EU AI Act
Readiness Guide
The EU AI Act is the world's first comprehensive AI law. If your AI touches the EU, here's what you must do — explained in plain English.
What is the EU AI Act?
The EU AI Act (Regulation 2024/1689) is the world's first comprehensive AI regulation. It establishes a risk-based framework for all AI systems placed on the EU market, regardless of where the provider is located. The Act classifies AI into four risk levels and imposes obligations proportional to the risk level.
Like the GDPR, the EU AI Act has extraterritorial scope — US companies offering AI to EU users must comply. The Act entered into force on August 1, 2024, with phased application culminating in full enforcement for high-risk AI systems on August 2, 2026.
Key Facts
- Regulation: EU Regulation 2024/1689
- Entered into force: August 1, 2024
- Full enforcement: August 2, 2026
- Scope: All AI placed on EU market (extraterritorial)
- Max penalty: €35M or 7% of global annual turnover
- Cure period: None
- Enforcement: National AI authorities + EU AI Office
EU AI Act Risk Classification
The Act classifies AI systems into four risk levels. Your obligations depend on which level your AI system falls into.
Unacceptable Risk — Banned
High Risk — Strict Requirements
Limited Risk — Transparency Obligations
Minimal Risk — No Obligations
High-Risk AI Requirements
If your AI system is classified as high-risk, you must comply with the full set of requirements under Articles 9-15 of the EU AI Act.
Risk Management System
Art. 9Data Governance
Art. 10Technical Documentation
Art. 11Record-Keeping
Art. 12Transparency & Instructions
Art. 13Human Oversight
Art. 14Accuracy, Robustness & Cybersecurity
Art. 15Conformity Assessment
Art. 43EU AI Act Penalties
The EU AI Act has the most severe penalties of any AI regulation in the world. There is no cure period.
| Violation Type | Max Penalty | Cure Period |
|---|---|---|
| Prohibited AI practices | €35M or 7% of global turnover | None |
| Non-compliance with high-risk obligations | €15M or 3% of global turnover | None |
| Incorrect information to authorities | €7.5M or 1% of global turnover | None |
SMEs and startups face proportional penalties, but the regulatory burden of compliance documentation is the same regardless of company size. Proactive preparation is essential.
How ISAF Maps to EU AI Act Requirements
The Instruction Stack Audit Framework (ISAF), published by Subodh KC in Zenodo, provides a practical methodology for tracing AI accountability across nine abstraction layers — directly mapping to Article 9 risk management requirements.
The EU AI Act requires a risk management system (Article 9) that identifies, analyzes, and mitigates risks throughout the AI system lifecycle. ISAF operationalizes this by providing a nine-layer audit framework that traces accountability from the instruction layer (prompts, system messages) through the model, data, infrastructure, and governance layers.
ISAF to Article 9 mapping:
- Layer 1-3 (Instruction, Context, Model): Maps to risk identification and analysis (Art. 9(2)(a)-(b))
- Layer 4-6 (Data, Pipeline, Infrastructure): Maps to data governance requirements (Art. 10) and technical documentation (Art. 11)
- Layer 7-9 (Monitoring, Governance, Accountability): Maps to human oversight (Art. 14), accuracy and robustness (Art. 15), and post-market monitoring (Art. 72)
EU AI Act Compliance Checklist
A practical checklist for preparing for EU AI Act compliance before the August 2026 full enforcement deadline.
Classify
Implement
Assess
Monitor
Get the EU AI Act Readiness Checklist
Free EU AI Act Readiness Checklist
How Subodh KC Can Help
My Instruction Stack Audit Framework (ISAF), published in Zenodo, maps directly to EU AI Act Article 9 requirements across nine abstraction layers.
Risk Classification
ISAF Implementation
Conformity Preparation
Contact Subodh KC for EU AI Act compliance advisory, or explore advisory services.
Frequently Asked Questions
What is the EU AI Act?
When does the EU AI Act take effect?
Who needs to comply with the EU AI Act?
What are the EU AI Act penalties?
What are the EU AI Act risk levels?
Does the EU AI Act have a cure period?
How does the ISAF framework map to the EU AI Act?
Does the EU AI Act apply to US companies?
This guide is for informational purposes and does not constitute legal advice. For jurisdiction-specific compliance guidance, contact Subodh KC for advisory services. Last updated: July 2026.