The Definitive EU AI Act Glossary: 20 Crucial Terms Every Business Must Know

Navigating the compliance landscape of the European Union Artificial Intelligence Act (EU AI Act) requires a precise understanding of its legal vocabulary. The final, enacted text of the law shifted away from standard industry slang to establish rigid, legally binding definitions. Failing to understand the difference between a "deployer" and a "provider," or "placing on the market" versus "putting into service," can lead to massive regulatory exposure.

This glossary outlines the 20 most critical statutory terms defined under Article 3 and related chapters of the EU AI Act, translated into plain, actionable business English.


1. Core System & Model Definitions

1.1 Artificial Intelligence System (AI System)

  • Official Legal Meaning (Article 3(1)): A machine-based system designed to operate with varying levels of autonomy and that may, for explicit or implicit objectives, generate outputs such as predictions, content, recommendations, or decisions that can influence physical or virtual environments.
  • Plain English: Any software—ranging from simple machine learning classifiers to complex generative models—that can make decisions or generate content with some degree of independence from direct human input.
  • Why it matters: The Act specifically aligned this definition with the OECD standard to prevent simple, deterministic, rule-based software (like standard Excel macros or basic SQL logic) from accidentally falling under AI regulations.

1.2 General-Purpose AI (GPAI) Model

  • Official Legal Meaning (Article 3(63)): An AI model, including when trained with a large amount of data using self-supervision at scale, that displays significant generality and is capable of competently performing a wide range of distinct tasks regardless of the way the model is placed on the market and that can be integrated into a variety of downstream systems or applications.
  • Plain English: A foundation model (such as an LLM, text-to-image generator, or multimodal transformer) that isn't built for just one narrow purpose, but can be fine-tuned or prompted to do hundreds of different tasks (e.g., GPT-4, Claude 3, Llama 3).
  • Why it matters: GPAI models are regulated separately from AI systems. If you build a raw foundation model, you face GPAI obligations (Article 53); if you build an app on top of it, you are running an AI system.

1.3 GPAI Model with Systemic Risk

  • Official Legal Meaning (Article 3(65)): A GPAI model that has high-impact capabilities, evaluated on the basis of appropriate technical tools and methodologies, or that has been designated as such by the European Commission due to its reach or market impact.
  • Plain English: Extremely powerful frontier AI models. Currently, the law presumes systemic risk if the cumulative compute used to train the model exceeds $10^{25}$ FLOPs (floating-point operations).
  • Why it matters: Providers of these models face heavy requirements (Article 55), including mandatory adversarial testing (red-teaming), incident tracking, and state-of-the-art cybersecurity.

2. Supply Chain & Value Chain Roles

Understanding your role in the AI supply chain is critical. The law regulates entities based on what they do with the system, not just who they are.

2.1 Provider

  • Official Legal Meaning (Article 3(3)): A natural or legal person, public authority, agency or other body that develops an AI system or a GPAI model or has an AI system or a GPAI model developed and places it on the market or puts it into service under its own name or trademark, whether for payment or free of charge.
  • Plain English: The entity that actually creates, brands, and sells/releases the AI software.
  • Why it matters: Providers bear the heaviest burden under the Act, including building Quality Management Systems (QMS), drawing up Annex IV Technical Documentation, and executing conformity assessments.

2.2 Deployer

  • Official Legal Meaning (Article 3(4)): Any natural or legal person, public authority, agency or other body using an AI system under its authority in a professional capacity, except where the AI system is used in the course of a personal non-professional activity.
  • Plain English: A company, government agency, or professional that buys and uses an AI system in their business operations (e.g., an enterprise using an AI hiring tool to screen resumes). Note: This replaces the confusing term "User" from earlier drafts.
  • Why it matters: If your business implements third-party high-risk AI tools, you are a Deployer. Under Article 26, you have strict obligations regarding operator training, human oversight, keeping logs (for at least 6 months), and conducting impact assessments. We have mapped out the operational timeline for implementing these requirements in our 16-Week Readiness Plan.

2.3 Importer

  • Official Legal Meaning (Article 3(6)): Any natural or legal person established in the Union that places on the market an AI system that bears the name or trademark of a natural or legal person established outside the Union.
  • Plain English: The EU-based business that imports non-EU AI software into the European market.
  • Why it matters: Importers must legally verify that the non-EU provider has completed conformity assessments, drawn up technical files, and appointed an Authorized Representative. If they import non-compliant software, they share direct legal liability.

2.4 Distributor

  • Official Legal Meaning (Article 3(7)): Any natural or legal person in the supply chain, other than the provider or the importer, that makes an AI system available on the Union market without affecting its properties.
  • Plain English: A reseller, value-added partner, or marketplace vendor that distributes AI systems within the EU.
  • Why it matters: Distributors must verify that the AI system carries the mandatory CE Marking, has a registered EU database profile, and includes clear instructions for use before distributing it to customers.

2.5 Authorized Representative

  • Official Legal Meaning (Article 3(5)): Any natural or legal person established in the Union who has received a written mandate from a provider of an AI system or a GPAI model established outside the Union to act on its behalf and perform the tasks and obligations specified in this Regulation.
  • Plain English: An EU-based legal proxy that non-EU companies must hire to represent them in regulatory matters.
  • Why it matters: If your business is based in the US, UK, or anywhere else outside the EU, and you place an AI system on the EU market, you cannot do so legally without appointing an Authorized Representative. This representative serves as the local contact for market surveillance authorities and can be held liable for compliance failures.

3. Market Entry & Operational States

3.1 Placing on the Market

  • Official Legal Meaning (Article 3(9)): The first making available of an AI system or a GPAI model on the Union market.
  • Plain English: The exact moment you launch your software, open signups, or begin commercial distribution in the EU.
  • Why it matters: This is the legal "trigger event." The AI system must be fully compliant with all applicable rules of the Act prior to this exact moment.

3.2 Putting into Service

  • Official Legal Meaning (Article 3(11)): The supply of an AI system for first use directly to the deployer or for own use on the Union market for its intended purpose.
  • Plain English: Deploying a system for operational use, including building custom in-house AI tools for your own company's internal use (without selling them externally).
  • Why it matters: You cannot bypass the EU AI Act by claiming "we built it ourselves and don't sell it." Internal use of a high-risk AI system constitutes "putting into service" and triggers full compliance obligations.

4. Risk Classifications & Compliance Artifacts

4.1 Prohibited AI Practices (Unacceptable Risk)

  • Official Legal Meaning (Article 5): AI practices that are banned in the European Union because they pose a clear threat to safety, livelihoods, and fundamental rights.
  • Plain English: Banned AI use cases. Examples include untargeted scraping of facial images from the internet or CCTV, emotion recognition in workplaces/educational institutions, cognitive-behavioral manipulation, and social scoring.
  • Why it matters: Violating these prohibitions carries the highest administrative penalties in the Act: up to €35 million or 7% of worldwide annual turnover. These bans have been fully enforceable since February 2, 2025.

4.2 High-Risk AI System

  • Official Legal Meaning (Article 6): An AI system that is classified as high-risk either because it is a safety component of a regulated product (Annex I, e.g., medical devices, toys, vehicles) or because it falls under specific critical use cases listed in Annex III (e.g., critical infrastructure, employment, education, biometrics, banking, law enforcement).
  • Plain English: Systems that could cause serious harm to human safety or fundamental civil rights.
  • Why it matters: High-risk AI is the core focus of the Act. These systems are subject to extensive requirements before they can enter the EU market. For a deep dive into these obligations and why many firms are lagging, read our operational assessment of The August 2 Deadline.

4.3 Conformity Assessment

  • Official Legal Meaning (Article 3(20)): The process of demonstrating whether the requirements set out in Chapter III, Section 2 relating to a high-risk AI system have been fulfilled.
  • Plain English: A formal audit and validation process (either self-assessment or third-party "Notified Body" assessment) confirming that your high-risk AI meets all legal requirements.
  • Why it matters: A high-risk system cannot receive a CE Mark or enter the EU market without a successful, documented conformity assessment.

4.4 CE Marking (Conformity Marking)

  • Official Legal Meaning (Article 3(24)): A marking by which a provider indicates that an AI system is in conformity with the requirements set out in Chapter III, Section 2 and other applicable Union harmonisation legislation.
  • Plain English: The familiar "CE" logo stamped on products or embedded in software dashboards, proving the AI system is officially certified as compliant.
  • Why it matters: Mandatory for all high-risk AI systems prior to launch. It is the visual proof of regulatory compliance.

4.5 Fundamental Rights Impact Assessment (FRIA)

  • Official Legal Meaning (Article 27): A mandatory assessment conducted by specific deployers of high-risk AI systems to evaluate and mitigate risks to fundamental rights in the specific context of deployment.
  • Plain English: A pre-deployment impact assessment required for public bodies, utility providers, and companies using high-risk AI for credit scoring or life/health insurance risk pricing.
  • Why it matters: If you fall into these categories, you must complete the FRIA, document how your deployment affects rights (like non-discrimination, privacy, and due process), and submit it to the national market surveillance authority before turning the system on.

4.6 Article 6(3) Derogation (High-Risk Exception)

  • Official Legal Meaning (Article 6(3)): An AI system that would otherwise be classified as high-risk under Annex III shall not be considered high-risk if it does not pose a significant risk of harm to the health, safety or fundamental rights of natural persons, including by not materially influencing the decision-making outcome.
  • Plain English: A legal "opt-out" clause. If your Annex III-matched system only performs a narrow procedural task, prepares tasks, or detects decision patterns without replacing human judgment, you can claim an exemption.
  • Why it matters: This exemption is highly sought after by AI companies as a way to bypass heavy compliance costs. However, you must document this assessment and register the system in the EU database before launching. If your system performs profiling of natural persons, the exemption is automatically blocked.

5. Technical Monitoring & Supervision

5.1 Human Oversight

  • Official Legal Meaning (Article 14): Measures built into high-risk AI systems to ensure they can be effectively supervised, overseen, and controlled by competent natural persons during the period in which they are in use.
  • Plain English: Giving humans real-time transparency, warning flags, and an "emergency brake" (override capabilities) to prevent, pause, or reverse AI-driven decisions.
  • Why it matters: This must be designed into the UI/UX of the system from the beginning, not bolted on as a policy document afterwards.

5.2 Serious Incident

  • Official Legal Meaning (Article 3(44)): Any incident that directly or indirectly leads, has led or may lead to: the death of a person or serious damage to a person’s health; a serious and irreversible disruption of the management and operation of critical infrastructure; or a breach of obligations under Union law protecting fundamental rights.
  • Plain English: A critical malfunction of an AI system that causes severe physical, operational, or civil rights harm.
  • Why it matters: Both providers and deployers must immediately report any serious incidents to the European AI Office and national market surveillance authorities. Under Article 72, the reporting windows are exceptionally strict depending on severity:
    • Max 2 days for critical infrastructure disruptions.
    • Max 10 days in the event of a person's death or serious damage to health.
    • Max 15 days for general fundamental rights breaches or other serious incidents.

5.3 Biometric Categorisation System

  • Official Legal Meaning (Article 3(35)): An AI system for the purpose of assigning natural persons to specific categories on the basis of their biometric data, unless it is ancillary to another commercial service and strictly necessary for objective reasons.
  • Plain English: Using AI to classify people based on physical features (e.g., scanning faces to categorize gender, race, age, or political beliefs).
  • Why it matters: Biometric categorization systems based on sensitive political, religious, or philosophical beliefs are strictly prohibited under Article 5. Other variants are heavily restricted and classified as High-Risk.

5.4 Emotion Recognition System

  • Official Legal Meaning (Article 3(36)): An AI system for the purpose of identifying or inferring emotions or intentions of natural persons on the basis of their biometric data.
  • Plain English: AI that analyzes facial expressions, voice pitch, or gait to determine if someone is angry, lying, stressed, or happy.
  • Why it matters: Emotion recognition in workplaces (HR/recruitment) and educational institutions is completely banned under Article 5. Other uses (e.g., marketing research) require explicit, prior user disclosures.

6. Regulatory Operationalization

Understanding these legal terms is only the first step. For enterprises operating in or exporting to the European Union, the true challenge lies in translating these statutory definitions into repeatable engineering procedures and software controls. High-risk compliance cannot be an afterthought; it must be designed directly into the software architecture, the logging layers, and the user interfaces of your agentic workflows.

Through the Golonex AI Compliance & GRC practice, we specialize in helping mid-market enterprises operationalize these exact Article 3 definitions. Our engineering teams perform comprehensive boundary audits to determine your exact role—whether as a Provider, Deployer, or Importer—and construct secure, private enclaves featuring built-in, tamper-evident logging (Article 12) and real-time human oversight telemetry (Article 14). We turn regulatory requirements into robust operational speed.

To map your active systems against Article 3 boundary classifications, read more about our services at golonex.ai or contact our GRC engineering team.
