Subodh KCSubodh KC/systems
let's talk →
Compliance Guide

EU AI Act
Readiness Guide

The EU AI Act is the world's first comprehensive AI law. If your AI touches the EU, here's what you must do — explained in plain English.

Overview

What is the EU AI Act?

The EU AI Act (Regulation 2024/1689) is the world's first comprehensive AI regulation. It establishes a risk-based framework for all AI systems placed on the EU market, regardless of where the provider is located. The Act classifies AI into four risk levels and imposes obligations proportional to the risk level.

Like the GDPR, the EU AI Act has extraterritorial scope — US companies offering AI to EU users must comply. The Act entered into force on August 1, 2024, with phased application culminating in full enforcement for high-risk AI systems on August 2, 2026.

Key Facts

  • Regulation: EU Regulation 2024/1689
  • Entered into force: August 1, 2024
  • Full enforcement: August 2, 2026
  • Scope: All AI placed on EU market (extraterritorial)
  • Max penalty: €35M or 7% of global annual turnover
  • Cure period: None
  • Enforcement: National AI authorities + EU AI Office
Risk Framework

EU AI Act Risk Classification

The Act classifies AI systems into four risk levels. Your obligations depend on which level your AI system falls into.

Unacceptable Risk — Banned

AI systems that pose a clear threat to safety, livelihoods, or rights are prohibited. Includes social scoring by public authorities, real-time remote biometric identification in public spaces (with exceptions), AI that manipulates human behavior to circumvent free will, and AI that exploits vulnerabilities of specific groups (children, persons with disabilities).

High Risk — Strict Requirements

AI systems that could negatively affect safety or fundamental rights. Includes AI used in critical infrastructure, education, employment, essential services, law enforcement, migration, and justice. Subject to the full set of requirements under Article 9-15.

Limited Risk — Transparency Obligations

AI systems that interact with humans, generate content, or are used for emotion recognition or biometric categorization must inform users they are interacting with AI. Deepfakes and AI-generated content must be labeled as such.

Minimal Risk — No Obligations

The majority of AI systems (spam filters, inventory optimization, video game AI, etc.) fall into this category. No specific obligations under the Act. Providers may voluntarily adopt codes of conduct.
Articles 9-15

High-Risk AI Requirements

If your AI system is classified as high-risk, you must comply with the full set of requirements under Articles 9-15 of the EU AI Act.

Risk Management System

Art. 9
Establish, implement, document, and maintain a risk management system throughout the AI system lifecycle.

Data Governance

Art. 10
Training, validation, and testing data must be relevant, representative, free of errors, and complete to the extent possible.

Technical Documentation

Art. 11
Maintain technical documentation demonstrating conformity with requirements before market placement.

Record-Keeping

Art. 12
AI system must automatically record events (logs) during operation to ensure traceability.

Transparency & Instructions

Art. 13
Provide clear instructions for use, enabling deployers to interpret system output and use it appropriately.

Human Oversight

Art. 14
Design system to allow effective human oversight during operation, including the ability to override or interrupt.

Accuracy, Robustness & Cybersecurity

Art. 15
Achieve appropriate levels of accuracy, robustness, and cybersecurity throughout the lifecycle.

Conformity Assessment

Art. 43
Understand conformity assessment before market placement. High-risk AI requires either internal control or third-party assessment depending on the system type.
Enforcement

EU AI Act Penalties

The EU AI Act has the most severe penalties of any AI regulation in the world. There is no cure period.

Violation TypeMax PenaltyCure Period
Prohibited AI practices€35M or 7% of global turnoverNone
Non-compliance with high-risk obligations€15M or 3% of global turnoverNone
Incorrect information to authorities€7.5M or 1% of global turnoverNone

SMEs and startups face proportional penalties, but the regulatory burden of compliance documentation is the same regardless of company size. Proactive preparation is essential.

Practical Implementation

How ISAF Maps to EU AI Act Requirements

The Instruction Stack Audit Framework (ISAF), published by Subodh KC in Zenodo, provides a practical methodology for tracing AI accountability across nine abstraction layers — directly mapping to Article 9 risk management requirements.

The EU AI Act requires a risk management system (Article 9) that identifies, analyzes, and mitigates risks throughout the AI system lifecycle. ISAF operationalizes this by providing a nine-layer audit framework that traces accountability from the instruction layer (prompts, system messages) through the model, data, infrastructure, and governance layers.

ISAF to Article 9 mapping:

  • Layer 1-3 (Instruction, Context, Model): Maps to risk identification and analysis (Art. 9(2)(a)-(b))
  • Layer 4-6 (Data, Pipeline, Infrastructure): Maps to data governance requirements (Art. 10) and technical documentation (Art. 11)
  • Layer 7-9 (Monitoring, Governance, Accountability): Maps to human oversight (Art. 14), accuracy and robustness (Art. 15), and post-market monitoring (Art. 72)
Action Items

EU AI Act Compliance Checklist

A practical checklist for preparing for EU AI Act compliance before the August 2026 full enforcement deadline.

Classify

Determine which risk level your AI system falls into (unacceptable, high, limited, minimal)
If high-risk, identify which Annex III category applies (critical infrastructure, education, employment, essential services, law enforcement, migration, justice)
Determine if your system is a general-purpose AI model with systemic risk

Implement

Establish a risk management system (Art. 9) covering the entire lifecycle
Implement data governance for training, validation, and testing data (Art. 10)
Maintain technical documentation demonstrating conformity (Art. 11)
Implement automatic logging and record-keeping (Art. 12)
Prepare clear instructions for use for deployers (Art. 13)
Design for effective human oversight (Art. 14)
Achieve appropriate accuracy, robustness, and cybersecurity (Art. 15)

Assess

Determine conformity assessment pathway (internal control vs. third-party notified body)
If third-party assessment required, engage a notified body early
Prepare EU declaration of conformity and CE marking

Monitor

Establish post-market monitoring system (Art. 72)
Implement serious incident reporting process (Art. 73)
Designate an EU authorized representative if established outside the EU
Track national AI authority designations and guidance
Free Resource

Get the EU AI Act Readiness Checklist

Free EU AI Act Readiness Checklist

A practical, printable checklist covering EU AI Act risk classification, high-risk AI requirements, conformity assessment, and post-market monitoring — informed by the ISAF framework published in Zenodo.

No spam. Unsubscribe anytime.

Expertise

How Subodh KC Can Help

My Instruction Stack Audit Framework (ISAF), published in Zenodo, maps directly to EU AI Act Article 9 requirements across nine abstraction layers.

Risk Classification

Determine your AI system's risk level under the EU AI Act and identify applicable Annex III categories and obligations.

ISAF Implementation

Implement the Instruction Stack Audit Framework to satisfy Article 9 risk management requirements and generate audit-grade technical documentation.

Conformity Preparation

Prepare for conformity assessment — internal control or third-party notified body — with complete technical documentation and EU declaration of conformity.

Contact Subodh KC for EU AI Act compliance advisory, or explore advisory services.

FAQ

Frequently Asked Questions

What is the EU AI Act?

The EU AI Act (Regulation 2024/1689) is the world's first comprehensive AI regulation. It establishes a risk-based framework for all AI systems placed on the EU market, regardless of where the provider is located. The Act classifies AI into four risk levels: unacceptable (banned), high-risk (strict requirements), limited-risk (transparency obligations), and minimal-risk (no obligations).

When does the EU AI Act take effect?

The EU AI Act entered into force on August 1, 2024, with phased application. Prohibited practices apply from February 2, 2025. General-purpose AI model obligations apply from August 2, 2025. Full enforcement for high-risk AI systems applies from August 2, 2026. National AI authorities must be designated by August 2, 2025.

Who needs to comply with the EU AI Act?

The EU AI Act applies to any provider placing an AI system on the EU market, regardless of where the provider is established. It also applies to deployers of AI systems in the EU, importers, distributors, and manufacturers. Non-EU companies offering AI to EU users must comply. This is an extraterritorial regulation similar to the GDPR.

What are the EU AI Act penalties?

Penalties for prohibited AI practices: up to €35 million or 7% of global annual turnover, whichever is higher. For non-compliance with high-risk AI obligations: up to €15 million or 3% of global annual turnover. For supplying incorrect information: up to €7.5 million or 1% of global annual turnover. SMEs face proportional penalties.

What are the EU AI Act risk levels?

Four risk levels: (1) Unacceptable — banned entirely (social scoring, real-time biometric ID, manipulation). (2) High-risk — strict requirements including risk management, data governance, human oversight, and conformity assessment. (3) Limited risk — transparency obligations (users must know they interact with AI). (4) Minimal risk — no specific obligations.

Does the EU AI Act have a cure period?

No. Unlike the Texas TRAIGA, the EU AI Act does not provide a cure period. Non-compliance can result in immediate penalties. This makes proactive compliance preparation essential before the August 2026 full enforcement deadline.

How does the ISAF framework map to the EU AI Act?

The Instruction Stack Audit Framework (ISAF), published by Subodh KC in Zenodo, maps directly to EU AI Act Article 9 (Risk Management System) requirements across nine abstraction layers. ISAF provides a practical methodology for tracing AI accountability and generating audit-grade evidence that satisfies the Act's technical documentation requirements.

Does the EU AI Act apply to US companies?

Yes. The EU AI Act has extraterritorial scope. Any company placing AI systems on the EU market or whose AI output is used in the EU must comply, regardless of where the company is headquartered. This is similar to how the GDPR applies to US companies handling EU user data.

Prepare for EU AI Act Compliance

Full enforcement begins August 2026. Get an EU AI Act risk assessment or compliance roadmap from Subodh KC — author of the ISAF framework published in Zenodo.

This guide is for informational purposes and does not constitute legal advice. For jurisdiction-specific compliance guidance, contact Subodh KC for advisory services. Last updated: July 2026.

Let's Talk →