Prohibited
Social scoring, real-time biometric ID in public spaces, exploitation of vulnerabilities, subliminal manipulation. These cannot ship to the EU market under any circumstance.
Independent risk-classification of every AI system in your product, Article 11 technical documentation ready for the notified body, and a fixed remediation plan for anything that lands in the "high-risk" bucket. £8K audit + fixed build.
The EU AI Act (Regulation 2024/1689) classifies every AI system into four risk tiers, each with its own obligations. Prohibited practices cannot ship at all. High-risk systems need technical documentation, conformity assessment, human oversight, and post-market monitoring. Limited-risk systems carry transparency obligations. Minimal-risk systems carry none. Empyreal Infotech runs EU AI Act compliance as a fixed £8K audit that classifies every AI system in your product against the Annex III categories, followed by a fixed-price remediation plan for anything that lands in the high-risk tier. Delivered by senior engineers who read the primary text of the Act, not the marketing summaries.
Social scoring, real-time biometric ID in public spaces, exploitation of vulnerabilities, subliminal manipulation. These cannot ship to the EU market under any circumstance.
Recruitment, credit scoring, medical devices, critical infrastructure, education, law enforcement, migration, justice, biometrics. Anything Annex III lists.
Chatbots, emotion recognition, biometric categorisation, deepfakes / AI-generated content. Users must be told they're interacting with AI.
Everything else. Spam filters, video-game AI, inventory forecasting, most enterprise ML that touches no protected decision. Voluntary codes of conduct only.
Article 5 practices banned outright. AI literacy obligation on providers + deployers under Article 4. If you ship social-scoring or real-time biometric ID, stop.
Obligations for general-purpose AI models (Chapter V), governance bodies operational, penalties under Article 99 enforceable. Notified bodies designated.
The bulk of the Act. Every new high-risk system placed on the EU market must ship with the Article 11 technical documentation, human oversight design, data-governance evidence, and a passed conformity assessment.
AI as a safety component of a regulated product (medical devices, cars, toys, radio equipment, etc.). Aligns with existing sectoral CE-marking regimes.
Grace period for pre-existing high-risk systems in the public sector. Applies only to systems placed on the market before Aug 2026.
Every AI feature in your product mapped against the Act's Annex III. Written classification with the specific Article + recital you can cite in a filing.
The technical documentation the Act requires (Article 11 + Annex IV): data governance, training methodology, testing evidence, human oversight design, cybersecurity posture. Written, not templated.
For high-risk systems: the pre-market conformity assessment pack that a notified body will accept. Practice-audit against the criteria. Not a slide deck.
Structured logging + drift detection + incident reporting workflow so the Article 61 + 72 obligations are met continuously, not scrambled at audit-time.
We cite the primary text, not a compliance-vendor summary.
Prohibited practices — social scoring, real-time biometric ID, subliminal manipulation, exploitation of vulnerabilities.
High-risk classification. The 8 Annex III categories that trigger full compliance obligations.
Risk management system — continuous, iterative, over the whole lifecycle.
Data governance — training, validation, and testing datasets meeting quality criteria.
Technical documentation. The document pack the notified body reads. What we build.
Human oversight — the design + interface + escalation path the deployer sees.
Accuracy, robustness, cybersecurity — measurable across the whole lifecycle.
Conformity assessment procedures — self-assessment (Annex VI) vs notified-body (Annex VII).
Transparency obligations — chatbots, deepfakes, emotion recognition, biometric categorisation.
Post-market monitoring + serious-incident reporting workflow.
Penalties. Up to €35M or 7% of worldwide turnover for prohibited practices.
General-purpose AI (GPAI) model obligations — model documentation + downstream cooperation.
Inventory every AI system in your product, classify each against Annex III, name the high-risk ones, quantify the remediation gap. 30-page audit brief with the specific Article + recital citations.
Audit week (£8K). Inventory every AI system, classify each against Annex III, name the high-risk ones, quantify the remediation gap.
Article 11 + Annex IV technical documentation for every high-risk system. Written, not templated. Ready for the notified body: data governance, training methodology, testing evidence, human oversight design, cybersecurity posture.
Documentation pack. Article 11 + Annex IV technical documentation for every high-risk system. Written, not templated. Ready for the notified body.
Human oversight UIs, data-governance pipelines, post-market monitoring wiring, cybersecurity controls. Whatever's missing gets built by the same senior engineers who wrote your audit.
Remediation build. Human oversight UIs, data-governance pipelines, post-market monitoring wiring, cybersecurity controls. Whatever's missing gets built.
Full pre-market conformity assessment pack. Practice-audit against Article 43 criteria. Named notified body pre-consultation where useful (we've worked with two designated bodies since Aug 2025).
Conformity assessment prep. Full pre-market conformity assessment pack. Practice-audit against the criteria. Named notified body pre-consultation where useful.
£5K/month for drift monitoring, Article 61 + 72 incident-reporting workflow ownership, and quarterly re-classification as your product evolves. Cancellable with 30 days' notice, any month.
Ongoing monitoring retainer. £5K/month for drift monitoring, incident-reporting workflow ownership, and quarterly re-classification as your product evolves.
The EU AI Act applies if your product is placed on the EU market OR its output is used in the EU — regardless of where your company is based. UK companies selling into the EU are covered. Provisions came into force on staggered dates through 2025 and 2026, with high-risk-system obligations for new systems effective August 2026.
Annex III lists the 8 categories: biometrics · critical infrastructure · education + vocational training · employment + worker management · essential services (credit, insurance, benefits) · law enforcement · migration + asylum + border · administration of justice + democratic processes. Plus AI used as a safety component of a regulated product (medical devices, cars, toys, etc.) under Annex I. If your system falls in any of these, it's high-risk.
£8K fixed for the audit + risk classification. Remediation cost depends on how many high-risk systems you have and how much of the Article 11 documentation, human oversight, and post-market monitoring is already in place. A typical single-high-risk-system client in 2026 spent £35-60K in remediation on top of the £8K audit. Retainer is £5K/month, cancellable with 30 days' notice.
No — the conformity assessment is either self-assessed (Annex VI, for most high-risk systems under Article 43) or performed by a notified body (Annex VII, for biometric categorisation + a few sectoral cases). We prepare the pack the notified body will accept and we sit in on the assessment call if you want us there. The filing itself has to come from your legal entity.
Article 99. Prohibited practices: up to €35M or 7% of worldwide annual turnover, whichever is higher. High-risk obligations: up to €15M or 3%. Transparency + reporting: up to €7.5M or 1.5%. Information supplied to authorities that turns out to be incorrect or misleading: up to €7.5M or 1%. SMEs and start-ups get the lower absolute number, not the percentage.
For high-risk systems being placed on the market after Aug 2026: only with a passed conformity assessment. For high-risk systems already deployed before Aug 2026: grace period rules under Article 111 apply, but you need documented reasonable steps toward compliance and a dated plan. For limited-risk systems (chatbots, deepfakes): transparency obligations only, easy to meet in-flight. For minimal-risk systems: ship freely. Ship with a paper trail either way.
Not yet. The UK's post-Brexit approach is sector-specific principles under existing regulators (ICO, FCA, MHRA, CMA) rather than horizontal legislation like the EU Act. However: (a) if you ship into the EU, you're covered by the EU Act regardless of UK residency, (b) UK sector regulators are increasingly referencing EU AI Act principles as best practice, and (c) an AI (Regulation) Bill is currently in the UK Parliament pipeline that may add horizontal obligations from 2027+.
Three specifics. One: we read the Regulation, not a summary — every classification cites the specific Article and recital number. Two: we're engineers, so the remediation pack (human oversight UI, data-governance pipeline, monitoring wiring) gets built, not handed off to your team as a slide deck. Three: fixed £8K + fixed remediation quote — no day-rate meter, no partner-hour vs analyst-hour mix. If you want a Big Four signature at the end, we hand over a clean pack that any of them will happily accept.
5 lines: which AI features you ship, which EU markets you sell into, whether any system falls in an Annex III category, and any live regulatory conversation. Mohit replies inside 24 hours.