EU AI Act Compliance Made Manageable
The EU AI Act is the world's first comprehensive AI law — and it applies to any organization whose AI systems affect people in the EU. Risk Meridian is being built to classify your AI systems by EU AI Act risk tier, map obligations to specific articles, and generate the documentation high-risk systems require. EU AI Act support is on our near-term roadmap; TRAIGA governance is available today and gives you a head start.
⏱ Key deadline: August 2026 — High-risk AI system obligations fully enforceable. Fines up to €15M or 3% of global turnover.
4
Risk tiers classified automatically
6
Compliance frameworks on our roadmap
100+
EU AI Act controls mapped
The Four EU AI Act Risk Tiers
The EU AI Act uses a risk-based approach. Your obligations depend entirely on which tier your AI system falls into. Risk Meridian classifies your systems automatically.
AI applications that pose an unacceptable risk to people's safety, livelihoods, or rights are banned outright under Article 5.
Examples
- Real-time biometric identification in public spaces (with narrow exceptions)
- Social scoring by public authorities
- Exploitation of vulnerabilities to manipulate behavior
- Subliminal techniques that distort behavior
Key Obligations
- Complete prohibition — these systems cannot be deployed in the EU.
High-risk AI systems (Annex III) must meet strict requirements before market placement, including conformity assessments and CE marking.
Examples
- AI in hiring and employment decisions
- AI used in credit scoring and insurance
- AI in medical devices and diagnostics
- AI for education and vocational training
- Law enforcement and border control AI
Key Obligations
- Risk management system (Article 9)
- Data governance (Article 10)
- Technical documentation (Article 11)
- Record-keeping and logging (Article 12)
- Transparency and user information (Article 13)
- Human oversight measures (Article 14)
- Accuracy, robustness, cybersecurity (Article 15)
- Conformity assessment before deployment
- Registration in EU database
Limited-risk AI systems have specific transparency obligations so users know they are interacting with AI.
Examples
- Chatbots and conversational AI
- Emotion recognition systems
- Deep fakes and synthetic media generation
Key Obligations
- Disclose AI interaction to users (Article 50)
- Label AI-generated content
- Transparency on emotion recognition use
The vast majority of AI systems fall here. There are no mandatory requirements, but voluntary codes of conduct are encouraged.
Examples
- AI-powered spam filters
- Inventory management AI
- Recommendation engines for streaming
- AI-based video games
Key Obligations
- No mandatory obligations
- Voluntary codes of conduct recommended
- Good practice: internal documentation
EU AI Act Enforcement Timeline
The EU AI Act rolls out in phases. Know your deadlines before they arrive.
EU AI Act Enters into Force
The regulation entered into force 20 days after publication in the Official Journal of the EU. The compliance clock started ticking.
Prohibited Practices — Article 5 Applies
Six months after entry into force: prohibitions on unacceptable-risk AI applications take effect. Violations can result in fines up to €35 million or 7% of global turnover.
GPAI Model Rules Apply
Rules for General Purpose AI models (GPT-style foundation models) apply. Providers must maintain technical documentation, comply with copyright law, and publish training data summaries.
High-Risk AI — Full Compliance Required
Two years after entry into force: all obligations for high-risk AI systems (Annex III) are enforceable. This is the critical deadline for most enterprise AI deployments.
High-Risk AI in Regulated Products
Three years after entry into force: extended deadline for high-risk AI embedded in regulated products (medical devices, machinery, toys, etc.) under existing EU product safety legislation.
EU AI Act Compliance Checklist
The six workstreams every organization deploying high-risk AI must complete before August 2026. Risk Meridian is designed to support each one.
AI System Inventory & Classification
- Catalog every AI system in use or under development
- Classify each system by EU AI Act risk tier (prohibited / high / limited / minimal)
- Identify all Annex III high-risk use cases
- Determine if any systems qualify as GPAI models
- Document the intended purpose and reasonably foreseeable misuse of each system
Risk Management System
- Establish a continuous risk management process for each high-risk AI system
- Identify and analyze known and foreseeable risks throughout the AI lifecycle
- Evaluate risks under conditions of reasonably foreseeable misuse
- Adopt risk mitigation measures and residual risk acceptance criteria
- Document risk management activities and decisions
Data Governance
- Implement data governance and management practices for training, validation, and testing data
- Examine data for biases and take appropriate mitigation steps
- Ensure training data is relevant, representative, error-free, and complete
- Document data provenance, collection methods, and pre-processing operations
- Establish procedures for handling personal data in training datasets
Technical Documentation
- Prepare Annex IV technical documentation before market placement
- Document system architecture, training methodologies, and performance metrics
- Maintain documentation throughout the AI system lifecycle
- Ensure documentation is available to national competent authorities on request
- Update documentation when the system undergoes substantial modifications
Transparency & Human Oversight
- Provide instructions for use enabling human oversight
- Implement measures enabling users to interpret, override, or halt AI outputs
- Ensure operators can monitor AI system performance in deployment
- Log AI system operations to enable post-deployment auditing
- Disclose AI involvement to end users where required by Article 50
Conformity & Registration
- Complete conformity assessment for each high-risk AI system
- Affix CE marking where required for EU market placement
- Register high-risk AI systems in the EU database before deployment
- Appoint an EU authorized representative if you are a non-EU provider
- Establish a post-market monitoring plan and incident reporting process
Risk Meridian is being built to track completion of every checklist item and surface gaps in a compliance dashboard.
Join the EU AI Act early-access listHow Risk Meridian Will Support EU AI Act Compliance
From initial classification through conformity assessment and ongoing monitoring — we are building a Risk Meridian workflow for each EU AI Act obligation.
Automatic Risk Classification
Import or manually enter your AI systems. Risk Meridian will classify each one by EU AI Act risk tier based on its use case, affected population, and deployment context — no legal interpretation required.
Annex IV Technical Documentation Builder
Guided templates aligned to Annex IV will generate the technical documentation required for every high-risk AI system. Export PDF-ready documentation at any time.
Article-Mapped Controls
Every control in Risk Meridian will be mapped to a specific EU AI Act article. Track completion, assign owners, set due dates, and see your per-article compliance status at a glance.
Conformity Assessment Workflow
Step-by-step conformity assessment workflows will guide you through self-assessment or preparation for third-party notified body review. Log decisions, evidence, and sign-offs.
Multi-Framework Coverage
EU AI Act controls are being cross-walked to TRAIGA (Texas), NIST AI RMF, ISO 42001, and HIPAA AI guidance. Document once and reuse that work as we add framework mappings.
Incident Reporting & Post-Market Monitoring
Log and track AI incidents with severity scoring. Risk Meridian will generate incident reports aligned to EU AI Act Article 73 post-market monitoring requirements and national competent authority reporting.
EU AI Act — Frequently Asked Questions
- Who does the EU AI Act apply to?
- The EU AI Act applies to any provider placing an AI system on the EU market or putting it into service in the EU, regardless of where the provider is established. It also applies to operators (deployers) of AI systems located in the EU, and to providers and operators located outside the EU when the AI system's output is used in the EU. In short: if your AI system affects people in the EU, you are likely in scope.
- What are the penalties for non-compliance with the EU AI Act?
- Fines are tiered by violation type. Deploying a prohibited AI system (Article 5) can result in fines up to €35 million or 7% of global annual turnover, whichever is higher. Violations of other obligations for high-risk systems (e.g., missing technical documentation, no conformity assessment) carry fines up to €15 million or 3% of global turnover. Providing incorrect or misleading information to notified bodies or authorities carries fines up to €7.5 million or 1% of global turnover. For SMEs and start-ups, the lower percentage figure applies.
- What is a high-risk AI system under the EU AI Act?
- High-risk AI systems are defined in Annex III of the EU AI Act and fall into eight categories: (1) biometric identification and categorization; (2) management of critical infrastructure; (3) education and vocational training; (4) employment and worker management; (5) access to essential services and benefits; (6) law enforcement; (7) migration, asylum, and border control; and (8) administration of justice. AI systems embedded in regulated products (medical devices, machinery, vehicles) under existing EU product safety law are also considered high-risk.
- What is a GPAI model and what obligations apply?
- A General Purpose AI (GPAI) model is an AI model trained on large amounts of data using self-supervision at scale that displays significant generality and can competently perform a wide range of tasks. Examples include large language models like GPT-4 or Claude. GPAI model providers must maintain technical documentation, comply with EU copyright law, and publish a summary of training data content. GPAI models with systemic risk (trained with more than 10^25 FLOPs) have additional obligations including adversarial testing, cybersecurity measures, and incident reporting.
- Does the EU AI Act apply to AI systems already deployed before it took effect?
- Yes, but with a transition period. AI systems that were already placed on the market or put into service before the EU AI Act entered into force generally have until 2027 to comply with the new requirements, provided they do not undergo a substantial modification. Systems placed on the market after August 2024 must comply with the applicable requirements by the relevant deadline (February 2025 for prohibited practices; August 2026 for high-risk systems).
- How does Risk Meridian help with EU AI Act compliance?
- EU AI Act support is on our roadmap. As designed, Risk Meridian will provide an EU AI Act compliance workflow: AI system inventory and automatic risk classification; risk management documentation with guided templates; a technical documentation builder aligned to Annex IV requirements; controls tracking mapped to specific EU AI Act articles; human oversight configuration checklists; ongoing monitoring dashboards; and board-ready compliance reports. Risk Meridian will also map EU AI Act obligations alongside TRAIGA (Texas), NIST AI RMF, ISO 42001, and other frameworks so multi-framework work does not require duplicate effort. TRAIGA governance is available today.
Related Resources
AI Governance Checklist
A printable checklist covering all major AI governance obligations across TRAIGA, EU AI Act, and NIST AI RMF.
Read moreAI Risk Assessment Guide
How to structure and conduct an AI risk assessment that satisfies EU AI Act Article 9 requirements.
Read moreEU AI Act Deep-Dive
Our full regulation reference covering every chapter, article, and recital you need to know.
Read moreAI Governance Software
See how Risk Meridian compares to spreadsheets and generic GRC tools for AI compliance management.
Read moreDon't let August 2026 sneak up on you
Join the EU AI Act early-access list. We'll help you put your TRAIGA governance in place today and bring you onboard for EU AI Act support as we roll it out — giving you a clear, article-by-article view of what is done, what is missing, and what to tackle first.