The EU AI Act for Enterprise.
The world's first comprehensive horizontal AI regulation comes into force for high-risk systems on 2 August 2026. This whitepaper covers what the Act is, what it isn't, who it applies to, the four risk tiers, the Articles 9–15 obligations, the penalties — and the 12-point engineering checklist that produces defensible compliance. Plus the MindMap reference architecture mapped article-by-article.
Free. PDF. In your inbox in 30 seconds.
Tell us where to send it. No follow-up sales sequence — we'll send the PDF, and we'll reach out only if you'd like to talk.
Twelve chapters. About 15 minutes.
Written by the team that has shipped sovereign AI to 50+ regulated enterprises — banks, insurers, hospitals, government — since 2022. Not legal commentary, engineering practice: the architectural choices that produce defensible compliance.
What the EU AI Act is
The world's first comprehensive horizontal AI regulation — risk-tiered, extraterritorial, in force since August 2024.
What it is NOT
Five common misconceptions — and what the Act actually says.
The four risk tiers
Prohibited · High-risk · Limited risk · Minimal — a practical map of where enterprise workloads land.
The enforcement timeline
The dates that drive programme planning — including the 2 Aug 2026 deadline for Annex III high-risk systems.
High-risk obligations
Articles 9–15 mapped: risk management, data governance, technical documentation, logging, transparency, human oversight, accuracy / robustness / cybersecurity.
Provider vs deployer
Who you are determines which obligations apply — and the Article 25 trap that turns deployers into providers.
GPAI + foundation models
Article 53 + 55 obligations — and the sovereign open-weights advantage.
Penalties + enforcement
€35M · 7% of global turnover · market withdrawal · public disclosure. The financial and reputation exposure.
12-point engineering checklist
The architectural choices that produce defensible compliance — mapped to MindMap's reference sovereign stack.
MindMap article-by-article
How the reference architecture pre-satisfies Articles 9 through 15 — not as paperwork retrofit, as design choice.
How MindMap helps
The four-phase engagement: Assess (4–6 wk) → Architect (2–4 wk) → Implement (6–24 wk per workload) → Operate (ongoing).
90-day CIO action plan
The minimum viable programme to put your enterprise on a defensible path to the 2 August 2026 deadline.
Built for the leaders who own the answer to the regulator.
Chief Risk + Chief Compliance Officers
Designing the enterprise AI governance programme that will face the regulator. Need a defensible architecture and a board-ready exposure picture.
Chief Information Officers
Owning the architecture choice between cloud LLM APIs and sovereign deployment for high-risk workloads. Need the engineering trade-offs in front of the legal arguments.
Chief AI Officers + Heads of AI
Standing up the AI portfolio, classifying workloads, deciding which use cases pause until 2 August 2026 and which need acceleration.
General Counsel + Data Protection Officers
Translating Articles 9 through 15 into operational artefacts the technical team will actually implement. The 12-point checklist is built for this conversation.
Engineering practice, not legal commentary.
- ✓ Article-by-article mapping of obligations to MindMap's reference architecture — not abstract compliance hand-waving.
- ✓ 12-point engineering checklist drawn from the architectures we have shipped to 50+ regulated enterprises since 2022.
- ✓ Distinguishes provider vs deployer, base-model vs system, GPAI vs Annex III — the classifications that actually drive obligations.
- ✓ Includes the Article 25 "deployer-becomes-provider" trap, the extraterritoriality scope, and the legacy-systems clock to 2030.
Read the whitepaper. Then talk to engineers who've mapped this for 50+ regulated enterprises.
Free PDF. No sales sequence. Just the architecture and the obligations, side by side.