Skip to main content
v2026.1714 entries · CC-BY 4.0
CiteLicenceEN-GB
CASRAI

Editorial · CASRAI · Compliance and regulatory

Making sense of the EU AI Act for research administration

What the EU AI Act actually requires of research administrators, where the exemptions sit, and the practical compliance checklist for institutions in 2026.

ByCASRAI Editorial Board
Published 29 Jan 2026· 6 minute read

The EU Artificial Intelligence Act entered into force in August 2024 with a staged implementation timeline that runs through 2027. By February 2025 the prohibited-AI-practices provisions and the AI-literacy obligation became binding; through 2025 the general-purpose-AI provisions came into effect; in 2026 the high-risk-AI obligations begin to apply; in 2027 the act is fully in force. Research-administration offices across Europe (and at non-EU institutions handling EU data subjects or EU collaborators) have been working through the implications. This post is a practical orientation, not legal advice, on what the act requires of research administration in 2026.

What the act actually covers

The EU AI Act is risk-tiered. Prohibited practices (social scoring, real-time biometric identification in public spaces with narrow exceptions, exploitative manipulation) are out, full stop. High-risk AI systems — defined in Annex III to include AI used in education, employment, law enforcement, critical infrastructure, and several other domains — face substantial obligations around risk management, data governance, technical documentation, transparency, human oversight, accuracy, and post-market monitoring. Limited-risk AI (chatbots, emotion-recognition systems, AI-generated content) faces transparency obligations. Minimal-risk AI faces none specific to the act.

The research-specific carve-outs are important but narrower than is sometimes claimed. The act excludes AI systems and models developed solely for the purpose of scientific research and development; it does not exclude AI systems used in the conduct of research that is not itself AI research. A clinical-trial protocol that uses an AI system for patient stratification is not exempt because it is research; the AI system is being deployed in a context (healthcare) covered by the act. The exemption is for AI as an object of study, not AI as a tool of study.

Where research-administration touches the act

Five touchpoints in practice.

1. AI literacy obligation

Article 4 requires providers and deployers of AI systems to take measures to ensure a sufficient level of AI literacy of their staff and others using AI systems on their behalf. This applies to research-administration staff using AI tools (proposal-screening assistants, plagiarism detection with AI components, AI-assisted compliance review). The required “sufficient level” is not specified in detail; the European AI Office and national competent authorities are expected to publish guidance. The CASRAI EU AI Act entry tracks the guidance as it emerges.

Practically, institutions should be running AI-literacy training for research-administration staff in 2026. This need not be elaborate; an annual two-hour training covering what AI systems the institution uses, what their limitations are, what the disclosure obligations are, and where to escalate concerns is a defensible baseline.

2. High-risk AI in education and employment

Annex III includes AI systems used in education (admissions decisions, student assessment, allocation to programmes) and in employment (recruitment, performance evaluation, task allocation). University admissions offices using AI to triage applications fall within high-risk; research-administration offices using AI to score research proposals likely do not, but the boundary is being tested. Employment decisions about research staff — using AI to rank job applicants or to score performance for promotion — clearly fall within high-risk.

For research administration, the practical question is whether any AI system in current or planned use crosses the threshold. The compliance checklist runs: identify all AI systems in use; categorise each against the act; for high-risk systems, conduct a fundamental-rights impact assessment; ensure human oversight is meaningful, not nominal; document the risk-management system; register in the EU database.

3. GenAI transparency obligations

Article 50 requires that AI-generated content be marked as such, with limited exceptions. For research administration, this affects AI-generated text in proposal review, AI-generated summaries of compliance documents, AI-generated translations of regulatory text. Where AI is used to generate content that will be read by a human as if it were human-produced, the act requires a marker.

This dovetails with the publisher-led GenAI disclosure conventions for scholarly content. The CASRAI institutional GenAI disclosure guidance integrates the publisher requirements and the EU AI Act obligations into a single workflow.

4. Data governance and GDPR alignment

The AI Act intersects extensively with the GDPR. High-risk AI systems must use training, validation, and testing data sets that are relevant, sufficiently representative, free of errors, and complete. For systems trained on personal data, the GDPR’s purpose-limitation and minimisation principles apply alongside the AI Act’s data-governance requirements. Research administration that procures or deploys AI systems should ensure the AI vendor can document training-data provenance and consent status for any personal data used.

5. Research-exemption boundary cases

The research exemption is being tested at the boundary. A university research group developing an AI system as their research output is exempt; the same group using the system in a clinical context with EU patients is not. A university operating a public-facing AI service developed in-house is a provider under the act and subject to the full provider obligations even if the development was research. The European AI Office has indicated it will publish boundary guidance through 2026; until it does, the conservative reading is that any AI use outside the development phase brings the act into play.

The compliance checklist

The practical 2026 checklist for a research-administration office:

  • Inventory all AI systems in use or planned use across research administration.
  • Categorise each system against the AI Act risk tiers.
  • For high-risk systems, conduct a fundamental-rights impact assessment.
  • For GenAI use, ensure transparency markers are applied to AI-generated content.
  • For employment-decision systems involving research staff, ensure human oversight is documented and meaningful.
  • Run AI-literacy training for relevant staff.
  • Verify that AI vendors can document training-data provenance and consent.
  • Align AI Act compliance with GDPR processes; do not run parallel programmes.
  • Track guidance from the European AI Office and national competent authority.
  • Document everything; the act’s audit posture is documentation-heavy.

Non-EU implications

The act’s extraterritorial reach matters for non-EU institutions. If an institution outside the EU operates an AI system whose output is used in the EU, the act applies. A US university running AI-assisted admissions for an EU campus, a UK research administration office using AI to triage proposals from EU collaborators, a Canadian institution running a GenAI service available to EU users — all may fall within the act’s scope. Non-EU institutions with material EU engagement should run the same compliance checklist as EU institutions.

What’s still uncertain

Several material questions remain open through 2026 and will be resolved by Commission guidance, national-authority interpretation, or early case law. Where does the boundary of “research and development” sit? How is “sufficient level of AI literacy” measured? What documentation suffices for the fundamental-rights impact assessment? How does the act interact with existing sectoral regulation (clinical-trials regulation, education-sector law, employment law) in member states? The CASRAI compliance and regulatory domain is tracking these questions and publishing updates as guidance emerges.

For now, the operating posture for research administration is: take the inventory; do the risk-tiering; document the high-risk systems; run the literacy training; treat the act as a serious ongoing compliance programme, not a one-off exercise. The penalties under the act are substantial and the enforcement architecture is being built; the institutions that started in 2024-2025 are well placed, those that haven’t started should begin now.

Referenced across the research world

University of Cambridge logoColumbia University logoUniversity of Edinburgh logoHarvard University logoUniversity of Oxford logoPrinceton University logoStanford School of Medicine logoUniversity College London logoORCID logoCrossref logoUniversity of Cambridge logoColumbia University logoUniversity of Edinburgh logoHarvard University logoUniversity of Oxford logoPrinceton University logoStanford School of Medicine logoUniversity College London logoORCID logoCrossref logo
  • University of Cambridge logo
  • Columbia University logo
  • University of Edinburgh logo
  • Harvard University logo
  • University of Oxford logo
  • Princeton University logo
  • Stanford School of Medicine logo
  • University College London logo
  • ORCID logo
  • Crossref logo

View CASRAI adoption →