Ask the analyst: answers with sources
Frequently asked questions on EU regulation for AI and transport & logistics, answered from our knowledge base — each answer links to the source article and the primary legal text. Factual analysis, not legal advice.
Ask a question
Ask anything about AI regulation. You get an answer with its sources — based solely on this knowledge base and the primary legal text. No source, no answer.
ⓘ General information, not legal advice.
Keep asking — or apply this to your own systems?
Create a free account. The assistant then answers not just general questions, but shows you per system what the rules mean for you — and what changes the moment the law moves.
No commitment, no credit card. Up to 2 systems free.
Does the AI Act apply now, or only from 2027?
Partly already. The prohibited practices (Art. 5) and the AI-literacy duty (Art. 4) have applied since 2 February 2025, and the GPAI regime since 2 August 2025. The heaviest high-risk obligations are shifting — expected to 2 December 2027 via the Digital Omnibus agreement — but until that is in the Official Journal, the formal date stands.
In the knowledge base: The AI Act timeline of obligations: what applies when
Primary source: Regulation (EU) 2024/1689 (AI Act), authentic text in the Official Journal; Article 113 contains the application dates. · European Commission policy page on the AI Act, with the current state of implementation.
Is my AI system high-risk?
Usually not. A system is only high-risk if it falls under an Annex III category (such as recruitment, lending or critical infrastructure) and genuinely plays a meaningful role in the decision. A large share of AI uses fall outside it; the classification depends on your concrete use.
In the knowledge base: High-risk AI mapped: classification and obligations in one overview
Primary source: Regulation (EU) 2024/1689: Article 6 and Annexes I and III (classification), Articles 8-27 (obligations), Article 49 (registration). · Chapter III of the AI Act in the unofficial rendering by the Future of Life Institute.
Do I already need to act on AI literacy?
Yes. Since 2 February 2025 every organisation deploying AI must ensure sufficient AI literacy among those who work with it (Art. 4). There is no revenue threshold or sector exemption. It is role-based knowledge — knowing what the system can do, its risks and when a human steps in — not a mandatory course.
In the knowledge base: Article 4 AI Act: the literacy obligation that already applies
Primary source: Regulation (EU) 2024/1689, Article 4 and recital 20; date of application in Article 113. · European Commission questions and answers on the interpretation and scope of Article 4.
What is a GPAI model and does that regime affect me?
GPAI means 'general-purpose AI' — broadly usable models such as large language models. The model's provider has its own duties (transparency, technical documentation, a copyright policy; extra requirements for systemic risk). If you use a GPAI model in your own application, you are usually not the model provider, but the rules for your application apply.
In the knowledge base: The GPAI regime: what providers of general-purpose AI models must already do
Primary source: Regulation (EU) 2024/1689, Chapter V (Articles 51-56) and Article 101 (fines for GPAI providers). · The GPAI Code of Practice, published 10 July 2025, with chapters on transparency, copyright and safety.
How high are the fines under the AI Act?
The heaviest category — deploying a prohibited AI practice — can cost up to €35 million or 7% of worldwide annual turnover, whichever is higher. Other infringements carry lower maxima. Enforcement is being phased in.
In the knowledge base: AI Act: how high are the fines and who enforces?
Primary source: Regulation (EU) 2024/1689 (AI Act), authentic text in the Official Journal; Article 99 governs penalties. · European Commission page on the AI Office, the central body supervising general-purpose AI models.
What is the difference between the Data Act and the GDPR?
The GDPR concerns personal data; the Data Act concerns access to and sharing of (mainly non-personal) data from connected products, such as sensors and on-board units. They can overlap: if your product data also contains personal data, both apply at once.
In the knowledge base: Data Act vs GDPR: what if my data contains personal data?
Primary source: Regulation (EU) 2023/2854 (Data Act); applicable since 12 September 2025.
Does my company fall under NIS2?
That depends on your sector and size. NIS2 targets 'essential' and 'important' entities in designated sectors — including transport and logistics — above certain thresholds. Transport is named explicitly as an essential sector. The Dutch implementing law sets the precise scope.
In the knowledge base: Does NIS2 apply to my transport or logistics company?
Primary source: Directive (EU) 2022/2555 (NIS2): transport as an essential sector; essential vs important entities by size. · European Commission — NIS2: scope (18 sectors, including transport) and entity categories.
Which goods fall under CBAM?
CBAM, the carbon border levy, applies to imports of carbon-intensive goods: iron and steel, aluminium, cement, fertilisers, hydrogen and electricity. Importers must report the embedded emissions; the financial obligation is phased in.
In the knowledge base: Which goods fall under CBAM?
Primary source: Regulation (EU) 2023/956 (CBAM); definitive regime from 1 January 2026.
Does the Platform Work Directive apply to my delivery platform?
If you assign and manage work via a digital platform, most likely yes. The directive introduces a legal presumption of employment and sets requirements for algorithmic management (transparency, human oversight). The concrete rules follow from national transposition, due by 2 December 2026.
In the knowledge base: Platform Work Directive: implications for couriers and last-mile platforms
Primary source: Directive (EU) 2024/2831 on improving working conditions in platform work, authentic text in the Official Journal. · European Commission page on platform work, with background on the directive and its implementation.
When does ETS2 start and what does it mean for my fuel costs?
ETS2 prices the CO2 emissions of fuels for road transport and buildings through a separate emissions trading system, expected from 2027. The cost sits with fuel suppliers and is likely passed through to diesel and pump prices. See the file for the exact date and conditions.
In the knowledge base: When does ETS2 actually start?
Primary source: Directive (EU) 2023/959; ETS2 for road-transport fuel, starts 2028.
Has the AI Act been postponed?
Not as a whole. Only the high-risk block and the transparency layer shift (expected to December 2027 and December 2026) via the Digital Omnibus agreement. The prohibited practices, the AI-literacy duty and the GPAI regime still apply. And until the shift is in the Official Journal, the formal date remains legally binding.
In the knowledge base: The Digital Omnibus file: what shifts, what stands, and what remains to be done
Primary source: European Parliament press release (16 June 2026): plenary adopted the text 423-57-174; high-risk delay and nudifier/CSAM ban. Council adoption still required. · Analysis of the political agreement of 7 May 2026 between the Council and the European Parliament.
What is a FRIA and do I need to do one?
A FRIA is the fundamental rights impact assessment of Article 27 of the AI Act. Certain deployers of high-risk AI — mainly public bodies and some private parties — must assess the impact on fundamental rights before putting the system into use. If you don't use a high-risk system in such a context, the FRIA is not required.
In the knowledge base: FRIA: when must I run a fundamental-rights impact assessment (Art. 27)?
Primary source: Regulation (EU) 2024/1689 (AI Act), Art. 27: fundamental rights impact assessment.
Do I have to disclose that something was made by AI?
Often yes. Article 50 of the AI Act requires transparency: users must know when they are interacting with an AI system (such as a chatbot), and AI-generated content and deepfakes must be recognisable as such. These duties apply in phases; see the file for the exact dates.
In the knowledge base: Article 50: chatbots, deepfakes and the duty to make AI recognisable
Primary source: Regulation (EU) 2024/1689, Article 50 (transparency obligations for certain AI systems). · Article 50 in the unofficial rendering by the Future of Life Institute.
May I monitor my drivers or staff with AI?
Not without limits. AI that infers emotions in the workplace has been banned since 2 February 2025 (Art. 5). Other forms of AI monitoring can be high-risk and in any case fall under the GDPR: you need a legal basis, transparency and proportionality. Continuous, intrusive monitoring is legally risky.
In the knowledge base: May I monitor my drivers with AI?
Primary source: Regulation (EU) 2024/1689 (AI Act); phased application 2025–2027.
Do DORA or NIS2 apply to me?
For financial entities DORA prevails: it is the lex specialis for digital resilience in the financial sector. If you don't fall under it but are in a designated sector (such as transport), NIS2 applies. Some organisations touch both; the file explains the demarcation.
In the knowledge base: DORA or NIS2: which one applies to my (logistics) organisation?
Primary source: Regulation (EU) 2022/2554 (DORA), authentic text; applies since 17 January 2025; scope limited to financial entities. · Directive (EU) 2022/2555 (NIS2): transport as an essential sector; relationship with sector-specific Union acts.
What is the Cyber Resilience Act?
The Cyber Resilience Act sets mandatory cybersecurity requirements for products with digital elements — from software to connected hardware — across their lifecycle, including security updates and vulnerability reporting. Manufacturers must demonstrate conformity (CE marking). The requirements apply in phases.
In the knowledge base: Cyber Resilience Act: security requirements for connected products
Primary source: Regulation (EU) 2024/2847 (Cyber Resilience Act): security requirements for products with digital elements; full application 11 December 2027. · European Commission — Cyber Resilience Act: scope, obligations and phased entry into application.
May I use a digital consignment note (e-CMR)?
Yes. The e-CMR is the electronic version of the international consignment note; states that ratified the protocol recognise it as legally valid. In the EU the eFTI Regulation sits on top, requiring authorities to accept digital transport data. See the file for the status per country.
In the knowledge base: eCMR: the electronic consignment note in road transport
Primary source: European Parliament (EPRS): briefing on electronic freight documents and the eCMR (Additional Protocol to the CMR Convention, 2008). · Regulation (EU) 2020/1056 (eFTI): authorities must accept electronic freight information via certified platforms (from 9 July 2027).
From when is eFTI mandatory?
The eFTI Regulation requires authorities to accept transport information digitally when a company provides it electronically; that acceptance duty starts in 2027. For companies, providing it is not an obligation but a right — and increasingly the norm in practice. See the file for the exact date.
In the knowledge base: Is eFTI mandatory for me as a carrier?
Primary source: Regulation (EU) 2020/1056 (eFTI): authorities must accept electronic freight information from 9 July 2027, via certified platforms.
What does AEO status get you?
AEO (Authorised Economic Operator) is the 'trusted trader' status in customs law. It brings benefits such as fewer physical checks, faster handling and mutual recognition with third countries. In return there are requirements on compliance, record-keeping and security.
In the knowledge base: AEO status: what does Authorised Economic Operator offer and what are the requirements?
Primary source: Regulation (EU) 952/2013 (Union Customs Code), Arts 38-39: AEO. · European Commission — Authorised Economic Operator (AEO).
Which AI uses are outright banned?
Article 5 bans, among others: social scoring by authorities, untargeted facial-recognition scraping, emotion recognition in the workplace and education, biometric categorisation on sensitive traits, certain predictive-policing uses, and manipulative or exploitative AI. These prohibitions have applied since 2 February 2025.
In the knowledge base: Prohibited AI practices (Article 5): the hard floor that already applies
Primary source: Regulation (EU) 2024/1689, Article 5 (prohibited practices) and Article 99(3) (maximum fine). · Commission guidelines on the prohibited practices, adopted 4 February 2025.
When do I, as a user, become a 'provider' under the AI Act?
Under Article 25 you, as a deployer, become a provider yourself — taking on the heavier provider duties — if you put your own name or brand on a high-risk system, substantially modify it, or change it so that it becomes high-risk. Responsibility then shifts to you.
In the knowledge base: When do I, as a user, become the provider of an AI system (Art. 25)?
Primary source: Regulation (EU) 2024/1689 (AI Act), Art. 25: responsibilities along the value chain.
Do I have to report a serious AI incident?
Yes, for high-risk AI. Article 73 requires providers to report serious incidents to the market surveillance authority without undue delay after establishing a causal link. See the file for the exact deadlines per incident type.
In the knowledge base: Reporting serious AI incidents: what does AI Act Art. 73 require?
Primary source: Regulation (EU) 2024/1689 (AI Act), Arts 72-73: monitoring and incident reporting.
Does my high-risk AI need CE marking?
Yes. High-risk AI must undergo a conformity assessment and carry CE marking before being placed on the market. For most systems this can be done via internal control; in certain cases a notified body is required.
In the knowledge base: Conformity assessment and CE marking for high-risk AI: how does it work?
Primary source: Regulation (EU) 2024/1689 (AI Act), Arts 43, 47, 48: conformity assessment and CE.
Is my planning algorithm high-risk?
Possibly. Algorithms that allocate work, monitor performance or evaluate staff fall under the Annex III employment category and can therefore be high-risk. It depends on how decisively the system shapes decisions about people.
In the knowledge base: Is my planning algorithm high-risk under the AI Act?
Primary source: Regulation (EU) 2024/1689 (AI Act); phased application 2025–2027.
Do my warehouse robots fall under the AI Act or the Machinery Regulation?
Often both. If the robot uses AI as a safety component, the AI Act may apply; on top of that, the new Machinery Regulation sets its own safety requirements. The two regimes stack, with combined CE requirements. See the file for the timeline.
In the knowledge base: Does my warehouse robot fall under the AI Act and the Machinery Regulation?
Primary source: Regulation (EU) 2024/1689 (AI Act); phased application 2025–2027.
What is the GPAI Code of Practice and must I join?
The GPAI Code of Practice is a voluntary instrument (Art. 56) through which providers of GPAI models can demonstrate compliance with their duties. Three chapters: transparency, copyright, and safety & security. Joining is not mandatory, but the code is becoming the benchmark in practice.
In the knowledge base: The GPAI Code of Practice: what is in it and who is it for?
Primary source: European Commission — GPAI Code of Practice. · Regulation (EU) 2024/1689 (AI Act), Arts 53, 55, 56: GPAI obligations.
Do I have to mark AI-generated content?
Often yes. Providers must mark their AI output in a machine-readable way, and deployers must label deepfakes as artificial (Art. 50). The European Commission published a code of practice showing how; the underlying transparency duty applies in phases.
In the knowledge base: Final Code of Practice on marking AI-generated content published
Primary source: Commission page with the final Code of Practice (10 June 2026): section 1 for providers, section 2 for deployers. · Commission FAQ: the code is voluntary, with machine-readable marking/detection and optional EU icons; reviewed at least every two years.
Do I need to adjust my contracts for the Data Act?
Probably. The Data Act affects terms on data access and sharing, switching between cloud services, and includes protection against unfair contract terms for SMEs. Review your B2B data and cloud contracts. The regulation has applied since September 2025.
In the knowledge base: Data Act: which contract terms must I review?
Primary source: Regulation (EU) 2023/2854 (Data Act): fair sharing terms (FRAND) and the ban on unfair contract terms. · European Commission — Data Act policy page: scope, rights and obligations.
What does the PPWR change for my packaging?
The Packaging and Packaging Waste Regulation (PPWR) sets requirements on recyclability, recycled content and reducing packaging waste, plus reuse targets. The obligations are phased in. See the file for the relevant dates and exemptions.
In the knowledge base: PPWR: the packaging regulation reshapes your logistics
Primary source: Regulation (EU) 2025/40 (PPWR): requirements for packaging and packaging waste; applicable from 12 August 2026. · European Commission — packaging and packaging waste (PPWR).
What is FuelEU Maritime and does it affect my shipping?
FuelEU Maritime requires ships to gradually cut the greenhouse-gas intensity of the energy they use on board. It applies to large ships calling at EU ports and is in force from 2025, alongside the ETS for shipping. See the file for the details.
In the knowledge base: FuelEU Maritime & EU ETS: decarbonisation reaches shipping
Primary source: Regulation (EU) 2023/1805 (FuelEU Maritime): GHG-intensity limits for ships >5,000 GT; applicable from 1 January 2025. · EMSA — FuelEU Maritime: scope, targets and obligations, including on-shore power at berth.
What does Euro 7 change for my fleet?
Euro 7 tightens vehicle emission limits and adds new requirements, such as limits on brake and tyre particles and rules on battery durability. The standards are phased in; see the file for the dates per vehicle category.
In the knowledge base: Euro 7: what does the new emission standard change for road transport?
Primary source: Regulation (EU) 2024/1257 (Euro 7): vehicle emission standards.
What is the EU Digital Identity Wallet (eIDAS 2)?
Under the revised eIDAS Regulation, member states must offer citizens and businesses a European Digital Identity Wallet to prove identity and documents securely and across borders. Rollout is foreseen from 2026; see the file for the status.
In the knowledge base: eIDAS 2.0 & the EU Digital Identity Wallet: digital identity for the chain
Primary source: Regulation (EU) 2024/1183 (eIDAS 2.0): European framework for digital identity and the EU Digital Identity Wallet. · European Commission — eIDAS framework and the rollout of the EU Digital Identity Wallet.
What are the NIS2 reporting deadlines for an incident?
For a significant incident there is a staged duty: an early warning within 24 hours, a fuller notification within 72 hours, and a final report later. The precise handling runs via the national CSIRT/authority.
In the knowledge base: NIS2: what exactly does the 24/72-hour reporting duty involve?
Primary source: Directive (EU) 2022/2555 (NIS2): phased reporting duty for significant incidents (early warning, notification, final report). · European Commission — NIS2: incident reporting and supervision.
My customer asks for CSRD data while I don't report myself — must I provide it?
Formally you are not in scope if you fall below the CSRD thresholds, but large customers and banks increasingly request ESG data through the value chain. In practice, providing it becomes part of the contract: not delivering can cost you the business.
In the knowledge base: CSRD chain requests: what if I don't have to report myself?
Primary source: Directive (EU) 2022/2464 (CSRD); sharply narrowed by the 2026 Omnibus.
Does the AI Act apply to small businesses (SMEs)?
Yes. There is no size threshold and no SME exemption: the AI Act applies whether you have 5 or 5,000 people, and also if you only use AI rather than build it. There are SME support measures, though, such as free access to regulatory sandboxes and simplified technical documentation. Want to know what affects you? Take the free scan on yrproject.
In the knowledge base: Article 4 AI Act: the literacy obligation that already applies
Primary source: Regulation (EU) 2024/1689, Article 4 and recital 20; date of application in Article 113. · European Commission questions and answers on the interpretation and scope of Article 4.
Is there a free way to check what the AI Act means for me?
Yes. The free AI Act scan on yrproject shows in a few minutes which rules affect you — prohibited practices, high risk, GPAI, transparency and AI literacy — with a readiness score, your biggest gaps and source references. No account needed; everything stays local in your browser.
In the knowledge base: High-risk AI mapped: classification and obligations in one overview
Primary source: Regulation (EU) 2024/1689: Article 6 and Annexes I and III (classification), Articles 8-27 (obligations), Article 49 (registration). · Chapter III of the AI Act in the unofficial rendering by the Future of Life Institute.
How do I start making an inventory of my AI systems?
Start with an inventory: which AI systems do you use or build, for what purpose, and what role does the system play in decisions about people? That determines the risk class and therefore your obligations. Over half of organisations don't yet have such an overview — it's the first step. The free scan on yrproject structures this inventory for you.
In the knowledge base: High-risk AI mapped: classification and obligations in one overview
Primary source: Regulation (EU) 2024/1689: Article 6 and Annexes I and III (classification), Articles 8-27 (obligations), Article 49 (registration). · Chapter III of the AI Act in the unofficial rendering by the Future of Life Institute.
What steps should I take before the AI Act deadlines?
Four steps, in order: (1) inventory your AI systems; (2) classify them (prohibited, high-risk, GPAI, transparency); (3) sort out AI literacy now — that duty already applies; (4) for high-risk AI, build the management system (EN ISO/IEC 42001 helps) and layer the harmonised standards on later. Start with the free scan to see your baseline and gaps.
In the knowledge base: The AI Act timeline of obligations: what applies when
Primary source: Regulation (EU) 2024/1689 (AI Act), authentic text in the Official Journal; Article 113 contains the application dates. · European Commission policy page on the AI Act, with the current state of implementation.
May I use copyright-protected material to train AI?
For commercial AI training in the EU you rely on the text-and-data-mining exception (Art. 4 DSM Directive): it applies unless the rightholder made a machine-readable reservation. The AI Act obliges GPAI providers to respect that reservation and to publish a summary of the training data — including for models trained outside the EU but placed on the EU market.
In the knowledge base: AI and copyright: may you use protected material as training data?
Primary source: Directive (EU) 2019/790 (DSM Copyright Directive), Art. 3 and 4: the text-and-data-mining exceptions. · Regulation (EU) 2024/1689 (AI Act), Art. 53 and recitals 104-107: copyright policy and training-data summary for GPAI.
Do I own the copyright in what an AI produces?
Purely machine-generated output in principle carries no copyright: protection requires a human creative choice (an 'author's own intellectual creation', CJEU). If you give the final result your own stamp through selection, editing or targeted instructions, it may be protected. Where the line falls is case-specific; arrange exclusivity contractually if needed.
In the knowledge base: AI and copyright: may you use protected material as training data?
Primary source: Directive (EU) 2019/790 (DSM Copyright Directive), Art. 3 and 4: the text-and-data-mining exceptions. · Regulation (EU) 2024/1689 (AI Act), Art. 53 and recitals 104-107: copyright policy and training-data summary for GPAI.
Do autonomous AI agents fall under the AI Act?
There is no separate 'agent' category, but agentic AI is firmly covered: the underlying model via the GPAI regime, the risk class via the use (Annex III = high-risk), plus the duties on transparency (Art. 50) and human oversight (Art. 14). The sharpest open question is liability for what an agent does autonomously. Treat an agent as high-risk until analysis shows otherwise.
In the knowledge base: Agentic AI: how do autonomous AI agents fall under the rules?
Primary source: Regulation (EU) 2024/1689 (AI Act), Art. 14 (human oversight), 50 (transparency), 53 and 55 (GPAI). · IMDA Singapore — Model AI Governance Framework for Agentic AI (22 January 2026), the world's first.
May I use AI in recruitment and hiring?
Yes, but under conditions. AI for recruitment, selection and workforce management falls under Annex III of the AI Act and is high-risk — for every employer, regardless of sector or size. You must build in human oversight, inform candidates and workers, and comply with the GDPR for automated decisions. Emotion recognition in the workplace is banned outright.
In the knowledge base: AI in recruitment and HR: what every employer needs to know
Primary source: Regulation (EU) 2024/1689 (AI Act): Annex III designates employment/workforce management as high-risk; Art. 5 bans emotion recognition in the workplace. · General Data Protection Regulation (GDPR), Art. 22: safeguards for decisions based solely on automated processing with significant effects.
Which incidents must AI providers report to the authorities?
Providers of high-risk AI must report serious incidents to the market surveillance authority (Art. 73). 'Serious' includes death or serious harm to health, serious and irreversible disruption of critical infrastructure, breaches of fundamental rights, and serious damage to property or the environment. Reporting is without undue delay after establishing a causal link; see the file for the exact deadlines.
In the knowledge base: Reporting serious AI incidents: what does AI Act Art. 73 require?
Primary source: Regulation (EU) 2024/1689 (AI Act), Arts 72-73: monitoring and incident reporting.
What is AEO and why apply for the status?
AEO (Authorised Economic Operator) is the customs status of 'trusted trader'. You apply for it because it brings concrete benefits: fewer physical and document checks, priority treatment, simplifications and mutual recognition with third countries. In return there are requirements on compliance, record-keeping, solvency and security.
In the knowledge base: AEO status: what does Authorised Economic Operator offer and what are the requirements?
Primary source: Regulation (EU) 952/2013 (Union Customs Code), Arts 38-39: AEO. · European Commission — Authorised Economic Operator (AEO).
Does NIS2 apply to the transport and logistics sector?
Yes. Transport is a designated essential sector under NIS2 — road, rail, air and water transport and related infrastructure. Medium and large entities must take risk-management measures, report incidents and ensure compliance at board level. The precise scope follows from the national implementing law.
In the knowledge base: NIS2: cybersecurity becomes a board responsibility in transport
Primary source: Directive (EU) 2022/2555 (NIS2): cybersecurity duties for essential and important entities; transposition by 17 October 2024. · European Commission — NIS2: scope (18 sectors, including transport), risk management and management accountability.
Do I have to register my organisation under NIS2?
Often yes. Member states must set up a registration mechanism, and entities in scope of NIS2 must register with the competent authority or CSIRT, providing basic details such as contact points and the member states where they operate. Certain digital service providers face a specific registration duty. See the file for the Dutch implementation.
In the knowledge base: "NIS2: must I register my organisation, and how?"
Primary source: Directive (EU) 2022/2555 (NIS2): registration of entities and the list of essential and important entities by Member States. · European Commission — NIS2: scope, entity categories and obligations for Member States and entities.
What does NIS2 mean for management liability?
NIS2 makes cybersecurity a management responsibility. The board must approve the risk-management measures, oversee their implementation and undergo mandatory training — and can be held personally liable for serious negligence. Cybersecurity is thus no longer an IT matter but a boardroom one.
In the knowledge base: NIS2 and board accountability: what must management do?
Primary source: Directive (EU) 2022/2555 (NIS2): management governance (Art. 20) and risk-management measures (Art. 21). · European Commission — NIS2: governance and responsibility of management bodies.
Does medical AI fall under the AI Act or the MDR?
Often both. If the AI is a medical device (or part of one), the MDR applies with CE marking; at the same time AI as a safety component in such a regulated product is high-risk under the AI Act (Annex I). The conformity assessment is aligned as far as possible, via the same notified body. Health data also falls under the GDPR as special-category personal data.
In the knowledge base: AI in healthcare: the AI Act and the Medical Device Regulation (MDR)
Primary source: Regulation (EU) 2024/1689 (AI Act): Art. 6 and Annex I — AI as a safety component of regulated products (incl. medical devices) is high-risk. · Regulation (EU) 2017/745 (MDR): conformity and CE marking for medical devices.
May an algorithm automatically reject a candidate?
In principle no. GDPR Art. 22 prohibits decisions based solely on automated processing that significantly affect someone — such as an automatic rejection — unless safeguards apply (information, human intervention, objection). The AI Act adds meaningful human oversight for high-risk recruitment. 'A human presses the button' is not enough.
In the knowledge base: Can an algorithm reject a candidate? Automated decisions in recruitment
Primary source: General Data Protection Regulation (GDPR), Art. 22: safeguards for decisions based solely on automated processing with significant effects. · Regulation (EU) 2024/1689 (AI Act): Art. 14 (human oversight) and Art. 26 for high-risk recruitment.
How do I prevent AI discrimination in recruitment?
Recruitment AI is high-risk: the AI Act requires representative, bias-examined training data (Art. 10) and human oversight (Art. 14). Test your data and outcomes for unequal effects on protected groups, keep a human in the loop, and document your bias checks. Equal-treatment law and the GDPR also apply — a skewed outcome can be unlawful on three tracks.
In the knowledge base: AI and discrimination in recruitment: how to prevent bias?
Primary source: Regulation (EU) 2024/1689 (AI Act): Art. 10 (data quality and bias examination) and Annex III (recruitment as high-risk).
May I monitor employees with AI?
Within limits. Emotion recognition in the workplace is banned (Art. 5). Performance or behaviour monitoring can be high-risk (Annex III) and in any case falls under the GDPR: you need a valid legal basis, transparency and proportionality, often a DPIA, and in many countries works-council approval. Continuous, intrusive monitoring is legally risky.
In the knowledge base: Monitoring employees with AI: what is allowed and what isn't?
Primary source: Regulation (EU) 2024/1689 (AI Act): Art. 5 (ban on workplace emotion recognition) and Annex III (workforce management high-risk). · General Data Protection Regulation (GDPR): legal basis, transparency and data minimisation for monitoring.
Does the AI Act apply to schools and education?
Yes, and strictly. AI that determines admission, evaluates learning outcomes, assesses the level of education or monitors test behaviour (proctoring) falls under Annex III and is high-risk. Emotion recognition in educational institutions is also banned (Art. 5). The GDPR applies too, often involving minors' data, plus the AI-literacy duty.
In the knowledge base: AI in education: what does the AI Act mean for schools and trainers?
Primary source: Regulation (EU) 2024/1689 (AI Act): Annex III (education) high-risk; Art. 5 bans emotion recognition in education.
Does the AI Act apply to government?
Yes, and extra strictly. AI that determines access to public services or benefits, or is used in law enforcement, migration or justice, is high-risk (Annex III). As deployers, public authorities must carry out a fundamental rights assessment (FRIA, Art. 27) before use and be transparent to citizens. The SyRI case shows why: transparency and proportionality are decisive.
In the knowledge base: AI in government: what applies to the public sector?
Primary source: Regulation (EU) 2024/1689 (AI Act): Annex III (public services, law enforcement, migration, justice) high-risk; Art. 27 (FRIA for public authorities).
What is the European Health Data Space (EHDS)?
The EHDS is an EU regulation that gives citizens access to and control over their electronic health data and enables cross-border exchange (primary use), and governs the reuse of health data for research and policy via access bodies (secondary use). It builds on the GDPR and forms the backbone of trustworthy healthcare AI. Application is phased.
In the knowledge base: The European Health Data Space (EHDS): what changes for healthcare?
Primary source: Regulation (EU) 2025/327 (European Health Data Space): primary and secondary use of electronic health data. · General Data Protection Regulation (GDPR): the EHDS builds on and complements the GDPR for health data.
Is AI online proctoring (exam surveillance) allowed?
Under conditions. AI that detects prohibited behaviour during tests is high-risk (Annex III): human oversight on every flag, transparency and logging. If the tool measures emotions or 'engagement', it is banned (Art. 5). The GDPR also requires proportionality (is there a less intrusive alternative?) and a DPIA — especially for minors.
In the knowledge base: AI proctoring and exam surveillance: is AI monitoring allowed?
Primary source: Regulation (EU) 2024/1689 (AI Act): Annex III (detecting prohibited behaviour during tests) high-risk; Art. 5 bans emotion recognition in education. · General Data Protection Regulation (GDPR): legal basis, proportionality and DPIA for monitoring.
Must governments publish or register their algorithms?
Yes, in two ways. Dutch governments publish their algorithms in the national Algorithm Register (transparency to citizens). In addition, the AI Act requires registration of high-risk AI in an EU database (Art. 49/71) — also by the authority deploying such a system. Keep the information consistent with your fundamental rights assessment (FRIA).
In the knowledge base: The algorithm register: must governments publish their AI?
Primary source: Regulation (EU) 2024/1689 (AI Act): Art. 49 and 71 — registration of high-risk AI in the EU database, also by public authorities. · The Dutch Algorithm Register: public transparency about algorithms used by government.
Prohibited AI practices (Article 5): the hard floor that already applies
Article 5 is the hardest provision of the AI Act: not obligations or conditions, but an outright ban. It has applied since 2 February 2025, to providers and deployers alike, and the Digital Omnibus agreement of May 2026 changes nothing about it (see the timeline). Violations risk the regulation's highest fine category: up to €35 million or 7 percent of worldwide annual turnover (Article 99(3)).
In the knowledge base: Prohibited AI practices (Article 5): the hard floor that already applies
Primary source: Regulation (EU) 2024/1689, Article 5 (prohibited practices) and Article 99(3) (maximum fine). · Commission guidelines on the prohibited practices, adopted 4 February 2025.
High-risk AI mapped: classification and obligations in one overview
The high-risk regime of Chapter III is the centre of gravity of the AI Act: by far the most obligations, the conformity assessment and the CE marking hang from it. It is also the part whose date of application is expected to shift, under the Digital Omnibus agreement of 7 May 2026 (see the timeline), to 2 December 2027 (Annex III) and 2 August 2028 (Annex I). What has to be done does not change — only when.
In the knowledge base: High-risk AI mapped: classification and obligations in one overview
Primary source: Regulation (EU) 2024/1689: Article 6 and Annexes I and III (classification), Articles 8-27 (obligations), Article 49 (registration). · Chapter III of the AI Act in the unofficial rendering by the Future of Life Institute.
FRIA: when must I run a fundamental-rights impact assessment (Art. 27)?
Short answer: Not every user of high-risk AI has to run a fundamental-rights impact assessment (FRIA). Article 27 of the AI Act imposes that duty only on specific deployers: public bodies, private parties that provide public services, and those using high-risk AI to assess creditworthiness or for risk assessment and pricing in life and health insurance. The FRIA must be completed before first use.
In the knowledge base: FRIA: when must I run a fundamental-rights impact assessment (Art. 27)?
Primary source: Regulation (EU) 2024/1689 (AI Act), Art. 27: fundamental rights impact assessment.
The AI Act timeline of obligations: what applies when
The AI Act (Regulation (EU) 2024/1689) entered into force on 1 August 2024, but its obligations apply in stages. Since the political agreement on the Digital Omnibus of 7 May 2026, two timelines moreover run in parallel: the dates currently written in the regulation, and the dates politically agreed but not yet published in the Official Journal. Anyone navigating this field needs to know both.
In the knowledge base: The AI Act timeline of obligations: what applies when
Primary source: Regulation (EU) 2024/1689 (AI Act), authentic text in the Official Journal; Article 113 contains the application dates. · European Commission policy page on the AI Act, with the current state of implementation.
The GPAI regime: what providers of general-purpose AI models must already do
While the high-risk obligations are expected to shift to late 2027, the regime for general-purpose AI models (GPAI) is already running at full speed. Chapter V has applied to new models since 2 August 2025, and on 2 August 2026 the European AI Office gains the power to enforce it. For anyone offering large models — or building on them — this is currently the most concrete part of the AI Act.
In the knowledge base: The GPAI regime: what providers of general-purpose AI models must already do
Primary source: Regulation (EU) 2024/1689, Chapter V (Articles 51-56) and Article 101 (fines for GPAI providers). · The GPAI Code of Practice, published 10 July 2025, with chapters on transparency, copyright and safety.
Article 4 AI Act: the literacy obligation that already applies
Article 4 of the AI Act is one of the least conspicuous but most broadly applicable provisions of the law. It has applied since 2 February 2025, it touches virtually every organisation that uses AI systems — including those that merely deploy a generative AI assistant — and it was not postponed by the Digital Omnibus agreement of May 2026.
In the knowledge base: Article 4 AI Act: the literacy obligation that already applies
Primary source: Regulation (EU) 2024/1689, Article 4 and recital 20; date of application in Article 113. · European Commission questions and answers on the interpretation and scope of Article 4.
Article 50: chatbots, deepfakes and the duty to make AI recognisable
Between the prohibitions (already applicable) and the high-risk regime (expected late 2027) sits Article 50: the transparency layer that touches nearly every organisation deploying AI towards the public. Under the Digital Omnibus agreement of 7 May 2026 this layer becomes applicable on 2 December 2026 — formally, until publication in the Official Journal, the date still reads 2 August 2026 — and the accompanying marking code of practice was published in final form on 10 June 2026.
In the knowledge base: Article 50: chatbots, deepfakes and the duty to make AI recognisable
Primary source: Regulation (EU) 2024/1689, Article 50 (transparency obligations for certain AI systems). · Article 50 in the unofficial rendering by the Future of Life Institute.
AI Act: how high are the fines and who enforces?
Short answer: The AI Act (Regulation (EU) 2024/1689) sets tiered fines in Article 99, rising to EUR 35 million or 7% of total worldwide annual turnover for breaching the prohibition on certain AI practices — whichever is higher applies. Enforcement is shared: national market surveillance authorities enforce within the Member States, while the European Commission's AI Office supervises providers of general-purpose AI models.
In the knowledge base: AI Act: how high are the fines and who enforces?
Primary source: Regulation (EU) 2024/1689 (AI Act), authentic text in the Official Journal; Article 99 governs penalties. · European Commission page on the AI Office, the central body supervising general-purpose AI models.
May I monitor my drivers with AI?
Short answer: It depends on what the AI does. Emotion recognition in the workplace is banned, AI for scheduling, planning and recruitment is high-risk, and other monitoring is in principle allowed provided you meet the baseline obligations.
In the knowledge base: May I monitor my drivers with AI?
Primary source: Regulation (EU) 2024/1689 (AI Act); phased application 2025–2027.
AI in recruitment for logistics: is it high-risk under the AI Act?
Short answer: Yes, as a rule. AI systems you use to recruit, screen, or select candidates for logistics roles fall under Annex III of the AI Act and therefore count as high-risk — regardless of the sector you operate in.
In the knowledge base: AI in recruitment for logistics: is it high-risk under the AI Act?
Primary source: Regulation (EU) 2024/1689 (AI Act); Annex III classifies employment and workforce management as high-risk. · European Commission — overview of the AI regulatory framework and the risk-based approach.
Is eFTI mandatory for me as a carrier?
Short answer: not in the way you might think. eFTI does not require you to digitise your freight information. It requires the government to *accept* electronic freight information when you provide it — from 9 July 2027.
In the knowledge base: Is eFTI mandatory for me as a carrier?
Primary source: Regulation (EU) 2020/1056 (eFTI): authorities must accept electronic freight information from 9 July 2027, via certified platforms.
The Data Act for transport and logistics: who gets access to your vehicle and supply-chain data?
Transport and logistics run on data: telematics, on-board units, tachographs, reefer sensors, warehouse and terminal systems. Until recently the question "who owns that data?" was largely a matter of contracts and bargaining power. Since 12 September 2025 the Data Act (Regulation (EU) 2023/2854) gives a European answer. This is not AI regulation — it is purely about data: who may access it, on what terms, and how to avoid being locked into a single vendor.
In the knowledge base: The Data Act for transport and logistics: who gets access to your vehicle and supply-chain data?
Primary source: Regulation (EU) 2023/2854 (Data Act): access to and sharing of connected-product and related-service data; applicable since 12 September 2025. · European Commission — Data Act policy page: scope, rights and obligations, and phased application.
Which goods fall under CBAM?
Short answer: CBAM covers imports of iron and steel, aluminium, cement, fertilisers, electricity and hydrogen. The definitive regime applies from 1 January 2026 under Regulation (EU) 2023/956.
In the knowledge base: Which goods fall under CBAM?
Primary source: Regulation (EU) 2023/956 (CBAM); definitive regime from 1 January 2026.
Does NIS2 apply to my transport or logistics company?
Short answer: probably yes, unless you are micro or small. Air, rail, road and water transport are explicitly listed in NIS2 as an essential sector. So the question is not *whether* transport is in scope, but *whether your company is large enough.*
In the knowledge base: Does NIS2 apply to my transport or logistics company?
Primary source: Directive (EU) 2022/2555 (NIS2): transport as an essential sector; essential vs important entities by size. · European Commission — NIS2: scope (18 sectors, including transport) and entity categories.
When does ETS2 actually start?
Short answer: Actual pricing under ETS2 starts in 2028, one year later than the originally planned start in 2027. The monitoring and reporting obligations, however, are already running today.
In the knowledge base: When does ETS2 actually start?
Primary source: Directive (EU) 2023/959; ETS2 for road-transport fuel, starts 2028.
EMSWe: one maritime window for ship and port reporting
A ship calling at a European port must report a series of formalities: arrival and departure, cargo, crew, waste, security. For a long time these reports differed by country and by authority. The EMSWe Regulation (Regulation (EU) 2019/1239) harmonises that — and has applied since 15 August 2025.
In the knowledge base: EMSWe: one maritime window for ship and port reporting
Primary source: Regulation (EU) 2019/1239 (EMSWe): harmonised reporting formalities via national single windows; applicable since 15 August 2025. · European Commission — EMSWe: national single window, harmonised data set and the once-only principle.
Cyber Resilience Act: security requirements for connected products
Where NIS2 governs the cybersecurity of your organisation, the Cyber Resilience Act (Regulation (EU) 2024/2847) governs the security of the products themselves. For transport and logistics that is no abstraction: telematics, on-board units, trackers, sensors and connected vehicle components are all "products with digital elements".
In the knowledge base: Cyber Resilience Act: security requirements for connected products
Primary source: Regulation (EU) 2024/2847 (Cyber Resilience Act): security requirements for products with digital elements; full application 11 December 2027. · European Commission — Cyber Resilience Act: scope, obligations and phased entry into application.
eCMR: the electronic consignment note in road transport
In cross-border road transport the CMR consignment note has been the proof of the carriage contract for decades. The eCMR is its electronic counterpart — and it is gaining ground fast.
In the knowledge base: eCMR: the electronic consignment note in road transport
Primary source: European Parliament (EPRS): briefing on electronic freight documents and the eCMR (Additional Protocol to the CMR Convention, 2008). · Regulation (EU) 2020/1056 (eFTI): authorities must accept electronic freight information via certified platforms (from 9 July 2027).
FuelEU Maritime & EU ETS: decarbonisation reaches shipping
Beyond the digital and data rules, shipping is also hit by a decarbonisation wave. Two EU instruments work together: FuelEU Maritime steers the fuel, the EU ETS prices the emissions.
In the knowledge base: FuelEU Maritime & EU ETS: decarbonisation reaches shipping
Primary source: Regulation (EU) 2023/1805 (FuelEU Maritime): GHG-intensity limits for ships >5,000 GT; applicable from 1 January 2025. · EMSA — FuelEU Maritime: scope, targets and obligations, including on-shore power at berth.
PPWR: the packaging regulation reshapes your logistics
The Packaging and Packaging Waste Regulation (PPWR, Regulation (EU) 2025/40) affects everyone who packs, ships or stores goods. It entered into force on 11 February 2025 and, after a transition period, applies from 12 August 2026. Unlike a directive, a regulation applies directly — no national transposition needed.
In the knowledge base: PPWR: the packaging regulation reshapes your logistics
Primary source: Regulation (EU) 2025/40 (PPWR): requirements for packaging and packaging waste; applicable from 12 August 2026. · European Commission — packaging and packaging waste (PPWR).
CSRD after the Omnibus: who in transport still has to report?
The CSRD required companies to produce extensive ESG reporting. For transport and logistics the picture changed dramatically in 2026 through the Omnibus — the EU simplification package that sharply reduced its scope.
In the knowledge base: CSRD after the Omnibus: who in transport still has to report?
Primary source: European Commission — Corporate Sustainability Reporting Directive (CSRD): scope and reporting obligations. · Directive (EU) 2022/2464 (CSRD): the original sustainability reporting directive, narrowed by the 2026 Omnibus.
eIDAS 2.0 & the EU Digital Identity Wallet: digital identity for the chain
Digitising freight documents (eCMR, eFTI) stands or falls on trust: who is the sender, is the permit valid, is the signature genuine? eIDAS 2.0 (Regulation (EU) 2024/1183) builds the European foundation for that with the EU Digital Identity Wallet.
In the knowledge base: eIDAS 2.0 & the EU Digital Identity Wallet: digital identity for the chain
Primary source: Regulation (EU) 2024/1183 (eIDAS 2.0): European framework for digital identity and the EU Digital Identity Wallet. · European Commission — eIDAS framework and the rollout of the EU Digital Identity Wallet.
EU Deforestation Regulation (EUDR): what it means for logistics and import
Short answer: The EU Deforestation Regulation (EUDR, Regulation (EU) 2023/1115) prohibits placing seven commodities and their derived products on the EU market — or exporting them — if they come from land deforested or degraded after 31 December 2020. Anyone who imports or trades these goods must be able to prove this through a due diligence statement containing geolocation data. For large and medium operators the regulation applies from 30 December 2026.
In the knowledge base: EU Deforestation Regulation (EUDR): what it means for logistics and import
Primary source: Regulation (EU) 2023/1115 (EUDR): rules against deforestation; due diligence and traceability for seven commodities. · European Commission — deforestation-free products regulation (EUDR): scope and application dates.
AEO status: what does Authorised Economic Operator offer and what are the requirements?
Short answer: AEO status is a mark that customs uses to recognise you as a trusted trader. It brings fewer checks, priority treatment and easier access to simplifications. In return, you must meet fixed requirements such as a clean compliance record and auditable records.
In the knowledge base: AEO status: what does Authorised Economic Operator offer and what are the requirements?
Primary source: Regulation (EU) 952/2013 (Union Customs Code), Arts 38-39: AEO. · European Commission — Authorised Economic Operator (AEO).
Euro 7: what does the new emission standard change for road transport?
Short answer: Euro 7 is the new EU emission standard that succeeds Euro 6 (light vehicles) and Euro VI (heavy vehicles). It regulates not only exhaust emissions but, for the first time, also non-exhaust emissions such as brake and tyre wear, and it sets durability requirements for electric-vehicle batteries. The application dates differ per vehicle category.
In the knowledge base: Euro 7: what does the new emission standard change for road transport?
Primary source: Regulation (EU) 2024/1257 (Euro 7): vehicle emission standards.
DORA or NIS2: which one applies to my (logistics) organisation?
Short answer: For a logistics organisation, NIS2 is almost always the relevant framework, not DORA. NIS2 explicitly lists transport (air, rail, road, water) as an essential sector. DORA applies only to financial entities. If you are both at once — for example a carrier holding a payment licence — DORA takes precedence for that part as the more specific rule.
In the knowledge base: DORA or NIS2: which one applies to my (logistics) organisation?
Primary source: Regulation (EU) 2022/2554 (DORA), authentic text; applies since 17 January 2025; scope limited to financial entities. · Directive (EU) 2022/2555 (NIS2): transport as an essential sector; relationship with sector-specific Union acts.
Which smart tachograph deadline applies to my truck?
Short answer: Which smart tachograph deadline applies to you depends on the device currently fitted in your truck and whether you carry out international transport. Under the Mobility Package (Regulation (EU) 2020/1054), older devices must be phased out and replaced by the second-generation smart tachograph (ST2).
In the knowledge base: Which smart tachograph deadline applies to my truck?
Primary source: Regulation (EU) 2020/1054 (Mobility Package); second-generation smart tachograph.