AI Act Compliance Framework

PREAMBLE

This AI Act Compliance Framework for [AI System Name] adopted by [Company] on [Date] ensures compliance with EU Regulation 2024/1689 (AI Act). Legal Framework: Risk-based regulation; high-risk systems require conformity assessments, documentation, human oversight.

1. AI SYSTEM CLASSIFICATION

System Name: [e.g., Content Moderation AI]
Risk Level: ☐ Prohibited ☐ High-Risk ☐ Limited Risk ☐ Minimal Risk

High-Risk Categories (REQUIRE COMPLIANCE per Art. 6):

High-Risk Category	Applies?	Mitigation Measures
Biometric identification (facial recognition)	☐ Yes ☐ No	[Accuracy testing, bias audit]
Employment/HR decisions (hiring, promotion)	☐ Yes ☐ No	[Human oversight, appeal process]
Credit/loan decisions	☐ Yes ☐ No	[Transparency, explainability]
Law enforcement (criminal risk assessment)	☐ Yes ☐ No	[Accuracy >99%, regular audits]
Migration/asylum decisions	☐ Yes ☐ No	[Human review mandatory]

2. DOCUMENTATION & TRANSPARENCY (ARTICLES 11-13)

2.1 Technical Documentation Required:

✓ System description & purpose
✓ Training data: source, volume, preprocessing
✓ Performance metrics: accuracy, precision, recall
✓ Bias testing results
✓ Hardware/software specifications
✓ Risk mitigation measures

2.2 Transparency (User Disclosures): Users informed [AI is being used / decision made by AI] before interaction per Art. 13.

3. HIGH-RISK COMPLIANCE REQUIREMENTS (ARTICLES 8-9)

3.1 Conformity Assessment: Third-party testing + documentation review OR internal assessment + notified body review.

3.2 Human Oversight (Art. 14): Humans must review AI decisions with [authority to override / ability to understand reasoning].

3.3 Bias & Fairness Testing (Art. 15): Regular testing for gender, racial, age bias. Target accuracy: [>95%] across all demographic groups.

3.4 Data Governance: Training data documented, tested for representativeness, bias-checked per Art. 10.

4. PROHIBITED AI PRACTICES (ARTICLE 5)

STRICT PROHIBITION - NO COMPLIANCE POSSIBLE:

✗ Subliminal manipulation (hidden messaging)
✗ Exploitation of vulnerable groups (children, disabilities)
✗ Real-time biometric identification in public spaces (with narrow law enforcement exceptions)
✗ Emotion recognition systems in workplace/education
✗ Social credit systems for punitive purposes

5. INCIDENT REPORTING & MONITORING (ARTICLES 72-73)

5.1 Serious Incident Threshold: Incident causing death, injury, discrimination, significant property damage = MUST report to authorities within [15 days].

5.2 Continuous Monitoring: Monitor system performance post-deployment. If accuracy degrades >5%, investigate + document.

5.3 Record Keeping: Maintain incident logs for [3 / 5 years].

6. PENALTIES & ENFORCEMENT

Fines (Art. 84): Up to EUR 30 Million or 6% global revenue for high-risk violations. Up to EUR 10 Million or 2% for transparency violations.

7. NOTIFIED BODY & THIRD-PARTY ASSESSMENT (ARTICLES 48-51)

7.1 Notified Body Registration: High-risk AI systems MUST be assessed by notified body per EU AI Act Articles 48-51. Notified body:

Reviews technical documentation for compliance
Performs audit + evaluation of risk management system
Verifies data governance + bias testing practices
Issues conformity assessment or rejection notice

7.2 CE Marking: Upon successful assessment, system receives CE marking (mandatory visual display per Art. 48). Marking includes: CE logo + notified body identification number + year of marking.

8. POST-MARKET SURVEILLANCE & PERFORMANCE MONITORING

8.1 Continuous Monitoring: After deployment, Developer SHALL:

Monitor system performance in real-world conditions vs. testing benchmarks
Track accuracy degradation (trigger investigation if >5% drift)
Log user complaints, edge-case failures, safety incidents
Maintain complaint register with remediation actions taken
Document all system updates + retraining activities

8.2 Serious Incident Reporting: Within 15 days of discovery, report serious incidents to national authorities if:

- Death or serious injury caused by system malfunction
- Discrimination or violation of fundamental rights
- Unauthorized system access or data breach
- System used in violation of approved ODD
- Persistent accuracy/performance degradation

9. RECORD KEEPING & AUDIT TRAIL (ARTICLES 66-67)

9.1 Documentation Retention: Maintain technical documentation + compliance records for [3 / 5 years] minimum per jurisdiction:

Risk management logs + mitigation measures implemented
Training/validation/test data logs (anonymized)
Bias testing results + accuracy benchmarks
System modifications + version history
Incident reports + corrective actions
User complaints + responses

9.2 Authority Access: Upon request, provide full audit trail to national AI authorities, data protection authorities, notified bodies within [10 business days].

10. PHASE-IN TIMELINE & COMPLIANCE DEADLINES

EU AI Act Enforcement Schedule:

Phase	Deadline	Applies To
Phase 1	Feb 2025	Prohibited AI (enforcement)
Phase 2	Aug 2025	High-Risk AI (conformity assessments)
Phase 3	Jan 2026	General compliance + fines

Action Items for this System:

☐ By [Date]: Conduct internal compliance audit
☐ By [Date]: Identify + engage notified body
☐ By [Date]: Submit to notified body for assessment
☐ By [Date]: Receive CE marking + compliance certification
☐ Ongoing: Implement post-market surveillance program

11. GOVERNING LAW & ENFORCEMENT

Law: EU Regulation 2024/1689 (AI Act) | Applies to all AI systems deployed in EU
Enforcement: National AI authorities + DPA (data protection) + Product safety authorities
Appeals: Administrative remedy with national regulator, then EU level appeals

CRITICAL AI ACT COMPLIANCE: AI Act Phase 2-3 enforcement begins Aug 2025. High-risk systems MUST have: (1) Risk management system documented, (2) Notified body assessment + CE marking, (3) Human oversight + explainability enabled, (4) Post-market surveillance ongoing, (5) Incident reporting capability. Penalties: EUR 30M or 6% global revenue for high-risk violations + EUR 10M or 2% for transparency. Prohibited AI systems: ZERO tolerance, immediate fines. Failure to remove prohibited systems = fines within 30 days.

System Owner: [Name] | Compliance Date: [Date] | Next Review: [Quarterly] | Notified Body: [Name & Registration]