminology used throughout the Act.

The most foundational definition is that of 'AI system' (Article 3(1)): a machine-based system designed to operate with varying levels of autonomy that may exhibit adaptiveness after deployment, and that, for explicit or implicit objectives, infers from the input it receives how to generate outputs — such as predictions, content, recommendations, or decisions — capable of influencing physical or virtual environments. This definition deliberately aligns with the OECD Recommendation on AI and is technology-neutral.

Article 3 also defines the principal market actors: providers (Article 3(3)), who develop and place AI systems on the market; deployers (Article 3(4)), who use AI systems in a professional context; importers (Article 3(6)); distributors (Article 3(7)); and operators, a collective term covering providers and deployers. Additional definitions cover general-purpose AI models (Article 3(63)), general-purpose AI systems (Article 3(66)), high-risk AI systems, intended purpose, reasonably foreseeable misuse, substantial modification, placing on the market, putting into service, safety component, biometric data, and many others that are essential for determining scope, obligations, and applicable risk categories under the Act.

What This Means in Practice

Article 3 is the gateway to the EU AI Act. Before any organisation can determine whether it is regulated, how heavily, and in what role, it must work through the definitions in Article 3 systematically.

Step 1 — Does your product qualify as an AI system? Apply the Article 3(1) test: Does the system operate with some autonomy? Does it infer from inputs to generate outputs? A machine-learning model used for credit scoring qualifies. A hard-coded eligibility calculator with fixed rules does not.

Step 2 — What is your role? A company that trains and commercialises a fraud-detection model is a provider. A bank that licenses that same model and integrates it into its loan approval workflow is a deployer. A US-headquartered company that sells the model into the EU market is an importer. The same legal entity can simultaneously hold multiple roles for different AI products or within the same value chain.

Step 3 — Does the GPAI definition apply? If your organisation develops a large foundation model (such as a large language model) trained on broad data and capable of multiple tasks, Article 3(63) likely applies, triggering the Title VIII obligations for GPAI models regardless of whether the model is itself deployed as a standalone AI system.

Concrete example: A SaaS company in Berlin that fine-tunes an open-source LLM and sells it as a customer-service chatbot to retailers is a provider of both a GPAI model (if it releases the underlying model) and an AI system. A retailer using the chatbot for customer interactions is a deployer. Both face distinct compliance obligations under the Act, all of which depend on correctly identifying roles via Article 3.

Key Obligations

Correctly identify the applicable legal role — every organisation must determine whether it acts as a provider, deployer, importer, distributor, or a combination thereof, as each role carries a distinct and non-transferable set of obligations under Titles III through VIII.
Apply the Article 3(1) AI system test before assuming the Regulation applies — confirm the presence of machine-based inference from inputs to generate outputs before engaging the full compliance framework.
Distinguish AI systems from GPAI models — Article 3(63) and 3(66) create a separate regulatory track for general-purpose AI models; organisations developing foundation or base models must evaluate applicability of Title VIII obligations independently of AI system classifications.
Assess whether a 'substantial modification' has occurred — Article 3(23) defines substantial modification as a change to an AI system after placing on the market that affects the system's compliance with the Regulation or alters its intended purpose; such modifications reset provider obligations and may trigger re-certification.
Establish the 'intended purpose' — Article 3(12) defines intended purpose as the use for which an AI system is specifically designed and documented by the provider; risk classification and applicable requirements are anchored to this definition, making accurate documentation of intended purpose a critical compliance control.
Account for 'reasonably foreseeable misuse' — Article 3(13) requires that providers consider uses of their system that are not intended but which may arise from reasonably foreseeable human behaviour, expanding the effective scope of risk assessment beyond declared use cases.

Relationship to Other Articles

Article 3 underpins every subsequent provision of the Regulation. It connects directly to Article 2 (scope of application), which uses the definitions of 'provider', 'deployer', 'importer', and 'distributor' to determine who is subject to the Act and under what territorial conditions. The Article 3(1) definition of AI system delimits the boundary between the Act and non-AI software regulation, feeding directly into the prohibited practices listed in Article 5 and the high-risk classification criteria in Article 6 and Annex III.

The definition of intended purpose links to the conformity assessment procedures in Articles 43–48 and to the technical documentation requirements in Article 11 and Annex IV. The GPAI model definitions in Article 3(63–66) are foundational to the entire Title VIII framework (Articles 51–56). The concept of substantial modification (Article 3(23)) triggers re-entry into provider obligations and connects to post-market monitoring under Article 72.

Compliance Timeline

Article 3, as part of Title I (General Provisions), entered into application on 2 August 2026 — 24 months after the Regulation entered into force on 1 August 2024. All definitions in Article 3 therefore have full legal effect as of that date.

Organisations should note, however, that accurate identification of roles and system classifications under Article 3 is a prerequisite for compliance with earlier phases of the Act's rollout. The prohibited practices in Article 5 applied from 2 February 2025 (6 months after entry into force), meaning organisations needed to apply Article 3 definitions to assess exposure to those prohibitions from that date. The GPAI model obligations under Title VIII applied from 2 August 2025 (12 months after entry into force). High-risk AI system requirements under Annex I apply from 2 August 2027 (36 months); those under Annex III apply from 2 August 2026, with a derogation to 2 August 2027 for certain systems already in service. Organisations that have not already completed their Article 3 role and system classification exercise are in breach of the foundational compliance prerequisite across multiple application phases.

Official AI Act Compliance Deadline Calendar

Updated 2026-06-22 · Sources: Regulation (EU) 2024/1689 and the 2026 Digital Omnibus on AI.

Obligation	Applies to	Original date	New date	Status	Countdown	Legal basis
Prohibited Practices (Art. 5)	All providers and deployers	2 February 2025	2 February 2025	active	—	AI Act Art. 5
GPAI Rules (Chapter 5)	GPAI model providers	2 August 2025	2 August 2025	active	—	AI Act Art. 51-56
High-risk AI — Annex III (standalone)	Providers of standalone Annex III systems	2 August 2026	2 December 2027	deferred	—	AI Omnibus 2026 Art. 6(2)
High-risk AI — Annex I (embedded)	AI embedded in Annex I regulated products	2 August 2026	2 August 2028	deferred	—	AI Omnibus 2026 Art. 6(1)
AI-Generated Content Marking	Providers of generative GPAI systems	2 August 2025	2 August 2025	active	—	AI Act Art. 50(2)
Regulatory Sandboxes	National competent authorities	2 August 2026	2 August 2026	active	—	AI Act Art. 57

⬇ Download JSON · CC BY 4.0

AI Act meets DORA and NIS2

Is your organisation subject to both the AI Act and DORA? The two regulations intersect on the operational resilience of financial AI systems. Our sister site regulation-dora.eu covers DORA in depth.

Explore regulation-dora.eu ↗

Frequently Asked Questions

What is the legal definition of an 'AI system' under the EU AI Act?

Under Article 3(1) of Regulation (EU) 2024/1689, an AI system is a machine-based system designed to operate with varying levels of autonomy, that may exhibit adaptiveness after deployment, and that, for explicit or implicit objectives, infers from the input it receives how to generate outputs such as predictions, content, recommendations, or decisions that can influence physical or virtual environments. This definition aligns with the OECD definition of AI and is intentionally technology-neutral to remain future-proof.

What is the difference between an 'AI system' and a 'general-purpose AI model' under Article 3?

An AI system (Article 3(1)) is a deployed system producing outputs that influence real-world environments. A general-purpose AI model (Article 3(63)) is an AI model trained on large amounts of data at scale, capable of serving a wide range of purposes, that can be integrated into various downstream systems or applications. GPAI models are not themselves AI systems — they become subject to AI system rules only once integrated into a deployed product.

Who qualifies as a 'provider' versus an 'deployer' under Article 3?

A provider (Article 3(3)) is any natural or legal person who develops an AI system or general-purpose AI model and places it on the market or puts it into service under their own name. A deployer (Article 3(4)) is any natural or legal person, other than the provider, who uses an AI system under their own authority in a professional context. The distinction is critical because providers and deployers carry different and distinct sets of legal obligations throughout the Act.

Does the definition of 'AI system' in Article 3 cover traditional software and rule-based systems?

No. The Article 3(1) definition specifically requires that the system infer from inputs to generate outputs, implying a degree of learning, reasoning, or statistical inference. Simple rule-based or deterministic software that applies fixed, manually programmed logic without any inference capability does not fall within the scope of the definition, and therefore falls outside the scope of the Regulation.

What does 'placing on the market' mean under Article 3, and why does it matter?

Article 3(9) defines 'placing on the market' as the first making available of an AI system on the Union market. This triggers the full set of provider obligations under the Act — including conformity assessments, CE marking for certain high-risk systems, and registration requirements. The moment of first market placement determines when compliance must be demonstrated.

Stay ahead of AI Act changes

Get compliance alerts when deadlines or obligations change.

No spam. One-click unsubscribe.