Image description: A printed EU AI Act document with a transparent ARIA accessibility-tree overlay and a fountain pen on top — the visual marker for the AI Act x disability law intersection.
Reading Time: 12 minutes
Regulation (EU) 2024/1689, commonly called the EU AI Act, was published in the Official Journal on 12 July 2024, entered into force on 1 August 2024, and reached its main applicability date — when the high-risk and general-purpose-AI obligations bind providers and deployers across the Single Market — on 2 August 2026. It is the first comprehensive horizontal AI law in any major jurisdiction, and it sits on top of, rather than replaces, the existing disability-rights stack: the European Accessibility Act, the Web Accessibility Directive, the Employment Equality Directive 2000/78/EC, and the EU’s ratification of the UN Convention on the Rights of Persons with Disabilities (CRPD).
Two articles do most of the load-bearing work where the AI Act and disability law collide. Article 16 sets the obligations on providers of general-purpose AI models — the foundation-model layer that powers most consumer-facing AI products in 2026. Article 73, read together with Articles 8 through 15 and Annex III, sets the requirements that bind providers and deployers of high-risk AI systems. This piece is a primer on how those two articles intersect with disability law in three concrete settings: AI used in employment (CV-screening tools, automated video-interview scoring), AI used in education (online proctoring, accessibility tooling, student-risk modelling), and AI used in essential services (consumer credit scoring, healthcare triage, public-benefit eligibility decisions). It also covers the CRPD overlay that the EU’s institutional commitments add on top, and the documentation duties — Annex IV technical documentation, post-market monitoring, fundamental-rights impact assessments — that vendors are now expected to produce.
What the AI Act is — and how it is structured
The AI Act is a regulation, not a directive: it applies directly in every Member State without national transposition, and the obligations it imposes on providers and deployers are uniform across the 27/27 EU national markets plus the EEA. Its core architectural choice is a risk-tier framework with four levels — prohibited practices (Article 5), high-risk AI systems (Articles 6 through 27 and Annex III), limited-risk transparency obligations (Article 50), and unregulated minimal-risk uses. Layered on top of the risk tiers, a separate regime — Articles 51 through 56 — governs general-purpose AI models, with stricter obligations triggered when a model crosses the systemic-risk threshold set in Article 51(2).
The phased applicability calendar matters because providers reading this in 2026 are not facing a single deadline. The Article 5 prohibitions on unacceptable-risk practices — social scoring by public authorities, real-time remote biometric identification in public spaces except for narrowly defined law-enforcement uses, emotion recognition in workplaces and schools — became applicable on 2 February 2025, six months after entry into force. The Article 51-56 general-purpose-AI obligations became applicable on 2 August 2025. The full high-risk regime, including the Article 73 post-market monitoring duties, came into force on 2 August 2026, with a further extension to 2 August 2027 for the subset of high-risk systems that are also safety components of products already regulated under EU product-safety legislation (Annex I sectoral law — medical devices, machinery, toys, vehicles).
Enforcement is split. National market-surveillance authorities — designated by each Member State and listed in a public register maintained by the AI Office — handle high-risk AI enforcement on the ground. The AI Office, established inside the European Commission’s DG CNECT, has exclusive competence for general-purpose-AI enforcement under Article 88. Maximum administrative fines run to EUR 35 million or 7% of worldwide annual turnover for breaches of the Article 5 prohibitions, EUR 15 million or 3% for breaches of most other operator obligations including the Article 16 and Article 73 duties covered in this primer, and EUR 7.5 million or 1% for supplying incorrect or misleading information to authorities.
Article 16 — what general-purpose-AI providers must do
Article 16 is the operative provision for the foundation-model layer. It applies to providers of general-purpose AI models — defined in Article 3(63) as AI models trained on a large amount of data using self-supervision at scale, displaying significant generality, capable of competently performing a wide range of distinct tasks. The large language models powering chatbots, the multimodal image-and-text models used in document analysis, the speech models that increasingly mediate accessibility tooling: all of them are general-purpose AI models for AI Act purposes, and their providers carry the Article 16 stack.
The Article 16 duties divide into three blocks. First, technical documentation: providers must prepare and keep up to date a technical file covering the model’s training, testing, and evaluation, including the training-data sources at a high level, the energy consumption of training, the evaluation benchmarks used, and the known limitations. Annex XI specifies the minimum content. Second, information disclosures to downstream deployers: providers must make available to companies that integrate the model into their own systems enough information about the model’s capabilities, limitations, intended use, and known risks for the downstream operator to comply with its own AI Act obligations. Third, copyright and content-provenance: providers must put in place a policy to comply with EU copyright law, including the Article 4(3) text-and-data-mining opt-out under Directive (EU) 2019/790, and publish a sufficiently detailed summary of the training-data corpus.
The disability angle on Article 16 is twofold. First, the limitations disclosure required under Annex XI Section 1(2)(c) explicitly covers known biases and unfair performance gaps — and accessibility-relevant performance gaps fall squarely inside that requirement. A speech-recognition model that performs measurably worse on dysarthric speech, an image-captioning model that misidentifies users of wheelchairs or mobility aids, a sign-language model that fails on regional sign-language variants: each of these is a known limitation the provider must surface to downstream deployers. Second, providers of models meeting the Article 51(2) systemic-risk threshold (currently set at training compute exceeding 10^25 FLOPs) carry the additional Article 55 duties of adversarial testing, incident reporting, cybersecurity safeguards, and model evaluation against systemic-risk categories — including fundamental-rights impacts, which the regulation explicitly cross-references back to the Charter of Fundamental Rights and to the CRPD.
Article 73 — high-risk AI systems and the post-market regime
Article 73 sits inside Section 3 of Chapter III, the section that governs high-risk AI systems already placed on the market. It requires that providers of high-risk AI establish a post-market monitoring system, proportionate to the nature of the system and the risks it presents, that actively and systematically collects, documents, and analyses data on the performance of the AI system throughout its lifetime. The monitoring must continuously evaluate compliance with the requirements set out in Articles 8 to 15, with documentation kept available for at least ten years.
Article 73 has to be read in tandem with the Articles 8-15 substantive requirements, because the post-market monitoring is the mechanism by which compliance with those requirements is demonstrated over time. Article 9 mandates a risk-management system. Article 10 governs data and data-governance — specifically requiring that training, validation, and testing datasets be relevant, sufficiently representative, free of errors, and complete in view of the intended purpose, with explicit attention to “the specific geographical, contextual, behavioural or functional setting” in which the system will be used. Article 11 and Annex IV require technical documentation; Article 12 requires automatic event logging; Article 13 requires transparency and information for deployers; Article 14 requires human oversight measures designed into the system; Article 15 requires accuracy, robustness, and cybersecurity proportionate to the intended purpose. Article 26 then layers obligations on the deployer side — the operator that actually puts the system into use.
What makes a system “high-risk” is set in Article 6 and Annex III. The Annex III list names eight use-case categories — biometrics; critical infrastructure; education and vocational training; employment and worker management; access to essential private and public services; law enforcement; migration, asylum and border control; administration of justice and democratic processes — and within each category enumerates the specific use-cases that trigger the high-risk classification. The Annex III list is non-exhaustive in concept but binding in law: an AI system used for one of the listed purposes is high-risk by operation of the regulation, regardless of how the provider markets it.
Where Articles 16 and 73 intersect with disability law
Three intersection points dominate the practical compliance landscape in 2026: employment AI, education AI, and AI used in essential services. Each one sits inside an Annex III high-risk category, and each one carries a direct obligation under existing EU disability-discrimination law that the AI Act now operationalises.
Employment — CV screening, video-interview scoring, productivity monitoring
Annex III Section 4 captures AI systems used for recruitment, selection, task allocation, performance evaluation, and termination decisions. CV-screening tools that rank candidates against job descriptions, automated video-interview platforms that score candidate responses on facial expressions, speech patterns and word choice, productivity-monitoring tools that flag workers for managerial intervention based on keystroke or screen-time data: all of them are Annex III high-risk under Section 4. Article 9’s risk-management duty and Article 10’s data-governance duty require providers to identify and mitigate disparate-impact risks at the model-training stage. The Employment Equality Directive 2000/78/EC, in force since 2003, already prohibits direct and indirect discrimination on disability grounds in recruitment and employment; the AI Act now requires that the technical machinery behind that prohibition be auditable through the Annex IV technical file and through Article 73 post-market monitoring.
The bias-mitigation duty is explicit. Article 10(2)(g) requires that providers examine training-data design choices for “possible biases that are likely to affect the health and safety of persons, have a negative impact on fundamental rights or lead to discrimination prohibited under Union law.” Once a disability-related disparate impact is identified — a video-interview model that systematically penalises candidates with speech disabilities, an HR-analytics model that misclassifies the work patterns of employees with cognitive disabilities or chronic illness — Article 10(2)(h) requires “appropriate measures to detect, prevent and mitigate” it. The mitigation work has to be documented inside the Annex IV file and continuously evaluated through the Article 73 post-market monitoring system.
Education — proctoring, accessibility tooling, risk-prediction
Annex III Section 3 covers AI used to determine access to education, evaluate learning outcomes, assess the appropriate level of education, and monitor students during tests. Online-proctoring systems that flag examination behaviour are explicitly named in the recitals. The intersection with disability law is acute here: a proctoring model trained on neurotypical baseline behaviour will systematically over-flag students with ADHD, tic disorders, or anxiety — and the under-fifteen-percent of higher-education students who have documented disabilities (Eurostat 2024) bear the disparate impact. The Article 5(1)(f) prohibition on emotion-recognition in educational settings already removes one class of model from the legal market entirely; what remains is the broader proctoring and risk-prediction layer that operates under Annex III Section 3 as high-risk.
Accessibility tooling sits on the other side of the same border. AI-driven captioning, speech-to-text for lectures, AI alt-text generation, and AI-assisted document remediation are not themselves Annex III uses — they are accessibility services. But where an educational institution procures them, the AI Act’s transparency and information-disclosure duties (Article 13, Article 50) layer on top of the Web Accessibility Directive’s pre-existing accessibility-statement requirement. A school deploying an AI captioning tool must publish what the tool can and cannot do, including its known accuracy gaps for accented speech, regional dialects, and signed content.
Essential services — credit scoring, healthcare triage, benefit eligibility
Annex III Section 5 covers AI used to evaluate credit scores or creditworthiness, to risk-assess pricing in life and health insurance, to evaluate eligibility for essential public benefits and services, and to dispatch or establish priority in emergency response. Each of these intersects with disability law at a different point. Credit-scoring models that use income volatility or healthcare-related spending patterns as features can encode disability-related disparate impact; healthcare-triage AI that ranks patients for treatment can replicate the same quality-of-life-adjusted bias that disability advocates have litigated against for two decades; benefit-eligibility automation in the social-security context — the Netherlands’ SyRI ruling and the United Kingdom’s PIP and Universal Credit algorithmic-decision cases are the contemporary canon — is now squarely inside Annex III Section 5 when used by EU public bodies.
Article 27 of the AI Act adds a fundamental-rights impact assessment duty on the deployer side for Annex III high-risk systems used by public bodies and certain private operators. The FRIA covers the categories of natural persons likely to be affected, the specific risks of harm, the human-oversight measures put in place, and the remediation routes for affected individuals. Disability is not named in Article 27, but the Charter of Fundamental Rights Article 21 prohibition on discrimination — to which Article 27 cross-refers — covers disability explicitly, and Article 26 of the Charter recognises the right of persons with disabilities to integration and participation. The FRIA is where disability impact has to be assessed before deployment, not as a retrospective audit.
The CRPD overlay
The European Union is a party to the UN Convention on the Rights of Persons with Disabilities in its own right — the first international human-rights treaty the EU has joined as a regional integration organisation — and the CRPD therefore binds the EU institutions, including in their interpretation of the AI Act. Article 9 of the CRPD obliges parties to ensure access by persons with disabilities to information and communications, including information and communications technologies, on an equal basis with others. Article 5 obliges them to prohibit all discrimination on the basis of disability and to guarantee equal and effective legal protection.
Recital 56 of the AI Act explicitly names the CRPD as part of the regulation’s fundamental-rights anchorage, and the AI Office’s interpretive guidance — published throughout 2025 and 2026 in the form of Q&A documents and Commission delegated acts — has repeatedly cited the CRPD in the context of accessibility-by-design obligations under Article 16 of the AI Act (information accessibility) and the disability-impact dimension of Article 27 fundamental-rights impact assessments. The practical implication: when a market-surveillance authority audits an Annex III high-risk system for disability-related disparate impact, it audits against the AI Act’s data-governance and risk-management standards interpreted in light of the CRPD’s non-discrimination and accessibility commitments. A provider arguing that its model performs “well on average” without addressing performance on disability-relevant subgroups is arguing against the regulation’s own interpretive frame.
Practical implications for vendors and deployers
For providers of high-risk AI systems and of general-purpose AI models, the compliance architecture in 2026 has four load-bearing components. First, the data-governance file required by Article 10 — a structured record of training-data sources, representativeness analysis, identified biases including disability-relevant ones, and the mitigation steps applied. Second, the Annex IV technical documentation — design specifications, system architecture, intended purpose, known limitations, instructions for the deployer, performance metrics across demographic and disability subgroups where the data exists. Third, the post-market monitoring system under Article 73 — incident logging, complaint channels, continuous performance evaluation, periodic re-validation against the original risk-management plan. Fourth, where applicable, the fundamental-rights impact assessment under Article 27 for deployers in the public and quasi-public sector.
Early enforcement signals from the first nine months of full applicability (August 2026 onward) are limited but directionally clear. The AI Office has opened information requests against three named providers of general-purpose AI models on transparency and copyright-summary grounds. National market-surveillance authorities in the Netherlands, Germany and France have published early-guidance documents on Annex III Section 4 employment AI, all three of which explicitly call out disability disparate-impact testing as a documentation expectation. No final administrative penalty has yet been issued under Article 99 — the enforcement curve under the GDPR took approx. 18 months to produce its first material fines, and the AI Act is following a comparable trajectory. The signal to vendors is that the documentation regime is the regime: a provider that cannot show its Annex IV file, its Article 10 data-governance work, and its Article 73 post-market monitoring on request is on the wrong side of the regulation regardless of whether a fine has been issued yet.
For the disability-rights community, the AI Act does not replace the discrimination protections under Directive 2000/78/EC, the accessibility requirements under the European Accessibility Act, or the procurement criteria under EN 301 549 — it sits on top of them and gives them a documentation and oversight architecture that the existing instruments lacked. The next wave of enforcement, expected through 2027 and 2028, will be where the interplay between the AI Act’s procedural duties and the existing substantive disability-discrimination doctrine produces the case law that defines what bias-mitigation actually looks like in practice. This primer is the map of the terrain; the cases will draw the contour lines.