Decide
EU AI Act and standards: deploying AI robots in Europe
An AI-powered robot deployed in Europe falls under the EU AI Act, the new Machinery Regulation and, often, the GDPR. Here are the verified deadlines, the applicable standards and who is responsible for what.
The regulatory landscape at a glance
An AI-powered robot installed in a European factory sits at the intersection of three frameworks. Regulation (EU) 2024/1689, the AI Act, governs the AI system itself horizontally. The Machinery Regulation (EU) 2023/1230, applicable from 20 January 2027, governs the physical safety of the machine and replaces Directive 2006/42/EC. Finally, the GDPR applies as soon as the robot captures personal data: cameras filming operators, sensors that can track individual performance, or maintenance data traceable to a person.
These three texts do not replace one another: they stack. A single project may therefore require CE marking under the Machinery Regulation, a conformity assessment under the AI Act and an impact assessment under the GDPR. This page summarises the state of the law as verified on 9 July 2026; it is general information, not legal advice. For a specific project, have your analysis validated by specialised counsel.
EU AI Act: timeline and how robots are classified
The AI Act entered into force on 1 August 2024 and applies in waves. Important: the simplification package known as the digital omnibus on AI, given final approval by the Council of the EU on 29 June 2026, has postponed the high-risk deadlines compared with the original schedule.
| Date | What applies |
|---|---|
| 2 February 2025 | Prohibitions (Article 5) and AI literacy obligations |
| 2 August 2025 | Obligations for general-purpose AI models (GPAI), governance and penalties |
| 2 August 2026 | General application of the regulation, including transparency obligations (Article 50) |
| 2 December 2027 | Standalone high-risk systems under Annex III (postponed from 2 August 2026) |
| 2 August 2028 | High-risk systems embedded in regulated products under Annex I, including machinery (postponed from 2 August 2027) |
For robotics, the decisive classification route is Article 6(1): an AI system is high-risk if it is a safety component of a product covered by the legislation listed in Annex I (which includes machinery legislation) and subject to third-party conformity assessment. A perception model that triggers the safety stop of a cell, or that drives collision avoidance on a mobile robot, typically falls into this category.
The corresponding obligations are substantial: a risk management system (Article 9), governance of training data (Article 10), technical documentation (Article 11), event logging (Article 12), transparency towards the deployer (Article 13), effective human oversight (Article 14) and accuracy, robustness and cybersecurity requirements (Article 15). The industrial deployer has its own obligations (Article 26): use the system in line with its instructions, assign oversight to trained staff and inform the affected workers.
Machinery Regulation 2023/1230: what changes
Regulation (EU) 2023/1230 applies in full from 20 January 2027. Directive 2006/42/EC ceases to apply the same day, with no coexistence period: a machine placed on the market on 21 January 2027 must comply with the new text. Being a regulation rather than a directive, it applies directly across the EU without national transposition.
The key changes for a robotics project:
- Self-learning AI is explicitly covered. The text addresses systems with "fully or partially self-evolving behaviour" using machine learning approaches. Safety components with such behaviour are listed among the particular-risk products in Annex I Part A: their conformity assessment must go through a notified body, with no self-certification option.
- Cybersecurity becomes a safety requirement. Safety functions must be protected against corruption, and the manufacturer must maintain software security over the machine's lifetime, with update documentation for ten years after placing it on the market.
- Substantial modification is now regulated. Whoever substantially modifies a machine in service, for instance by adding an AI module that changes a safety function, becomes the manufacturer and must redo the conformity assessment.
- Digital instructions are allowed, under conditions, which simplifies fleet documentation.
ISO standards: the 2026 state of the art
Standards translate legal requirements into technical solutions presumed compliant. Three references structure robotics in 2026:
- ISO 10218-1:2025 and ISO 10218-2:2025 (industrial robots and cell integration): this major revision, published in early 2025 after nearly eight years of work, absorbs the content of ISO/TS 15066 on collaborative applications, clarifies functional safety and adds cybersecurity requirements. There is no longer a separate "cobot" standard: collaboration is an application mode covered by ISO 10218.
- ISO 13482 (service robots): the revision replacing the 2014 edition was finalised in early 2026. It is restructured by robot type and adds cybersecurity and data protection clauses.
- Humanoids: no dedicated standard yet. The IEEE humanoid study group, more than 60 experts led by ASTM International, has published its framework (taxonomy, stability metrics, human-robot interaction) to prepare future standards. On the ISO side, ISO 25785-1 is under development for mobile robots with actively controlled stability, meaning machines that, like humanoids, must maintain dynamic balance. Until then, an industrial humanoid is handled through ISO 10218 and an ISO 12100 risk assessment.
One caveat: the harmonisation of these standards under Machinery Regulation 2023/1230, which grants presumption of conformity through citation in the Official Journal of the EU, follows its own timetable. Check the citation status when your project starts. Our platforms comparator covers the cobots, arms and AMRs these standards apply to.
CE marking an AI robot cell: who is responsible
The most misunderstood question in robotics projects. Three roles, three distinct responsibilities:
- The robot manufacturer generally delivers "partly completed machinery": a robot arm on its own has no complete function. It comes with a declaration of incorporation and assembly instructions, not a CE marking as a final machine.
- The integrator who assembles robot, gripper, conveyors, sensors and software into a working cell becomes the manufacturer of the assembly. The integrator carries out the risk assessment of the complete cell, compiles the technical file, issues the EU declaration of conformity and affixes the CE marking. Individual CE markings on each component are never enough: the interfaces between machines create risks of their own.
- The deployer (the industrial operator) is responsible for compliant use: upkeep, operator training, employer obligations under national law, and the AI Act's deployer obligations for high-risk systems. If it substantially modifies the cell, it switches into the manufacturer role.
If your plant integrates its own cells, it holds both the integrator and deployer roles: plan the compliance skills and budget accordingly.
An 8-point checklist for industrial leaders
- Map the AI systems embedded in the project (perception, planning, control) and determine whether any of them acts as a safety component: that is the trigger for high-risk qualification under the AI Act.
- Identify your legal role for each piece of equipment: manufacturer, integrator or deployer. The obligations flow directly from it.
- Require the key documents from your supplier: declaration of incorporation or conformity, technical file, ISO 10218:2025 compliance for an industrial robot.
- Plan for the double deadline: Machinery Regulation on 20 January 2027 for any machine placed on the market after that date, embedded high-risk AI Act obligations on 2 August 2028.
- Clarify whether continuous learning is active in production. If self-evolving behaviour touches safety, anticipate the mandatory notified body route.
- Address the GDPR from the design stage: camera coverage, worker data, impact assessment if individual monitoring is possible.
- Organise human oversight: named roles, training, stop procedures, logging that is usable after an incident.
- Put long-term compliance in the contract: responsibility for software and cybersecurity updates, ten years of support, substantial modification clauses.
Keep reading
- Cost the compliance work in our factory ROI pillar.
- Place these deadlines within a broader decision with our factory director's roadmap.
- Compare the platforms covered by these standards in our platforms comparator.
Sources: Regulation (EU) 2024/1689, AI Act (June 2024), Gibson Dunn, AI omnibus agreement (May 2026), Covington, deadline relief (May 2026), Regulation (EU) 2023/1230 on machinery (June 2023), ISO 10218-1:2025, A3, ISO 10218 FAQ (2025), ISO 13482 revision (2026), The Robot Report, IEEE humanoid framework (2026). Verified 9 July 2026. This is not legal advice.