Guidance for organisations deploying or self-hosting a Qiplim Studio instance within the European Union.
Last updated: April 2026. Based on Regulation (EU) 2024/1689.
The EU AI Act (Regulation 2024/1689) is the world's first comprehensive legal framework for artificial intelligence. It classifies AI systems by risk level and imposes obligations on providers and deployers. Key compliance deadlines run from February 2025 to August 2027.
Qiplim Studio uses AI (LLMs) to generate educational content: quizzes, summaries, flashcards, podcasts, etc. from documents. The classification depends on how you deploy it.
Content generation (creating learning materials from documents) is not listed in Annex III. If Qiplim Studio is used as a content creation tool where educators review and approve outputs before use, it falls under limited or minimal risk.
Under Annex III, section 3 (Education and vocational training), these uses ARE high-risk:
If your deployment uses quiz/assessment results to automatically determine grades, certifications, or student progression without human review, it may be classified as high-risk.
Educators use Qiplim to generate content, review it, then deliver to students.
Transparency: inform users that content is AI-generated. No further AI Act obligations.
Students interact with generated content. Results are tracked but not used for decisions.
Transparency: clearly label AI-generated content. Inform students that AI is involved. Keep human oversight for any assessment decisions.
AI-generated quiz results directly influence grades, certifications, or student access.
Full high-risk compliance required: risk management system, data governance, technical documentation, transparency to deployers and users, human oversight measures, accuracy and robustness testing, EU database registration.
Transparency: label all AI-generated content as such
Human oversight: ensure a qualified person reviews AI outputs before consequential use
Data governance: document what data is processed, where it is stored, and retention periods
Provider information: document which AI providers (Mistral, OpenAI, etc.) are used and their terms
BYOK keys: if using Bring Your Own Key, ensure your data processing agreements cover the AI provider
Risk assessment: evaluate whether your specific use case falls under Annex III high-risk categories
Record-keeping: enable logging of AI generations for audit purposes
User information: inform end users that AI is used in content generation
Choose your AI provider and control data processing. Keys encrypted with AES-256-GCM.
All AI generations are logged with provider, model, timestamps, and token usage.
Generated content goes through an editor before publication. No direct student-facing auto-publish.
Deploy on your infrastructure. Full control over data residency and processing.
Inspect the code. Verify what the AI does. No black box.
February 2025: Prohibited AI practices banned
August 2025: GPAI model obligations apply
August 2026: High-risk system requirements (Annex III) enforceable
August 2027: Full enforcement for all AI systems
This page provides general guidance and does not constitute legal advice. Consult a qualified legal professional to assess your specific deployment scenario.