Skip to main content

EU AI Act Compliance

The EU AI Act (Regulation 2024/1689) introduces mandatory requirements for AI systems based on risk classification. Annex III high-risk systems face the strictest obligations, with penalties up to 7% of global revenue.

ARQERA's governance API and evidence chain provide the technical infrastructure to meet these requirements.

Key Deadlines

DateRequirement
August 2, 2025Prohibited AI practices banned
August 2, 2026High-risk AI system obligations enforced (Annex III)
August 2, 2027Full regulation in effect for all AI systems

How ARQERA Maps to EU AI Act Requirements

Article 9 — Risk Management System

Requirement: Continuous, iterative risk management throughout the AI system lifecycle.

ARQERA implementation: Every action is evaluated against 8 governance laws before execution. The risk_level context field enables risk classification, and the Safety Dominance law ensures high-risk actions receive additional scrutiny.

result = client.governance.evaluate(
"model.deploy",
description="Deploy fraud detection model to production",
context={
"risk_level": "high",
"is_irreversible": False,
"confidence_score": 0.94,
},
)

Article 11 — Technical Documentation

Requirement: Maintain detailed technical documentation describing the AI system and its risk management process.

ARQERA implementation: Every governance evaluation is recorded as a tamper-proof evidence artifact. Use the Evidence API to export documentation for auditors.

curl -X POST "https://api.arqera.io/api/v1/evidence/export" \
-H "X-API-Key: $ARQERA_API_KEY" \
-d '{
"format": "pdf",
"from_date": "2026-01-01T00:00:00Z",
"to_date": "2026-06-30T23:59:59Z",
"include_chain_verification": true
}'

Article 12 — Record-Keeping

Requirement: Automatic logging of events throughout the high-risk AI system's lifetime.

ARQERA implementation: The evidence chain provides cryptographically-linked, immutable records of every governance decision. The hash chain ensures logs cannot be tampered with.

# Verify chain integrity
curl "https://api.arqera.io/api/v1/evidence/verify" \
-H "X-API-Key: $ARQERA_API_KEY"

Article 14 — Human Oversight

Requirement: High-risk AI systems must allow human oversight and intervention.

ARQERA implementation: The escalate verdict implements human-in-the-loop governance. When an action exceeds the AI's autonomy bounds, it is queued for human approval.

result = client.governance.evaluate(
"user.data.delete",
description="Delete inactive user accounts",
context={
"risk_level": "high",
"is_irreversible": True,
"has_approval": False, # No human approval yet
},
)

# result.verdict will be "escalate" — requires human approval
if result.needs_approval:
queue_for_human_review(result)

Article 15 — Accuracy, Robustness, Cybersecurity

Requirement: Appropriate levels of accuracy, robustness, and cybersecurity.

ARQERA implementation: The confidence_score and min_confidence context fields enforce accuracy thresholds. The Monotonic Truth law prevents truth degradation. The Bounded Autonomy law constrains AI actions to verified capabilities.


Compliance Checklist

Use ARQERA to satisfy these Annex III requirements:

RequirementARQERA FeatureHow to Verify
Risk managementGovernance Evaluate APIEvery action has a risk verdict
Technical documentationEvidence Export APIPDF/JSON exports for auditors
Record-keepingEvidence ChainHash-verified immutable logs
Human oversightEscalate verdictApproval queues and audit trail
Accuracy monitoringConfidence thresholdsGovernance context fields
Incident reportingEvidence Search APISearch by verdict, action, date
TransparencyPer-law evaluationsExplainable governance decisions

Compliance Dashboard

ARQERA provides a built-in compliance dashboard in the web application:

  • Governance Verdict History — view all evaluations with filtering
  • Evidence Completeness — track coverage across compliance frameworks
  • Evidence Export — one-click exports for specific frameworks
  • Chain Verification — real-time integrity monitoring

Navigate to Governance > Compliance in the ARQERA dashboard to access these features.


What You Need to Do (Customer Obligations)

ARQERA provides the governance infrastructure. But as a deployer of high-risk AI, you have obligations too. Here's a practical checklist:

Before August 2, 2026 (High-Risk Deadline)

#ObligationArticleWhat You DoWhat ARQERA Provides
1Classify your AI systemsArticle 6Determine which of your AI use cases fall under Annex IIIRisk Classification API — assign risk levels per action type
2Register in the EU databaseArticle 49Submit your high-risk systems to the EU AI databaseAI Transparency Register — export registration data
3Appoint a human overseerArticle 14Designate who reviews escalated decisionsApproval workflows — HARD tier actions queue for named approvers
4Document your AI systemsArticle 11Maintain technical documentation for each high-risk systemEvidence Export API — generate PDF/JSON documentation on demand
5Establish loggingArticle 12Ensure all AI decisions are recorded immutablyEvidence Chain — automatic, cryptographically-signed logging
6Test for biasArticle 10Validate training data and model outputs for discriminationGovernance evaluation includes Non-Discrimination law
7Inform usersArticle 13Tell users when they're interacting with AITransparency logging — every AI action recorded with disclosure flag

Ongoing Obligations

ObligationFrequencyARQERA Support
Monitor system performanceContinuousConfidence scores tracked per governance evaluation
Report serious incidentsWithin 72 hoursEvidence search by severity — export incident timeline
Update risk assessmentAnnual or on material changeCompliance Assessment API — run /compliance/eu-ai-act/assess
Retain logsDuration of AI system lifecycle + 10 yearsEvidence retention tiers (HOT → WARM → COLD, up to 7 years)
Cooperate with authoritiesOn requestEvidence Export — full audit trail in auditor-friendly formats

Prohibited Practices (Already Enforced)

ARQERA's governance engine automatically blocks actions matching Article 5 prohibited practices:

  • Social scoring systems
  • Subliminal manipulation techniques
  • Exploitation of vulnerable groups
  • Real-time biometric identification in public spaces
  • Predictive policing
  • Emotion inference in workplace/education
  • Untargeted facial image scraping

These are enforced at the API level — your application cannot execute these action types through ARQERA, regardless of configuration.

Penalties

ViolationFine
Prohibited AI practicesUp to €35M or 7% of global annual turnover
High-risk obligationsUp to €15M or 3% of global annual turnover
Incorrect information to authoritiesUp to €7.5M or 1% of global annual turnover

Getting Started

  1. Run a compliance assessment: Navigate to Governance > Compliance > EU AI Act in the dashboard, or call POST /compliance/eu-ai-act/assess
  2. Review gaps: The assessment generates prioritised remediation steps with severity levels
  3. Export for your legal team: Use the Evidence Export API to generate documentation for legal review
  4. Set up monitoring: Enable compliance drift detection to catch regressions automatically

Next Steps