The EU AI Act: Why It Matters to You
Regulation (EU) 2024/1689 lays down harmonised rules on artificial intelligence and is commonly referred to as the EU Artificial Intelligence Act (EU AI Act).
The Act seeks to ensure that artificial intelligence systems used or put on the market in the EU are safe, legal, transparent, and respectful of fundamental rights.
Why This Framework Matters
The EU AI Act is neither a theoretical nor an aspirational document; it is an operative compliance regulation with direct business implications.
For organizations, the Act:
- Introduces mandatory AI risk classification that categorically defines whether a system can be deployed at all.
- Creates new compliance obligations across the entire AI lifecycle, from design to post-deployment monitoring.
- Establishes significant financial penalties for failure to comply.
- Requires coordination among technical, legal, and governance teams.
From a risk perspective, non-compliance may result in product bans, reputational damage, regulatory enforcement actions, and operational disruption. From a business perspective, compliance is increasingly becoming a market access requirement in the EU. Similar regulatory approaches are emerging globally, including the Artificial Intelligence and Data Act and the Brazil Artificial Intelligence Bill.
Key Areas Covered by the Framework (Regulatory Highlights)
A. Risk-Based Classification of AI Systems
The EU Artificial Intelligence Act categorizes AI systems into four risk tiers:
- Unacceptable Risk: Practices such as social scoring and certain biometric surveillance systems are prohibited outright.
- High Risk: AI systems used in areas like recruitment, creditworthiness, biometric identification, healthcare, education, and law enforcement.
- Limited Risk: Systems such as chatbots or emotion-recognition tools, subject primarily to transparency obligations.
- Minimal Risk: AI systems with negligible risk, largely exempt from
B. Governance and Accountability Requirements
For high-risk and GPAI systems, the Act mandates:
- Defined roles and responsibilities across providers and deployers
- Human oversight mechanisms
- Clear accountability for AI outcomes and failures
C. Transparency and User Information
Certain AI systems must clearly disclose that:
- Users are interacting with an AI system
- Content has been AI-generated or manipulated (e.g., deepfakes)
D. General-Purpose AI (GPAI) Obligations
The Act introduces specific obligations for GPAI and systemic-risk GPAI models, including:
- Technical documentation
- Training compute disclosures
- Model risk mitigation measures
Governance, Documentation & Controls
Required Policies, Registers, or Assessments
Organizations are required to establish AI governance policies covering risk management and to maintain an AI system inventory cataloguing the AI systems they develop and use. They must also apply risk management approaches addressing the misuse of AI and harmful AI actions, together with data governance policies covering the data used for training, validation, and testing. Further mandatory measures for high-risk AI systems are a fundamental rights impact assessment and mechanisms for human oversight.
Documentation Expectations
The EU Artificial Intelligence Act obliges providers to keep their technical and compliance documentation updated and accurate. This documentation should cover the design and purpose of the AI system, the data used for training, risk mitigation, performance parameters, and post-market monitoring plans.
Audit and Record-Keeping Obligations
The EU Artificial Intelligence Act spells out audit and record-keeping requirements that mandate the automated recording of AI system activities and the retention of records sufficient to evidence regulatory compliance. High-risk AI systems additionally require an internal and, where necessary, third-party conformity assessment to demonstrate continued compliance with the regulatory requirements.
Reporting or Notification Requirements
Providers must report the following to national market surveillance authorities within prescribed timelines:
- Serious incidents or system malfunctions
- Any breach that may impact fundamental rights or safety
How Our Platform Enables Compliance
Our AI governance platform operationalizes EU Artificial Intelligence Act compliance by:
- Automatically classifying AI systems based on risk categories
- Maintaining a centralized AI inventory and compliance register
- Mapping EU Artificial Intelligence Act obligations to technical and organizational controls
- Generating audit-ready documentation and conformity evidence
- Enabling continuous monitoring and post-deployment oversight
- Supporting GPAI-specific disclosures and risk management workflows
This transforms compliance from a manual, reactive exercise into a scalable, system-embedded capability.
Penalties & Liability Exposure
Prohibited AI Practices (Article 5):
Penalty: Fines up to €35 million or 7% of the offender’s total worldwide annual turnover for the preceding financial year, whichever is higher.
Non-Compliance with Obligations Related to High-Risk AI Systems:
Penalty: Fines up to €15 million or 3% of the offender’s total worldwide annual turnover for the preceding financial year, whichever is higher.
Provision of Incorrect, Incomplete, or Misleading Information:
Penalty: Fines up to €7.5 million or 1% of the offender’s total worldwide annual turnover for the preceding financial year, whichever is higher.
Penalties for Providers of General-Purpose AI Models:
Penalty: Fines up to €15 million or 3% of the provider’s total worldwide annual turnover for the preceding financial year, whichever is higher.
Who Should Pay Attention
The EU Artificial Intelligence Act is especially relevant for:
- AI and software firms
- Enterprises that implement AI in HR, finance, healthcare, mobility, or security
- Multinational companies providing AI-based services in the EU
- Compliance, legal, risk, and internal audit functions
- Board members and management teams, who bear responsibility for governance failures
Update & Enforcement Status
The EU Artificial Intelligence Act has been adopted and came into force in 2024.
- Obligations are applicable in phased timelines until 2025-26
- Market surveillance authorities and notified bodies are being designated
- Enforcement will be coordinated among EU Member States
Organizations are expected to begin preparing for compliance ahead of the enforcement deadlines, as retrofitting governance controls after deployment is risky.