EU AI Act

Regulation (EU) 2024/1689 — World's first comprehensive AI regulation, risk-based

The AI Act introduces binding obligations on providers, deployers, importers and distributors of AI systems on the European market. Risk-based approach: prohibited practices (Art. 5), high-risk systems (Art. 6 and Annex III), transparency obligations for limited-risk systems, and a separate regime for general-purpose AI (GPAI) models. ISO/IEC 42001 is a voluntary management-system standard: certification against it does NOT discharge the binding obligations.

What is the EU AI Act?

Regulation (EU) 2024/1689, adopted on 13 June 2024, is the world's first comprehensive regulatory framework for artificial intelligence. It imposes binding — not voluntary — obligations on providers, deployers, importers and distributors of AI systems placed on the European market.

The approach is risk-based across four levels: prohibited AI practices (Art. 5: social scoring, manipulative or deceptive techniques, exploitation of vulnerabilities, and real-time remote biometric identification in publicly accessible spaces for law enforcement, subject to narrow exceptions), high-risk systems (Annex III: biometrics, critical infrastructure, education, employment, access to essential services, law enforcement, migration and border control, administration of justice), limited-risk systems (transparency obligations, e.g. disclosing that a user is interacting with an AI system or that content is AI-generated), and minimal-risk systems (voluntary codes of conduct).

Phased application: prohibited practices and AI literacy duties from 2 February 2025, GPAI model obligations and the governance framework from 2 August 2025, most remaining provisions including Annex III high-risk systems from 2 August 2026, and high-risk systems that are safety components of products covered by Annex I harmonised legislation from 2 August 2027. Penalties are tiered (Art. 99): up to EUR 35 million or 7% of global annual turnover for prohibited practices, up to EUR 15 million or 3% for breaches of other obligations, and up to EUR 7.5 million or 1% for supplying incorrect information to authorities.

Who is in scope

  • Providers placing AI systems on the EU market
  • Deployers using high-risk AI systems
  • Importers and distributors of AI systems
  • GPAI (General-Purpose AI) providers — foundation models
  • Deployers that are public bodies or provide public services, plus deployers of credit-scoring and life/health insurance risk-assessment systems (fundamental rights impact assessment, FRIA, Art. 27)
  • Non-EU operators whose outputs are used in the Union

Key obligations

The AI Act establishes obligations stratified by role (provider/deployer/importer) and by risk level. Pyxis maps 18 articles of the regulation to dedicated MFA controls.

Prohibited AI practices (Art. 5)
Risk management system (Art. 9)
Data governance and data quality (Art. 10)
Technical documentation (Art. 11)
Record-keeping / automatic logging (Art. 12)
Transparency to deployers (Art. 13)
Human oversight (Art. 14)
Accuracy, robustness, cybersecurity (Art. 15)
Conformity assessment (Art. 43) + CE marking (Art. 48)
EU Database registration (Art. 49)
GPAI model obligations (Art. 53) + additional obligations for GPAI models with systemic risk (Art. 55)
Post-market monitoring (Art. 72) + serious incident reporting (Art. 73)

Face the AI Act without multiplying assessments

Run the unified assessment and score the EU AI Act alongside ISO 42001, ISO 27001 and all other applicable frameworks — one questionnaire, clear distinction between binding obligations and voluntary standards.