Framework
EU AI Act
Entered into force 1 August 2024. Applies in waves through 2027. Penalties up to €35M or 7% of global turnover for prohibited-use breaches.
The timeline
- 2 Feb 2025: Prohibited practices
Social scoring, manipulative AI, real-time biometric ID in public spaces, predictive policing, untargeted face-image scraping. AI literacy obligations apply to providers and deployers.
- 2 Aug 2025: GPAI obligations
Transparency, technical documentation, copyright policy, training-data summary. Penalty regime activates. GPAI models on the market before this date have a 2-year grace period.
- 2 Aug 2026: High-risk systems
Risk management, data governance, technical documentation, logging, transparency, human oversight, accuracy / robustness / cybersecurity, conformity assessment, post-market monitoring.
- 2 Aug 2027: Embedded high-risk
High-risk AI in regulated products (medical devices, machinery, toys, etc.) must comply. GPAI models on the market before 2 Aug 2025 must be fully compliant.
Sources: European Commission, artificialintelligenceact.eu.
ISO 42001 + NIST AI RMF — the management-system spine
The AI Act is a product-regulation regime, but its risk-management and quality-management articles (Articles 9, 10, 17) align directly to ISO 42001 clauses 6.1 and 8.2–8.3 and to the NIST AI RMF Govern / Map functions. CSA and EU AI Compass crosswalks suggest implementing 42001 + AI RMF gets you roughly 60–70% of the way to AI Act compliance for the management-system side.
Argitron ships an AI-system inventory, impact-assessment workflows, lifecycle stage gates, post-market monitoring, and the documentation pack the Act expects.
The board read about the AI Act. You need a defensible answer.
ISO 42001 + NIST AI RMF + Argitron's AI-system inventory + impact-assessment workflows. Free under 25 assets.