Knowledge Center / EU AI Act
European Union · EU

EU AI Act

Risk-tiered EU regulation governing AI systems and models.

Introduction: The World's First Horizontal AI Law

Regulation (EU) 2024/1689 of the European Parliament and of the Council of 13 June 2024 laying down harmonised rules on artificial intelligence, commonly known as the EU AI Act, is the world's first comprehensive, horizontal statute governing the development, placing on the market, putting into service and use of artificial intelligence systems. It was published in the Official Journal of the European Union on 12 July 2024 and entered into force on 1 August 2024, with obligations phasing in over a staggered timeline that runs to 2 August 2027. Unlike sector-specific rules, the AI Act applies across every economic sector and adopts a risk-based, product-safety architecture layered onto a fundamental-rights protection mission.

This CyberSigma Knowledge Center deep-dive is written for two audiences simultaneously: the auditor or conformity assessor who must evaluate an organisation's evidence against the Regulation's articles and annexes, and the implementer, CISO, Data Protection Officer or AI governance lead who must operationalise those obligations. The Act is a legal instrument, not a certifiable management-system standard like ISO/IEC 42001, so 'compliance' here means demonstrable conformity with directly applicable legal duties, backed by technical documentation, testing records and governance evidence that would withstand scrutiny from a national market surveillance authority or a notified body.

Copyright and source note
The EU AI Act (Regulation (EU) 2024/1689) is an official act of the European Union. The consolidated and authentic text is published free of charge on EUR-Lex in all official languages; EU legislation is not subject to third-party copyright restrictions but must be cited accurately. This guide is original CyberSigma commentary and interpretation. It paraphrases obligations and does not reproduce the verbatim legal text. Always verify against the authentic EUR-Lex version and subsequent delegated/implementing acts, harmonised standards and Commission guidance, which continue to evolve.

What is the EU AI Act

The EU AI Act is a directly applicable Regulation, meaning it takes legal effect in all 27 Member States without transposition into national law (though Member States must designate authorities and set penalty regimes). Its stated objective is to promote the uptake of trustworthy, human-centric AI while ensuring a high level of protection of health, safety and fundamental rights enshrined in the Charter of Fundamental Rights of the European Union, including democracy, the rule of law and environmental protection, against the harmful effects of AI systems.

The Act defines an 'AI system' (Article 3(1)) in alignment with the OECD definition: a machine-based system designed to operate with varying levels of autonomy, that may exhibit adaptiveness after deployment, and that, for explicit or implicit objectives, infers from the input it receives how to generate outputs such as predictions, content, recommendations or decisions that can influence physical or virtual environments. This inference-based definition is deliberately technology-neutral and excludes simpler traditional software and purely rule-based systems that do not infer.

The Act's central innovation is a four-tier risk pyramid. Systems posing an unacceptable risk are prohibited outright (Article 5). High-risk systems (Articles 6-49 and Annexes I and III) are permitted subject to stringent ex-ante conformity requirements. Systems posing limited or transparency risk (Article 50) carry disclosure duties. Minimal-risk systems are largely unregulated. Layered orthogonally onto this pyramid is a dedicated regime for general-purpose AI (GPAI) models, including those with systemic risk (Chapter V, Articles 51-56).

AttributeDetail
InstrumentRegulation (EU) 2024/1689
Common nameEU AI Act
IssuerEuropean Parliament and Council of the European Union
Entered into force1 August 2024
Legal natureDirectly applicable Regulation (no national transposition)
Regulatory modelRisk-based, product-safety (New Legislative Framework) plus fundamental-rights protection
Extraterritorial reachYes, based on output used in the EU and market placement
EnforcementNational market surveillance authorities, notified bodies, European AI Office, AI Board
Maximum fineEUR 35 million or 7% of total worldwide annual turnover (prohibited practices)

Who Must Comply: Scope and Applicability

The Act assigns distinct obligations to a chain of operators. Correctly classifying your organisation's role is the first and most consequential scoping decision, because the same entity can hold multiple roles across different systems, and a deployer that substantially modifies a high-risk system or markets it under its own name can be re-classified as a provider (Article 25).

Operator role (Article 3)Definition and who it captures
ProviderDevelops an AI system or GPAI model, or has one developed, and places it on the market or puts it into service under its own name or trademark, whether for payment or free of charge. Bears the heaviest obligations.
DeployerA natural or legal person using an AI system under its authority, except where used in a purely personal non-professional activity. Formerly termed 'user'.
ImporterLocated or established in the EU, places on the market an AI system bearing the name/trademark of a person established in a third country.
DistributorIn the supply chain, other than provider or importer, that makes an AI system available on the EU market.
Product manufacturerPlaces on the market or into service an AI system together with their product and under their own name, where the AI is a safety component under Annex I sectoral law.
Authorised representativeEstablished in the EU, mandated in writing by a non-EU provider to carry out obligations on its behalf.

Territorial scope (Article 2)

  • Providers placing AI systems on the market or putting them into service in the EU, irrespective of whether they are established in the EU or a third country.
  • Deployers of AI systems that have their place of establishment or are located within the EU.
  • Providers and deployers established in a third country where the output produced by the AI system is used in the EU, a deliberately broad extraterritorial hook.
  • Importers and distributors of AI systems, and EU-based product manufacturers integrating AI.
  • Affected persons located in the EU benefit from certain rights (e.g. Article 86 right to explanation of individual decision-making).

Key exclusions from scope

  • AI systems developed and used exclusively for military, defence or national security purposes.
  • AI systems used by public authorities in third countries or international organisations under international cooperation for law enforcement/judicial cooperation with the EU (subject to safeguards).
  • AI systems and models specifically developed and put into service for the sole purpose of scientific research and development.
  • Research, testing and development activity prior to placing on the market (except real-world testing).
  • AI released under free and open-source licences, unless placed on the market or put into service as high-risk, prohibited, or subject to Article 50 transparency, or is a GPAI model with systemic risk.
  • Purely personal, non-professional use by natural persons.

Structure of the EU AI Act

The Regulation comprises 113 Articles organised into 13 Chapters, supported by 180 recitals and 13 Annexes. The annexes are operationally critical: Annex III lists the eight high-risk use-case areas, Annex I lists Union harmonisation legislation, and Annexes IV, VII, VIII and XI define technical documentation, conformity assessment and registration content. The table below maps the principal chapters and the obligations they carry.

Chapter / ArticlesDomainCore content
Chapter I (Art. 1-4)General provisionsSubject matter, scope, definitions, AI literacy obligation
Chapter II (Art. 5)Prohibited AI practicesEight categories of unacceptable-risk practices
Chapter III (Art. 6-49)High-risk AI systemsClassification, requirements, provider/deployer duties, conformity assessment, registration
Chapter IV (Art. 50)Transparency obligationsDisclosure for certain limited-risk systems (chatbots, deepfakes, emotion/biometric categorisation)
Chapter V (Art. 51-56)General-purpose AI modelsGPAI obligations, systemic-risk classification, codes of practice
Chapter VI (Art. 57-63)Measures in support of innovationRegulatory sandboxes, real-world testing, SME support
Chapter VII (Art. 64-70)GovernanceEuropean AI Office, AI Board, advisory forum, scientific panel, national authorities
Chapter VIII (Art. 71)EU databaseRegistration of high-risk systems in the EU database
Chapter IX (Art. 72-94)Post-market monitoring, information sharing, market surveillanceMonitoring plans, serious incident reporting, enforcement
Chapter X (Art. 95)Codes of conductVoluntary codes for non-high-risk systems
Chapter XI (Art. 96-101)Delegation and committeeDelegated acts, Commission powers, GPAI fines
Chapter XII (Art. 99-101)PenaltiesAdministrative fines tiers
Chapter XIII (Art. 102-113)Final provisionsAmendments, entry into force, phased application dates

Implementation timeline (Article 113)

DateObligation becoming applicable
1 August 2024Regulation enters into force
2 February 2025Chapter I (general provisions) and Chapter II (prohibitions on unacceptable-risk practices); AI literacy duty (Art. 4)
2 August 2025GPAI model obligations (Chapter V), governance bodies (Chapter VII), notified bodies, confidentiality, most penalties provisions
2 August 2026General application of the Regulation, including Annex III high-risk obligations and Article 50 transparency
2 August 2027High-risk obligations for AI systems that are safety components of products under Annex I sectoral legislation; GPAI models placed on market before Aug 2025 must be compliant

Master Assessment Checklist

This is the operational heart of the guide. Each subsection below corresponds to a distinct obligation cluster in the Regulation. For each, the assessor verifies the stated control and collects the typical evidence. No obligation area is omitted. Where the Regulation cross-references an annex, the annex is named so that documentation can be traced back to the legal source.

5.1 Prohibited AI practices (Article 5)

What to verifyTypical evidence
No AI system deploys subliminal, manipulative or deceptive techniques that materially distort behaviour causing significant harmAI use-case inventory with prohibition screening; DPIA/FRIA screening records
No exploitation of vulnerabilities due to age, disability or specific socio-economic situationVulnerability-population risk assessment; screening sign-off
No social scoring by public or private actors leading to detrimental/unjustified treatmentData-use governance review; scoring-system register
No AI-based risk assessment predicting criminal offending solely on profiling/personalityLaw-enforcement use-case exclusion attestation
No untargeted scraping of facial images to build/expand facial recognition databasesData provenance records; scraping-source audit
No emotion recognition in workplace or education (except medical/safety)Emotion-inference system inventory; justification records
No biometric categorisation inferring sensitive attributes (race, political, religious, sexual orientation)Biometric-system classification review
No real-time remote biometric identification in public spaces for law enforcement outside narrow authorised exceptionsLegal-basis and judicial-authorisation evidence (law enforcement only)

5.2 AI literacy (Article 4)

What to verifyTypical evidence
Providers and deployers ensure a sufficient level of AI literacy of staff and persons operating AI on their behalfAI literacy training programme; attendance/completion records
Literacy measures account for technical knowledge, experience, education and the deployment contextRole-based training matrix; needs-analysis document
Ongoing awareness of opportunities, risks and possible harms of AIAwareness communications; refresher schedule

5.3 High-risk classification (Article 6, Annex I and III)

What to verifyTypical evidence
Correct classification against Annex I (safety components) and Annex III (eight use-case areas)High-risk classification determination per system; rationale record
Where Annex III applies, assessment of the Article 6(3) derogation (no significant risk to health/safety/rights)Documented derogation assessment; registration of the exemption decision
Systems performing profiling of natural persons are always treated as high-risk within Annex III areasProfiling-flag review in system inventory

5.4 Risk management system (Article 9)

What to verifyTypical evidence
A continuous, iterative risk management system runs across the entire lifecycleRisk management plan and procedure; version history
Identification and analysis of known and reasonably foreseeable risks to health, safety, fundamental rightsRisk register with likelihood/impact; residual-risk statements
Adoption of risk mitigation measures and testing against preliminarily defined metricsMitigation action log; test protocols and results
Consideration of risks to vulnerable groups and persons under 18Vulnerable-group impact analysis

5.5 Data and data governance (Article 10)

What to verifyTypical evidence
Training, validation and testing datasets meet quality criteria and are relevant, representative, error-free and complete as far as possibleData governance policy; dataset datasheets; quality metrics
Examination for possible biases likely to affect health/safety or cause discriminationBias assessment reports; mitigation measures
Appropriate data governance and management practices (collection, provenance, labelling, gap analysis)Data lineage records; annotation guidelines
Processing of special-category data for bias detection only where strictly necessary with safeguardsLegal-basis assessment; Article 10(5) safeguards documentation

5.6 Technical documentation (Article 11, Annex IV)

What to verifyTypical evidence
Technical documentation is drawn up before market placement and kept up to dateAnnex IV technical file; document-control record
Documentation demonstrates the system meets Chapter III Section 2 requirementsRequirement-to-evidence traceability matrix
General description, development process, monitoring, and risk-management details are presentCompleted Annex IV template covering all required headings

5.7 Record-keeping and logging (Article 12)

What to verifyTypical evidence
Automatic recording of events (logs) over the system's lifetimeLogging design specification; sample log extracts
Logs enable traceability appropriate to the intended purpose and support post-market monitoringLog retention policy; traceability demonstration
For remote biometric identification, logs capture reference database, input and identification resultsBiometric logging configuration evidence

5.8 Transparency and information to deployers (Article 13)

What to verifyTypical evidence
System operation is sufficiently transparent to enable deployers to interpret and use outputDesign documentation of interpretability features
Instructions for use provide identity of provider, characteristics, capabilities, limitations and performanceInstructions-for-use document; accessibility check
Human oversight measures and expected lifetime/maintenance are specifiedOversight and maintenance section of instructions

5.9 Human oversight (Article 14)

What to verifyTypical evidence
System is designed to be effectively overseen by natural persons during useHuman-oversight design specification
Oversight enables monitoring, interpreting output, deciding not to use, and intervening or stopping (stop button)Oversight procedure; UI evidence of override/stop controls
Measures address automation bias, especially for identification systems requiring two-person verificationAutomation-bias mitigation record; four-eyes rule evidence

5.10 Accuracy, robustness and cybersecurity (Article 15)

What to verifyTypical evidence
Appropriate levels of accuracy achieved and declared metrics stated in instructionsAccuracy test reports; declared metric values
Resilience to errors, faults, inconsistencies and environmental interaction (robustness)Robustness/stress-test results; fail-safe design records
Resilience against attempts to alter use or performance by third parties (adversarial, data/model poisoning, evasion)Security testing; adversarial red-team report; model-integrity controls
Feedback loops in continuous-learning systems are addressed to avoid biased outputsContinuous-learning risk controls documentation

5.11 Quality management system (Article 17)

What to verifyTypical evidence
Providers operate a documented quality management system (QMS)QMS manual; policies and procedures register
QMS covers regulatory compliance strategy, design control, testing, data management, risk management, post-market monitoring, incident reporting and record-keepingQMS scope matrix mapped to Article 17(1)(a)-(m)
Accountability and management framework definedResponsibility assignment; management review minutes

5.12 Conformity assessment, declaration and CE marking (Articles 43, 47, 48)

What to verifyTypical evidence
Appropriate conformity assessment procedure completed (internal control Annex VI or notified-body Annex VII)Conformity assessment records; notified-body certificate where applicable
EU declaration of conformity drawn up and retained for 10 years (Annex V)Signed EU declaration of conformity
CE marking affixed visibly, legibly and indelibly (physical or digital)CE-marking evidence; notified-body identification number where relevant
Reassessment triggered by substantial modificationChange-control log linking modifications to reassessment

5.13 Registration in the EU database (Articles 49, 71)

What to verifyTypical evidence
Provider registers the high-risk system in the EU database before market placementEU database registration confirmation; Annex VIII data
Public-authority deployers register their use of Annex III high-risk systemsDeployer registration record
Article 6(3) exemption decisions are registeredExemption registration entry

5.14 Provider obligations (Article 16)

What to verifyTypical evidence
Provider ensures compliance with all Chapter III requirements and indicates name/contact on the systemProvider identification labelling; compliance attestation
Corrective actions taken and authorities informed where non-conformity foundCorrective action procedure; notification records
Documentation kept for 10 years and made available to authorities on requestRetention schedule; access-request log

5.15 Deployer obligations (Article 26 and Fundamental Rights Impact Assessment Article 27)

What to verifyTypical evidence
Deployer uses the system per instructions, assigns competent human oversight, ensures input data relevanceDeployment SOP; oversight staffing records; input-data controls
Monitoring of operation and suspension/notification on risk or serious incidentOperational monitoring logs; incident-escalation records
Fundamental Rights Impact Assessment performed by public bodies and certain private deployers before useCompleted FRIA (Article 27); notification to authority
Affected persons informed where high-risk AI is used to make decisions about themNotice/disclosure records to affected persons

5.16 Transparency obligations (Article 50)

What to verifyTypical evidence
Users are informed when interacting with an AI system (chatbots) unless obviousChatbot disclosure UI evidence
AI-generated or manipulated synthetic content is marked in a machine-readable format as artificially generatedContent-watermarking/provenance metadata (e.g. C2PA) evidence
Deepfakes and AI-generated text on public-interest matters are disclosed as suchDeepfake/labelling policy and samples
Emotion recognition and biometric categorisation subjects are informedSubject-notification records

5.17 General-purpose AI models (Articles 53-55)

What to verifyTypical evidence
GPAI providers draw up and maintain technical documentation (Annex XI) for the modelModel card / technical documentation package
Information and documentation provided to downstream providers who integrate the model (Annex XII)Downstream integration documentation
Policy in place to comply with EU copyright law, including text-and-data-mining opt-outsCopyright compliance policy; opt-out honouring records
Sufficiently detailed public summary of training content publishedPublished training-data summary
GPAI with systemic risk: model evaluation, adversarial testing, systemic-risk assessment, serious-incident reporting to AI Office, cybersecurity protectionSystemic-risk evaluation reports; red-team results; incident notifications; security controls

5.18 Post-market monitoring and incident reporting (Articles 72, 73)

What to verifyTypical evidence
Providers establish a post-market monitoring system proportionate to risk with a documented planPost-market monitoring plan; collected performance data
Serious incidents reported to the relevant market surveillance authority without undue delayIncident register; notification timestamps
Reporting deadlines observed: generally within 15 days; 2 days for widespread infringement/serious disruption of critical infrastructure; 10 days where death is involvedIncident-timeline evidence mapped to Article 73(2)-(4)

Scoping and Materiality / Tiering

Scoping under the AI Act is driven by the risk pyramid rather than by data volume or revenue thresholds. The materiality assessment answers two questions for every AI system in the inventory: what risk tier does it occupy, and what is our operator role for it. These two axes together determine the applicable obligation set.

Risk tierTreatmentPrimary obligations
Unacceptable riskProhibited (Article 5)Cease/do not deploy; eight banned practices
High riskPermitted with controls (Annex I / III)Full Chapter III requirements, conformity assessment, registration
Limited / transparency riskPermitted with disclosure (Article 50)Inform users; label synthetic content and deepfakes
Minimal riskLargely unregulatedVoluntary codes of conduct (Article 95)
GPAI modelCross-cutting (Chapter V)Documentation, copyright, training summary
GPAI with systemic riskEnhanced (Article 55)Evaluation, red-teaming, incident reporting, cybersecurity

The systemic-risk threshold for GPAI is presumed where the cumulative amount of compute used for training exceeds 10^25 floating-point operations (FLOP), or where the Commission designates a model based on capability criteria. Materiality for high-risk classification hinges on Annex III use-case fit and the Article 6(3) 'no significant risk' derogation, which cannot be claimed where the system profiles natural persons.

Implementation Approach

A defensible programme is delivered in phases. Each phase produces deliverables that later become audit evidence, so the sequence is designed to build the technical file and governance record incrementally rather than retrofitting documentation.

Phase 1: Discovery and AI inventory

  • Activities: enumerate all AI systems and GPAI models across the organisation, including shadow AI and third-party embedded AI; capture purpose, data, operator role and lifecycle stage.
  • Activities: establish AI governance sponsorship, an AI governance board and an accountable owner.
  • Deliverables: authoritative AI system inventory/register; governance charter; RACI.

Phase 2: Classification and gap assessment

  • Activities: classify each system against Article 5, Annex III, Annex I and GPAI criteria; document derogations under Article 6(3); assess operator role per system.
  • Activities: perform a requirement-by-requirement gap analysis against Chapter III and Article 50.
  • Deliverables: classification determinations; prioritised gap register with remediation owners and dates.

Phase 3: Control build-out

  • Activities: implement risk management (Art. 9), data governance (Art. 10), logging (Art. 12), human oversight (Art. 14), accuracy/robustness/security (Art. 15); establish the QMS (Art. 17).
  • Activities: conduct FRIAs (Art. 27) and DPIAs; embed transparency features (Art. 50).
  • Deliverables: implemented controls; Annex IV technical documentation; QMS manual; FRIA/DPIA records.

Phase 4: Conformity and registration

  • Activities: select and complete the conformity assessment route (Annex VI internal control or Annex VII notified body); draw up the EU declaration of conformity; affix CE marking.
  • Activities: register high-risk systems and any exemptions in the EU database.
  • Deliverables: conformity assessment records; signed declaration; CE marking; EU database registration confirmations.

Phase 5: Operate, monitor and improve

  • Activities: run post-market monitoring per plan; operate serious-incident reporting with mapped deadlines; manage substantial-modification change control; deliver ongoing AI literacy.
  • Activities: schedule periodic internal audits and management reviews; track KPIs.
  • Deliverables: post-market monitoring reports; incident register; change-control records; audit reports and corrective actions.

Maturity / Capability Model

The Act does not define a maturity scale, but CyberSigma applies a five-level capability model to benchmark an organisation's AI governance readiness and to sequence investment. This model complements the ISO/IEC 42001 AI management system approach.

LevelNameCharacteristics
1Initial / ad hocNo AI inventory; classification undocumented; shadow AI prevalent; no accountability
2DevelopingPartial inventory; some classification; policies drafted; reactive risk handling
3DefinedComplete inventory and classification; QMS documented; FRIAs performed; technical files started
4ManagedConformity assessments completed; CE marking and registration done; post-market monitoring operating; KPIs tracked
5OptimisingContinuous improvement; automated logging and monitoring; systemic-risk controls; integrated with ISO 42001; audit-ready at all times

Assessment and Audit Approach

  1. Confirm scope: identify all operator roles and territorial triggers, and freeze the AI system inventory to be assessed.
  2. Verify prohibited-practice screening: test that no system falls under Article 5 and that screening is documented.
  3. Validate classification: independently re-perform Annex III/Annex I classification and challenge any Article 6(3) derogations.
  4. Examine technical documentation: trace each Chapter III requirement (Art. 9-15) to Annex IV documentation and test evidence.
  5. Assess governance controls: review the QMS (Art. 17), risk management (Art. 9), data governance (Art. 10) and human oversight (Art. 14) in operation, not just on paper.
  6. Test conformity artefacts: verify the conformity assessment route, EU declaration of conformity, CE marking and EU database registration.
  7. Review deployer duties: confirm FRIAs (Art. 27), instructions-for-use compliance, affected-person notices and operational monitoring.
  8. Evaluate transparency: sample chatbot disclosures, synthetic-content labelling and deepfake notices under Article 50.
  9. Inspect GPAI obligations where relevant: documentation, copyright policy, training summary and, for systemic risk, evaluations and incident reporting.
  10. Check post-market monitoring and incident reporting: test the plan, register and deadline adherence (2/10/15-day rules).
  11. Report findings: rate conformity per obligation, log non-conformities with severity, and agree a remediation plan and re-test date.

Evidence Request List

  • Governance: AI governance charter, RACI, management review minutes, AI literacy training records.
  • Inventory and classification: AI system register, classification determinations, Article 6(3) derogation assessments, operator-role mapping.
  • Risk and data: risk management plan and register, DPIAs, FRIAs, data governance policy, dataset datasheets, bias assessments, data lineage.
  • Technical file: Annex IV technical documentation, requirement-traceability matrix, accuracy/robustness/security test reports, adversarial red-team results.
  • Quality and operations: QMS manual and procedures, logging design and sample logs, human-oversight procedures and UI evidence.
  • Conformity: conformity assessment records, notified-body certificates, EU declaration of conformity, CE-marking evidence, EU database registrations.
  • Deployer artefacts: instructions for use, deployment SOPs, affected-person notices, operational monitoring logs.
  • Transparency: chatbot/synthetic-content/deepfake labelling policies and samples, watermarking/provenance metadata.
  • GPAI: model cards, downstream documentation (Annex XI/XII), copyright policy, published training-data summary, systemic-risk evaluations.
  • Post-market: monitoring plan and reports, serious-incident register with timestamps, corrective action logs, change-control records.

Roles and Responsibilities

RoleResponsibility under an AI Act programme
Executive sponsor / BoardAccountability for AI governance, risk appetite, resourcing and management review
AI governance lead / AI officerOwns the programme, inventory, classification and cross-functional coordination
CISO / Security teamArticle 15 cybersecurity, adversarial testing, model integrity, incident response
Data Protection OfficerDPIA/FRIA interface, special-category data safeguards (Art. 10), affected-person rights
Legal and complianceRegulatory interpretation, declarations of conformity, contracts with providers/deployers
Product / ML engineeringRisk management, data governance, logging, human-oversight design, technical documentation
Quality managementQMS operation (Art. 17), conformity assessment, CE marking, document control
Deployer operationsInstructions-for-use adherence, oversight staffing, operational monitoring, incident escalation
Internal auditIndependent assurance, evidence testing, non-conformity reporting

KPIs and Metrics to Track

  • Percentage of AI systems inventoried and classified against the risk pyramid.
  • Number of high-risk systems with a complete Annex IV technical file.
  • Percentage of high-risk systems with valid conformity assessment, EU declaration and CE marking.
  • Percentage of high-risk systems registered in the EU database before deployment.
  • Number and severity of open non-conformities against Chapter III requirements.
  • FRIA and DPIA completion rate for in-scope deployments.
  • AI literacy training completion rate (Article 4).
  • Mean time to detect and report serious incidents against the 2/10/15-day deadlines.
  • Bias and accuracy metrics per high-risk model versus declared thresholds.
  • Adversarial/robustness test coverage and pass rate.
  • Shadow AI discovery rate and time to bring into governance.
  • Percentage of GPAI usage with copyright policy and training-data summary evidence.

Readiness Checklist

  • Complete AI system and GPAI inventory including third-party and embedded AI is maintained.
  • Every system screened against Article 5 prohibited practices with documented outcomes.
  • High-risk classification determinations and Article 6(3) derogations documented and registered.
  • Risk management system (Art. 9) operating iteratively across the lifecycle.
  • Data governance and bias controls (Art. 10) implemented with dataset documentation.
  • Annex IV technical documentation drawn up and version-controlled.
  • Automatic logging (Art. 12) enabled with retention aligned to intended purpose.
  • Instructions for use and transparency to deployers (Art. 13) issued.
  • Human oversight measures (Art. 14) designed, including stop controls and anti-automation-bias.
  • Accuracy, robustness and cybersecurity (Art. 15) tested with adversarial evaluation.
  • Quality management system (Art. 17) documented and operating.
  • Conformity assessment completed, EU declaration signed, CE marking affixed.
  • High-risk systems and exemptions registered in the EU database.
  • FRIAs (Art. 27) completed for public and applicable private deployers.
  • Article 50 transparency, watermarking and deepfake labelling implemented.
  • GPAI documentation, copyright policy and training-data summary in place where relevant.
  • Post-market monitoring plan and serious-incident reporting with mapped deadlines operating.
  • AI literacy programme (Art. 4) delivered and tracked.

Common Gaps and Findings

  • No authoritative AI inventory, leaving shadow AI and embedded third-party AI unclassified.
  • Over-reliance on the Article 6(3) derogation without a documented justification, or claiming it despite profiling.
  • Risk management treated as a one-off exercise rather than an iterative lifecycle process (Art. 9).
  • Datasets used without provenance, representativeness or bias assessment evidence (Art. 10).
  • Human oversight designed on paper but no effective stop/override control in the interface (Art. 14).
  • Accuracy metrics undeclared and no adversarial/robustness testing against poisoning or evasion (Art. 15).
  • Technical documentation incomplete against Annex IV headings and not version-controlled.
  • Deployers not performing FRIAs or failing to notify affected persons of automated decisions.
  • AI-generated content and chatbots not disclosed or watermarked under Article 50.
  • GPAI integrated downstream without copyright policy or published training-data summary.
  • No post-market monitoring plan and incident reporting not aligned to the 2/10/15-day deadlines.
  • AI literacy obligation (Art. 4) unaddressed for staff operating AI systems.
  • Confusing operator roles, leading to missed provider obligations after substantial modification (Art. 25).

EU AI Act Mapped to Other Frameworks

EU AI Act obligationRelated framework / control
Quality and AI management system (Art. 17)ISO/IEC 42001 AI management system; ISO 9001
Risk management (Art. 9)ISO/IEC 23894 AI risk management; NIST AI RMF (GOVERN/MAP/MEASURE/MANAGE); ISO 31000
Data governance and bias (Art. 10)ISO/IEC 5259 data quality; GDPR Art. 5 principles; ISO/IEC TR 24027 bias
Cybersecurity and robustness (Art. 15)ISO/IEC 27001/27002; ISO/IEC 24029 robustness; NIST SP 800-53
Human oversight (Art. 14)NIST AI RMF trustworthiness characteristics; OECD AI Principles
Transparency and disclosure (Art. 13, 50)C2PA content provenance; ISO/IEC 12792 transparency taxonomy
Fundamental Rights Impact Assessment (Art. 27)GDPR DPIA (Art. 35); Council of Europe HUDERIA
Post-market monitoring / incident reporting (Art. 72-73)ISO/IEC 42001 monitoring; medical device / NLF vigilance; NIS2 incident reporting analogues
GPAI documentation (Art. 53, Annex XI/XII)Model cards; datasheets; ISO/IEC 42001 transparency controls
Overall governanceISO/IEC 38507 governance of AI; ISO/IEC 42001 Annex A controls

How CyberSigma Helps

Partner with CyberSigma for EU AI Act conformity
CyberSigma's CERT-In empanelled auditors and PCI QSAs combine legal-grade regulatory interpretation with hands-on engineering assurance to take you from AI discovery to defensible conformity. We build your AI inventory, classify every system against the risk pyramid, run gap assessments against Chapter III, and stand up the risk management, data governance, logging, human-oversight and cybersecurity controls the Regulation demands. We author Annex IV technical documentation, prepare you for the correct conformity assessment route, draft your EU declaration of conformity and guide CE marking and EU database registration. We deliver FRIAs, GPAI documentation reviews, adversarial red-teaming for Article 15 robustness, and a post-market monitoring and serious-incident reporting capability aligned to the 2/10/15-day deadlines. Integrated with ISO/IEC 42001 and NIST AI RMF, our programme keeps you audit-ready as the phased 2025-2027 timeline lands. Talk to CyberSigma to make trustworthy AI a demonstrable, sustainable capability.

Frequently asked questions

When does the EU AI Act apply?
It entered into force in 2024 with staggered application — prohibitions first, then GPAI and high-risk obligations phasing in through 2026-2027.

Need help with EU AI Act?

CERT-In empanelled, PCI QSA senior auditors can take you from reading about it to compliant — with a scoped, guided programme.