AI Act and EdTech: What are the obligations for providers and educational institutions?

Why EdTech is covered by the AI Act

AI tools used in education are predominantly classified as high-risk under the AI Act. This classification imposes strict obligations on providers and educational institutions.

Annex III of Regulation (EU) 2024/1689 lists AI systems considered high-risk. Point 3 specifically targets systems used in education and vocational training. The following are covered:

• Student assessment tools,
• Adaptive learning platforms,
• School or career guidance systems,
• Behaviour or cheating detection tools.

Practical example: An automated essay grading platform, such as those used in some universities, is classified as high-risk. Similarly, a high school guidance system based on AI, which recommends study paths based on student results and profiles, falls into this category.

This classification is justified by the potential impact of these tools on students' fundamental rights. An error or bias in an assessment system can compromise access to education or disproportionately influence school guidance.

EdTech providers: Your obligations as a provider

Developers of educational software using AI are considered providers under the AI Act. Their obligations are multiple and technical.

As a provider, you must:

1. Classify your system: Verify whether your tool falls into the high-risk category (Annex III, point 3). An adaptive learning platform or an automated grading system is typically covered.
2. Technically document your system: Prepare documentation in accordance with Annex IV of the Regulation. This documentation must describe the system, its limitations, performance, and risk mitigation measures.
3. Implement a risk management system: Identify and mitigate risks associated with your tool, particularly biases in assessments or guidance recommendations.
4. Ensure transparency: Inform users that the system uses AI and provide explanations of how it works (Article 13).
5. Guarantee data quality: Data used to train your model must be representative and free from bias. Article 10 imposes strict criteria, particularly for sensitive data such as that of minors.
6. Register your system: High-risk systems must be registered in the EU's dedicated AI database.

Example: A developer of automated essay grading software must document the evaluation criteria of its AI, explain how biases are detected and corrected, and inform user institutions of the system's limitations.

Educational institutions: Your obligations as a deployer

Schools, universities, and other educational bodies using AI tools are considered deployers. Their obligations differ from those of providers.

As a deployer, you must:

1. Verify provider compliance: Ensure that the system used complies with the AI Act. This includes checking technical documentation and system registration.
2. Supervise system use: Implement procedures to monitor the tool's operation and detect any malfunctions or biases.
3. Inform users: Students, parents, and teachers must be informed about the use of AI and its implications.
4. Maintain an incident log: Document any incidents related to the system's use and report them to the provider.
5. Conduct a FRIA if you are a public body: Public institutions using high-risk systems must conduct a Fundamental Rights Impact Assessment (Article 27).

Example: A university using an AI-based cheating detection tool must verify that the provider has properly documented the system, inform students of its use, and monitor false positives that could penalise students.

For public institutions, the FRIA is a key obligation. It must assess the system's impact on students' fundamental rights, particularly regarding non-discrimination and data protection.

Minors' data and bias: Specific risks in education

AI tools in education raise unique challenges, particularly regarding the protection of minors' data and bias management.

Protection of minors' data

Students' personal data, particularly that of minors, benefits from enhanced protection under the GDPR. The AI Act strengthens these requirements:

• Parental consent: For minors under 15, parental consent is generally required for data processing.
• Data minimisation: Only strictly necessary data should be collected and processed.
• Data security: Providers must implement technical and organisational measures to protect students' data.

Example: An adaptive learning platform must not collect data on students' ethnic origins or political opinions unless such data is strictly necessary and explicitly consented to.

Managing bias in assessment and guidance systems

AI systems used to assess students or guide them towards study paths can replicate or amplify existing biases. The AI Act requires providers to:

• Use representative data: Training data must cover all student groups to avoid under-representation biases.
• Test for bias: Systems must be tested to detect potential biases related to gender, socio-economic background, or other protected criteria.
• Document mitigation measures: Providers must explain how they correct detected biases.

Example: A school guidance system that recommends more scientific paths to boys and literary paths to girls must be corrected to avoid perpetuating these stereotypes.

Timeline and next steps

Obligations related to high-risk systems in education will come into force on 2 December 2027. Several key deadlines must be anticipated before then.

Here are the key dates to remember:

• 2 November 2026: Transparency obligations for generative AI systems (watermarking, disclosure). Tools such as educational chatbots or pedagogical content generators are covered.
• 2 December 2027: Entry into force of obligations for high-risk systems listed in Annex III. EdTech providers and educational institutions must be compliant by this date.
• 2026-2027: The Higher Council for Digital Education (CSEN) and the Ministry of National Education will publish specific guidelines for the use of AI in education. These documents will help institutions prepare.

For EdTech providers, the priority is to start documenting their systems and implementing risk management measures now. Institutions must identify the AI tools they use and verify their compliance.