Quick reference across our 15+ free compliance tools. Each answer is the short version. Click through to the tool for a guided walkthrough of YOUR specific situation.
Only in narrow cases. Article 27(1) explicitly captures two categories: (a) bodies governed by public law and private entities providing public services, and (b) deployers of Annex III(5)(b) creditworthiness AI or (5)(c) life/health insurance pricing AI. HR AI under Annex III(4) is NOT directly in Article 27 scope unless you're also a public body. The FRIA self-checker walks you through it in 5 questions.
Tool: FRIA Self-Checker

Article 22 attaches when (1) the decision is based SOLELY on automated processing with no meaningful human in the loop, AND (2) it produces a legal effect or similarly significant effect on the data subject (credit decision, hiring, benefits, etc.). Three Article 22(2) exemptions exist: contract necessity, Union/Member State law, explicit consent. Article 22(3) safeguards apply even when an exemption is claimed.
Tool: GDPR Article 22 Checker

Article 51(2) of the EU AI Act presumes systemic risk for general-purpose AI models trained with cumulative compute greater than 10^25 floating-point operations. Above the threshold, Article 55 obligations attach (model evaluations, adversarial testing, serious-incident reporting, cybersecurity). GPT-4 is ~2×10^25 FLOPs (above); Llama 3 70B is ~6×10^24 FLOPs (below). Most readers are deployers, not GPAI providers, so the threshold rarely applies to them directly.
Tool: Compute Threshold Checker

Article 73 has three clocks, all starting from awareness: 2 days for incidents posing immediate or imminent risk of widespread harm to public health or critical infrastructure; 10 days for incidents causing death or serious deterioration in a person's state of health; 15 days for any other serious incident. GDPR Article 33 personal-data breach notification runs separately on a 72-hour clock. For medical AI, MDR Article 87 vigilance runs on the same 2/10/15 day cadence in parallel.
Tool: Incident Severity Rater

Article 99 tiers stack with GDPR Article 83 and Consumer Credit Directive Article 24 penalties. Worst case: Article 5 prohibited practice (EUR 35M or 7% under the AI Act) + GDPR Article 83(5) breach (EUR 20M or 4%) + CCD national penalties. Authorities typically coordinate to avoid double-counting on a single incident, but the legal exposure is real. SME relief under Article 99(6) caps the AI Act side at the LOWER of the fixed amount or the percentage for small businesses.
Tool: Penalty Stacking Calculator

Two HR practices are Article 5 PROHIBITED (live since 2 Feb 2025): emotion recognition in the workplace (5(1)(f), e.g. voice-tone or facial-expression scoring) and cross-context social scoring of workers (5(1)(c)). Most other HR AI (sourcing, CV screening, interview scoring on structured questions, performance review summaries, promotion/termination prediction, task allocation in platform work, worker monitoring tied to decisions) sits in Annex III(4) high-risk territory. Generic FAQ chatbots without decisioning drop to Article 50 limited-risk.
Tool: HR AI Risk Matrix

Article 4 requires AI literacy proportionate to role. Three tiers: Tier 1 (basic users) 1-2 hours / year covering scope + Article 5 prohibitions; Tier 2 (decision-influencers) 3-4 hours / year covering Annex III basics + FRIA awareness + GDPR Article 22; Tier 3 (decisioning operators + technical) 8-12 hours / year covering full deployer obligations + incident reporting + technical documentation review. The literacy gap analyser maps role + exposure + existing training to a tier.
Tool: Literacy Gap Analyser

If it qualifies as a medical device under MDR 2017/745 or as an IVD under IVDR 2017/746, it is Annex I embedded high-risk: conformity assessment is integrated with notified-body work, and Article 73 incident reporting runs parallel to MDR Article 87 vigilance on the same 2/10/15 day clock. Public-health benefits eligibility AI and emergency dispatch AI go via Annex III(5)(a) standalone. Hospital admin AI without these specifics is often out of healthcare-specific scope.
Tool: Healthcare AI Route Finder

Yes for B2C consumer credit. Three regimes apply simultaneously: EU AI Act Annex III(5)(b) high-risk + Article 27(1)(b) FRIA, GDPR Article 22 automated decision-making, and Consumer Credit Directive (2023/2225) Article 18 explainability. Pure B2B credit without natural-person guarantees is out of Annex III(5)(b). SME lending with personal guarantees from owners pulls the natural-person portion back into scope.
Tool: Credit AI Checker (Triple-Stack)

8 subcategories: (1) biometric identification + categorisation, (2) critical infrastructure, (3) education + vocational training, (4) employment + worker management, (5) access to essential services (credit, insurance, public benefits, emergency dispatch), (6) law enforcement, (7) migration / asylum / borders, (8) administration of justice + democratic processes. (5)(b)+(c), (7), and (8) explicitly trigger Article 27 FRIA. The deeper classifier walks all 8 with examples + sectoral overlay flags.
Tool: Annex III Deeper Classifier

Each tool links to a long-form blog post that walks through the underlying regulation. 16 articles, all free, all post-Omnibus accurate.