The classic trap
Article 1 looks purely declaratory: a simple statement of subject matter. That is exactly the trap. Organisations read it as a preamble with no legal weight and conclude too quickly that the Regulation does not concern them. Yet Article 1 sets the material scope of the text: as soon as a system meets the definition of AI and is placed on the market, put into service or used in the Union, the full set of obligations applies. The EU AI Office (Brussels) supervises general-purpose AI models, and the CNPD remains competent for the personal data dimension. In Luxembourg, the AI market surveillance authority has not yet been formally designated, but this institutional uncertainty does not suspend your obligations: it only delays the moment of inspection.
What Article 1 actually triggers for you
The subject matter lists seven blocks of obligations (a to g) that do not all activate at the same pace or with the same intensity. Compliance starts with one simple question: where, in your information system, is AI hiding within the meaning of the Regulation?
- Prohibited practices (point b) apply first and hit hard: social scoring, manipulation, emotion recognition in the workplace.
- High-risk requirements (point c) cover recruitment, credit scoring and biometrics, uses very common in Luxembourg SMEs without them realising it.
- Transparency rules (point d) target chatbots, generated content and deepfakes, often embedded through third-party SaaS tools.
- General-purpose AI models (point e) create responsibility even when you merely integrate an external LLM API.
- Shadow AI, those AI tools adopted by teams without validation, is the leading source of unmanaged exposure.
How Luxgap automates this risk
Our Luxgap AI Inventory Radar makes scope denial impossible: it automatically discovers every AI system actually used across your organisation, including the shadow AI nobody declares. The tool continuously queries your M365 logs, Azure AD, network gateways and cloud spending records (AWS, Azure OpenAI, Anthropic) to map your complete AI footprint, without asking the owner to fill in a single form.
- Automatically detects every API call to an AI provider (OpenAI, Anthropic, Mistral, Azure OpenAI) as soon as a flow appears in your connected systems.
- Classifies each detected system against the Article 1 scope: prohibited practice, high-risk, transparency or general-purpose, based on the Regulation annexes.
- Alerts in real time via Teams or Slack when a new AI application is adopted by a team without prior validation.
- Scans your public sites and applications to flag chatbots and generated content subject to transparency obligations.
- Produces a timestamped, opposable PDF report, ready for an EU AI Office review or the future Luxembourg authority, demonstrating control of your AI scope.
Available as a complement to a Luxgap DPO or CISO mandate or as a dedicated SaaS module depending on your scope. Request a personalised quote and our teams will prepare a demonstration on your real perimeter, with a free blind audit within 48h to measure your exposure before any commitment.