Step 1: Verify the Banned Categories (Immediate Action)
Before analyzing storage, logging, or model governance, confirm whether your system falls into any of the prohibited categories under Article 5. If it does, operating the software in the EU is not permitted.
- Untargeted scraping of facial images from CCTV or public footage to build biometric databases.
- Emotion recognition systems used in workplaces or educational institutions.
- Social scoring algorithms that rank citizens based on social behavior, creditworthiness, or personal traits.
- Subliminal or manipulative techniques designed to distort user behavior and cause physical or psychological harm.
Step 2: Determine Your Risk Tier
The EU AI Act is built around a risk-tier system. Your engineering overhead is driven by the category your system occupies:
| Risk Classification | Technical Implication | Example Systems |
|---|---|---|
| Prohibited | Total market ban | Dark-pattern behavioral manipulation |
| High-Risk | Full Annex IV technical documentation required | Resume filtering, loan scoring, medical diagnostics |
| Limited Risk | Mandatory end-user transparency rules | Customer service chatbots, AI image generators |
| Minimal Risk | No regulatory overhead | Spam filters, basic video game AI |
Step 3: Audit Your Core Data Pipelines
If your software is high-risk, your development pipeline must support strict quality and traceability requirements.
- Data Governance: Ensure training, validation, and test datasets are under active provenance review. Audit for systematic bias before deployment.
- Continuous Logging: Embed automated event logging in your system architecture to capture runtime performance, decision data, and operational trace logs.
- Model Change Control: Track model versions, data sources, and fine-tuning changes so you can demonstrate a compliant update path.
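The three controls above (data provenance, continuous logging, model change control) can be backed by a small, auditable code path. The following is an added example and is not code from the original page or from any product it mentions: it fingerprints datasets and the serialized model with SHA-256, records a change-control entry that links a model version to its parent and its exact training data, and keeps a hash-chained, append-only event log whose integrity can be verified before the records are handed to an auditor. The `ModelRecord` schema, the `AuditLog` class and the sample data are constructed assumptions, not an official Annex IV format.

```python
from __future__ import annotations

import hashlib
import json
from dataclasses import asdict, dataclass
from typing import Dict, List, Optional


def fingerprint(data: bytes) -> str:
    """SHA-256 hex digest; pins a dataset split or model artifact to its exact bytes."""
    return hashlib.sha256(data).hexdigest()


@dataclass
class ModelRecord:
    """One entry in the model change-control register (constructed schema)."""
    model_version: str
    model_sha256: str
    dataset_sha256: Dict[str, str]      # split name -> digest of that split
    parent_version: Optional[str]       # version this one was fine-tuned from, if any
    change_note: str                    # why the model changed (bias review, data refresh, ...)


class AuditLog:
    """Append-only, hash-chained event log.

    Every entry embeds the digest of the previous entry, so altering, reordering
    or deleting any record changes the digests after it and verify() fails.
    """

    GENESIS = "0" * 64

    def __init__(self) -> None:
        self.entries: List[dict] = []

    @staticmethod
    def _digest(body: dict) -> str:
        # Canonical JSON (sorted keys, no whitespace) so the same record always hashes the same.
        return fingerprint(json.dumps(body, sort_keys=True, separators=(",", ":")).encode())

    def append(self, event: dict) -> dict:
        prev = self.entries[-1]["entry_hash"] if self.entries else self.GENESIS
        body = {"seq": len(self.entries), "prev_hash": prev, **event}
        body["entry_hash"] = self._digest(body)
        self.entries.append(body)
        return body

    def verify(self) -> bool:
        prev = self.GENESIS
        for seq, entry in enumerate(self.entries):
            body = {k: v for k, v in entry.items() if k != "entry_hash"}
            if body.get("seq") != seq or body.get("prev_hash") != prev:
                return False            # gap, reorder or deletion
            if self._digest(body) != entry["entry_hash"]:
                return False            # content of this entry was modified
            prev = entry["entry_hash"]
        return True


def check_artifacts(record: ModelRecord, model_bytes: bytes, datasets: Dict[str, bytes]) -> bool:
    """Re-hash what is about to be deployed and compare it with the register entry."""
    if fingerprint(model_bytes) != record.model_sha256:
        return False
    return {name: fingerprint(blob) for name, blob in datasets.items()} == record.dataset_sha256


# Constructed sample data standing in for real dataset files and a serialized model.
SAMPLE_DATASETS = {
    "train": b"applicant_id,income,outcome\n1,42000,approved\n2,18000,declined\n",
    "test": b"applicant_id,income,outcome\n9,31000,declined\n",
}
SAMPLE_MODEL = b"<serialized loan-scoring model v1.2.0>"


def demo():
    """Register a model version, log one runtime decision, return (record, log)."""
    record = ModelRecord(
        model_version="1.2.0",
        model_sha256=fingerprint(SAMPLE_MODEL),
        dataset_sha256={name: fingerprint(blob) for name, blob in SAMPLE_DATASETS.items()},
        parent_version="1.1.0",
        change_note="fine-tuned on refreshed training split after bias review",
    )
    log = AuditLog()
    log.append({"type": "model_registered", **asdict(record)})
    log.append({
        "type": "decision",
        "model_version": record.model_version,
        "input_sha256": fingerprint(b"applicant 17 feature vector"),   # hash, not raw PII
        "output": "declined",
        "score": 0.31,
        "ts": "2025-01-15T10:00:00Z",
    })
    return record, log


if __name__ == "__main__":
    rec, audit = demo()
    print("artifacts match register:", check_artifacts(rec, SAMPLE_MODEL, SAMPLE_DATASETS))
    print("log chain intact:", audit.verify())
```

The hash chain makes tampering detectable, not impossible: anyone with write access to the log file can rebuild the chain from scratch. For evidentiary use, periodically export the latest `entry_hash` to a store the logging host cannot write to (a signed release note, a separate account's bucket, a write-once log service) so a rewritten chain can be spotted against the anchored value. Decision entries store a hash of the input rather than the input itself, which keeps the log useful for traceability without turning it into a second copy of personal data.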
Next Action Item
Unsure which category your current software fits into? Don’t guess your way through dense legal text.
Take 5 minutes to run your software architecture through our free, automated EU AI Act Compliance Checker to get an instant risk assessment report.