EU AI Act Compliance

Understand the world's first comprehensive AI regulation

The EU AI Act is here. Risk-based obligations apply to anyone developing or deploying AI in the EU. Ensure your innovation doesn't bring liability.

EU Regulation Artificial Intelligence

What is the EU AI Act?

The EU AI Act (EU 2024/1689) is the world's first comprehensive regulation on artificial intelligence. It classifies AI systems by risk level and imposes obligations proportional to the risk they pose.

Risk-Based Approach

Safety rules are tailored to the specific risk level of the AI system - from minimal (no restrictions) to unacceptable (banned).

Extraterritorial Scope

Applies to any provider placing AI on the EU market, regardless of where they are based. Deployers within the EU are also covered.

GPAI Obligations

General-purpose AI models (like foundation models) face specific transparency and documentation requirements, with stricter rules for systemic risk models.

The Stakes are High

  • €35M: maximum fines for prohibited AI
  • 7%: of global annual turnover
  • Market ban: non-compliant systems must be withdrawn from the market

Prohibited AI: EUR 35M or 7% of global turnover

High-risk violations: EUR 15M or 3% of global turnover

Misleading info: EUR 7.5M or 1% of global turnover

AI Risk Categories

Determine where your AI system falls to understand your compliance obligations.

Unacceptable Risk

Banned

AI systems considered a clear threat to safety, livelihoods, and fundamental rights.

  • Social scoring by governments
  • Manipulative AI targeting vulnerable groups
  • Untargeted facial recognition scraping
  • Emotion recognition in workplaces and schools
  • Predictive policing based solely on profiling

High Risk

Strict Obligations

Systems used in critical areas requiring conformity assessments and ongoing monitoring.

  • Critical infrastructure (transport, energy, water)
  • Education and vocational training
  • Employment and worker management
  • Essential services (credit scoring, insurance)
  • Law enforcement and border control

Limited Risk

Transparency Obligations

Systems with specific transparency risks - users must know they interact with AI.

  • Chatbots and customer service AI
  • Deepfakes (must be labeled)
  • AI-generated content

Minimal Risk

No New Obligations

The vast majority of AI systems. Voluntary codes of conduct encouraged.

  • Spam filters
  • AI-enabled video games
  • Inventory management tools

Requirements for High-Risk AI

Risk Management System

Establish, implement, document and maintain a risk management system throughout the AI system's lifecycle.

Data Governance

Training, validation and testing datasets must meet quality criteria to ensure systems are unbiased and representative.

Technical Documentation

Detailed documentation must be drawn up before the system is placed on the market to demonstrate compliance.

Record Keeping

Automatic recording of events (logging) to ensure traceability of the system's functioning throughout its lifecycle.

Transparency & Information

Ensure that deployers can interpret the system's output and use it appropriately. Clear instructions must be provided.

Human Oversight

Systems must be designed to allow effective oversight by natural persons, including the ability to override or shut down.

ISO 42001 as your Article 9 implementation standard

ISO/IEC 42001:2023 (AI Management Systems) provides a certified governance framework that supports EU AI Act Article 9 risk management requirements and broader governance obligations for high-risk AI systems. Organizations with ISO 42001 certification hold a third-party-validated AIMS, precisely the kind of evidence regulators and conformity assessment bodies expect. Explore our ISO 42001 certification service.

What You Get

Our EU AI Act compliance service delivers risk classification and governance structures tailored to your AI systems.

AI System Inventory & Classification

Complete catalog of AI systems with risk-tier classification and scope determination

Risk Management System

Lifecycle risk management framework for high-risk AI systems

Technical Documentation

Detailed documentation demonstrating compliance with AI Act requirements

Data Governance Framework

Training and validation data quality controls to ensure bias mitigation

Conformity Assessment Package

Evidence and documentation for conformity assessment and CE marking

EU AI Act Compliance FAQ

What AI systems are banned under the EU AI Act?

The Act prohibits AI systems that pose unacceptable risks. Banned applications include: social scoring systems by governments, real-time biometric surveillance in public spaces (with narrow exceptions for law enforcement), AI that manipulates people through subliminal techniques, AI that exploits vulnerabilities of specific groups, and AI used for predictive profiling based on personal characteristics. These prohibitions applied from August 2024.

What does high-risk AI classification mean for my organization?

High-risk AI systems face the most stringent compliance obligations. They must undergo a conformity assessment before market placement, implement risk management systems, use high-quality training data, maintain detailed technical documentation, enable human oversight, and achieve accuracy and robustness standards. High-risk categories include AI in critical infrastructure, education, employment, essential services, law enforcement, migration, and administration of justice.

Does the EU AI Act apply to non-EU companies?

Yes. Like the GDPR, the EU AI Act has extraterritorial reach. It applies to any provider placing an AI system on the EU market or putting it into service in the EU, regardless of where the provider is established. It also applies to deployers of AI systems located within the EU. Non-EU companies with EU customers or operations must comply with the same requirements as EU-based organizations.

What is a Conformity Assessment under the EU AI Act?

A Conformity Assessment is the process by which high-risk AI systems are evaluated for compliance before being placed on the market. For most high-risk AI systems, this can be a self-assessment by the provider against the technical requirements in the Act. For certain categories (e.g., biometric identification, critical infrastructure), independent third-party assessment by a notified body is required. Organizations must document the assessment and issue an EU Declaration of Conformity.

Ready for the EU AI Act?

Ensure your AI systems are compliant and secure. Book a readiness assessment today.