EU AI Act Compliance
The EU AI Act is Europe’s landmark AI regulation, taking effect August 2026. It requires organizations using high-risk AI to conduct risk assessments, maintain audit trails, provide explanations to users, and notify authorities of serious incidents within 72 hours. TruthVouch automates compliance with all 37 articles.
What Is the EU AI Act?
The EU AI Act categorizes AI systems by risk level and assigns requirements accordingly:
| Risk Level | Definition | Examples | Requirements |
|---|---|---|---|
| Unacceptable | AI poses unacceptable risk to safety or rights | Social scoring, subliminal manipulation | Prohibited — cannot be deployed |
| High-Risk | Could significantly harm safety, rights, or equal opportunities | Hiring tools, loan approval, facial recognition | Risk assessment, documentation, audit trail, explanation, human oversight |
| Limited-Risk | Lacks transparency to users | Chatbots, content recommendation | Transparency disclosures |
| Minimal-Risk | No meaningful risk | Spam detection, spell checker | No requirements |
TruthVouch EU AI Act Coverage
Compliance AI covers 37 articles of the EU AI Act:
Article Categories
Prohibited Practices (Articles 5):
- Subliminal manipulation
- Exploiting vulnerabilities
- Social scoring for public administration
- Real-time biometric identification in public spaces (with narrow exceptions)
High-Risk Requirements (Articles 6-51):
- Risk classification
- Risk assessment documentation (Annex III)
- Data governance
- Technical documentation (Annex IV)
- Bias and fairness testing
- Human oversight mechanisms
- Audit trails
- Post-deployment monitoring
- Incident reporting (Article 73)
Transparency Requirements (Article 52):
- Notification when interacting with AI systems
- Disclosure of AI-generated content (for high-risk systems)
Post-Market Surveillance (Article 72):
- Ongoing monitoring of system performance
- Reporting serious incidents to authorities
Article 73 Incident Reporting:
- Notify authority within 72 hours of serious incidents
- Documented incident response process
Risk Classification
The first step in EU AI Act compliance is classifying your AI systems. Compliance AI auto-classifies based on four risk factors:
1. System Type
- Generative AI: Higher risk (potentially high-risk)
- Recommendation engines: Medium-high risk
- Biometric systems: High risk
- Decision-making systems: High risk
- Utility tools (spam detection, autocomplete): Minimal risk
2. Decision Scope
- Autonomous decision: High-risk (no human involvement)
- Assisted decision: Medium risk (human reviews result)
- Informational only: Lower risk (humans make decision)
3. Affected Population
- Children or vulnerable groups: Higher risk
- General public: Medium risk
- Internal use only: Lower risk
4. Data Sensitivity
- Sensitive categories (health, biometric, racial, financial): High-risk
- Limited personal data: Medium risk
- Non-personal or pseudonymized: Lower risk
Auto-Classification Logic
Unacceptable Risk: - Social scoring system for public services - Real-time biometric identification in public spaces (except law enforcement exceptions) - Subliminal/manipulation systems
High-Risk: - Autonomous hiring or promotion decisions - Autonomous financial decisions (loans, insurance, benefits) - Biometric systems (facial recognition, fingerprint, iris) - Content moderation at scale - Educational system performance evaluation - Emotion recognition systems in safety-critical contexts
Limited-Risk: - Chatbots and content generation - Recommendation engines - Spam detection - Content moderation (human-in-the-loop)
Minimal-Risk: - Spell checker - Syntax highlighting - Non-decision informational toolsCompliance Roadmap by Risk Level
High-Risk Systems: Full Compliance Checklist
-
Risk Assessment (Annex III)
- AI system description
- Intended purpose and foreseeable misuse
- Identification of risks to health, safety, rights
- Evaluation of likelihood and severity
- Existing and proposed safeguards
- TruthVouch: Generates via DPIA & Algorithmic Assessment
-
Technical Documentation (Annex IV)
- Training dataset description
- Performance metrics (accuracy, precision, recall, F1)
- Bias and fairness testing results
- Robustness and adversarial testing
- Explainability methodology
- Model card
- TruthVouch: Auto-generates from system profile
-
Data Governance
- Data quality assurance procedures
- Bias detection and mitigation
- Training data documentation
- TruthVouch: Linked to your data connectors
-
Audit Trail
- Immutable log of system outputs and decisions
- User interactions
- System modifications
- Incident reports
- TruthVouch: Auto-collected via infrastructure connectors
-
Human Oversight
- Clear responsibility for human review
- Tools for humans to understand decisions
- Process for humans to override/reject automated decisions
- TruthVouch: Policy definition and enforcement
-
Post-Market Monitoring
- Plan for continuous monitoring
- Procedures to detect performance degradation
- Trigger points for retraining or redeployment
- TruthVouch: Tracks via infrastructure connectors and incident reporting
-
Incident Reporting (Article 73)
- 72-hour notification to authority
- Documented serious incident process
- TruthVouch: Pre-built playbook + authority notification dispatch
Limited-Risk Systems: Transparency Requirements
Required for all AI systems except high-risk and minimal-risk:
-
User Notification
- Clearly disclose that AI system generated content
- Example: “This response was generated by AI”
-
AI-Generated Content Labeling
- Mark deep fakes, synthetic media, AI-generated text
- Provide explanation of how content was created
-
Compliance AI Support:
- Notifications: Template library for user disclosures
- Content Labeling: Integration with C2PA (Coalition for Content Provenance and Authenticity) for tamper-proof AI content labels
Minimal-Risk Systems: No Requirements
No compliance burden. These include:
- Spell checkers
- Syntax highlighting
- Email spam filters
- Standard search result ranking (unless personalized)
Key Features: Article 73 Incident Reporting
What Is a “Serious Incident”?
An incident that has or could have:
- Caused death or serious injury
- Caused significant harm to health, environment, or critical infrastructure
- Violated fundamental rights or freedoms
- Resulted in significant economic loss
Reporting Process
- Incident occurs → Auto-trigger incident management workflow
- Assess severity → Is it serious per Article 73?
- If serious:
- Document incident in timeline
- Assign to incident response team
- Start 72-hour clock
- 72-hour deadline:
- TruthVouch alerts when deadline approaches
- Auto-draft notification to EU authority (DPA, national regulator)
- Interim report if full investigation incomplete
- Follow-up reporting:
- Detailed findings within 15 days
- Root cause analysis
- Corrective actions
- Close incident → Archive documentation
TruthVouch Features:
- Article 73 Playbook — Pre-filled template for incident type
- Authority Notification Dispatch — Auto-generates and tracks notifications
- 72-hour Deadline Alert — Automated reminders
- Timeline View — Chronological incident record
- Evidence Attachment — Link investigation records, logs, fixes
Annex IV Technical Documentation
High-risk systems must maintain Annex IV documentation:
Contents
| Section | What to Document | Examples |
|---|---|---|
| System Description | What the system does, version, intended use | ”Customer service chatbot v2.1, deployed to website” |
| Training Data | Dataset size, composition, quality checks | ”1M conversation pairs, 98% accuracy on test set” |
| Performance Metrics | Accuracy, precision, recall, F1, ROC-AUC | ”Accuracy: 92%, Precision: 89%, Recall: 94%“ |
| Bias & Fairness | Disparate impact analysis by demographics | ”Gender gap: 1.2%, Age gap: 0.8%“ |
| Explainability | How decisions are explained to users | ”SHAP values, feature importance” |
| Robustness | Adversarial testing, edge cases | ”Tested on 50K adversarial examples” |
| Deployment & Monitoring | Where system runs, monitoring plan | ”AWS, daily performance checks” |
| Modifications | Version history, changes | ”Retrained monthly, last update 2026-02-15” |
TruthVouch: Auto-generates PDF Annex IV from your system profile and model card data.
Biased Against Bias: Testing & Monitoring
EU AI Act Annex III requires fairness assessment. Compliance AI auto-runs tests:
Tests Included
- Demographic Parity — Does system treat groups equally on average?
- Equalized Odds — Do error rates match across groups?
- Disparate Impact — Is 80% rule violated (4/5ths rule)?
- Predictive Parity — Are predictions equally accurate across groups?
Example: Hiring Tool
Test if recommendation rate differs by gender:
- Male applicants: 45% recommended
- Female applicants: 42% recommended
- Disparate impact: 93.3% (rule of 80 is met)
- Conclusion: No significant gender bias detected
Monitoring: Compliance AI watches for bias drift post-deployment and alerts if test results change.
Conformity Assessment Routes
For high-risk systems, you have two conformity assessment options:
Route 1: Internal Assessment
- Conduct risk assessment (Annex III)
- Create technical documentation (Annex IV)
- Test for bias and fairness
- Document audit trail
- Implement human oversight
- Set up post-deployment monitoring
- File declaration of conformity
TruthVouch Support: Auto-generates assessments, documentation, testing results
Route 2: Third-Party Audit
- Same as Route 1, plus
- Hire notified body (accredited auditor)
- Auditor reviews documentation
- Issues conformity certificate
- File with declaration of conformity
TruthVouch Support: Generates audit-ready documentation; integrates with auditor tools (OSCAL export, evidence mapping)
Prohibited AI Systems
The EU AI Act bans certain AI systems entirely. Compliance AI flags if your system falls into prohibited categories:
Prohibited Categories (Article 5)
| Prohibition | Why | Example |
|---|---|---|
| Subliminal Manipulation | Bypasses conscious decision-making | Hidden persuasion, microtargeted ads |
| Exploitation of Vulnerabilities | Targets individuals by age, disability, mental illness | Predatory targeting of children or elderly |
| Social Scoring | Public sector automated social evaluation | Denying services based on AI-computed “trustworthiness” |
| Real-Time Biometric ID in Public | Privacy violation | Facial recognition in public squares (limited law enforcement exceptions exist) |
TruthVouch Action: If your system matches a prohibited category, you’ll see a STOP alert. The system cannot be deployed in the EU until redesigned.
Transition: August 2026 Launch
The EU AI Act takes effect August 2, 2026. Rules phase in by risk level:
| Phase | Date | What Applies |
|---|---|---|
| Prohibited Practices | Aug 2, 2025 (NOW!) | Social scoring, subliminal manipulation banned |
| Governance Requirements | Aug 2, 2026 | High-risk systems must meet all requirements |
| Transparency Requirements | Aug 2, 2026 | Limited-risk systems must disclose |
| Notified Bodies | Aug 2, 2026 | Conformity assessment bodies available |
Compliance Deadline: If you have high-risk systems in the EU, you must be compliant by August 2026. Start now.
Next Steps
- Run your first EU AI Act scan: Running Scans
- Generate risk assessment: DPIA & Algorithmic Assessment
- Set up incident reporting: Incident Management
- Understand risk classification: Risk Classification
- Compare with GDPR: GDPR Compliance