Article 63 of Regulation (EU) 2024/1689 — Derogations from certain requirements applicable to high-risk AI systems for certain operators. Official text, practical interpretation, key obligations and compliance implications.
Official Text Summary
Article 63 of Regulation (EU) 2024/1689 (the EU AI Act), situated within Title VI — Measures in Support of Innovation, establishes targeted derogations from certain requirements of Chapter III, Section 2 that would otherwise apply in full to providers and other operators of high-risk AI systems.
The principal beneficiaries are microenterprises within the meaning of Commission Recommendation 2003/361/EC (enterprises with fewer than 10 employees and annual turnover or balance sheet total not exceeding EUR 2 million). For such providers, Article 63 permits a simplified approach to the quality management system obligations laid down in Article 17, allowing procedures and policies to be implemented in a manner proportionate to the operator's size and operational capacity, rather than through the comprehensive documented system that larger providers must establish.
Article 63 further addresses public-body operators that deploy high-risk AI systems, recognising that their procurement and governance structures may differ materially from commercial operators. Certain documentation and conformity obligations may be adapted where a public body acts exclusively as deployer and the system is procured from an external provider who retains primary provider obligations.
Critically, the article preserves the substantive safety floor: derogations concern procedural form and scale, not the underlying requirements of accuracy, robustness, cybersecurity, data governance, transparency, and human oversight. All operators, regardless of size, must still ensure that high-risk AI systems meet the technical requirements of Articles 9 through 15 and remain subject to market surveillance obligations.
What This Means in Practice
Article 63 is a proportionality instrument. Its practical effect is to reduce administrative burden on the smallest market participants and on certain public-sector deployers without compromising the safety objectives of the Regulation.
For microenterprise providers, the most significant relief relates to Article 17 quality management systems. Rather than maintaining a fully documented QMS with designated roles, change-management procedures, post-market monitoring plans, and systematic version control, a microenterprise may implement equivalent governance through simpler internal procedures — for example, a concise policy document, a designated responsible person, and a basic incident log — provided these measures adequately address risk. The technical documentation obligations of Article 11 and the conformity assessment procedures of Articles 43–44 continue to apply in full, as do registration obligations in the EU database under Article 71.
For public-body deployers, Article 63 recognises that where a contracting authority procures a high-risk AI system, primary conformity obligations rest with the provider. The deployer's obligations under Article 26 — including fundamental rights impact assessments, human oversight designation, and logging — remain intact, but Article 63 provides contextual clarity that such bodies are not expected to replicate provider-side technical documentation they do not possess.
Practical example: A two-person legal-tech startup placing a contract-review AI system on the market (Annex III, point 5(a) — access to legal aid) must conduct a conformity assessment and register the system, but may document its risk-management process through a streamlined internal procedure rather than a formal ISO-aligned QMS. A large municipality deploying the same system from a third-party provider remains subject to deployer obligations but is not expected to produce the provider's technical file.
Operators should document their eligibility for derogations — specifically their classification as a microenterprise — as part of their compliance records, since market surveillance authorities may request evidence.
Key Obligations
- Establish proportionate quality management procedures: Microenterprise providers must implement internal procedures covering the substance of Article 17 obligations — risk management, data governance, documentation, post-market monitoring — scaled appropriately to their size and the risk profile of the AI system, even if not through a formal documented QMS.
- Maintain full technical documentation: Article 63 derogations do not reduce technical documentation requirements under Article 11 and Annex IV. Providers must still produce, maintain, and make available documentation demonstrating conformity.
- Complete applicable conformity assessment: All high-risk AI system providers, including microenterprises, must complete the conformity assessment procedure under Article 43 before placing a system on the market or putting it into service.
- Register in the EU AI Act database: Registration obligations under Article 71 apply regardless of operator size; microenterprises must register high-risk AI systems in the public EU database maintained by the Commission.
- Preserve human oversight and safety requirements: Technical requirements under Articles 9–15 (risk management, data governance, transparency, accuracy, robustness, cybersecurity, and human oversight) are not derogated and must be met in full by all providers irrespective of size.
- Document derogation eligibility: Operators relying on Article 63 derogations should maintain records demonstrating their qualifying status (e.g., microenterprise classification, or public-body deployer status) to substantiate their compliance approach to national market surveillance authorities.
Relationship to Other Articles
Article 63 operates as a proportionality modifier within the broader high-risk AI system compliance framework and must be read in conjunction with several other provisions.
Article 17 (Quality management systems) is the primary article from which microenterprise derogations are drawn; Article 63 conditions and limits those derogations. Articles 9–15 set the non-derogable technical floor that Article 63 explicitly preserves. Article 26 governs deployer obligations and is relevant to the public-body derogation provisions. Article 11 and Annex IV define technical documentation requirements that remain fully applicable.
Within Title VI, Article 63 sits alongside Articles 57–62 (AI regulatory sandboxes) and Articles 64–68 (support measures for SMEs and testing), forming a coherent SME-support framework. Article 9 of Title I (the general proportionality obligation applicable to all providers) provides the regulatory rationale underlying Article 63's specific relief measures. Article 71 (EU database) and Article 43 (conformity assessment) establish obligations that Article 63 does not modify.
Compliance Timeline
The EU AI Act entered into force on 1 August 2024, twenty days after publication in the Official Journal.
The phased application schedule relevant to Article 63 is as follows:
- 2 February 2025 — Prohibitions on unacceptable-risk AI practices (Article 5) became applicable. Article 63 is not relevant at this stage.
- 2 August 2025 — General-purpose AI model obligations (Title III, Chapter V) and governance provisions became applicable. Article 63 derogations do not apply to GPAI providers.
- 2 August 2026 — The full high-risk AI system framework under Title III, Chapter III, Section 2 — including the requirements from which Article 63 provides derogations — becomes applicable to systems listed in Annex III (stand-alone high-risk AI systems, including biometrics, critical infrastructure, education, employment, essential services, law enforcement, migration, and administration of justice use cases). Article 63 derogations become operative from this date for qualifying operators.
- 2 August 2027 — High-risk AI systems embedded in products covered by Annex I harmonised legislation (machinery, medical devices, civil aviation, motor vehicles, etc.) become subject to the full framework. Article 63 derogations extend to qualifying operators in those product sectors from this date.
Operators seeking to rely on Article 63 derogations should begin internal eligibility assessments and proportionate compliance planning well in advance of the applicable date for their system category.
Official AI Act Compliance Deadline Calendar
Updated · Sources: Regulation (EU) 2024/1689 and the 2026 Digital Omnibus on AI.
| Obligation | Applies to | Original date | New date | Status | Countdown | Legal basis |
|---|---|---|---|---|---|---|
| Prohibited Practices (Art. 5) | All providers and deployers | active | — | AI Act Art. 5 | ||
| GPAI Rules (Chapter 5) | GPAI model providers | active | — | AI Act Art. 51-56 | ||
| High-risk AI — Annex III (standalone) | Providers of standalone Annex III systems | deferred | — | AI Omnibus 2026 Art. 6(2) | ||
| High-risk AI — Annex I (embedded) | AI embedded in Annex I regulated products | deferred | — | AI Omnibus 2026 Art. 6(1) | ||
| AI-Generated Content Marking | Providers of generative GPAI systems | active | — | AI Act Art. 50(2) | ||
| Regulatory Sandboxes | National competent authorities | active | — | AI Act Art. 57 |
⬇ Download JSON · CC BY 4.0
AI Act meets DORA and NIS2
Is your organisation subject to both the AI Act and DORA? The two regulations intersect on the operational resilience of financial AI systems. Our sister site regulation-dora.eu covers DORA in depth.
Explore regulation-dora.eu ↗Frequently Asked Questions
Article 63 derogations are available to specific categories of operators, notably microenterprises as defined in EU law and, in certain provisions, public bodies that procure or use high-risk AI systems. These operators benefit from reduced or modified compliance obligations compared to standard requirements under Chapter III, Section 2 of the Regulation.
Microenterprises that are providers of high-risk AI systems may fulfil certain documentation and quality management obligations in a simplified manner. In particular, they are not required to establish a full quality management system as described in Article 17, provided they implement appropriate procedures proportionate to their size and the nature of the AI system they place on the market.
No. Article 63 provides targeted derogations from specific procedural and documentation requirements, not a blanket exemption. Core safety, transparency, human oversight, accuracy, robustness, and cybersecurity obligations still apply. The derogations concern primarily the form and scale of compliance measures rather than their substance.
As part of the high-risk AI system framework under Title III, the requirements and associated derogations under Article 63 apply from 2 August 2026 for most high-risk systems listed in Annex III, and from 2 August 2027 for high-risk systems covered by Annex I (product safety legislation). The Regulation entered into force on 1 August 2024.
Article 63 is distinct from the sandbox provisions of Articles 57–60. Sandboxes offer a controlled environment for testing innovative AI before market placement. Article 63 derogations, by contrast, apply to operators in the normal market context and provide ongoing proportionality relief rather than temporary experimental latitude.
Stay ahead of AI Act changes
Get compliance alerts when deadlines or obligations change.
No spam. One-click unsubscribe.