The EU AI Act: the architecture choices that produce defensible compliance by 2 August 2026.
What the world's first comprehensive AI law actually requires — risk tiers, Articles 9–15 obligations, penalties up to €35M, the 2 Aug 2026 deadline — and the engineering choices we ship to 50+ regulated enterprises.
The EU AI Act, defined.
The EU AI Act is Regulation (EU) 2024/1689 — the world's first comprehensive horizontal regulation of AI. Adopted in June 2024, in force from August 2024. It takes a risk-tiered approach: AI systems are classified by their risk to health, safety and fundamental rights into four tiers — prohibited, high-risk, limited risk, minimal — and obligations scale with risk.
It applies extraterritorially. If the output of your AI system is used in the EU — a credit score for an EU customer, an HR shortlist for an EU role, an insurance quote for an EU policyholder — the Act applies to you, regardless of where you are established. The headline enforcement date for enterprise is 2 August 2026, when the Articles 9–15 high-risk obligations become enforceable.
For the underlying terms — EU AI Act, sovereign AI, RAG, agentic AI, evaluation — see the enterprise AI glossary.
A practical map of where enterprise workloads land
Prohibited (Article 5) — social scoring by public authorities, real-time remote biometric ID in public (with narrow exceptions), emotion recognition in workplaces and education, untargeted facial scraping, predictive policing on profiling, manipulation through subliminal techniques.
High-risk (Annex III) — biometric ID, critical infrastructure, education, employment / HR, access to essential private and public services (credit scoring, insurance pricing), law enforcement, migration, justice. The tier most enterprise workloads land in.
Limited risk (Article 50) — chatbots and conversational AI must disclose they are AI. Deepfakes and synthetic content labelled. Emotion-recognition and biometric-categorisation systems notify natural persons.
Minimal risk (everything else) — spam filters, inventory-prediction models, recommendation systems where the use case is not in another tier, video-game AI. No specific obligations beyond voluntary codes.
The dates that drive programme planning
Articles 9 through 15 — the substance of compliance
These seven articles define what it actually means for a high-risk AI system to be compliant. Each is an architectural choice made early — or a retrofit cost incurred late.
Article 9: Risk management
Continuous, documented risk-management process across the AI lifecycle. Identify, estimate, evaluate, mitigate risks to health, safety and fundamental rights.
Article 10: Data governance
Training, validation, testing data must be relevant, representative, free of errors. Bias detection and mitigation built in.
Article 11: Technical documentation
Annex IV dossier per system — architecture, training data, evaluation, version history, intended purpose, performance metrics.
Article 12: Record-keeping
Automatic logging across the lifecycle, retained for traceability — sufficient to reconstruct any decision on demand.
Article 13: Transparency to deployers
Provider gives deployers instructions for use — capabilities, limitations, oversight measures, output interpretation.
Article 14: Human oversight
Measures designed so a human can monitor, intervene, override and shut down. Not human-in-name-only.
Article 15: Accuracy, robustness, cybersecurity
Performance metrics declared and met. Resilient to errors, faults, adversarial inputs. Protected against unauthorised modification.
€35M or 7% of global turnover. And worse.
Article 99 sets administrative fines. But the binding constraint for tier-1 enterprises is rarely the fine — it's market withdrawal, public disclosure, and the AI Liability Directive's presumption of causation.
The 12-point engineering compliance checklist
The architectural choices that produce defensible compliance — mapped to MindMap's reference sovereign stack and shipped to 50+ regulated enterprises since 2022.
MindMap's reference architecture pre-satisfies Articles 9–15.
Sovereign architecture, audit trail in the customer SIEM, eval-gated deployment, bounded-autonomy agents — these are not features MindMap added because of the AI Act. They are the architectural pattern we have shipped to 50+ regulated enterprises since 2022, because the bank, the insurer and the hospital required it.
The EU AI Act has codified what regulators in BFSI and healthcare have been asking for all along. The full article-by-article mapping is in the 18-page whitepaper.
Four phases. Six to nine months. Audit-ready production.
Assess (4–6 weeks)
Portfolio inventory · risk-tier classification against Annex III · gap analysis against Articles 9–15 · board-ready exposure report and 90-day action plan.
Architect (2–4 weeks)
Reference architecture design · sovereign deployment for high-risk workloads · integration with the customer's existing GRC, SIEM, ITSM and identity stack · CIO-signoff package.
Implement (6–24 weeks per workload)
Sovereign-cluster build · model serving · RAG · agent runtime · audit layer · eval-set build · technical documentation (Annex IV) · conformity-assessment workflow.
Operate (ongoing)
Continuous risk-management cycle · drift monitoring · eval refresh · serious-incident reporting workflow · quarterly compliance review with the customer's risk function.
Where this lives in the MindMap stack
Download the whitepaper →
18-page engineering whitepaper. 12 chapters. Articles 9–15 mapped. Free, gated PDF.
Sovereign AI pillar →
The architectural pattern that pre-satisfies Articles 10, 12, 14 and 15 by design.
Agentic AI pillar →
Bounded-autonomy agents — the implementation pattern for Article 14 human oversight.
Enterprise RAG pillar →
Grounded, cited answers — the implementation pattern for Article 13 transparency.
AI for BFSI →
Sector-specific application — credit scoring (Annex III), customer comms (Article 50).
Enterprise AI glossary →
Plain-language definitions for EU AI Act, GDPR, DPDP, HIPAA, SAMA and 35 other terms.
EU AI Act — the questions buyers ask
What is the EU AI Act?
The EU AI Act is Regulation (EU) 2024/1689, the world's first comprehensive horizontal regulation of AI. It classifies AI systems by risk into four tiers — prohibited, high-risk, limited risk, minimal — and applies obligations proportionate to risk. The Act entered into force on 1 August 2024 with staggered enforcement: prohibitions from February 2025, GPAI rules from August 2025, high-risk Annex III systems from 2 August 2026, and Annex I systems from August 2027.
When does the EU AI Act become enforceable?
The headline deadline is 2 August 2026, when the high-risk-system obligations in Articles 9–15 become enforceable for AI systems falling under Annex III categories — biometric identification, critical infrastructure, education, employment, essential services, law enforcement, migration, justice. Prohibited practices have been enforceable since 2 February 2025. GPAI obligations have applied since 2 August 2025. Annex I high-risk systems (product-safety components) become enforceable on 2 August 2027.
Does the EU AI Act apply to companies outside the EU?
Yes. The Act applies extraterritorially under Article 2(1)(c) — to any provider or deployer whose AI system outputs are used in the EU, regardless of where the provider or deployer is established. If your AI-driven decision affects an EU resident (a credit score, an HR shortlist, an insurance quote), the Act applies. Your headquarters can be anywhere; the relevant question is where the output is used.
What are the four risk tiers under the EU AI Act?
Prohibited (Article 5) — social scoring, untargeted facial scraping, emotion recognition in workplaces, real-time biometric ID with narrow exceptions. High-risk (Annex III) — biometric ID, critical infrastructure, education, employment, essential services, law enforcement, migration, justice. Limited risk (Article 50) — chatbots, deepfakes and synthetic content require disclosure. Minimal risk — everything else, no specific obligations beyond voluntary codes.
What are the high-risk system obligations under Articles 9–15?
Article 9: risk management system across the AI lifecycle. Article 10: data governance including bias detection. Article 11: technical documentation per Annex IV. Article 12: automatic logging and record-keeping. Article 13: transparency to deployers. Article 14: human oversight measures. Article 15: accuracy, robustness and cybersecurity. Plus parallel obligations including quality management system (Article 17), conformity assessment (Article 43), CE marking (Article 48), EU database registration (Article 49), post-market monitoring (Article 72) and serious-incident reporting (Article 73).
What are the penalties under the EU AI Act?
Maximum administrative fines under Article 99: up to €35 million or 7% of global annual turnover for prohibited practices; up to €15 million or 3% for high-risk non-compliance; up to €7.5 million or 1% for misleading information. Beyond financial penalties: market withdrawal of non-compliant systems, prohibition of specific uses, public disclosure of non-compliance, and a presumption of causation in civil liability under the proposed AI Liability Directive.
Are foundation models and GPAI regulated separately?
Yes. Articles 53–55 establish a parallel regime for general-purpose AI models — broad-capability models like LLMs and large multimodal models. Baseline obligations include technical documentation, downstream-provider documentation, EU copyright compliance and a public summary of training data. Systemic-risk GPAI models (training compute above 10²⁵ FLOPs) face additional obligations including adversarial testing, EU-level risk assessment, serious-incident reporting and cybersecurity protection.
How does MindMap Digital help with EU AI Act compliance?
MindMap Digital delivers EU AI Act compliance through a four-phase engagement model. Phase 1 (Assess, 4–6 weeks): portfolio inventory, risk-tier classification, gap analysis, board-ready remediation plan. Phase 2 (Architect, 2–4 weeks): reference architecture design, integration with the customer's GRC/SIEM/ITSM stack. Phase 3 (Implement, 6–24 weeks per workload): sovereign-cluster build, model serving, eval harness, Annex IV documentation, conformity assessment workflow. Phase 4 (Operate, ongoing): continuous risk management, drift monitoring, incident reporting, quarterly compliance review.
How is MindMap's reference architecture mapped to EU AI Act obligations?
Article 9 (risk management) — risk-tier classification baked into every engagement, continuous cycle. Article 10 (data governance) — sovereign architecture keeps data inside the perimeter, lineage tracked, bias detection on every fine-tuning. Article 11 (technical documentation) — Annex IV documentation auto-generated as code in customer Git. Article 12 (record-keeping) — Langfuse in-perimeter, every prompt and tool call streamed to the customer's SIEM. Article 13 (transparency to deployers) — operator manuals shipped with every deployment. Article 14 (human oversight) — bounded-autonomy tool registry, permission gates, low-confidence routing. Article 15 (accuracy/robustness/cybersecurity) — eval harness gating every change, adversarial testing including prompt-injection red-teaming, namespace-level egress blocking.
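The Article 14 and Article 12 patterns named above (a tool registry, permission gates, low-confidence routing to a human, an operator stop switch, and a log from which any decision can be reconstructed), shown as an added example that is not MindMap's code; the tool names, the 0.80 confidence threshold and the record layout are assumptions.

```python
# Added example (not MindMap's code): a bounded-autonomy tool gate whose registry,
# permission gate, low-confidence routing and stop switch cover Article 14, writing a
# hash-chained log for Article 12. Tool names, the 0.80 threshold and layout are assumed.
import hashlib
import json
from dataclasses import dataclass, field

CONFIDENCE_THRESHOLD = 0.80  # assumed policy value: below this a human decides
def _digest(body: dict) -> str:
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
@dataclass(frozen=True)
class Tool:
    name: str
    autonomous: bool  # False: every call needs explicit human approval
@dataclass
class AgentGate:
    registry: dict  # tool name -> Tool; anything not listed is never callable
    log: list = field(default_factory=list)  # append-only, hash-chained
    halted: bool = False  # operator stop switch

    def _append(self, record: dict) -> dict:
        # Chain each record to the previous hash so silent edits are detectable.
        body = {**record, "prev": self.log[-1]["hash"] if self.log else "0" * 64}
        body["hash"] = _digest(body)
        self.log.append(body)
        return body

    def request(self, tool_name: str, args: dict, confidence: float, human_approve=None) -> dict:
        base = {"tool": tool_name, "args": args, "confidence": confidence}
        if self.halted:
            return self._append({**base, "route": "halted", "outcome": "denied"})
        tool = self.registry.get(tool_name)
        if tool is None:
            return self._append({**base, "route": "registry", "outcome": "denied"})
        if tool.autonomous and confidence >= CONFIDENCE_THRESHOLD:
            return self._append({**base, "route": "autonomous", "outcome": "executed"})
        # Permission gate: a human decides; with no approver present the call is refused.
        approved = bool(human_approve(tool_name, args, confidence)) if human_approve else False
        return self._append({**base, "route": "human", "outcome": "executed" if approved else "refused"})

    def verify_chain(self) -> bool:
        # Recompute every hash from the stored fields; any edit or reordering breaks the chain.
        prev = "0" * 64
        for rec in self.log:
            body = {k: v for k, v in rec.items() if k != "hash"}
            if body["prev"] != prev or _digest(body) != rec["hash"]:
                return False
            prev = rec["hash"]
        return True
```

Each returned record carries the tool, arguments, confidence, route and outcome, which is the minimum an auditor needs to reconstruct why a call was executed, refused or denied; in production the same records would be streamed to the SIEM rather than held in memory.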
Sixty days to 2 August 2026. Where will your enterprise be?
The 18-page MindMap whitepaper · the 12-point engineering checklist · the article-by-article mapping. Free.