AI Regulation Selector

Select the regulatory framework to apply to client programs. Only one framework may be active at a time. Non-selected frameworks are lowlighted.

Select Active Regulatory Framework
Active: 1. EU_AI_LAWLast updated: Wed, 15 Jul 2026 07:26:34 GMTNext scheduled update: Sat, 18 Jul 2026 00:00:00 GMT

# EU AI Law - Regulatory Framework

Overview

Regulation (EU) 2024/1689 - the EU Artificial Intelligence Act - entered into force on 1 August 2024 and applies progressively through 2027. It establishes a risk-based framework classifying AI systems into four tiers: Unacceptable Risk (banned), High Risk (mandatory conformity), Limited Risk (transparency obligations), and Minimal Risk (voluntary codes).

Overlay regulations relevant to the Axis Platform:

  • DORA (Digital Operational Resilience Act, Regulation (EU) 2022/2554) - ICT risk management for financial entities
  • ISO/IEC 42001:2023 - AI Management System standard
  • SOC 2 Type II - service organisation controls
  • GDPR (Regulation (EU) 2016/679) - personal data processing requirements

Risk Classification

Unacceptable Risk (Article 5 - Prohibited)

Systems that are prohibited outright:

  • Subliminal manipulation causing harm
  • Exploitation of vulnerabilities of specific groups
  • Real-time biometric identification in public spaces (limited law-enforcement exceptions apply)
  • Social scoring by public authorities
  • Predictive policing based solely on profiling
  • Emotion recognition in workplace/education (limited exceptions)
  • Biometric categorisation inferring sensitive attributes

Axis Audit Obligation: Confirm no deployed AI system falls within Article 5. Evidence must be captured per migration step.

High Risk (Annex III - Conformity Required)

CategoryExamples
Biometric identificationRemote biometric ID, emotion recognition
Critical infrastructureAI in energy, water, transport networks
EducationAdmission, assessment, monitoring tools
EmploymentRecruitment, HR management, performance evaluation
Essential servicesCredit scoring, insurance risk, benefits eligibility
Law enforcementRisk assessment, evidence evaluation, polygraph
Migration and borderRisk assessment, document verification
Administration of justiceFact-finding, legal interpretation support

Conformity obligations for High-Risk AI (Articles 9-15):

  1. Risk management system (Art. 9)
  2. Data and data governance (Art. 10)
  3. Technical documentation (Art. 11)
  4. Record-keeping and logging (Art. 12)
  5. Transparency to deployers (Art. 13)
  6. Human oversight measures (Art. 14)
  7. Accuracy, robustness, cybersecurity (Art. 15)

Limited Risk

  • Chatbots: must disclose AI nature to users
  • Deep fakes: must label synthetic content
  • Emotion recognition outputs: must disclose to affected persons

Minimal Risk

No mandatory obligations. Voluntary adherence to codes of practice recommended.


GPAI Models (General Purpose AI - Articles 51-56)

  • Systemic risk threshold: 10^25 FLOPs training compute triggers enhanced obligations
  • Documentation and copyright compliance (Article 53)
  • Systemic risk providers: red-team testing, incident reporting to AI Office, cybersecurity measures (Article 55)

Axis Audit Obligation: Catalogue any GPAI model API usage. Verify provider compliance status.


Governance Structure

BodyRole
European AI OfficePrimary enforcer for GPAI; co-ordination for high-risk AI
National Competent AuthoritiesMember-state enforcement of provider/deployer obligations
AI BoardAdvisory; co-ordinates NCAs
Scientific PanelTechnical advice on GPAI systemic risk

Application Timeline

DateEvent
1 Aug 2024Regulation in force
2 Feb 2025Chapter I and II apply (definitions, prohibited practices)
2 Aug 2025GPAI obligations and governance apply
2 Aug 2026High-risk AI (Annex III) obligations apply; penalties apply
2 Aug 2027Annex I embedded systems obligations apply

Penalties

ViolationMaximum Fine
Prohibited practice (Article 5)EUR 35M or 7% global annual turnover
Other obligationsEUR 15M or 3% global annual turnover
Misleading information to authoritiesEUR 7.5M or 1% global annual turnover

DORA Overlay (Financial Entities - Regulation (EU) 2022/2554)

  • ICT risk management framework (Articles 5-16)
  • ICT-related incident classification and reporting (Articles 17-23)
  • Digital operational resilience testing (Articles 24-27)
  • ICT third-party risk management (Articles 28-44)

Axis Audit Obligation: For financial-sector clients, cross-reference AI system risk posture against DORA ICT risk registers.


ISO/IEC 42001:2023 Overlay

  • Clause 6.1 - Risk and opportunity assessment for AI systems
  • Clause 8.4 - AI system impact assessment
  • Clause 9.1 - Monitoring, measurement, and evaluation
  • Clause 10 - Continual improvement

GDPR Overlay

For AI systems processing personal data:

  • Article 22 - Automated individual decision-making (right to explanation)
  • Article 25 - Data protection by design and default
  • Article 35 - DPIA required for high-risk AI processing personal data
  • Article 37 - Data Protection Officer designation

Axis Audit Obligation: Flag any AI system subject to Article 22 for human oversight review.

Run Compliance Analysis

Select frameworks to evaluate: