EU AI Act Compliance
AI Act Public Sector Compliance: What Government Deployers Must Do Now
Public bodies face some of the strictest obligations under the EU AI Act, from mandatory fundamental rights impact assessments to citizen-facing transparency rules. Here is exactly what municipal and central government deployers must do before the deadlines hit.
Public bodies are not spectators in the EU AI Act
AI act public sector compliance is not optional, and it is not a distant concern. Under the EU AI Act, government bodies that deploy AI systems carry obligations that are, in several cases, heavier than those placed on private-sector deployers of equivalent tools. If your municipality uses an automated scoring system to prioritise social benefit applications, or your ministry deploys an AI tool to assess permit eligibility, you are already in scope. The question is whether you are prepared.
The Act entered into force on 1 August 2024. The first hard deadline, covering prohibited AI practices under Article 5, passed on 2 February 2025. High-risk obligations under Article 26 apply from 2 August 2026. That is not far away for organisations that run on procurement cycles measured in years.
Why public sector deployers face stricter rules
The EU AI Act is explicit: systems used by public authorities in certain domains are automatically classified as high-risk. Annex III lists the categories. They include AI used in the administration of justice and democratic processes, essential private and public services, law enforcement, migration and border control, and the management of critical infrastructure.
Consider what this covers in practice. A Dutch gemeente (municipality) using AI to rank social assistance claimants is in Annex III. A national tax authority using algorithmic risk profiling to flag VAT fraud falls there too. A regional employment service using AI to match jobseekers to vacancies: also Annex III.
This matters because high-risk deployers carry obligations under Article 26 that go well beyond simply turning a tool on. You must verify that the AI system is fit for your intended purpose. You must ensure your staff have the AI literacy needed to operate and oversee it, per Article 4. You must log outputs, monitor for drift, and maintain incident records. You also bear direct responsibility for the decisions the system informs, even if a private-sector vendor built the model.
The mandatory Fundamental Rights Impact Assessment
This is the obligation that catches most public-sector organisations off guard. Article 27 requires deployers of high-risk AI systems to carry out a Fundamental Rights Impact Assessment (FRIA) before putting the system into use. This obligation applies specifically to bodies governed by public law and to private operators running public services.
A FRIA is not a checkbox exercise. It requires you to identify which categories of people are affected by the AI system, assess how the system could produce discriminatory or disproportionate outcomes, and document what safeguards are in place. You must consider intersecting characteristics: age, disability, ethnicity, gender, and socioeconomic status all warrant examination.
The FRIA must be registered. Article 27 requires public deployers to notify their relevant market surveillance authority of the outcome. In the Netherlands, the Autoriteit Persoonsgegevens (AP) has been designated as a competent supervisory authority. Belgian public bodies report to the AI Office and, depending on the processing involved, may also have obligations to the APD/GBA.
If your organisation has already conducted a GDPR Data Protection Impact Assessment (DPIA) for the same system, you do not start from zero. The FRIA draws on much of the same analysis. But the DPIA alone does not satisfy Article 27. A FRIA has a broader scope, examining fundamental rights beyond privacy, including the right to effective remedy under Article 47 of the EU Charter and the right to non-discrimination under Articles 21 and 22.
Citizen-facing transparency: what Article 50 requires
When a public body deploys AI in a way that interacts directly with citizens, Article 50 applies. Citizens must be informed that they are interacting with an AI system, not a human, unless this is obvious from context.
This is not about adding a footer to a webpage. If your municipality operates an AI-powered chatbot handling benefit queries, or a virtual assistant managing appointment scheduling, the disclosure must be active and clear at the start of the interaction. The obligation sits with the deployer, not just the vendor who built the tool.
For decisions that significantly affect citizens, transparency goes further. Under Article 86, individuals subject to decisions made with AI assistance have the right to receive a meaningful explanation of how the decision was reached. Public authorities are not exempt from this; they are directly bound.
This has immediate operational consequences. If your housing department uses AI to score social housing applications, rejected applicants can request an explanation of the AI-assisted decision. Your staff need to be able to provide one. That requires both technical documentation from the vendor and trained human reviewers who understand the system's outputs.
Procurement: the hidden compliance problem
Many public bodies assume their vendor carries the compliance burden. This is not how the AI Act works. Deployers are responsible for what they deploy.
When a central government ministry or regional authority procures an AI system, it must verify that the system has gone through the conformity assessment process required under the Act. For high-risk systems, this means checking that a CE marking has been issued, that the system is registered in the EU database established under Article 71, and that technical documentation is available for review.
Current public procurement frameworks in most EU member states were not designed with these requirements in mind. Tender documents typically specify functional requirements and price. They rarely include clauses requiring vendors to provide conformity assessment records, technical documentation under Article 11, or audit log access under Article 12.
The practical fix is to build AI Act compliance requirements into your procurement specifications now. Before 2026, every new AI-enabled contract your organisation signs should include: a warranty that the system meets Annex III obligations where applicable, contractual access to technical documentation, notification obligations if the vendor modifies the model, and the right to audit logs for the duration of the contract.
What this means for government employees day to day
Government employees who use AI tools in their work are subject to the Article 4 AI literacy obligation. This is not aspirational. The Act requires deployers to ensure that staff who operate high-risk AI systems have a sufficient understanding of the system's capabilities, limitations, and potential for error.
In practice, this means HR and learning and development teams in public bodies need to design and document training programmes for AI-using staff. A brief internal briefing is not enough. Training records must be maintained and should cover: what the system does, how it reaches outputs, where it can fail, and how to escalate concerns.
For front-line staff in social services, employment agencies, immigration services, and justice administration, this is especially pressing. These are the employees whose daily decisions are most directly shaped by AI-generated recommendations. They must be equipped to apply meaningful human oversight, as required by Article 26(1). An employee who rubber-stamps every AI output without review is not fulfilling that obligation, and neither is the organisation that trained them to do so.
Register, monitor, and report
Once a high-risk AI system is deployed, the obligations do not stop. Public-sector deployers must monitor systems for performance changes, log incidents, and report serious malfunctions to their national supervisory authority under Article 73. Fines for non-compliance reach €15 million or 3% of global annual turnover for prohibited practices violations, per Article 99. Public bodies are not shielded from enforcement.
Keep an up-to-date inventory of every AI system your organisation uses. Classify each one against Annex III. Where a system is high-risk, assign a named internal owner, document the FRIA, and set a calendar reminder for annual review.
Start with your inventory today. If you are unsure which of your current AI tools are in scope, run a free 2-minute compliance check at comply.khairos.ai to get an immediate picture of where your organisation stands before the August 2026 deadline.
# Need help getting compliant?
The free 2-minute compliance check shows you exactly where your gaps are. No email gate to see your score.
Start the free check →