Written by Jakub Rusinowski · Last updated 2026-07-12 · Hardware figures computed by our VRAM engine
This page is practitioner guidance on deployment mechanics, not legal advice — involve your counsel or DPO for decisions about your specific obligations.
The EU AI Act (Regulation (EU) 2024/1689) regulates AI by use case, not by hosting location — its main obligations for high-risk systems apply from August 2, 2026. Self-hosting does not exempt you from the Act; what it changes is role clarity and evidence: as the deployer (and sometimes provider) of an open-weight model you control the logs, documentation, and data flows the Act asks about, instead of depending on a vendor's paperwork. Here is the timeline, the role logic, and what an on-prem deployment does and does not solve.
The Act entered into force on August 1, 2024 and applies in stages (dates from the Regulation's own text):
| Date | What applies |
|---|---|
| February 2, 2025 | Prohibited practices (Art. 5) and AI-literacy duties |
| August 2, 2025 | Obligations for general-purpose AI (GPAI) *model providers*; governance structures |
| August 2, 2026 | The main event: obligations for high-risk AI systems (Annex III), transparency duties, most remaining provisions |
| August 2, 2027 | High-risk rules for AI embedded in regulated products (Annex I) and pre-existing GPAI models |
Penalties scale to the violation: up to €35M or 7% of global annual turnover for prohibited practices, lower tiers for other breaches. The reason this page exists on an on-prem hub: the August 2026 date is when the compliance questions stop being theoretical for ordinary companies — and the survey data on the stats page shows procurement already reacting.
Question 1 — is your use case high-risk? The Act classifies by *what the system does*, not where it runs. Annex III lists the high-risk domains: employment decisions (CV screening, promotion), education scoring, credit and insurance eligibility, essential-services access, biometrics, critical infrastructure, law enforcement. An internal document-summarization assistant is not high-risk; the same model wired into hiring decisions is. Most business deployments described on this hub — internal assistants, RAG over documents, drafting — fall outside Annex III and face only transparency-level duties (e.g., users must know they're interacting with AI). The classification exercise, done honestly per use case, is the first deliverable.
Question 2 — are you a deployer, or also a provider? The Act splits duties between the *provider* (who develops/places the system on the market) and the *deployer* (who uses it under their authority). Self-hosting an open-weight model for internal use makes you a deployer of your system. Two escalations to know about: substantially modifying a high-risk system, or placing your own AI system on the market under your name, can move you into provider territory with its heavier documentation and conformity duties. And the *GPAI model provider* obligations (training-data summaries, technical documentation) sit with the model's maker — Meta, Alibaba, Mistral — not with a company that downloads and runs the weights; the Act also contains carve-outs easing some GPAI duties for open-source-released models. Where exactly your deployment sits is a counsel question; the point here is that the roles are defined and self-hosting doesn't blur them.
What it does not change: your obligations. A high-risk use case carries the same deployer duties — human oversight, input-data relevance, monitoring, incident reporting, record-keeping — whether the model answers from your rack or a vendor's API. Anyone selling "on-premise = AI Act compliant" is selling a category error; run them through the vendor checklist.
What it genuinely changes — evidence and dependency:
The honest summary: the Act is workload regulation, and self-hosting is evidence infrastructure. Companies choosing on-prem "because of the AI Act" are usually choosing it for the same reason they choose it for GDPR — not exemption, but a shorter, self-owned path to demonstrating the things the law asks them to demonstrate.
For a company running (or planning) self-hosted AI, the preparation that counsel will not object to:
1. Inventory and classify every AI use case against Annex III — most will land outside it; the ones inside get the full treatment. 2. Stand up the logging now — the gateway-with-audit-log pattern from the deployment guide satisfies the record-keeping instinct of both this Act and GDPR, and it's a day of work. 3. Pin and document model versions — which model, which weights hash, which system prompts, for each use case. Trivial to do on owned infrastructure; this becomes your technical file's backbone if a use case is high-risk. 4. Add the transparency touches — users told they're talking to AI; AI-literacy training logged (already applicable since February 2025). 5. Put the high-risk use cases through counsel before August 2026 — with the inventory, logs, and version documentation above, that conversation is short.
Jakub Rusinowski, the founder of LLM Configurator, runs corporate workshops and lectures on deploying local LLMs — hardware sizing, model selection, compliance-friendly architectures, and hands-on setup for your team. Direct, vendor-neutral, practitioner-level.