EU AI Act Compliance
The EU AI Act (Regulation 2024/1689) introduces mandatory requirements for AI systems based on risk classification. Annex III high-risk systems face the strictest obligations, with penalties up to 7% of global revenue.
ARQERA's governance API and evidence chain provide the technical infrastructure to meet these requirements.
Key Deadlines
| Date | Requirement |
|---|---|
| August 2, 2025 | Prohibited AI practices banned |
| August 2, 2026 | High-risk AI system obligations enforced (Annex III) |
| August 2, 2027 | Full regulation in effect for all AI systems |
How ARQERA Maps to EU AI Act Requirements
Article 9 — Risk Management System
Requirement: Continuous, iterative risk management throughout the AI system lifecycle.
ARQERA implementation: Every action is evaluated against 8 governance laws before execution. The risk_level context field enables risk classification, and the Safety Dominance law ensures high-risk actions receive additional scrutiny.
result = client.governance.evaluate(
"model.deploy",
description="Deploy fraud detection model to production",
context={
"risk_level": "high",
"is_irreversible": False,
"confidence_score": 0.94,
},
)
Article 11 — Technical Documentation
Requirement: Maintain detailed technical documentation describing the AI system and its risk management process.
ARQERA implementation: Every governance evaluation is recorded as a tamper-proof evidence artifact. Use the Evidence API to export documentation for auditors.
curl -X POST "https://api.arqera.io/api/v1/evidence/export" \
-H "X-API-Key: $ARQERA_API_KEY" \
-d '{
"format": "pdf",
"from_date": "2026-01-01T00:00:00Z",
"to_date": "2026-06-30T23:59:59Z",
"include_chain_verification": true
}'
Article 12 — Record-Keeping
Requirement: Automatic logging of events throughout the high-risk AI system's lifetime.
ARQERA implementation: The evidence chain provides cryptographically-linked, immutable records of every governance decision. The hash chain ensures logs cannot be tampered with.
# Verify chain integrity
curl "https://api.arqera.io/api/v1/evidence/verify" \
-H "X-API-Key: $ARQERA_API_KEY"
Article 14 — Human Oversight
Requirement: High-risk AI systems must allow human oversight and intervention.
ARQERA implementation: The escalate verdict implements human-in-the-loop governance. When an action exceeds the AI's autonomy bounds, it is queued for human approval.
result = client.governance.evaluate(
"user.data.delete",
description="Delete inactive user accounts",
context={
"risk_level": "high",
"is_irreversible": True,
"has_approval": False, # No human approval yet
},
)
# result.verdict will be "escalate" — requires human approval
if result.needs_approval:
queue_for_human_review(result)
Article 15 — Accuracy, Robustness, Cybersecurity
Requirement: Appropriate levels of accuracy, robustness, and cybersecurity.
ARQERA implementation: The confidence_score and min_confidence context fields enforce accuracy thresholds. The Monotonic Truth law prevents truth degradation. The Bounded Autonomy law constrains AI actions to verified capabilities.
Compliance Checklist
Use ARQERA to satisfy these Annex III requirements:
| Requirement | ARQERA Feature | How to Verify |
|---|---|---|
| Risk management | Governance Evaluate API | Every action has a risk verdict |
| Technical documentation | Evidence Export API | PDF/JSON exports for auditors |
| Record-keeping | Evidence Chain | Hash-verified immutable logs |
| Human oversight | Escalate verdict | Approval queues and audit trail |
| Accuracy monitoring | Confidence thresholds | Governance context fields |
| Incident reporting | Evidence Search API | Search by verdict, action, date |
| Transparency | Per-law evaluations | Explainable governance decisions |
Compliance Dashboard
ARQERA provides a built-in compliance dashboard in the web application:
- Governance Verdict History — view all evaluations with filtering
- Evidence Completeness — track coverage across compliance frameworks
- Evidence Export — one-click exports for specific frameworks
- Chain Verification — real-time integrity monitoring
Navigate to Governance > Compliance in the ARQERA dashboard to access these features.
What You Need to Do (Customer Obligations)
ARQERA provides the governance infrastructure. But as a deployer of high-risk AI, you have obligations too. Here's a practical checklist:
Before August 2, 2026 (High-Risk Deadline)
| # | Obligation | Article | What You Do | What ARQERA Provides |
|---|---|---|---|---|
| 1 | Classify your AI systems | Article 6 | Determine which of your AI use cases fall under Annex III | Risk Classification API — assign risk levels per action type |
| 2 | Register in the EU database | Article 49 | Submit your high-risk systems to the EU AI database | AI Transparency Register — export registration data |
| 3 | Appoint a human overseer | Article 14 | Designate who reviews escalated decisions | Approval workflows — HARD tier actions queue for named approvers |
| 4 | Document your AI systems | Article 11 | Maintain technical documentation for each high-risk system | Evidence Export API — generate PDF/JSON documentation on demand |
| 5 | Establish logging | Article 12 | Ensure all AI decisions are recorded immutably | Evidence Chain — automatic, cryptographically-signed logging |
| 6 | Test for bias | Article 10 | Validate training data and model outputs for discrimination | Governance evaluation includes Non-Discrimination law |
| 7 | Inform users | Article 13 | Tell users when they're interacting with AI | Transparency logging — every AI action recorded with disclosure flag |
Ongoing Obligations
| Obligation | Frequency | ARQERA Support |
|---|---|---|
| Monitor system performance | Continuous | Confidence scores tracked per governance evaluation |
| Report serious incidents | Within 72 hours | Evidence search by severity — export incident timeline |
| Update risk assessment | Annual or on material change | Compliance Assessment API — run /compliance/eu-ai-act/assess |
| Retain logs | Duration of AI system lifecycle + 10 years | Evidence retention tiers (HOT → WARM → COLD, up to 7 years) |
| Cooperate with authorities | On request | Evidence Export — full audit trail in auditor-friendly formats |
Prohibited Practices (Already Enforced)
ARQERA's governance engine automatically blocks actions matching Article 5 prohibited practices:
- Social scoring systems
- Subliminal manipulation techniques
- Exploitation of vulnerable groups
- Real-time biometric identification in public spaces
- Predictive policing
- Emotion inference in workplace/education
- Untargeted facial image scraping
These are enforced at the API level — your application cannot execute these action types through ARQERA, regardless of configuration.
Penalties
| Violation | Fine |
|---|---|
| Prohibited AI practices | Up to €35M or 7% of global annual turnover |
| High-risk obligations | Up to €15M or 3% of global annual turnover |
| Incorrect information to authorities | Up to €7.5M or 1% of global annual turnover |
Getting Started
- Run a compliance assessment: Navigate to Governance > Compliance > EU AI Act in the dashboard, or call
POST /compliance/eu-ai-act/assess - Review gaps: The assessment generates prioritised remediation steps with severity levels
- Export for your legal team: Use the Evidence Export API to generate documentation for legal review
- Set up monitoring: Enable compliance drift detection to catch regressions automatically
Next Steps
- Evidence & Audit Trails — learn how the evidence chain works
- Evidence API — programmatic access to evidence
- The 8 Governance Laws — understand what each law checks