Social scoring, manipulative AI, real-time biometric ID.
Article 5 prohibitions. Enforced since February 2025. Maximum fines of €35M or 7% of global turnover.
SERVICE PRACTICE · EU AI ACT
AI Act conformity and governance.
We classify your AI systems against Annex III high-risk categories, prepare the conformity assessment and technical documentation, implement Article 9 risk management and Article 14 human oversight, and stand up an ISO 42001 management system. GPAI and prohibited-practice reviews included.
AI.GOV.DESK · LAST 30 DAYS● LIVE
AI systems classified7 high-risk64
Conformity files prepared12
Article 9 risk reviews23
Article 35 DPIAs combined8
GPAI dependency assessments14
Transparency notices reviewed47
TRUSTED BY 300+ EU ORGANISATIONS
ROCHESIEMENSIKEAASTRAZENECAVODAFONEPHILIPSJUST EAT
FREE 30-MIN CONSULTATION
Talk to a senior advisor.
One business day reply. Clear next steps and indicative pricing.
1 BUSINESS DAY REPLY·NDA ON REQUEST·NO OBLIGATION
§ 01 / EU AI ACT IN 60 SECONDS
Risk tiers.
Annex III systems: HR, credit, education, law enforcement.
Articles 8-15 obligations: risk management, data governance, technical documentation, human oversight, accuracy.
General-purpose AI models with systemic risk.
Foundation and frontier models. Transparency, model cards, copyright compliance, systemic-risk obligations from August 2025.
TIER 1 · OPERATOR FAILURES
Up to €15M or 3% turnover
Article 99 fines for non-compliance with conformity obligations or supplying incorrect information.
TIER 2 · PROHIBITED PRACTICES
Up to €35M or 7% turnover
Article 99 maximum tier. For Article 5 prohibited AI practices and their deployment.
§ 02 / ARTICLES IN SCOPE
Provider and deployer obligations.
PROVIDER OBLIGATIONS · ARTICLES 8-22
Art. 9Risk management systemContinuous, iterative risk-management process throughout the lifecycle.
Art. 10Data and data governanceTraining, validation and test data quality, bias examination, representativeness.
Art. 11-12Technical documentation and logsComprehensive documentation prepared before placing on market. Automatic log keeping.
Art. 14Human oversightEffective oversight by natural persons during the period the system is in use.
Art. 15Accuracy, robustness and cybersecurityAppropriate level of accuracy, robustness and cybersecurity throughout lifecycle.
DEPLOYER AND GPAI · ARTICLES 26, 50-55
Art. 26Deployer obligationsUse according to instructions, human oversight, monitoring, incident reporting.
Art. 27Fundamental rights impact assessmentFRIA before deployment by public bodies and high-risk system deployers in scope.
Art. 50Transparency obligationsDisclose AI-generated content, deepfakes, emotion recognition, biometric categorisation.
Art. 53-55GPAI obligationsTechnical documentation, copyright policy, training data summary, model evaluations for systemic-risk models.
§ 03 / ENGAGEMENT MODELS
Engagement models.
FULLMOST POPULAR
AI Act Programme Implementation
System inventory and classification, conformity assessment, technical documentation, Article 9 risk management, Article 14 human oversight, integration with GDPR Article 35 DPIAs.
- →System inventory and classification
- →Conformity assessment and technical file
- →Article 9 + Article 14 implementation
- →GDPR Art. 35 DPIA integration
GAP3-4 WK
AI Act Gap Assessment
Independent review against AI Act obligations relevant to your role (provider, deployer, GPAI). Maturity baseline, prioritised gap register, executive readout.
- →System risk classification
- →Gap register, priority-scored
- →Risk-weighted roadmap
- →Board-ready readout
ISO5-7 MO
ISO 42001 AI Management System
Build the AI management system aligned with ISO 42001. Suitable for organisations seeking external certification or buyer-led assurance.
- →ISO 42001 AIMS build
- →AI policy stack
- →Internal audit programme
- →Certification audit support
§ 04 / SCOPE
Scope of work.
01 / 04
Inventory and classification
- AI system inventory and ownership
- Annex III high-risk mapping
- Prohibited practice screening (Art. 5)
- Provider vs deployer role analysis
- GPAI dependency assessment
02 / 04
Conformity and documentation
- Conformity assessment procedure
- Technical documentation (Art. 11)
- EU declaration of conformity
- CE marking and registration
- Post-market monitoring plan
03 / 04
Risk and oversight controls
- Article 9 risk management system
- Article 10 data governance
- Article 14 human oversight design
- Article 15 accuracy and robustness
- Incident reporting workflow (Art. 73)
04 / 04
People and evidence
- AI literacy training (Art. 4)
- Fundamental rights impact assessment
- Article 50 transparency notices
- Authority correspondence
- Annual programme report
§ 05 / GDPR AND AI ACT, TOGETHERSee sample technical file indexPDF · 12 PP
Joint DPIA and conformity assessment.
High-risk AI systems usually process personal data. Article 35 DPIA obligations and AI Act conformity assessment overlap. Our template covers both, and the technical documentation references both obligation sets.
Combined DPIA template
Included
Conformity file
We prepare
Authority registration
We file
Annual programme report
Included
SAMPLE.TECH.FILE.INDEXOCT 2026
System description and intended purposeSection 1
Risk management documentation (Art. 9)Section 2
Data and data governance (Art. 10)Section 3
Logging architecture (Art. 12)Section 4
Human oversight design (Art. 14)Section 5
Post-market monitoring planSection 8
SIGNED. PETRA NOVAK, COUNSEL. AI GOVERNANCE
§ 06 / SELECTED WORK
All case studies →Recent engagements.
CASE 01HR-tech · Series C
Annex III conformity for 7 production AI systems before deadline.
7
Systems
3
High-risk filings
✓
Launch held
SCOPEAI Act · Annex III · DPIA integration
CASE 02Foundation-model provider
GPAI obligations met before August 2025 deadline. Model card and copyright policy filed.
2
GPAI models
2
Model cards
0
Authority queries
SCOPEGPAI · Art. 53-55 · Model documentation
CASE 03EU bank · Tier 2
Combined GDPR Article 35 and AI Act conformity for credit-scoring system.
4
Models reviewed
4 mo
Time to readiness
0
Critical findings
SCOPEAI Act · GDPR · Combined DPIA
§ 07 / WHY THIS MATTERS
AI Act enforcement.
€35M / 7%
Maximum fine for prohibited AI practices
Feb 2025
Prohibitions and AI literacy now enforceable
Aug 2025
GPAI obligations active
Aug 2026
High-risk and most other provisions apply
TREND 01
Provider vs deployer is not always obvious
Fine-tuning a foundation model can shift you from deployer to provider. Authorities have made clear that significant modifications change the obligation set.
TREND 02
Fundamental rights impact assessments are a new artefact
Article 27 FRIAs are required for public bodies and certain private high-risk deployments. The template is distinct from a GDPR DPIA, but the two are typically integrated.
TREND 03
Documentation is the real bottleneck
Most organisations can classify their systems quickly. The slow step is producing Article 11 technical documentation that withstands a notified body review.
§ 08 / FAQ
Common questions.
01When do AI Act obligations actually apply to us?+
Prohibitions and AI literacy obligations applied from February 2025. GPAI obligations from August 2025. High-risk system obligations from August 2026 (with some sector-specific extensions). Deployers of high-risk systems have a 24-month window from market placement to comply with operational duties.
02Are we a provider or a deployer?+
You are a provider if you develop or have an AI system developed and place it on the market under your name. You are a deployer if you use an AI system under your authority. Significant modifications to a third-party system can make you a provider. We confirm in the classification step.
03How does the AI Act interact with GDPR?+
High-risk AI systems usually process personal data, so Article 35 DPIA obligations under GDPR apply in parallel. Our practice produces a combined DPIA covering both regulations. The technical documentation under Article 11 references the GDPR records architecture.
04What if we use a third-party foundation model?+
You are a deployer for that model. Your obligations include human oversight, monitoring, transparency disclosures, and incident reporting. If you significantly fine-tune the model, you may become a provider for the fine-tuned version, which triggers full provider obligations.
05Do we need ISO 42001?+
No, the AI Act does not mandate ISO 42001. The standard is useful as a structured AI management framework and increasingly requested by buyers and tenders. Organisations seeking external certification or buyer-led assurance often pursue both AI Act conformity and ISO 42001.
06How do you support an authority enquiry?+
We respond on your behalf, prepare the evidence pack, brief executives, and attend the meeting. The technical documentation we prepared under Article 11 is the primary evidence. Pre-supervisory readiness reviews are part of the AI Act programme retainer.
§ 09 / RESOURCES
Templates and guides.
GUIDEPDF · 36 pages
AI Act Implementation Guide
Phased implementation roadmap aligned with the AI Act application timeline. Annex III mapping and FRIA template included.
Download ↓EMAIL REQUIRED
GUIDEPDF · 12 pages
Provider vs Deployer Decision Tree
Visual decision tree covering provider, deployer, importer and distributor roles. Covers fine-tuning and significant modification scenarios.
Download ↓EMAIL REQUIRED
TEMPLATEPDF + DOCX
Combined DPIA and AI Act FRIA Template
Single template covering Article 35 GDPR DPIA and Article 27 AI Act fundamental rights impact assessment.
Download ↓EMAIL REQUIRED
§ 10 / RELATED PRACTICES
Related practices.
Data Protection and GDPR
Article 35 DPIA extends to combined GDPR and AI Act assessments. Same DPO, same records spine.
Open practice →Cybersecurity and ISO 27001
Article 15 cybersecurity obligations for high-risk AI overlap with ISO 27001 Annex A controls.
Open practice →Incident Response
Article 73 serious incident reporting for high-risk systems. Same crisis-team coordination.
Open practice →11 / GET STARTED
Start your AI Act programme.
Free initial meeting. Clear next steps. Indicative pricing within one business day.