Skip to content

Early Access opens July 12 · $99/mo · all suites during the launch window · price locked through Q1 2027 · Join the waitlist →

← Back to Blog
Governance

EU AI Act Compliance: What You Need to Know

Enforcement reality is bifurcated. GPAI obligations under the EU AI Act are now in force. Annex III high-risk requirements likely slip to December 2, 2027 under the 3rd Omnibus trilogue (May 13, 2026 · 2nd attempt failed April 28). For any organization with EU customers, this is two separate compliance tracks · not one.

The four-tier risk classification

The EU AI Act categorizes every AI system into four tiers · each with escalating obligations:

  • Prohibited risk (Article 5): banned outright — subliminal manipulation · social scoring · real-time biometric ID in public spaces · emotion recognition in workplace/education. Already in force since February 2025.
  • High-risk (Annex III): recruitment · credit scoring · educational assessment · law enforcement · critical infrastructure · medical devices. Conformity assessment · technical documentation · human oversight · post-market monitoring required.
  • Limited risk (Article 50): chatbots · deepfakes · emotion recognition · biometric categorization. Transparency obligations · AI-generated content must be machine-readable as such.
  • Minimal risk: the rest. No specific obligations. Voluntary codes of conduct.

Correct tier classification is the foundation. Misclassification is the most common enforcement trigger — fines per Article 99 scale by tier and undertaking size.

High-risk requirements — non-negotiable for Annex III systems

If you build or deploy a high-risk system listed in Annex III · the Act mandates:

  • Risk management system across the AI lifecycle (Article 9)
  • Data governance — training, validation, and testing datasets meeting quality criteria (Article 10)
  • Technical documentation — pre-deployment and continuously updated (Article 11 · Annex IV)
  • Automatic record-keeping — system logs preserved for audit (Article 12)
  • Transparency · instructions for use · human oversight (Articles 13-14)
  • Accuracy · robustness · cybersecurity (Article 15)
  • Conformity assessment · CE marking · post-market monitoring · serious-incident reporting (Articles 43, 48, 72)

These aren't theoretical. They demand operational changes across AI development, deployment, and monitoring — typically 12-18 months of preparation before the deadline lands.

Transparency obligations and GPAI models

GPAI providers (general-purpose AI models — LLMs, diffusion models, multimodal foundation models) face Article 53-55 obligations, now in force:

  • Technical documentation of training data · process · evaluation
  • Copyright compliance policy · TDM opt-out respect
  • Detailed summary of training content published
  • For "systemic risk" models (10²⁵ FLOPs threshold): adversarial testing · serious-incident tracking · cybersecurity · energy reporting

Downstream deployers inherit transparency obligations · users must be informed when interacting with AI · AI-generated content must be marked detectable per Article 50(2).

The bifurcated enforcement timeline · LOCKED

The EU AI Act phases enforcement across multiple deadlines. The May 2026 trilogue update splits the picture:

  • Feb 2, 2025 · IN FORCE: Prohibited practices · AI literacy obligations · banned systems unusable.
  • GPAI obligations · now in force: GPAI obligations · Article 99 penalties · governance bodies operational.
  • Aug 2, 2026 (likely): Annex III high-risk for recruitment / credit / education was scheduled here · 3rd Omnibus trilogue 13 May 2026 expected to shift this.
  • Dec 2, 2027 (probable): Annex III high-risk requirements · conformity assessments · technical documentation · post-market monitoring. (2nd Omnibus failed April 28, 2026 · 3rd in trilogue.)
  • Aug 2, 2027: Annex II high-risk (machinery, toys, medical devices) requirements.

Decompose by track: GPAI-track ships now (no delay coming) · high-risk-track ships anyway because 12-18 months of prep starts before the deadline. Treat the bifurcation as the operating reality · not as an excuse to wait.

What to do now

Waiting is foreclosed — GPAI obligations are now in force. Proactive organizations are already executing five workstreams:

1. AI system inventory: Catalog every AI system — vendor solutions · internal models · third-party APIs · embedded ML. Tag each with purpose · risk tier · data dependencies · downstream consumers.

2. Tier-by-tier risk assessment: For each system · determine prohibited / high-risk / limited / minimal classification. Document the analysis · re-run quarterly as systems change.

3. Governance structure: Establish policies · accountability lines · deployment-decision authority · monitoring cadence. Article 26 deployer obligations don't run themselves.

4. Technical controls: Audit logs · model performance monitoring · bias detection · fundamental-rights impact assessments (FRIA) for public-sector deployers. The evidence Article 12 expects.

5. Vendor / GPAI documentation: Demand Annex IV-grade documentation from every GPAI provider you use. Renegotiate contracts now · before you become the upstream by default.

How acipta's EU AI Act suite accelerates compliance

The acipta.ai EU AI Act & ISO 42001 suite ships at launch window opening. What the suite automates:

  • Automated classification — agents analyze your AI inventory against Annex III · Article 5 · Article 50 criteria · assign risk tiers · flag conformity-assessment candidates
  • Article 11 / Annex IV documentation — technical documentation generated from system telemetry · not authored in spreadsheets
  • Control mapping — EU AI Act requirements mapped to your existing controls · gaps surfaced · ISO 42001 alignment included
  • Continuous monitoring — Article 72 post-market obligations · serious-incident detection · audit-ready evidence on demand

Every verdict signed at write time with Ed25519 · deterministically replayable for five years. Audit-defensible by construction.

The global trajectory · why GPAI compliance matters beyond Europe

The EU AI Act is the first comprehensive AI regulation globally — but not the last. The UK AI Bill · Colorado SB 24-205 · Texas TRAIGA · NYC AEDT · California SB 1047 successors · Brazil's AI Bill all cite Annex III definitions or borrow the four-tier structure. Organizations that build defensible AI governance for the EU also satisfy the parallel US-state and UK frameworks emerging through 2027.

GPAI obligations are now in force. The Annex III delay buys preparation time · not exemption. Start now.

Ready to achieve EU AI Act compliance ahead of the enforcement timeline?

Start Your AI Governance Program