Regulation (EU) 2024/1689 — AI Act

EU AI Act Compliance Made Manageable

The EU AI Act is the world's first comprehensive AI law — and it applies to any organization whose AI systems affect people in the EU. Risk Meridian automatically classifies your AI systems by risk tier, maps obligations to specific articles, generates required documentation, and keeps your program audit-ready as deadlines approach.

⏱ Key deadline: 2 August 2026 — obligations for Annex III high-risk AI systems become applicable. Fines for breaching those obligations reach €15M or 3% of global annual turnover, whichever is higher.

4 risk tiers classified automatically · 6 compliance frameworks supported · 100+ EU AI Act controls mapped

Risk Classification

The Four EU AI Act Risk Tiers

The EU AI Act uses a risk-based approach. Your obligations depend entirely on which tier your AI system falls into. Risk Meridian classifies your systems automatically.

Prohibited

AI applications that pose an unacceptable risk to people's safety, livelihoods, or rights are banned outright under Article 5.

Examples

  • Real-time remote biometric identification in publicly accessible spaces for law enforcement (with narrowly defined, authorised exceptions)
  • Social scoring by public or private actors that leads to detrimental or disproportionate treatment
  • Exploiting vulnerabilities linked to age, disability, or social or economic situation to distort behaviour
  • Subliminal, manipulative or deceptive techniques that distort behaviour and cause significant harm
  • Inferring emotions in the workplace or in education (except for medical or safety reasons)
  • Untargeted scraping of facial images from the internet or CCTV to build facial recognition databases

Key Obligations

  • Complete prohibition — these systems cannot be deployed in the EU.
High Risk

High-risk AI systems (the Annex III use cases, plus AI that is a safety component of a product regulated under Annex I) must meet strict requirements before being placed on the market or put into service, including a conformity assessment and CE marking.

Examples

  • AI in hiring and employment decisions
  • AI used in creditworthiness assessment and life or health insurance risk pricing
  • AI in medical devices and diagnostics (high-risk via Annex I product legislation rather than Annex III)
  • AI for education and vocational training
  • Law enforcement and border control AI

Key Obligations

  • Risk management system (Article 9)
  • Data governance (Article 10)
  • Technical documentation (Article 11)
  • Record-keeping and logging (Article 12)
  • Transparency and user information (Article 13)
  • Human oversight measures (Article 14)
  • Accuracy, robustness, cybersecurity (Article 15)
  • Conformity assessment before deployment
  • Registration in EU database
Limited Risk

Limited-risk AI systems carry only the Article 50 transparency obligations, so that people know when they are interacting with AI or looking at AI-generated content. Note that Article 50 attaches to particular kinds of systems regardless of tier: a high-risk system that talks to users must still disclose that it is AI.

Examples

  • Chatbots and conversational AI
  • Emotion recognition systems (note: emotion recognition is also listed as high-risk in Annex III, and is prohibited in workplaces and education under Article 5)
  • Deep fakes and synthetic media generation

Key Obligations

  • Disclose AI interaction to users (Article 50)
  • Label AI-generated content
  • Transparency on emotion recognition use
Minimal / No Risk

The vast majority of AI systems fall here. There are no mandatory requirements, but voluntary codes of conduct are encouraged.

Examples

  • AI-powered spam filters
  • Inventory management AI
  • Recommendation engines for streaming
  • AI-based video games

Key Obligations

  • No mandatory obligations
  • Voluntary codes of conduct recommended
  • Good practice: internal documentation
Compliance Deadlines

EU AI Act Enforcement Timeline

The EU AI Act rolls out in phases. Know your deadlines before they arrive.

  1. EU AI Act Enters into Force (1 August 2024)

    The regulation was published in the Official Journal of the EU on 12 July 2024 and entered into force 20 days later. Every deadline below counts from 1 August 2024.

  2. Prohibited Practices — Article 5 Applies (2 February 2025)

    Six months after entry into force: the prohibitions on unacceptable-risk AI practices take effect, together with the Article 4 AI-literacy obligation. Violations of Article 5 can result in fines up to €35 million or 7% of global annual turnover, whichever is higher.

  3. GPAI Model Rules Apply (2 August 2025)

    Twelve months after entry into force: obligations for providers of general-purpose AI models (GPT-style foundation models) apply, along with the governance and penalty provisions. Providers must maintain technical documentation, supply information to downstream providers, put in place a copyright-compliance policy, and publish a summary of the content used for training. GPAI models already on the market before 2 August 2025 have until 2 August 2027 to comply.

  4. High-Risk AI — Full Compliance Required (2 August 2026)

    Two years after entry into force: all obligations for Annex III high-risk AI systems apply, as do the Article 50 transparency obligations. This is the critical deadline for most enterprise AI deployments.

  5. High-Risk AI in Regulated Products (2 August 2027)

    Three years after entry into force: extended deadline for high-risk AI that is a safety component of products already regulated under Annex I EU product safety legislation (medical devices, machinery, toys, etc.).

Action Plan

EU AI Act Compliance Checklist

The six workstreams every organization deploying high-risk AI must complete before August 2026. Risk Meridian automates each one.

1

AI System Inventory & Classification

Articles 6–7
  • Catalog every AI system in use or under development
  • Classify each system by EU AI Act risk tier (prohibited / high / limited / minimal)
  • Identify all Annex III high-risk use cases
  • Determine if any systems qualify as GPAI models
  • Document the intended purpose and reasonably foreseeable misuse of each system
2

Risk Management System

Article 9
  • Establish a continuous risk management process for each high-risk AI system
  • Identify and analyze known and foreseeable risks throughout the AI lifecycle
  • Evaluate risks under conditions of reasonably foreseeable misuse
  • Adopt risk mitigation measures and residual risk acceptance criteria
  • Document risk management activities and decisions
3

Data Governance

Article 10
  • Implement data governance and management practices for training, validation, and testing data
  • Examine data for biases and take appropriate mitigation steps
  • Ensure training, validation, and testing data are relevant, sufficiently representative, and, to the best extent possible, free of errors and complete in view of the intended purpose (Article 10(3))
  • Document data provenance, collection methods, and pre-processing operations
  • Establish procedures for handling personal data in training datasets
4

Technical Documentation

Article 11 + Annex IV
  • Prepare Annex IV technical documentation before market placement
  • Document system architecture, training methodologies, and performance metrics
  • Maintain documentation throughout the AI system lifecycle
  • Ensure documentation is available to national competent authorities on request
  • Update documentation when the system undergoes substantial modifications
5

Transparency & Human Oversight

Articles 12–14
  • Provide instructions for use enabling human oversight
  • Implement measures enabling users to interpret, override, or halt AI outputs
  • Ensure operators can monitor AI system performance in deployment
  • Log AI system operations automatically over the system's lifetime so that post-deployment auditing and incident investigation are possible (Article 12)
  • Disclose AI involvement to end users where required by Article 50
6

Conformity & Registration

Articles 22, 43–49, 72–73
  • Complete conformity assessment for each high-risk AI system
  • Affix CE marking where required for EU market placement
  • Register high-risk AI systems in the EU database before deployment
  • Appoint an EU authorized representative if you are a non-EU provider
  • Establish a post-market monitoring plan (Article 72) and a serious-incident reporting process to national competent authorities (Article 73)

Risk Meridian tracks completion of every checklist item and surfaces gaps in a compliance dashboard.

The Platform

How Risk Meridian Automates EU AI Act Compliance

From initial classification through conformity assessment and ongoing monitoring — every EU AI Act obligation has a corresponding workflow in Risk Meridian.

Automatic Risk Classification

Import or manually enter your AI systems. Risk Meridian classifies each one by EU AI Act risk tier based on its use case, affected population, and deployment context — no legal interpretation required.

Annex IV Technical Documentation Builder

Guided templates aligned to Annex IV generate the technical documentation required for every high-risk AI system. Export PDF-ready documentation at any time.

Article-Mapped Controls

Every control in Risk Meridian is mapped to a specific EU AI Act article. Track completion, assign owners, set due dates, and see your per-article compliance status at a glance.

Conformity Assessment Workflow

Step-by-step conformity assessment workflows guide you through self-assessment or preparation for third-party notified body review. Log decisions, evidence, and sign-offs.

Multi-Framework Coverage

EU AI Act controls are cross-walked to TRAIGA (Texas), NIST AI RMF, ISO 42001, and HIPAA AI guidance. Complete one assessment, satisfy multiple frameworks simultaneously.

Incident Reporting & Post-Market Monitoring

Log and track AI incidents with severity scoring. Risk Meridian generates reports aligned to the EU AI Act's Article 72 post-market monitoring requirements and the Article 73 serious-incident reporting obligations to national competent authorities.

FAQ

EU AI Act — Frequently Asked Questions

Who does the EU AI Act apply to?
The EU AI Act applies to any provider placing an AI system on the EU market or putting it into service in the EU, regardless of where the provider is established. It also applies to deployers of AI systems established in the EU, to importers and distributors, and to providers and deployers located outside the EU when the AI system's output is used in the EU. In short: if your AI system affects people in the EU, you are likely in scope.
What are the penalties for non-compliance with the EU AI Act?
Fines are tiered by violation type. Deploying a prohibited AI practice (Article 5) can result in fines up to €35 million or 7% of global annual turnover, whichever is higher. Violations of other obligations, such as the high-risk requirements (e.g., missing technical documentation, no conformity assessment), carry fines up to €15 million or 3% of global turnover, whichever is higher. Supplying incorrect, incomplete, or misleading information to notified bodies or authorities carries fines up to €7.5 million or 1% of global turnover, whichever is higher. For SMEs and start-ups, whichever of the two figures is lower applies.
What is a high-risk AI system under the EU AI Act?
High-risk AI systems are listed in Annex III of the EU AI Act in eight areas: (1) biometrics, including remote biometric identification, biometric categorisation, and emotion recognition; (2) management of critical infrastructure; (3) education and vocational training; (4) employment and worker management; (5) access to essential private and public services and benefits; (6) law enforcement; (7) migration, asylum, and border control; and (8) administration of justice and democratic processes. AI that is a safety component of a product regulated under Annex I (medical devices, machinery, vehicles) is also high-risk. Under Article 6(3), a system in an Annex III area that does not pose a significant risk to health, safety, or fundamental rights may be assessed as not high-risk, but the provider must document that assessment and register it.
What is a GPAI model and what obligations apply?
A General Purpose AI (GPAI) model is an AI model trained on large amounts of data using self-supervision at scale that displays significant generality and can competently perform a wide range of distinct tasks. Examples include large language models like GPT-4 or Claude. GPAI model providers must maintain technical documentation, supply information to downstream providers integrating the model, put in place a policy to comply with EU copyright law, and publish a summary of the content used for training. GPAI models with systemic risk (presumed where cumulative training compute exceeds 10^25 FLOPs, or where the Commission designates the model) have additional obligations: model evaluation and adversarial testing, assessment and mitigation of systemic risks, serious-incident reporting, and adequate cybersecurity protection for the model and its infrastructure.
Does the EU AI Act apply to AI systems already deployed before it took effect?
Yes, but with transitional rules (Article 111). High-risk AI systems placed on the market or put into service before 2 August 2026 are only brought into scope if they undergo significant changes in design after that date, with one exception: high-risk systems used by public authorities must comply by 2 August 2030 regardless. GPAI models placed on the market before 2 August 2025 have until 2 August 2027. The Article 5 prohibitions apply from 2 February 2025 to all systems, whenever they were deployed. Systems placed on the market after the relevant application date must comply from the outset (2 February 2025 for prohibited practices; 2 August 2026 for Annex III high-risk systems; 2 August 2027 for Annex I products).
How does Risk Meridian help with EU AI Act compliance?
Risk Meridian provides an end-to-end EU AI Act compliance workflow: AI system inventory and automatic risk classification; risk management documentation with guided templates; technical documentation builder aligned to Annex IV requirements; controls tracking mapped to specific EU AI Act articles; human oversight configuration checklists; ongoing monitoring dashboards; and board-ready compliance reports. Risk Meridian also maps EU AI Act obligations alongside TRAIGA (Texas), NIST AI RMF, ISO 42001, and other frameworks so multi-framework compliance does not require duplicate effort.

Don't let August 2026 sneak up on you

Start your EU AI Act readiness assessment today. Risk Meridian generates a gap report in minutes — giving you a clear, article-by-article view of what is done, what is missing, and what to tackle first.