Skip to main content
EU AI Act compliance · UK + EU · 2026 deadlines

EU AI Act compliance without a compliance-team headcount.

Independent risk-classification of every AI system in your product, Article 11 technical documentation ready for the notified body, and a fixed remediation plan for anything that lands in the "high-risk" bucket. £8K audit + fixed build.

4AI Act audits shipped in 2026
£8Kaudit + risk classification
Aug 2026high-risk deadline for existing systems
Definition

What is EU AI Act compliance?

The EU AI Act (Regulation 2024/1689) classifies every AI system into four risk tiers, each with its own obligations. Prohibited practices cannot ship at all. High-risk systems need technical documentation, conformity assessment, human oversight, and post-market monitoring. Limited-risk systems carry transparency obligations. Minimal-risk systems carry none. Empyreal Infotech runs EU AI Act compliance as a fixed £8K audit that classifies every AI system in your product against the Annex III categories, followed by a fixed-price remediation plan for anything that lands in the high-risk tier. Delivered by senior engineers who read the primary text of the Act, not the marketing summaries.

The four risk tiers · Regulation 2024/1689

Every AI system falls into one of four buckets.

Tier 01 Article 5

Prohibited

Social scoring, real-time biometric ID in public spaces, exploitation of vulnerabilities, subliminal manipulation. These cannot ship to the EU market under any circumstance.

Cannot ship. Fine: up to €35M / 7% turnover.
Tier 02 Annex III · Article 6

High-risk

Recruitment, credit scoring, medical devices, critical infrastructure, education, law enforcement, migration, justice, biometrics. Anything Annex III lists.

Full obligations. Docs + oversight + assessment.
Tier 03 Article 50

Limited-risk

Chatbots, emotion recognition, biometric categorisation, deepfakes / AI-generated content. Users must be told they're interacting with AI.

Transparency only. Disclosure to the user.
Tier 04 No specific Article

Minimal-risk

Everything else. Spam filters, video-game AI, inventory forecasting, most enterprise ML that touches no protected decision. Voluntary codes of conduct only.

No obligation. Ship freely.
Deadlines · staggered enforcement

The Act came into force in stages. Most obligations are already live.

  1. Feb 2025 Live Prohibited practices in force

    Article 5 practices banned outright. AI literacy obligation on providers + deployers under Article 4. If you ship social-scoring or real-time biometric ID, stop.

  2. Aug 2025 Live GPAI + governance in force

    Obligations for general-purpose AI models (Chapter V), governance bodies operational, penalties under Article 99 enforceable. Notified bodies designated.

  3. Aug 2026 Next High-risk (Annex III) obligations in force

    The bulk of the Act. Every new high-risk system placed on the EU market must ship with the Article 11 technical documentation, human oversight design, data-governance evidence, and a passed conformity assessment.

  4. Aug 2027 Later High-risk in regulated products in force

    AI as a safety component of a regulated product (medical devices, cars, toys, radio equipment, etc.). Aligns with existing sectoral CE-marking regimes.

  5. Dec 2030 Later Legacy high-risk systems already deployed by public authorities

    Grace period for pre-existing high-risk systems in the public sector. Applies only to systems placed on the market before Aug 2026.

EU AI Act compliance · UK + EU · 2026 deadlines

What you get, every engagement.

01

Risk classification of every system

Every AI feature in your product mapped against the Act's Annex III. Written classification with the specific Article + recital you can cite in a filing.

02

Article 11 documentation pack

The technical documentation the Act requires (Article 11 + Annex IV): data governance, training methodology, testing evidence, human oversight design, cybersecurity posture. Written, not templated.

03

Conformity assessment prep

For high-risk systems: the pre-market conformity assessment pack that a notified body will accept. Practice-audit against the criteria. Not a slide deck.

04

Post-market monitoring wiring

Structured logging + drift detection + incident reporting workflow so the Article 61 + 72 obligations are met continuously, not scrambled at audit-time.

Every audit is Article-level

We cite the primary text, not a compliance-vendor summary.

  • Article 5

    Prohibited practices — social scoring, real-time biometric ID, subliminal manipulation, exploitation of vulnerabilities.

  • Article 6 · Annex III

    High-risk classification. The 8 Annex III categories that trigger full compliance obligations.

  • Article 9

    Risk management system — continuous, iterative, over the whole lifecycle.

  • Article 10

    Data governance — training, validation, and testing datasets meeting quality criteria.

  • Article 11 · Annex IV

    Technical documentation. The document pack the notified body reads. What we build.

  • Article 14

    Human oversight — the design + interface + escalation path the deployer sees.

  • Article 15

    Accuracy, robustness, cybersecurity — measurable across the whole lifecycle.

  • Article 43

    Conformity assessment procedures — self-assessment (Annex VI) vs notified-body (Annex VII).

  • Article 50

    Transparency obligations — chatbots, deepfakes, emotion recognition, biometric categorisation.

  • Article 61 · 72

    Post-market monitoring + serious-incident reporting workflow.

  • Article 99

    Penalties. Up to €35M or 7% of worldwide turnover for prohibited practices.

  • Chapter V

    General-purpose AI (GPAI) model obligations — model documentation + downstream cooperation.

How the engagement runs

The EU AI Act compliance engagement, week by week.

  1. 01
    Audit week (£8K)Days 1-5

    Inventory every AI system in your product, classify each against Annex III, name the high-risk ones, quantify the remediation gap. 30-page audit brief with the specific Article + recital citations.

    Audit week (£8K). Inventory every AI system, classify each against Annex III, name the high-risk ones, quantify the remediation gap.

  2. 02
    Documentation packWeek 2-3

    Article 11 + Annex IV technical documentation for every high-risk system. Written, not templated. Ready for the notified body: data governance, training methodology, testing evidence, human oversight design, cybersecurity posture.

    Documentation pack. Article 11 + Annex IV technical documentation for every high-risk system. Written, not templated. Ready for the notified body.

  3. 03
    Remediation buildWeek 3-8

    Human oversight UIs, data-governance pipelines, post-market monitoring wiring, cybersecurity controls. Whatever's missing gets built by the same senior engineers who wrote your audit.

    Remediation build. Human oversight UIs, data-governance pipelines, post-market monitoring wiring, cybersecurity controls. Whatever's missing gets built.

  4. 04
    Conformity assessment prepWeek 8-10

    Full pre-market conformity assessment pack. Practice-audit against Article 43 criteria. Named notified body pre-consultation where useful (we've worked with two designated bodies since Aug 2025).

    Conformity assessment prep. Full pre-market conformity assessment pack. Practice-audit against the criteria. Named notified body pre-consultation where useful.

  5. 05
    Ongoing monitoring retainerFrom month 3

    £5K/month for drift monitoring, Article 61 + 72 incident-reporting workflow ownership, and quarterly re-classification as your product evolves. Cancellable with 30 days' notice, any month.

    Ongoing monitoring retainer. £5K/month for drift monitoring, incident-reporting workflow ownership, and quarterly re-classification as your product evolves.

Common questions

Questions we get about EU AI Act compliance, with real answers.

The EU AI Act applies if your product is placed on the EU market OR its output is used in the EU — regardless of where your company is based. UK companies selling into the EU are covered. Provisions came into force on staggered dates through 2025 and 2026, with high-risk-system obligations for new systems effective August 2026.

Annex III lists the 8 categories: biometrics · critical infrastructure · education + vocational training · employment + worker management · essential services (credit, insurance, benefits) · law enforcement · migration + asylum + border · administration of justice + democratic processes. Plus AI used as a safety component of a regulated product (medical devices, cars, toys, etc.) under Annex I. If your system falls in any of these, it's high-risk.

£8K fixed for the audit + risk classification. Remediation cost depends on how many high-risk systems you have and how much of the Article 11 documentation, human oversight, and post-market monitoring is already in place. A typical single-high-risk-system client in 2026 spent £35-60K in remediation on top of the £8K audit. Retainer is £5K/month, cancellable with 30 days' notice.

No — the conformity assessment is either self-assessed (Annex VI, for most high-risk systems under Article 43) or performed by a notified body (Annex VII, for biometric categorisation + a few sectoral cases). We prepare the pack the notified body will accept and we sit in on the assessment call if you want us there. The filing itself has to come from your legal entity.

Article 99. Prohibited practices: up to €35M or 7% of worldwide annual turnover, whichever is higher. High-risk obligations: up to €15M or 3%. Transparency + reporting: up to €7.5M or 1.5%. Information supplied to authorities that turns out to be incorrect or misleading: up to €7.5M or 1%. SMEs and start-ups get the lower absolute number, not the percentage.

For high-risk systems being placed on the market after Aug 2026: only with a passed conformity assessment. For high-risk systems already deployed before Aug 2026: grace period rules under Article 111 apply, but you need documented reasonable steps toward compliance and a dated plan. For limited-risk systems (chatbots, deepfakes): transparency obligations only, easy to meet in-flight. For minimal-risk systems: ship freely. Ship with a paper trail either way.

Not yet. The UK's post-Brexit approach is sector-specific principles under existing regulators (ICO, FCA, MHRA, CMA) rather than horizontal legislation like the EU Act. However: (a) if you ship into the EU, you're covered by the EU Act regardless of UK residency, (b) UK sector regulators are increasingly referencing EU AI Act principles as best practice, and (c) an AI (Regulation) Bill is currently in the UK Parliament pipeline that may add horizontal obligations from 2027+.

Three specifics. One: we read the Regulation, not a summary — every classification cites the specific Article and recital number. Two: we're engineers, so the remediation pack (human oversight UI, data-governance pipeline, monitoring wiring) gets built, not handed off to your team as a slide deck. Three: fixed £8K + fixed remediation quote — no day-rate meter, no partner-hour vs analyst-hour mix. If you want a Big Four signature at the end, we hand over a clean pack that any of them will happily accept.

Book the compliance audit

Send a 5-line brief. That's it.

5 lines: which AI features you ship, which EU markets you sell into, whether any system falls in an Annex III category, and any live regulatory conversation. Mohit replies inside 24 hours.

Write to mohit@empyrealinfotech.com Replies in 24hSince 2019London + Rajkot