Hard2bit

Regulation (EU) 2024/1689 · AESIA · GPAI · High risk · Annex III

EU AI Act compliance

Complete compliance programme for Regulation (EU) 2024/1689: system classification, art. 9 risk management, data governance, technical documentation, transparency and human oversight, art. 15 technical testing, post-market monitoring and AI literacy. Hard2bit covers the technical-organisational side; we coordinate the legal side with your in-house counsel.

Reg. (EU) 2024/1689 · System classification · Art. 9 risk management · Art. 15 testing · Art. 4 AI literacy · ISO/IEC 42001 compatible · Legal coordination

Executive summary

The EU AI Act is the first horizontal regulation on artificial intelligence worldwide. The prohibited practices and the AI literacy obligation have applied since 2 February 2025. The general-purpose AI (GPAI) obligations, the governance framework and the penalty regime of art. 99 have applied since 2 August 2025. The big block, high-risk, applies from 2 August 2026 (Annex III) and 2 August 2027 (Annex I). Organisations that arrive late face a new operational framework, potential fines of up to €35 million or 7% of worldwide turnover and, increasingly, enterprise clients that require compliance evidence as a procurement condition.

The good news: compared with NIS2 or DORA, the EU AI Act has a reasonably tractable structure if approached methodically. The foundational piece is the correct classification of each AI system. From there, the obligations decompose into standardisable blocks: governance, risk, data, documentation, transparency, human oversight, technical testing and post-market vigilance. Our GRC team, with proven experience in NIS2, DORA, ENS, ISO 27001 and GDPR, applies the same method to the EU AI Act.

Classification is the foundational piece

Classifying a system below its actual risk level exposes you to fines. Classifying it above imposes costly obligations that do not actually apply. It is the most important decision of the programme.

GRC + technical + legal coordination

We cover classification, governance, risk, art. 15 technical testing and operation. The legal side (representation before AESIA, defence in sanction proceedings) we coordinate with your in-house counsel.

ISO/IEC 42001 compatible

An ISO/IEC 42001 AI management system (AIMS) is the natural operational framework for sustaining EU AI Act compliance. Deploying one supports the other; certification against 42001 does not by itself demonstrate conformity with the Regulation.

Application timeline

EU AI Act obligations come into force in stages. Knowing what applies when is key to prioritising the programme correctly.

2 FEB
2025

Prohibited practices + AI literacy

The art. 5 catalogue of prohibited practices applies (subliminal manipulation, social scoring, real-time remote biometric identification in publicly accessible spaces by law enforcement with narrow exceptions, etc.), together with the art. 4 AI literacy obligation for staff operating or developing AI systems. Any organisation whose personnel use or develop AI should ALREADY have an AI literacy plan in place.

2 AUG
2025

GPAI + governance + sanctioning regime

The obligations for general-purpose AI models apply (arts. 51-55), including the category of GPAI with systemic risk. The governance framework (AI Office, AESIA in Spain, sectoral market surveillance authorities) and the art. 99 penalty regime come into force. One exception: the fines for GPAI providers (art. 101), imposed by the Commission, are only enforceable from 2 August 2026 (art. 113(b)).

2 AUG
2026

High-risk (most) + general obligations

The big block applies: Annex III high-risk systems; the obligations of providers, deployers, importers, distributors and authorised representatives; EU database registration; conformity assessment and CE marking; and the art. 50 transparency obligations. Most of the compliance programme must be operational by this date.

2 AUG
2027

High-risk Annex I (regulated products)

Annex I high-risk applies: AI systems that are safety components of products already covered by sectoral harmonisation legislation (machinery, medical devices, vehicles, etc.). This is the last general application date; from here the regime is fully operational, with the transitional arrangements of art. 111 applying only to systems and models already on the market (for example, GPAI models placed on the market before 2 August 2025 must comply by 2 August 2027).

Source: Regulation (EU) 2024/1689, art. 113 (entry into force and application) and art. 111 (transitional provisions). Subject to subsequent delegated and implementing acts.

AI system classification by risk level

We work with five categories. Strictly, the Regulation distinguishes prohibited practices (art. 5), high-risk systems (art. 6 with Annexes I and III), systems with transparency obligations (art. 50) and, on a separate track, general-purpose AI models (arts. 51-55); everything else is unregulated. Correct classification is the first and most important decision of the programme.

Category 1 · Prohibited (art. 5)

Systems not permitted in the EU

Subliminal or deceptive manipulation causing significant harm; exploitation of vulnerabilities (age, disability, socioeconomic situation); social scoring leading to detrimental treatment; individualised predictive policing based solely on profiling or personality traits; untargeted scraping of facial images from the internet or CCTV to build recognition databases; real-time remote biometric identification in publicly accessible spaces by law enforcement (with strictly defined exceptions); emotion inference in the workplace and in education (except for medical or safety reasons). Fine of up to €35M or 7% of worldwide turnover, whichever is higher.

Category 2 · High-risk (Annex I + III)

The bulk of the programme

Two routes. Annex I: AI systems that are safety components of products regulated by sectoral harmonisation legislation (machinery, medical devices, toys, vehicles, lifts). Annex III: eight areas (biometrics, critical infrastructure, education, employment, essential services, law enforcement, migration and borders, justice and democratic processes). Full obligations: arts. 9-15, conformity assessment, CE marking and EU database registration. Practitioner caveat: art. 6(3) lets a provider document that an Annex III system does not pose a significant risk of harm (for example, it performs only a narrow procedural task), but that assessment must be written down before the system is placed on the market and the system still has to be registered (art. 49(2)); any Annex III system that profiles natural persons is always high-risk. Fine of up to €15M or 3%.

Category 3 · GPAI (art. 51-55)

General-purpose AI models

Foundation models trained on large volumes of data for general purposes (GPT-4 class, Claude, Gemini, Llama, large Mistral models). Obligations: technical documentation, a copyright compliance policy, a public summary of the training content and transparency towards downstream integrators (art. 53). Subcategory: GPAI with systemic risk (presumed above a training compute threshold of 10^25 FLOPs, art. 51(2)): reinforced obligations under art. 55, including adversarial evaluation, systemic-risk mitigation, cybersecurity protection and serious incident notification to the AI Office.

Category 4 · Limited risk (art. 50)

Transparency obligations

Chatbots: inform users that they are interacting with an AI system. Systems generating synthetic content (images, audio, video, text): the provider must mark the output as artificially generated in a machine-readable format, and deployers must disclose deepfakes. Emotion recognition or biometric categorisation systems outside high-risk: inform the persons exposed. A category with limited but real obligations; it cannot be ignored.

Category 5 · Minimal risk

The rest (the vast majority)

Spam filters, non-critical recommenders, internal support agents without access to critical systems, AI in video games, etc. No specific regulatory obligations beyond art. 4 AI literacy for the staff involved. Voluntary codes of conduct and alignment with reference frameworks (NIST AI RMF, ISO/IEC 42001) are recommended as best practice and to anticipate future categorisations.

Obligations by category · practical summary

Simplified mapping of technical-organisational obligations per category. After classification, this is the work plan.

| Obligation | High-risk | GPAI | Limited (art. 50) |
|---|---|---|---|
| Risk management system (art. 9) | Fully required | Equivalent policy | n/a |
| Data governance and quality (art. 10) | Required (training / test / validation) | Training summary + copyright policy | n/a |
| Technical documentation (art. 11 + Annex IV) | Fully required | Tech doc + model card | Minimal |
| Logging system (art. 12) | Required (traceability) | Applicable to systemic risk | n/a |
| Transparency to users (art. 13 / 50) | Required | Towards downstream integrators | Required (art. 50) |
| Human oversight (art. 14) | Required (HITL) | n/a | n/a |
| Accuracy, robustness, cybersecurity (art. 15) | Required + testing | Required + red teaming (systemic risk) | n/a |
| Quality management system (art. 17) | Required (provider) | Equivalent policy | n/a |
| Conformity assessment + CE marking | Required (provider) | n/a | n/a |
| EU database registration (art. 49) | Required (provider) | n/a | n/a |
| Post-market monitoring (art. 72) | Required | Applicable to systemic risk | n/a |
| Serious incident notification (art. 73 / 55) | Required (high-risk) | Required (systemic risk) | n/a |
| FRIA, fundamental rights impact (art. 27) | Public sector / essential services (deployer) | n/a | n/a |
| AI literacy (art. 4) | Affected staff | Affected staff | Affected staff |

Indicative summary. The exact scope depends on the client's role (provider, deployer, importer, distributor) and on the specific Annex III area; a deployer, for instance, carries the art. 26 obligations (human oversight by competent staff, log retention, input data control) rather than the full arts. 9-15 set.

What Hard2bit covers and what we coordinate with your legal team

Honesty policy: an EU AI Act programme is technical-organisational plus legal. Hard2bit covers the technical-organisational side with proven experience in analogous frameworks (NIS2, DORA, ENS, ISO 27001, GDPR). The purely legal side we coordinate with your legal team or the firm you designate. This role separation is documented in the contract.

What we do

Technical-organisational block

  • AI systems inventory and technical classification
  • Risk management system (art. 9) deployed and operated
  • Data governance and quality (art. 10)
  • Technical documentation (art. 11 + Annex IV)
  • Logging and traceability system (art. 12)
  • Transparency mechanisms (arts. 13 + 50)
  • Operational human oversight (art. 14)
  • Art. 15 technical testing (accuracy, robustness, cybersecurity)
  • Quality management system (art. 17)
  • Post-market monitoring procedures (art. 72)
  • Serious incident notification procedures (art. 73 / 55)
  • AI literacy programme (art. 4) + training materials
  • Internal policies, AI committee, role assignment
  • ISO/IEC 42001 compatibility if certification is sought

What we coordinate with your legal

Pure legal block

  • Designation of authorised representative in EU (art. 22)
  • EU declaration of conformity (signature)
  • Filings before AESIA and sectoral authorities (CNMV, AEPD, etc.)
  • Legal defence in case of inspection or sanction
  • B2B and B2C contractual clauses derived from compliance
  • Pure legal advice on regulation interpretation
  • Administrative or judicial actions related

If you do not have in-house legal counsel specialised in AI and need references, we can suggest firms with which we have already coordinated on analogous projects. There is no commercial agreement between Hard2bit and those firms.

How we deliver the programme

Five phases. The first is always the initial diagnostic: it determines the rest of the programme and lets us quote a firm price rather than an estimate.

1. Initial diagnostic (3-5 weeks)

AI systems inventory across the organisation (provider, deployer or both, per system), classification of each one, map of applicable obligations, gap analysis against the current state and a roadmap prioritised over 6/12/24 months. A closed deliverable, so the client can decide on the scope of the full programme.

2. Governance + AI literacy (4-6 weeks)

AI committee, AI policy, role assignment (AI lead, models lead, risk lead), internal AI systems register, and the mandatory art. 4 AI literacy programme with materials and training for affected staff. This block can start in parallel with the others; it has no technical dependency.

3. Technical compliance (8-16 weeks)

Art. 9 risk management system, art. 10 data governance, art. 11 technical documentation, art. 12 logging, art. 13/50 transparency, art. 14 human oversight and art. 15 technical testing (accuracy, robustness and cybersecurity, including adversarial red teaming for high-risk systems and GPAI with systemic risk).

4. Operation + monitoring (ongoing)

Post-market vigilance, serious incident notification procedure, periodic review of the risk management system, register updates, support for new AI systems entering scope, and coordination with the client's legal team for external filings.

5. Evidence and auditor (on demand)

When the client is inspected by AESIA or a sectoral authority, or undergoes conformity assessment for a high-risk system, we prepare the evidence dossier, accompany the inspector or assessor and draft the technical responses. The legal side of the inspection is led by your legal team.

Priority sectors · Annex III

The eight areas of Annex III account for most high-risk cases. If your AI system operates in any of them, there is a high probability that it is high-risk, unless you can document the art. 6(3) derogation.

Biometrics

Remote biometric identification, biometric categorisation by sensitive attributes, emotion recognition (with the nuances of art. 5 and art. 50).

Critical infrastructure

AI systems used as safety components in the management and operation of critical digital infrastructure, road traffic, or the supply of water, gas, heating and electricity.

Education and vocational training

Access or admission to educational institutions, assessment of learning outcomes, assignment of educational level, monitoring of prohibited behaviour during exams.

Employment, personnel management

Recruitment and selection, promotion/termination/task allocation decisions, performance monitoring.

Essential public and private services

Eligibility for public assistance benefits, creditworthiness and credit scoring, risk assessment and pricing of life and health insurance, classification and dispatch of emergency services.

Law enforcement

Assessment of the risk of a person becoming a victim, polygraphs and similar tools (with conditions), assessment of the reliability of evidence, investigative profiling, assessment of the risk of offending (with restrictions; profiling-only predictive policing is prohibited under art. 5).

Migration, asylum and border control

Lie detectors, migration risk assessment, asylum application examination, biometric identification.

Justice and democratic processes

Assistance to judicial authorities in interpreting and applying law, systems influencing election results or voting behaviour.

Fines and consequences of non-compliance

Penalty regime (arts. 99-101), applicable since 2 August 2025 except for the art. 101 fines on GPAI providers, which the Commission can impose from 2 August 2026. Three tiers by infringement. In each tier the higher of the fixed amount and the turnover percentage applies; for SMEs and start-ups it is the lower of the two (art. 99(6)).

Tier 1 · highest

€35M

or 7% global turnover

For engaging in prohibited practices (art. 5). The higher of the two amounts applies. Imposed by the national market surveillance authority or the competent sectoral authority.

Tier 2 · intermediate

€15M

or 3% global turnover

For breaching the obligations of providers, deployers, importers, distributors, authorised representatives and notified bodies, including high-risk and art. 50 transparency obligations (art. 99(4)). The same ceiling applies to GPAI providers, with the fine imposed by the Commission under art. 101. Again the higher amount applies.

Tier 3 · lower

€7.5M

or 1% global turnover

For supplying incorrect, incomplete or misleading information to notified bodies or competent authorities in reply to a request. This risk is present even in responses to routine information requests, so the evidence you hand over must match what the systems actually do.

Beyond the financial penalty, the reputational and commercial risk is high. Through 2026-2027 enterprise clients will increasingly require EU AI Act compliance evidence as a procurement condition, as happened with GDPR in 2018-2019. Late companies get left out of RFPs.

When it fits and when it does not

Fits very well

When it is worth it

  • Organisation with AI systems in production or pre-production
  • Sector with high probability of Annex III (banking, healthcare, HR, public sector, infrastructure)
  • B2B AI provider with enterprise clients who will request evidence
  • Companies with staff using or developing AI (AI literacy already applicable)
  • You are pursuing ISO/IEC 42001 certification as foundation
  • You operate or sell general-purpose models (GPAI)
  • Enterprise client requires compliance evidence from you

Fits less well

When it is not the first move

  • You have no AI system deployed or planned within 12 months: one-off consulting is enough
  • You only use third-party AI SaaS without developing anything: limited obligations, focus on AI literacy and supplier due diligence
  • You only need the legal block (representation, defence): go directly to a specialised law firm
  • Your GDPR programme is not yet consolidated: the logical order is different, GDPR first

Objections we hear and how we answer

«This is regulation, our law firm handles it»

Law firms cover the purely legal side well. But the EU AI Act also requires a permanent technical-organisational programme (risk management, data governance, technical documentation, logs, testing, post-market monitoring). That side is rarely within a law firm's scope. We work in coordination: we cover the technical and management side, they cover the legal side.

«We already have GDPR and a CISO. Isn't that enough?»

GDPR covers personal data processing and, partially, automated decision-making (art. 22). The EU AI Act regulates AI systems as a whole: even without personal data there are obligations (transparency, robustness, human oversight, etc.). The CISO covers technical cybersecurity but rarely the full AI governance lifecycle. They are complementary; none of them replaces the others.

«We only use GPT-4 / Claude. We do not develop AI»

If you use them as an internal tool without building your own AI system, your obligations are limited but they exist: art. 4 AI literacy for affected staff already applies, since February 2025; due diligence on the GPAI provider; and if you integrate them into critical workflows you may become the deployer of a high-risk system, with the art. 26 obligations that follow.

«There is still time, August 2026 is far away»

For high-risk, yes, August 2026 is the date; but February 2025 (prohibited practices and AI literacy) and August 2025 (GPAI and the penalty regime) already apply. In addition, a typical compliance roadmap takes 12-24 months: starting in H1 2026 is reasonable; starting in H2 2026 already means running late for high-risk.

«Fines are deterrent but, will AESIA actually act?»

Fair question. Realistically, 2025-2026 will be a learning phase with a few exemplary cases. But the real risk is not just the fine: it is procurement risk (enterprise clients start requiring evidence), reputational risk if there is a public incident, and the compounding effect when added to an already consolidated GDPR regime.

«It is expensive»

Compared with the fine exposure (up to €35M or 7%), a €35-90k programme for high-risk compliance of 1-3 systems is a reasonable ratio. And it pays back: the technical documentation it generates also serves ISO/IEC 42001, GDPR art. 22 and future enterprise clients requesting evidence. Not a sunk cost, an operational base.

How we measure programme progress

Six indicators, shared monthly with the AI committee.

% AI systems inventoried

Master indicator. No inventory means no classification, which means no compliance. Target: 100% within 90 days.

% systems correctly classified

Classification reviewed and validated by GRC + legal. Target: 100% systems in production.

% applicable obligations covered

Per system and category, calculated against the obligations map from the diagnostic. Target: 100% before 2 August 2026 for high-risk systems.

% affected staff with AI literacy completed

Art. 4 already applies. Target: 100% of staff operating or developing AI systems.

Serious incidents notified on time

For high-risk systems and GPAI with systemic risk. Target: 100% within the regulatory deadline, zero delays. For high-risk systems art. 73 sets the clock: immediately and at most 15 days after becoming aware of the incident, 2 days for a widespread infringement or a serious and irreversible disruption of critical infrastructure, 10 days in case of death.

Risk system review on schedule

Art. 9 requires a continuous, iterative process over the whole lifecycle. Target: a documented review at least every 6 months and after every substantial modification.

EU AI Act glossary

AI System

A machine-based system designed to operate with varying levels of autonomy, that may exhibit adaptiveness after deployment and that, for explicit or implicit objectives, infers from the input it receives how to generate outputs such as predictions, content, recommendations or decisions (definition in art. 3(1)).

GPAI

General-Purpose AI model. An AI model trained on large volumes of data that displays significant generality and can be integrated into many downstream systems (GPT, Claude, Gemini, Llama, large Mistral models). Obligations in arts. 51-55.

GPAI systemic risk

GPAI subcategory determined by high-impact capabilities or by Commission designation. Presumption threshold: training compute above 10^25 FLOPs. Reinforced obligations (art. 55), including serious incident notification to the AI Office.

Annex III

List of 8 high-risk use areas: biometrics, critical infrastructure, education, employment, essential services, law enforcement, migration and borders, justice.

FRIA

Fundamental Rights Impact Assessment (art. 27). Mandatory for deployers of high-risk systems that are public bodies or private entities providing public services, and for deployers of credit scoring and life/health insurance pricing systems (Annex III, points 5(b) and 5(c)).

AESIA

Spanish AI Supervision Agency. National authority designated for Spain. Sanctioning alongside sectoral authorities (AEPD, CNMV, etc.).

AI Office

European Commission body for GPAI governance and coordination between Member States.

Deployer

Natural or legal person, public authority or body using an AI system under its own authority (except in a personal, non-professional activity). Specific obligations in arts. 26-27 for high-risk systems.

Provider

Person or body that develops an AI system or GPAI model, or has one developed, and places it on the market or puts it into service under its own name or trademark. Carries the broadest set of obligations.

CE marking

EU conformity mark. Mandatory on all high-risk AI systems, both Annex I and Annex III, once conformity assessment is complete (art. 48); for systems provided digitally it may be affixed as a digital CE marking.

AI literacy

Art. 4 obligation. Providers and deployers must ensure a sufficient level of AI literacy among the staff operating or developing AI systems on their behalf. Applicable since 2 February 2025.

ISO/IEC 42001

AIMS, AI Management System. International standard that serves as the operational framework for sustaining EU AI Act compliance; certifiable, but certification is not a presumption of conformity with the Regulation.

Frequently asked questions

What exactly is the EU AI Act and who does it apply to?

Regulation (EU) 2024/1689 on artificial intelligence is the first horizontal regulation in the world for AI systems. It applies to any organisation placing AI systems on the EU market or using them in the EU: providers (those who develop and market them), deployers (those who use them in their organisation), importers and distributors. It also applies to providers and deployers established outside the EU when the output of their system is used in the EU. Risk-based classification is the central piece: prohibited, high-risk, GPAI, limited risk and minimal risk. Each level has different obligations and different application dates.

When do the obligations apply? Are we still on time?

Staggered calendar. 2 February 2025: prohibited practices and the AI literacy obligation (art. 4) already apply. 2 August 2025: general-purpose AI (GPAI) obligations, governance and the penalty regime (fines on GPAI providers under art. 101 only from 2 August 2026). 2 August 2026: high-risk enters general application, together with most provider and deployer obligations and the art. 50 transparency obligations. 2 August 2027: Annex I high-risk systems (safety components of regulated products) and the remaining cases. 2026 is the year of highest compliance pressure; preparing the programme in H1 2026 leaves reasonable margin. After that you are in reactive mode, under pressure from AESIA or the sectoral authority.

Is my AI system 'high-risk'? How do I know?

Two routes to high-risk. Annex I: safety components of products regulated by specific harmonisation legislation (machinery, toys, medical devices, vehicles, lifts, protective equipment, etc.). Annex III, eight use areas: biometrics, critical infrastructure, education and vocational training, employment (selection, evaluation, task allocation), access to essential public and private services, law enforcement, migration and border control, justice and democratic processes. An Annex III system can escape high-risk only through the documented art. 6(3) derogation, which does not apply when the system profiles natural persons. Correct classification is the founding decision of the programme: classifying too low exposes you to fines; classifying too high imposes unnecessarily costly obligations. We do this in the first phase of the project.

What does your compliance programme actually do?

Five blocks. Diagnostic and classification: AI systems inventory across the organisation, classification of each one (prohibited / high-risk / GPAI / limited / minimal) and obligations map. Governance: policies, role assignment, AI committee, internal AI systems register. Risk (art. 9): documented risk management system, continuous evaluation, mitigations. Technical compliance: data governance (art. 10), technical documentation (art. 11), logs (art. 12), transparency (art. 13), human oversight (art. 14), accuracy, robustness and cybersecurity (art. 15). Continuous operation: post-market monitoring, serious incident management (art. 73 for high-risk providers, art. 55 for GPAI with systemic risk), reporting to AESIA, evidence for auditors.

What do you do and what do you NOT do?

We do: technical classification of systems, art. 9 risk management system, art. 10 data governance, art. 11 technical documentation, art. 12 logging system, transparency and human oversight mechanisms (arts. 13 and 14), art. 15 technical testing (accuracy, robustness and cybersecurity, including adversarial red teaming), post-market monitoring, serious incident notification procedures, art. 4 AI literacy training, internal policies and governance. We do not: legal representation before AESIA, legal defence in sanction proceedings, signing the EU declaration of conformity (art. 47), purely legal advice. For that we coordinate with the client's legal team or the firm they designate. We do draft the technical documentation that the firm will need in order to sign.

How much does it cost and how long does it take?

It depends on the number and criticality of AI systems. Initial diagnostic (inventory + classification + obligations map + roadmap) with 2-5 systems: 3-5 weeks, €8-18k. Full high-risk deployment programme with 1-3 systems: 12-24 weeks, 1-2 GRC consultants plus 1 technical consultant, €35-90k. GPAI or multi-system enterprise programme: 24-40 weeks, €50-160k. Continuous operation (periodic review, new systems, reporting) is delivered as a monthly subscription or handed over to the internal team with training. Before quoting, we run the initial diagnostic to size the work accurately.

How does it fit with ISO/IEC 42001? And with GDPR?

ISO/IEC 42001 (Artificial Intelligence Management System, AIMS) is the natural operational framework for supporting EU AI Act compliance: the management system covers most organisational obligations (governance, risk, continual improvement) and its Annex A controls cover the technical side. Deploying 42001 does not certify EU AI Act conformity, but it generates the evidence base. With GDPR the overlap is partial: GDPR art. 22 (automated decisions) still applies when the AI system makes decisions about people, and a GDPR DPIA complements the EU AI Act art. 27 Fundamental Rights Impact Assessment (FRIA) for high-risk systems in the public sector or essential services (art. 27(4) allows the FRIA to build on an existing DPIA). The two coexist; neither replaces the other.

We are providers of a system used in Europe but established outside the EU. Does it apply?

Yes. The Regulation applies extraterritorially when the AI system is placed on the EU market (regardless of where it is developed), when the deployer is established in the EU, or when the output of the system is used in the EU. A provider of high-risk systems established outside the EU must designate an authorised representative in the EU (art. 22); a GPAI provider outside the EU must do the same under art. 54. We coordinate with your international legal counsel for the designation; we cover the technical and programme management side directly.

Fines are high. What is the real risk?

Three tiers. Up to €35 million or 7% of total worldwide annual turnover of the previous financial year for prohibited practices (art. 5). Up to €15 million or 3% for breaching high-risk and transparency obligations; the same ceiling applies to GPAI providers, fined by the Commission under art. 101. Up to €7.5 million or 1% for supplying incorrect information to authorities. In each case the higher amount applies, except for SMEs and start-ups, where the lower one applies. The national authority (AESIA in Spain) and sectoral authorities (CNMV, AEPD, etc.) impose the art. 99 fines. Beyond the fine, reputational and commercial risk is high: enterprise clients will start requiring compliance evidence as a procurement condition through 2026-2027.

How do we start a project with Hard2bit?

A 30-minute call to understand the context (what AI systems you have or are deploying; your position in the chain as provider, deployer or both; sector; current GRC resources). If it fits, a 2-hour technical-organisational walkthrough with product/engineering and Compliance/DPO. From there we propose an initial diagnostic (3-5 weeks), with a firm proposal after the diagnostic. No commitments until signature. If we see that the organisation does not yet have AI systems in production or is at a very early stage, we recommend one-off advisory sessions instead of a full programme.

Is your organisation ready for the EU AI Act?

A 30-minute call to understand your AI systems, sector and position in the chain. Initial diagnostic of 3-5 weeks, with a firm proposal after the diagnostic. No commitments until signature. Coordination with your legal team, or references to specialised law firms if needed.