The EU AI Act, for US and Canadian companies.
The Act's extraterritorial reach mirrors GDPR's. If your AI system is placed on the EU market or its output is used in the EU, you're in scope — regardless of where your company sits. We map the high-risk obligations into the architecture, not into a compliance retrofit after launch.
Four tiers. The high-risk tier is where most of the work lives.
Prohibited
Social scoring by public authorities, real-time biometric ID in public spaces (with carve-outs), emotion recognition in workplaces and schools, untargeted facial scraping, certain manipulative or exploitative systems. Don't build these.
High-risk
Annex III categories: biometric ID, critical infrastructure, education, employment, essential services, law enforcement, migration, justice administration. Plus AI as safety components of regulated products. This is where most of our customers' obligations land.
Limited-risk
Transparency obligations: users must know they're interacting with AI; deepfakes and AI-generated content must be marked. Chat agents and content tools land here at minimum.
Minimal-risk
Everything else. No specific obligations beyond voluntary codes of conduct.
What a high-risk system has to do, mapped to architecture decisions.
Risk management system
Continuous, iterative process across the AI system lifecycle. Includes pre-deployment risk identification, mitigation design, and post-market re-assessment.
Data governance
Training, validation, and test datasets reviewed for relevance, representativeness, and bias. Documented data lineage. Continuous monitoring for data drift.
Technical documentation
Annex IV requires substantial documentation: system architecture, model design, validation results, monitoring plan. We produce it as part of the build, not as a retrofit.
Record-keeping
Automatic logging of operational events. Logs retained for the lifetime of the high-risk system, or as local law requires.
Transparency for users
Information about the AI system's capabilities, limitations, and how to interpret its output. User-facing notice where direct interaction occurs.
Human oversight
Designed to enable effective oversight by natural persons during the period of use. Specific override capabilities for high-stakes decisions.
Accuracy & robustness
Performance levels appropriate to the intended use. Resilience against errors, faults, and adversarial inputs. Cybersecurity measures.
Conformity assessment
Most high-risk systems can self-assess under Annex VI. Some (biometric, where harmonized standards don't exist) require notified-body assessment.
General-purpose AI providers: a different (mostly upstream) concern.
GPAI provider obligations (transparency, copyright, systemic-risk disclosures for the largest models) primarily apply to model creators — Anthropic, OpenAI, Google, Meta, Mistral. As an AI deployer or application provider, you're not the GPAI provider. You consume the GPAI under contract.
What you do need to verify: that the GPAI you use is compliant with its own obligations (or transitioning to compliance per the Act's timeline) and that your vendor agreement gives you the technical information you'd need to satisfy any transparency requirement for your downstream high-risk system.
Frequently asked questions
Does the EU AI Act apply to us if we're US-based?
Yes, if you put an AI system into service in the EU, or if your AI system's output is used in the EU. The extraterritorial scope mirrors GDPR's. A US-based health-tech company serving European hospitals, a US PE firm with European LPs receiving AI-generated reporting, or a US legal AI vendor with European law-firm customers all fall in scope for the relevant articles.
What's the difference between general-purpose AI and high-risk AI under the Act?
General-purpose AI (GPAI) is the model itself — Claude, Llama, GPT, etc. — and has obligations on model providers (transparency, copyright, systemic-risk disclosures for the largest models). High-risk AI is application-level — your specific AI system deployed in a high-risk category like healthcare diagnostics, employment screening, credit scoring, or critical infrastructure. Most of our customers care primarily about high-risk classification because they're building applications, not foundation models.
When does the high-risk classification trigger?
Annex III of the Act lists the high-risk categories: biometric ID, critical infrastructure, education access, employment decisions, essential services access, law enforcement, migration / asylum / border control, administration of justice. Plus AI systems that are themselves safety components of EU-regulated products. Healthcare diagnostic AI is on the list; healthcare administrative AI may not be. The classification is fact-specific — we map it during the Discovery Sprint.
What's required for a high-risk AI system?
Risk management system, data governance, technical documentation, record-keeping, transparency information for users, human oversight, accuracy and robustness, conformity assessment, registration in the EU database, post-market monitoring, and incident reporting. We bake the technical documentation and human-oversight design into the architecture, then walk through the conformity assessment with your team.