EU AI ACT READINESS
Article 6 Enforcement Begins August 2, 2026
High-risk AI systems on the EU market need a defensible compliance posture by the enforcement deadline. Ayliea classifies systems against Annex III, generates conformity assessment drafts, monitors GPAI vendor obligations, and maps EU AI Act obligations to ISO 42001 + NIST AI RMF controls. From $1,200/yr.
The Enforcement Clock Is Running — Even If You're a US Company
The EU AI Act applies extraterritorially. Article 2 brings any AI system in scope when it's placed on the EU market, put into service in the EU, or when the output is used in the EU — regardless of where the provider is established. US healthtech using AI for EU patient triage. US edtech using AI for EU student assessment. US lenders using AI for EU credit decisions. All covered. Geography of incorporation is not a defense.
Article 5 prohibitions are already enforceable (since February 2, 2025). GPAI provider obligations are already enforceable (since August 2, 2025). The next major deadline — Article 6 high-risk AI system obligations — begins August 2, 2026. National competent authorities and the EU AI Office have signaled they will not accept "we didn't know" defenses past the enforcement date. The 60-day-out window is when most affected organizations realize they need a dedicated AI governance posture, not a checkbox on their existing SOC 2 program.
WHAT YOU GET
Three Product Surfaces That Address EU AI Act Readiness
EU AI Act tracking surface
Classify each AI system against Annex III risk categories — employment, education, credit, asylum, critical infrastructure, law enforcement. Attach narrative + evidence per system. Countdown badges per deadline. Tracks compliance status against the enforcement timeline.
Conformity assessment generator
Article 6 requires conformity assessment documentation for high-risk AI systems before market placement. Ayliea generates draft Annex IV technical documentation and Annex VIII registration data from your AI System Registry — combining the framework data you've already entered with the AI BOM and AI Risk Score.
AI Vendor Watch — GPAI sub-processor monitoring
GPAI model providers (OpenAI, Anthropic, Google, AWS Bedrock, Azure OpenAI) must comply with transparency, copyright, and code-of-conduct obligations as of August 2, 2025. AI Vendor Watch monitors their public policy pages weekly and alerts the org owner on critical and high-severity changes — including sub-processor additions that affect your downstream EU AI Act compliance.
ENFORCEMENT TIMELINE
Four Dates That Matter
The EU AI Act is a phased rollout. Each phase brings different obligations and different penalty bands. Plan against the deadlines that affect your AI deployments specifically.
Article 5 Prohibited Practices — in force
Social scoring by public authorities, real-time biometric identification in public spaces (with exceptions), emotion recognition in workplace/education, manipulative dark patterns, scraping facial images for facial recognition databases. Penalties up to €35M or 7% global turnover.
GPAI Model Obligations — in force
General-Purpose AI providers (OpenAI, Anthropic, Google, AWS, Mistral, etc.) must publish transparency summaries of training data, code of practice for copyright compliance, and technical documentation. Systemic-risk GPAI gets additional obligations (evaluation, adversarial testing, incident reporting).
Article 6 High-Risk AI Systems — enforcement begins
Risk management, data governance, technical documentation, record-keeping, transparency, human oversight, accuracy/robustness/cybersecurity, quality management, conformity assessment, and EU database registration for Annex III categories. Penalties up to €15M or 3% global turnover for non-compliance.
Embedded AI in Regulated Products — deferred
Article 6 obligations for AI embedded in regulated products covered by other EU legislation (medical devices, machinery, in-vitro diagnostics, automotive). Industry-specific harmonisation continues in parallel.
Full timeline maintained by the EU AI Act service desk and the European AI Office. Always cross-reference with the official timeline before acting on regulatory deadlines (see the EU AI Act primary text).
COMPLIANCE QUESTIONS
Six Questions Every In-Scope Org Should Answer
The questions a compliance lead or external counsel will ask when scoping EU AI Act readiness. Ayliea provides product-grounded evidence for each one.
Which AI systems are 'high-risk' under Article 6?
Annex III categories: biometric identification and categorization, critical infrastructure (transport, water, gas, electricity), education and vocational training, employment and worker management, access to essential private and public services (credit, lending, insurance), law enforcement, migration/asylum/border control, and administration of justice. Ayliea's EU AI Act tracking surface lets you classify each system in your AI BOM against these categories.
What does Article 6 actually require by August 2, 2026?
For each high-risk AI system: a risk management system (Article 9), data governance (Article 10), technical documentation (Article 11, Annex IV), record-keeping/logs (Article 12), transparency (Article 13), human oversight (Article 14), accuracy/robustness/cybersecurity (Article 15), quality management (Article 17), conformity assessment (Article 43), and EU database registration (Article 49). Ayliea maps each obligation to controls in our AI-specific frameworks (ISO 42001, NIST AI RMF, AISS).
Are we already covered by GPAI obligations as of August 2, 2025?
If you use an integrated General-Purpose AI model (GPT, Claude, Gemini), the provider must comply with GPAI obligations: a transparency summary of training data, a copyright code of practice, and technical documentation. Your downstream obligations: don't use the model for prohibited practices (Article 5) and use it within the provider's terms. AI Vendor Watch monitors your GPAI providers' public policies weekly.
How do penalties work?
Article 99: up to €35M or 7% of global turnover (whichever is higher) for prohibited practices (Article 5). Up to €15M or 3% turnover for non-compliance with Article 5–10 obligations. Up to €7.5M or 1.5% turnover for incorrect, incomplete, or misleading information to national authorities. National competent authorities are the EU AI Office (oversight) + 27 Member State authorities. Penalties scale with severity, duration, and impact.
What's the relationship to ISO 42001 and NIST AI RMF?
ISO 42001 (AI Management System, 2023) and NIST AI RMF (Risk Management Framework, 2024) are voluntary standards. EU AI Act is binding regulation. The standards provide implementation patterns — an ISO 42001-certified AI Management System addresses Article 9 risk management; NIST AI RMF GOVERN/MAP/MEASURE/MANAGE addresses Articles 9, 10, 13, 17. Ayliea ships both frameworks plus dedicated EU AI Act tracking so the same controls satisfy multiple obligation surfaces.
What about US companies with EU customers?
The EU AI Act applies extraterritorially. If you place an AI system on the EU market, put it into service in the EU, or if the output is used in the EU, you're in scope regardless of where you're established. US healthtech using AI for EU patient triage, US edtech using AI for EU student assessment, US lenders using AI in EU credit decisions — all in scope. Ayliea's tracking surface handles classification regardless of where your company is incorporated.
Classify your AI systems against Annex III in 30 minutes
Free, no credit card. Take the AISS assessment plus the EU AI Act risk classification, see where each system lands against Annex III, and decide whether the $1,200/yr Pro tier earns its keep before Aug 2 enforcement.
