EU AI Act — Regulation (EU) 2024/1689
EU AI Act — Regulation (EU) 2024/1689 — 79% covered.
141 requirements · 98 enforced · 19 designed · 16 advisory · 0 deferred.
Source: https://eur-lex.europa.eu/eli/reg/2024/1689/oj · License: EU Open Data — public domain
By category
| Category | Reqs | Enforced | Designed | Advisory | Deferred | Coverage |
|---|---|---|---|---|---|---|
| Annex III — High-risk use-case classes | 1 | 1 | 0 | 0 | 0 | 100% |
| Art 10 — Data and data governance | 6 | 5 | 0 | 1 | 0 | 88% |
| Art 11-12 — Technical documentation & record-keeping | 4 | 4 | 0 | 0 | 0 | 100% |
| Art 13 — Transparency to deployers | 9 | 7 | 2 | 0 | 0 | 89% |
| Art 14 — Human oversight | 12 | 10 | 1 | 1 | 0 | 90% |
| Art 15 — Accuracy, robustness & cybersecurity | 5 | 5 | 0 | 0 | 0 | 100% |
| Art 16-29 — Provider/deployer obligations | 3 | 3 | 0 | 0 | 0 | 100% |
| Art 50-52 — Transparency to natural persons | 2 | 1 | 0 | 1 | 0 | 63% |
| Art 6 — High-risk classification | 4 | 4 | 0 | 0 | 0 | 100% |
| Art 72 — Post-market monitoring & incidents | 1 | 1 | 0 | 0 | 0 | 100% |
| Art 9 — Risk management system | 9 | 9 | 0 | 0 | 0 | 100% |
| Art 86 — Right to explanation | 2 | 2 | 0 | 0 | 0 | 100% |
| Title I — General provisions | 6 | 3 | 1 | 2 | 0 | 67% |
| Art 5 — Prohibited practices | 8 | 8 | 0 | 0 | 0 | 100% |
| Art 12 — Record-keeping | 1 | 1 | 0 | 0 | 0 | 100% |
| Art 16 — Provider obligations | 9 | 5 | 3 | 1 | 0 | 75% |
| Art 17 — Quality management system | 1 | 0 | 1 | 0 | 0 | 50% |
| Art 18 — Documentation keeping | 1 | 1 | 0 | 0 | 0 | 100% |
| Art 19 — Automatically generated logs | 1 | 1 | 0 | 0 | 0 | 100% |
| Art 20 — Corrective actions | 1 | 1 | 0 | 0 | 0 | 100% |
| Art 21 — Cooperation with competent authorities | 1 | 1 | 0 | 0 | 0 | 100% |
| Art 22 — Authorised representatives | 1 | 0 | 0 | 1 | 0 | 25% |
| Art 23 — Importer obligations | 1 | 0 | 0 | 1 | 0 | 25% |
| Art 24 — Distributor obligations | 1 | 0 | 0 | 1 | 0 | 25% |
| Art 25 — Provider responsibility along value chain | 1 | 0 | 0 | 1 | 0 | 25% |
| Art 26 — Deployer obligations | 7 | 4 | 2 | 1 | 0 | 75% |
| Art 27 — Fundamental-rights impact assessment | 2 | 0 | 1 | 1 | 0 | 38% |
| Art 28 — Notifying authorities | 1 | 0 | 0 | 0 | 0 | 0% |
| Art 29 — Application for notification | 1 | 0 | 0 | 0 | 0 | 0% |
| Art 43 — Conformity assessment | 1 | 1 | 0 | 0 | 0 | 100% |
| Art 44 — Certificates | 1 | 0 | 0 | 0 | 0 | 0% |
| Art 47 — EU declaration of conformity | 1 | 0 | 1 | 0 | 0 | 50% |
| Art 48 — CE marking | 1 | 0 | 0 | 1 | 0 | 25% |
| Art 49 — Registration in EU database | 1 | 0 | 1 | 0 | 0 | 50% |
| Art 50 — Transparency obligations | 2 | 1 | 1 | 0 | 0 | 75% |
| Art 51 — GPAI with systemic risk | 1 | 1 | 0 | 0 | 0 | 100% |
| Art 52 — GPAI notification | 1 | 0 | 1 | 0 | 0 | 50% |
| Art 53 — GPAI provider obligations | 4 | 3 | 1 | 0 | 0 | 88% |
| Art 55 — GPAI systemic-risk obligations | 4 | 4 | 0 | 0 | 0 | 100% |
| Art 56 — Codes of practice | 1 | 0 | 0 | 0 | 0 | 0% |
| Art 60 — Real-world testing | 1 | 1 | 0 | 0 | 0 | 100% |
| Art 72 — Post-market monitoring | 1 | 1 | 0 | 0 | 0 | 100% |
| Art 73 — Serious incident reporting | 3 | 3 | 0 | 0 | 0 | 100% |
| Art 74 — Market surveillance | 1 | 1 | 0 | 0 | 0 | 100% |
| Art 85 — Right to lodge complaint | 1 | 0 | 0 | 0 | 0 | 0% |
| Art 99 — Penalties | 1 | 0 | 0 | 0 | 0 | 0% |
| Art 113 — Entry into force | 1 | 0 | 0 | 1 | 0 | 25% |
| Annex I — Union harmonisation legislation | 1 | 0 | 0 | 1 | 0 | 25% |
| Annex II — Law-enforcement offences list | 1 | 0 | 0 | 0 | 0 | 0% |
| Annex IV — Technical documentation | 1 | 1 | 0 | 0 | 0 | 100% |
| Annex V — EU declaration of conformity | 1 | 0 | 1 | 0 | 0 | 50% |
| Annex VI — Internal-control conformity assessment | 1 | 1 | 0 | 0 | 0 | 100% |
| Annex VII — Notified-body conformity assessment | 1 | 0 | 0 | 1 | 0 | 25% |
| Annex VIII — EU database registration | 1 | 0 | 1 | 0 | 0 | 50% |
| Annex IX — Annex III registration | 1 | 0 | 1 | 0 | 0 | 50% |
| Annex X — JHA large-scale IT systems | 1 | 0 | 0 | 0 | 0 | 0% |
| Annex XI — GPAI technical documentation | 1 | 1 | 0 | 0 | 0 | 100% |
| Annex XII — Downstream-integrator information | 1 | 1 | 0 | 0 | 0 | 100% |
| Annex XIII — GPAI systemic-risk criteria | 1 | 1 | 0 | 0 | 0 | 100% |
Every requirement → the KYE™ artefact that enforces it
| ID | Title | Status | KYE™ enforcement |
|---|---|---|---|
| eu-ai-act.Annex3 | High-risk AI systems enumerated in Annex III (biometrics, critical infrastructure, education, employment, essential services, law enforcement, migration, justice, democratic processes) | enforced | audit_events: kye.model.capability_profile.v1, kye.purpose.permission.v1, kye.purpose.admissibility.v1; engines: internal, internal; constitution_refs: constitution/12-PURPOSE-PERMISSION.md |
| eu-ai-act.A10.2 | Training, validation and testing data sets shall be subject to data-governance practices | enforced | audit_events: kye.evidence.model_params.v1, kye.model.influence_envelope.v1; engines: internal; constitution_refs: constitution/14-AGENTS-AND-ENGINES.md |
| eu-ai-act.A10.3 | Data sets shall be relevant, sufficiently representative, free of errors and complete | advisory | constitution_refs: constitution/14-AGENTS-AND-ENGINES.md |
| eu-ai-act.A10.5 | Processing of special-category personal data for bias detection and correction (lawful-basis exception) | enforced | audit_events: kye.purpose.grant.v1, kye.purpose.admissibility.v1, kye.evidence.decision_map.v1; engines: internal; constitution_refs: constitution/12-PURPOSE-PERMISSION.md |
| eu-ai-act.A11.1 | Draw up technical documentation of the high-risk AI system before placing on market (Annex IV) | enforced | audit_events: kye.model.capability_profile.v1, kye.model.influence_envelope.v1, kye.evidence.pack.v1; engines: internal; constitution_refs: constitution/21-DELEGATED-AUDITABILITY.md |
| eu-ai-act.A11.2 | Keep technical documentation up to date throughout the AI system lifecycle | enforced | audit_events: kye.signal.drift.detected.v1, kye.resilience.improvement_record.v1, kye.compliance.attestation.v1; engines: internal; constitution_refs: constitution/13-RESILIENCE-LOOP.md |
| eu-ai-act.A12.1 | Automatic recording of events (logs) over the lifetime of the high-risk AI system | enforced | audit_events: kye.evidence.decision_map.v1, kye.evidence.observed_action.v1, kye.audit.event.v1; engines: internal, internal; constitution_refs: constitution/21-DELEGATED-AUDITABILITY.md, constitution/35-STREAMING-LOGS.md |
| eu-ai-act.A12.3 | Logging shall enable monitoring of operation with respect to risks identified under Art 9 | enforced | audit_events: kye.evidence.decision_map.v1, kye.risk.score.v1, kye.signal.evidence.sealed.v1; engines: internal, internal; worm_tables: decisions, evidence_pack; constitution_refs: constitution/30-AUDIT-WORM-RETENTION.md |
| eu-ai-act.A13.1 | Design and develop high-risk AI systems to ensure sufficient transparency to deployers | enforced | audit_events: kye.model.capability_profile.v1, kye.model.influence_envelope.v1, kye.assurance.adoption_stage.v1; engines: internal; constitution_refs: constitution/14-AGENTS-AND-ENGINES.md, constitution/36-GOVERNEDUI.md |
| eu-ai-act.A13.3.a | Instructions for use shall identify provider, intended purpose, performance, known limitations | enforced | audit_events: kye.model.capability_profile.v1, kye.purpose.permission.v1; engines: internal; constitution_refs: constitution/12-PURPOSE-PERMISSION.md |
| eu-ai-act.A13.3.d | Instructions for use shall include human-oversight measures, including the technical measures put in place | enforced | audit_events: kye.assurance.adoption_stage.v1, kye.governedui.evidence_timeline.v1; engines: internal; governedui_modules: kye.governedui.module.authority_scope.v1, kye.governedui.module.evidence_timeline.v1; constitution_refs: constitution/36-GOVERNEDUI.md |
| eu-ai-act.A14.1 | High-risk AI systems shall be designed to be effectively overseen by natural persons | enforced | audit_events: kye.assurance.adoption_stage.v1, kye.purpose.grant.v1; engines: internal, internal; governedui_modules: kye.governedui.module.action_approval.v1, kye.governedui.module.approval_queue.v1; constitution_refs: constitution/36-GOVERNEDUI.md |
| eu-ai-act.A14.4.a | Oversight persons can properly understand the relevant capacities and limitations of the system | designed | audit_events: kye.model.capability_profile.v1, kye.governedui.evidence_timeline.v1; governedui_modules: kye.governedui.module.entity_passport.v1, kye.governedui.module.evidence_timeline.v1; constitution_refs: constitution/36-GOVERNEDUI.md |
| eu-ai-act.A14.4.d | Oversight persons can intervene on the operation or interrupt the system through a stop button | enforced | audit_events: kye.purpose.grant.revoked.v1, kye.assurance.adoption_stage.v1; engines: internal, internal; constitution_refs: constitution/12-PURPOSE-PERMISSION.md |
| eu-ai-act.A14.5 | For Annex III §1(a) biometric-identification systems, no action shall be taken on the basis of identification unless verified and confirmed by at least two natural persons | enforced | audit_events: kye.purpose.admissibility.v1, kye.evidence.decision_map.v1; engines: internal, internal; constitution_refs: constitution/36-GOVERNEDUI.md |
| eu-ai-act.A14.2 | Human oversight shall aim to prevent or minimise risks to health, safety or fundamental rights for the period the system is in use | enforced | audit_events: kye.oversight.envelope_set.v1, kye.oversight.envelope_breach.v1, kye.oversight.drift_alert.v1; engines: internal, internal; governedui_modules: kye.governedui.module.oversight_envelope.v1, kye.governedui.module.authority_drift.v1; constitution_refs: constitution/36-GOVERNEDUI.md, constitution/13-RESILIENCE-LOOP.md |
| eu-ai-act.A14.4.b | Oversight persons remain aware of the possible tendency of automatically relying or over-relying on the output (automation bias) | enforced | audit_events: kye.oversight.drift_alert.v1, kye.resilience.drift.detected.v1; governedui_modules: kye.governedui.module.oversight_envelope.v1, kye.governedui.module.authority_drift.v1; constitution_refs: constitution/13-RESILIENCE-LOOP.md, constitution/36-GOVERNEDUI.md |
| eu-ai-act.A15.1 | Achieve an appropriate level of accuracy, robustness, and cybersecurity throughout the lifecycle | enforced | audit_events: kye.evidence.trace_replay_spec.v1, kye.compliance.attestation.v1, kye.signal.stress_test.high_risk_detected.v1; engines: internal; constitution_refs: constitution/13-RESILIENCE-LOOP.md |
| eu-ai-act.A15.3 | Levels of accuracy and relevant accuracy metrics declared in the instructions for use | enforced | audit_events: kye.model.capability_profile.v1; engines: internal; constitution_refs: constitution/14-AGENTS-AND-ENGINES.md |
| eu-ai-act.A15.4 | Resilience against errors, faults or inconsistencies and against feedback loops (concept drift) | enforced | audit_events: kye.resilience.drift_event.v1, kye.signal.drift.detected.v1, kye.signal.stable_drift.detected.v1; engines: internal; constitution_refs: constitution/13-RESILIENCE-LOOP.md |
| eu-ai-act.A15.5 | Cybersecurity measures against attempts by unauthorised third parties to alter use, behaviour or performance | enforced | audit_events: kye.purpose.admissibility.v1, kye.agent.refusal.v1, kye.evidence.tool_call_pin.v1; engines: internal, internal; constitution_refs: constitution/52-DELEGATED-AGENT-BINDING.md |
| eu-ai-act.A17 | Provider shall put in place a quality management system documented in written policies, procedures and instructions | enforced | audit_events: kye.compliance.attestation.v1, kye.risk.authority_register.v1; engines: internal; constitution_refs: constitution/13-RESILIENCE-LOOP.md, constitution/40-IMPLEMENTATION-CANONICAL.md |
| eu-ai-act.A26.1 | Deployer shall use the high-risk AI system in accordance with instructions for use | enforced | audit_events: kye.purpose.admissibility.v1, kye.purpose.grant.v1, kye.agent.refusal.v1; engines: internal; constitution_refs: constitution/12-PURPOSE-PERMISSION.md |
| eu-ai-act.A27 | Deployers that are bodies governed by public law shall perform a fundamental-rights impact assessment | enforced | audit_events: kye.assurance.audit_pilot.v1, kye.risk.score.v1; engines: internal; constitution_refs: constitution/13-RESILIENCE-LOOP.md |
| eu-ai-act.A50.1 | Providers shall ensure AI systems intended to interact directly with natural persons are designed so persons are informed they are interacting with an AI | enforced | audit_events: kye.model.capability_profile.v1, kye.evidence.observed_action.v1; engines: internal; constitution_refs: constitution/14-AGENTS-AND-ENGINES.md |
| eu-ai-act.A50.2 | Providers of generative AI shall mark outputs as artificially generated or manipulated in a machine-readable format | advisory | audit_events: kye.evidence.observed_action.v1, kye.evidence.tool_call_pin.v1; engines: internal; constitution_refs: constitution/14-AGENTS-AND-ENGINES.md |
| eu-ai-act.A6.1 | Classification of AI systems as high-risk per Annex I safety-component criteria | enforced | audit_events: kye.model.capability_profile.v1, kye.evidence.decision_map.v1, kye.compliance.attestation.v1; engines: internal, internal; constitution_refs: constitution/13-RESILIENCE-LOOP.md, constitution/14-AGENTS-AND-ENGINES.md |
| eu-ai-act.A6.2 | Classification of AI systems as high-risk per Annex III enumerated use-cases | enforced | audit_events: kye.model.capability_profile.v1, kye.purpose.admissibility.v1; engines: internal, internal; constitution_refs: constitution/12-PURPOSE-PERMISSION.md |
| eu-ai-act.A72.1 | Providers shall establish a post-market monitoring system and report serious incidents to national authorities | enforced | audit_events: kye.signal.stress_test.high_risk_detected.v1, kye.resilience.drift_event.v1, kye.evidence.pack.v1, kye.compliance.attestation.v1; engines: internal, internal; constitution_refs: constitution/13-RESILIENCE-LOOP.md, constitution/21-DELEGATED-AUDITABILITY.md |
| eu-ai-act.A9.1 | Establish, implement, document and maintain a risk-management system across the AI lifecycle | enforced | audit_events: kye.risk.score.v1, kye.risk.authority_register.v1, kye.compliance.attestation.v1; engines: internal; constitution_refs: constitution/13-RESILIENCE-LOOP.md |
| eu-ai-act.A9.2 | Identify and analyse known and reasonably foreseeable risks to health, safety and fundamental rights | enforced | audit_events: kye.risk.score.v1, kye.model.capability_profile.v1, kye.evidence.decision_map.v1; engines: internal, internal; constitution_refs: constitution/13-RESILIENCE-LOOP.md |
| eu-ai-act.A9.5 | Adopt appropriate and targeted risk-management measures to eliminate or reduce identified risks | enforced | audit_events: kye.purpose.admissibility.v1, kye.purpose.grant.v1, kye.evidence.decision_map.v1; engines: internal, internal; constitution_refs: constitution/12-PURPOSE-PERMISSION.md |
| eu-ai-act.A9.8 | Test the AI system for purposes of identifying the most appropriate risk-management measures | enforced | audit_events: kye.evidence.trace_replay_spec.v1, kye.assurance.audit_replay_report.v1; engines: internal, internal; constitution_refs: constitution/21-DELEGATED-AUDITABILITY.md |
| eu-ai-act.A13.RATIONALE | Transparency to deployers — the governance decision is rendered in a structured, human-readable rationale a deployer can inspect and pass on | enforced | audit_events: kye.decision_rationale.v1, kye.evidence.pack.v1, kye.evidence.decision_map.v1; engines: internal, internal; constitution_refs: constitution/21-DELEGATED-AUDITABILITY.md, constitution/12-PURPOSE-PERMISSION.md |
| eu-ai-act.A14.RATIONALE | Human oversight — the rationale records the natural-person intervention (approve / reject / modify / interrupt) and the oversight mode in force | enforced | audit_events: kye.decision_rationale.v1, kye.evidence.pack.v1; engines: internal, internal; governedui_modules: kye.governedui.module.action_approval.v1, kye.governedui.module.evidence_timeline.v1; constitution_refs: constitution/21-DELEGATED-AUDITABILITY.md, constitution/36-GOVERNEDUI.md |
| eu-ai-act.A86.RATIONALE | Right to explanation — an affected person receives a clear, meaningful, contestable account of why the decision was reached and how to contest it | enforced | audit_events: kye.decision_rationale.v1, kye.dispute.v1, kye.evidence.decision_map.v1; engines: internal; constitution_refs: constitution/21-DELEGATED-AUDITABILITY.md |
| eu-ai-act.A1 | Subject matter — harmonised rules for placing on market, putting into service and use of AI systems in the Union | advisory | constitution_refs: constitution/25-EDGE-GOVERNANCE.md |
| eu-ai-act.A2.1 | Scope — applies to providers, deployers, importers, distributors, product manufacturers and affected persons in the Union | enforced | audit_events: kye.jurisdiction.attestation.v1; engines: internal; constitution_refs: constitution/25-EDGE-GOVERNANCE.md |
| eu-ai-act.A2.3 | Exclusions — military, defence, national security, scientific research and personal non-professional activity | advisory | constitution_refs: constitution/26-COMMERCIAL.md |
| eu-ai-act.A3.1 | Definition — 'AI system' means a machine-based system designed to operate with varying levels of autonomy, that may exhibit adaptiveness after deployment, and that infers from input how to generate outputs | enforced | audit_events: kye.entity.model.v1, kye.model.capability_profile.v1; engines: internal; constitution_refs: constitution/14-AGENTS-AND-ENGINES.md |
| eu-ai-act.A3.63 | Definition — 'general-purpose AI model' means an AI model trained on a large amount of data using self-supervision at scale, displaying significant generality | enforced | audit_events: kye.model.capability_profile.v1, kye.model.influence_envelope.v1; engines: internal; constitution_refs: constitution/14-AGENTS-AND-ENGINES.md |
| eu-ai-act.A4 | AI literacy — providers and deployers must take measures to ensure a sufficient level of AI literacy of their staff and other persons dealing with the system on their behalf | designed | constitution_refs: constitution/39-LEARN-RAIL.md, constitution/10-PARTNER.md |
| eu-ai-act.A5.1.a | Prohibited practice — subliminal techniques beyond a person's consciousness or purposefully manipulative techniques materially distorting behaviour | enforced | audit_events: kye.purpose.admissibility.v1, kye.evidence.decision_map.v1; engines: internal, internal; rule_packs: kye:rule-pack:eu-ai-act; constitution_refs: constitution/12-PURPOSE-PERMISSION.md |
| eu-ai-act.A5.1.b | Prohibited practice — exploitation of vulnerabilities due to age, disability or social/economic situation | enforced | audit_events: kye.purpose.admissibility.v1; engines: internal; constitution_refs: constitution/12-PURPOSE-PERMISSION.md |
| eu-ai-act.A5.1.c | Prohibited practice — social scoring leading to detrimental treatment outside the original collection context | enforced | audit_events: kye.purpose.admissibility.v1, kye.data_use_manifest.v1; engines: internal, internal; constitution_refs: constitution/31-DATA-GOVERNANCE-PACK.md |
| eu-ai-act.A5.1.d | Prohibited practice — risk assessment of natural persons solely on profiling or personality-trait assessment for predicting criminal offences | enforced | audit_events: kye.purpose.admissibility.v1; engines: internal; constitution_refs: constitution/12-PURPOSE-PERMISSION.md |
| eu-ai-act.A5.1.e | Prohibited practice — untargeted scraping of facial images for facial-recognition databases | enforced | audit_events: kye.data_use_manifest.v1, kye.purpose.admissibility.v1; engines: internal, internal; constitution_refs: constitution/31-DATA-GOVERNANCE-PACK.md |
| eu-ai-act.A5.1.f | Prohibited practice — emotion recognition in workplace and educational institutions (except for medical or safety reasons) | enforced | audit_events: kye.purpose.admissibility.v1; engines: internal; constitution_refs: constitution/12-PURPOSE-PERMISSION.md |
| eu-ai-act.A5.1.g | Prohibited practice — biometric categorisation systems that infer race, political opinions, trade-union membership, religious or philosophical beliefs, sex life or sexual orientation | enforced | audit_events: kye.purpose.admissibility.v1; engines: internal; constitution_refs: constitution/12-PURPOSE-PERMISSION.md |
| eu-ai-act.A5.1.h | Prohibited practice — real-time remote biometric identification in publicly accessible spaces for law enforcement (with narrow exceptions) | enforced | audit_events: kye.purpose.admissibility.v1; engines: internal; constitution_refs: constitution/12-PURPOSE-PERMISSION.md |
| eu-ai-act.A6.3 | Derogation — Annex III system not considered high-risk if it does not pose a significant risk and meets one of the conditions in 6(3)(a)-(d) | enforced | audit_events: kye.risk.score.v1, kye.compliance.attestation.v1; engines: internal; constitution_refs: constitution/13-RESILIENCE-LOOP.md |
| eu-ai-act.A6.4 | Provider documenting Art 6(3) derogation assessment and registering in the EU database | enforced | audit_events: kye.evidence.pack.v1, kye.compliance.attestation.v1; engines: internal; constitution_refs: constitution/21-DELEGATED-AUDITABILITY.md |
| eu-ai-act.A9.3 | Risk-management measures shall give due consideration to the effects on persons under 18 and other vulnerable groups | enforced | audit_events: kye.risk.score.v1, kye.consequence_map.v1; engines: internal, internal; constitution_refs: constitution/13-RESILIENCE-LOOP.md |
| eu-ai-act.A9.4 | Risk-management measures shall be such that the relevant residual risk is judged acceptable | enforced | audit_events: kye.risk.score.v1, kye.compliance.attestation.v1; engines: internal; constitution_refs: constitution/13-RESILIENCE-LOOP.md |
| eu-ai-act.A9.6 | High-risk AI systems shall be tested for the purpose of identifying the most appropriate and targeted risk management measures | enforced | audit_events: kye.evidence.trace_replay_spec.v1, kye.scenario_run.v1; engines: internal, internal; constitution_refs: constitution/21-DELEGATED-AUDITABILITY.md |
| eu-ai-act.A9.7 | Testing of high-risk AI systems shall be performed against prior defined metrics and probabilistic thresholds appropriate to intended purpose | enforced | audit_events: kye.scenario.v1, kye.assurance.audit_replay_report.v1; engines: internal; constitution_refs: constitution/21-DELEGATED-AUDITABILITY.md |
| eu-ai-act.A9.9 | Risk-management process for high-risk systems intended for credit institutions covered by Union financial-services law shall be integrated with the institution's existing risk management | enforced | audit_events: kye.connector.evidence_import.v1, kye.compliance.attestation.v1; engines: internal; constitution_refs: constitution/13-RESILIENCE-LOOP.md |
| eu-ai-act.A10.1 | High-risk AI systems using techniques involving training of models with data shall be developed on the basis of training, validation and testing data sets that meet quality criteria | enforced | audit_events: kye.data_use_manifest.v1, kye.evidence.model_params.v1; engines: internal; constitution_refs: constitution/31-DATA-GOVERNANCE-PACK.md |
| eu-ai-act.A10.4 | Data sets shall, to the extent required by the intended purpose, take into account the characteristics or elements particular to the specific geographical, contextual, behavioural or functional setting | enforced | audit_events: kye.data_use_manifest.v1, kye.jurisdiction.attestation.v1; engines: internal, internal; constitution_refs: constitution/31-DATA-GOVERNANCE-PACK.md |
| eu-ai-act.A10.6 | Special categories of personal data may be processed for bias detection where strictly necessary, with safeguards | enforced | audit_events: kye.purpose.admissibility.v1, kye.data_use_manifest.v1; engines: internal, internal; constitution_refs: constitution/12-PURPOSE-PERMISSION.md, constitution/31-DATA-GOVERNANCE-PACK.md |
| eu-ai-act.A12.2 | Logs shall enable monitoring of the operation of the high-risk AI system with regard to the occurrence of situations that may result in the system presenting a risk | enforced | audit_events: kye.signal.drift.detected.v1, kye.evidence.pack.v1; engines: internal, internal; constitution_refs: constitution/35-STREAMING-LOGS.md, constitution/30-AUDIT-WORM-RETENTION.md |
| eu-ai-act.A13.2 | High-risk AI systems shall be accompanied by instructions for use in an appropriate digital or other format | designed | audit_events: kye.compliance.attestation.v1; constitution_refs: constitution/39-LEARN-RAIL.md, constitution/11-CONTENT.md |
| eu-ai-act.A13.3.b | Instructions for use shall include performance, robustness and cybersecurity characteristics including degradation conditions | enforced | audit_events: kye.model.capability_profile.v1, kye.compliance.attestation.v1; constitution_refs: constitution/39-LEARN-RAIL.md |
| eu-ai-act.A13.3.c | Instructions for use shall include any known or foreseeable circumstance leading to risks to health, safety or fundamental rights | enforced | audit_events: kye.consequence_map.v1, kye.risk.score.v1; engines: internal; constitution_refs: constitution/13-RESILIENCE-LOOP.md |
| eu-ai-act.A13.3.e | Instructions for use shall include human-oversight measures including technical measures to facilitate interpretation of the outputs | enforced | governedui_modules: kye.governedui.module.action_approval.v1, kye.governedui.module.evidence_timeline.v1; constitution_refs: constitution/36-GOVERNEDUI.md |
| eu-ai-act.A13.3.f | Instructions for use shall include the expected lifetime of the system and any necessary maintenance/care measures | designed | audit_events: kye.audit_retention_policy.v1, kye.compliance.attestation.v1; constitution_refs: constitution/30-AUDIT-WORM-RETENTION.md |
| eu-ai-act.A14.2 | Human oversight shall aim at preventing or minimising risks to health, safety or fundamental rights that may emerge when high-risk system is used | enforced | audit_events: kye.purpose.admissibility.v1; engines: internal; governedui_modules: kye.governedui.module.action_approval.v1; constitution_refs: constitution/36-GOVERNEDUI.md |
| eu-ai-act.A14.3 | Oversight measures shall be commensurate with risks, level of autonomy and context of use | enforced | audit_events: kye.purpose.permission.v1, kye.risk.score.v1; engines: internal, internal; constitution_refs: constitution/12-PURPOSE-PERMISSION.md |
| eu-ai-act.A14.4.b | Oversight persons shall remain aware of automation bias | advisory | governedui_modules: kye.governedui.module.evidence_timeline.v1; constitution_refs: constitution/36-GOVERNEDUI.md, constitution/39-LEARN-RAIL.md |
| eu-ai-act.A14.4.c | Oversight persons shall be able to correctly interpret the high-risk AI system's output considering tools and methods available | enforced | audit_events: kye.evidence.decision_map.v1; governedui_modules: kye.governedui.module.evidence_timeline.v1; constitution_refs: constitution/36-GOVERNEDUI.md |
| eu-ai-act.A14.4.e | Oversight persons shall be able to decide, in any particular situation, not to use the high-risk system or to disregard, override or reverse the output | enforced | audit_events: kye.approval_decision.v1, kye.purpose.grant.revoked.v1; engines: internal; governedui_modules: kye.governedui.module.action_approval.v1; constitution_refs: constitution/36-GOVERNEDUI.md |
| eu-ai-act.A15.2 | Levels of accuracy and the relevant accuracy metrics shall be declared in the accompanying instructions of use | enforced | audit_events: kye.model.capability_profile.v1; constitution_refs: constitution/14-AGENTS-AND-ENGINES.md |
| eu-ai-act.A16.a | Providers shall ensure high-risk AI systems comply with Section 2 requirements | enforced | audit_events: kye.compliance.attestation.v1; constitution_refs: constitution/40-IMPLEMENTATION-CANONICAL.md |
| eu-ai-act.A16.b | Providers shall indicate name, registered trade name and contact address on the system or its packaging/accompanying documentation | enforced | constitution_refs: constitution/26-COMMERCIAL.md |
| eu-ai-act.A16.c | Providers shall have a quality-management system in place per Article 17 | designed | constitution_refs: constitution/40-IMPLEMENTATION-CANONICAL.md |
| eu-ai-act.A16.d | Providers shall keep the technical documentation per Article 11 for 10 years after placing the system on the market | enforced | audit_events: kye.audit_retention_policy.v1; constitution_refs: constitution/30-AUDIT-WORM-RETENTION.md |
| eu-ai-act.A16.e | Providers shall keep the logs automatically generated by their high-risk AI system per Article 19 | enforced | audit_events: kye.audit_chain_entry.v1, kye.audit_retention_policy.v1; engines: internal, internal; constitution_refs: constitution/30-AUDIT-WORM-RETENTION.md, constitution/35-STREAMING-LOGS.md |
| eu-ai-act.A16.f | Providers shall ensure that the high-risk AI system undergoes the relevant conformity-assessment procedure per Article 43 | enforced | audit_events: kye.assurance.tier1_readiness.v1, kye.compliance.attestation.v1; constitution_refs: constitution/21-DELEGATED-AUDITABILITY.md |
| eu-ai-act.A16.g | Providers shall draw up an EU declaration of conformity per Article 47 | designed | audit_events: kye.compliance.attestation.v1, kye.evidence.pack.v1; constitution_refs: constitution/21-DELEGATED-AUDITABILITY.md |
| eu-ai-act.A16.h | Providers shall affix the CE marking on the high-risk AI system per Article 48 | advisory | constitution_refs: constitution/26-COMMERCIAL.md |
| eu-ai-act.A16.i | Providers shall register the system in the EU database per Article 49 | designed | audit_events: kye.evidence.pack.v1; constitution_refs: constitution/21-DELEGATED-AUDITABILITY.md |
| eu-ai-act.A17.1 | Providers shall put in place a quality management system that ensures compliance with this Regulation | designed | audit_events: kye.compliance.attestation.v1; constitution_refs: constitution/40-IMPLEMENTATION-CANONICAL.md |
| eu-ai-act.A18 | Provider shall keep the documentation referred to in Articles 11, 17, 20, 21 and 49 at disposal of the national competent authorities for 10 years | enforced | audit_events: kye.audit_retention_policy.v1; constitution_refs: constitution/30-AUDIT-WORM-RETENTION.md |
| eu-ai-act.A19 | Providers shall keep automatically-generated logs for at least 6 months unless a longer period is required by sectoral Union law | enforced | audit_events: kye.audit_retention_policy.v1, kye.audit_chain_entry.v1; engines: internal; constitution_refs: constitution/30-AUDIT-WORM-RETENTION.md |
eu-ai-act.A20 |
Providers that consider or have reason to consider that a placed system is not in conformity shall take corrective actions | enforced | audit_events: kye.signal.incident.opened.v1, kye.purpose.grant.revoked.v1engines: internal, internalconstitution_refs: constitution/13-RESILIENCE-LOOP.md |
eu-ai-act.A21 |
Providers shall, upon reasoned request of a national competent authority, provide all information and documentation necessary to demonstrate conformity | enforced | audit_events: kye.assurance.audit_pilot.v1, kye.evidence.pack.v1agents: internalconstitution_refs: constitution/21-DELEGATED-AUDITABILITY.md |
eu-ai-act.A22 |
Providers established in third countries shall, before making available on the Union market, appoint an authorised representative in the Union | advisory | constitution_refs: constitution/26-COMMERCIAL.md |
eu-ai-act.A23 |
Importers shall verify provider's conformity-assessment procedure, technical documentation and CE marking before placing the system on the market | advisory | audit_events: kye.assurance.audit_pilot.v1constitution_refs: constitution/21-DELEGATED-AUDITABILITY.md |
eu-ai-act.A24 |
Distributors shall, before making a high-risk AI system available, verify that it bears CE marking, has the EU DoC and instructions for use, and that the provider/importer have complied with Articles 16(b)(c)(d) and 23(3) | advisory | audit_events: kye.compliance.attestation.v1constitution_refs: constitution/26-COMMERCIAL.md |
eu-ai-act.A25 |
Any distributor, importer, deployer or third party that puts a high-risk AI system on market under its own name shall be considered a provider and shall assume provider obligations | advisory | constitution_refs: constitution/26-COMMERCIAL.md |
eu-ai-act.A26.2 |
Deployers shall assign human oversight to natural persons who have the necessary competence, training, authority and support | enforced | audit_events: kye.purpose.permission.v1engines: internalgovernedui_modules: kye.governedui.module.approval_queue.v1constitution_refs: constitution/36-GOVERNEDUI.md |
eu-ai-act.A26.3 |
Deployers shall ensure that input data is relevant and sufficiently representative | enforced | audit_events: kye.data_use_manifest.v1; engines: internal; constitution_refs: constitution/31-DATA-GOVERNANCE-PACK.md |
eu-ai-act.A26.5 |
Deployers shall monitor the operation of the high-risk AI system on the basis of instructions for use and inform the provider of incidents per Article 72 | enforced | audit_events: kye.signal.incident.opened.v1, kye.signal.drift.detected.v1; engines: internal, internal; constitution_refs: constitution/13-RESILIENCE-LOOP.md |
eu-ai-act.A26.6 |
Deployers shall keep the logs automatically generated for at least 6 months | enforced | audit_events: kye.audit_retention_policy.v1; constitution_refs: constitution/30-AUDIT-WORM-RETENTION.md |
eu-ai-act.A26.7 |
Deployers that are employers shall inform workers' representatives and affected workers before putting into service a high-risk AI system in the workplace | designed | audit_events: kye.comms.dispatch.v1; constitution_refs: constitution/38-COMMS-RAIL.md |
eu-ai-act.A26.8 |
Deployers shall register themselves in the EU database before using a high-risk AI system listed in Annex III | advisory | constitution_refs: constitution/26-COMMERCIAL.md |
eu-ai-act.A26.11 |
Deployers shall use the information provided per Article 13 to comply with their data-protection impact assessment obligation under GDPR Article 35 | designed | audit_events: kye.compliance.attestation.v1, kye.evidence.pack.v1; constitution_refs: constitution/31-DATA-GOVERNANCE-PACK.md |
eu-ai-act.A27.1 |
Deployers that are bodies governed by public law, private operators providing public services, or operators deploying Annex III §5(b)/(c) systems shall perform a fundamental-rights impact assessment (FRIA) | advisory | audit_events: kye.compliance.attestation.v1; constitution_refs: constitution/40-IMPLEMENTATION-CANONICAL.md |
eu-ai-act.A27.3 |
Once the FRIA is performed, the deployer shall notify the market surveillance authority of its results | designed | audit_events: kye.comms.dispatch.v1; constitution_refs: constitution/38-COMMS-RAIL.md |
eu-ai-act.A28 |
Each Member State shall designate or establish at least one notifying authority | out-of-scope | (no enforcement cited) |
eu-ai-act.A29 |
Conformity-assessment bodies shall submit an application for notification to the notifying authority | out-of-scope | (no enforcement cited) |
eu-ai-act.A43 |
For Annex III high-risk systems other than §1, providers shall follow the conformity-assessment procedure based on internal control (Annex VI) | enforced | audit_events: kye.assurance.tier1_readiness.v1, kye.compliance.attestation.v1; constitution_refs: constitution/21-DELEGATED-AUDITABILITY.md |
eu-ai-act.A44 |
Certificates issued by notified bodies shall be in a Union official language and shall be valid for the period they indicate, not exceeding 5 years | out-of-scope | (no enforcement cited) |
eu-ai-act.A47 |
Provider shall draw up a written, machine-readable EU declaration of conformity for each high-risk AI system | designed | audit_events: kye.compliance.attestation.v1, kye.evidence.pack.v1; constitution_refs: constitution/43-MACHINE-READABLE-BY-DEFAULT.md |
eu-ai-act.A48 |
CE marking shall be affixed visibly, legibly and indelibly on the high-risk AI system, or where not possible, on its packaging or documentation | advisory | constitution_refs: constitution/26-COMMERCIAL.md |
eu-ai-act.A49.1 |
Provider shall register itself and each Annex III high-risk system in the EU database before placing on market or putting into service | designed | audit_events: kye.evidence.pack.v1; constitution_refs: constitution/21-DELEGATED-AUDITABILITY.md |
eu-ai-act.A50.3 |
Deployers of emotion-recognition or biometric-categorisation systems shall inform natural persons exposed | enforced | audit_events: kye.consent.acceptance.v1, kye.comms.dispatch.v1; constitution_refs: constitution/38-COMMS-RAIL.md |
eu-ai-act.A50.4 |
Deployers of AI generating or manipulating image, audio or video content (deep fakes) shall disclose that the content has been artificially generated or manipulated | designed | audit_events: kye.evidence.pack.v1; constitution_refs: constitution/14-AGENTS-AND-ENGINES.md |
eu-ai-act.A51 |
General-purpose AI model with systemic risk shall be designated based on high-impact capabilities or by Commission decision | enforced | audit_events: kye.model.capability_profile.v1, kye.model.influence_envelope.v1; constitution_refs: constitution/14-AGENTS-AND-ENGINES.md |
eu-ai-act.A52 |
Provider of a GPAI model meeting the Art 51 condition shall notify the Commission within 2 weeks | designed | audit_events: kye.comms.dispatch.v1; constitution_refs: constitution/38-COMMS-RAIL.md |
eu-ai-act.A53.1.a |
Providers of GPAI models shall draw up and keep up-to-date the technical documentation | enforced | audit_events: kye.evidence.pack.v1, kye.model.capability_profile.v1; engines: internal; constitution_refs: constitution/43-MACHINE-READABLE-BY-DEFAULT.md |
eu-ai-act.A53.1.b |
Providers of GPAI models shall make information available to providers of AI systems that intend to integrate the GPAI | enforced | audit_events: kye.model.capability_profile.v1; constitution_refs: constitution/15-MCP-AND-SDK.md |
eu-ai-act.A53.1.c |
Providers of GPAI models shall put in place a policy to comply with Union law on copyright and related rights | enforced | audit_events: kye.data_use_manifest.v1; engines: internal; constitution_refs: constitution/31-DATA-GOVERNANCE-PACK.md |
eu-ai-act.A53.1.d |
Providers of GPAI models shall draw up and make publicly available a sufficiently detailed summary about the content used for training | designed | audit_events: kye.data_use_manifest.v1; constitution_refs: constitution/31-DATA-GOVERNANCE-PACK.md |
eu-ai-act.A55.1.a |
Providers of GPAI models with systemic risk shall perform model evaluation including adversarial testing | enforced | audit_events: kye.scenario_run.v1, kye.assurance.audit_replay_report.v1; engines: internal; constitution_refs: constitution/21-DELEGATED-AUDITABILITY.md |
eu-ai-act.A55.1.b |
Providers of GPAI models with systemic risk shall assess and mitigate possible systemic risks | enforced | audit_events: kye.risk.score.v1, kye.consequence_map.v1; engines: internal, internal; constitution_refs: constitution/13-RESILIENCE-LOOP.md |
eu-ai-act.A55.1.c |
Providers of GPAI models with systemic risk shall keep track of, document and report serious incidents to the AI Office and national authorities | enforced | audit_events: kye.signal.incident.opened.v1, kye.comms.dispatch.v1; engines: internal; constitution_refs: constitution/38-COMMS-RAIL.md |
eu-ai-act.A55.1.d |
Providers of GPAI models with systemic risk shall ensure an adequate level of cybersecurity protection | enforced | constitution_refs: constitution/51-NO-SPOF.md, constitution/35-STREAMING-LOGS.md |
eu-ai-act.A56 |
AI Office and AI Board shall develop codes of practice for GPAI providers | out-of-scope | (no enforcement cited) |
eu-ai-act.A60 |
Real-world testing of high-risk AI systems outside AI regulatory sandboxes shall meet additional conditions | enforced | audit_events: kye.scenario_run.v1, kye.evidence.pack.v1; engines: internal; constitution_refs: constitution/21-DELEGATED-AUDITABILITY.md |
eu-ai-act.A72.2 |
Post-market monitoring system shall actively and systematically collect, document and analyse relevant data on the performance of high-risk AI systems | enforced | audit_events: kye.signal.drift.detected.v1, kye.audit_chain_entry.v1; engines: internal, internal; constitution_refs: constitution/13-RESILIENCE-LOOP.md, constitution/35-STREAMING-LOGS.md |
eu-ai-act.A73.1 |
Providers shall report serious incidents to the market surveillance authorities of the Member States within 15 days | enforced | audit_events: kye.signal.incident.opened.v1, kye.comms.dispatch.v1; engines: internal; constitution_refs: constitution/38-COMMS-RAIL.md |
eu-ai-act.A73.2 |
Reports of serious incidents resulting in death or serious damage to health shall be made within 10 days | enforced | audit_events: kye.signal.incident.opened.v1, kye.comms.dispatch.v1; engines: internal; constitution_refs: constitution/38-COMMS-RAIL.md |
eu-ai-act.A73.3 |
Reports of widespread infringement, breach of fundamental rights, or critical infrastructure disruption shall be made within 2 days | enforced | audit_events: kye.signal.incident.opened.v1, kye.comms.dispatch.v1; engines: internal; constitution_refs: constitution/38-COMMS-RAIL.md |
eu-ai-act.A74 |
Market-surveillance authorities shall be given full access to documentation, training/validation/testing data sets and source code where necessary | enforced | audit_events: kye.assurance.audit_pilot.v1; agents: internal; constitution_refs: constitution/21-DELEGATED-AUDITABILITY.md |
eu-ai-act.A85 |
Any natural or legal person having grounds to consider that there has been an infringement may submit complaints to the relevant market-surveillance authority | out-of-scope | (no enforcement cited) |
eu-ai-act.A86 |
Affected persons subject to a decision taken on the basis of output from a high-risk AI system that produces legal effects shall have the right to obtain clear and meaningful explanations from the deployer | enforced | audit_events: kye.evidence.decision_map.v1; engines: internal; constitution_refs: constitution/36-GOVERNEDUI.md |
eu-ai-act.A99 |
Penalties — Member States shall lay down rules on penalties for infringement, up to EUR 35M or 7% of global annual turnover for Art 5 breaches | out-of-scope | (no enforcement cited) |
eu-ai-act.A113 |
Entry into force and application — staggered: prohibitions Art 5 from 2025-02-02; GPAI Art 53/55 from 2025-08-02; remainder from 2026-08-02; Annex I high-risk products from 2027-08-02 | advisory | constitution_refs: constitution/25-EDGE-GOVERNANCE.md |
eu-ai-act.AnnexI |
Annex I — List of Union harmonisation legislation under which high-risk AI systems are covered if they are safety components | advisory | constitution_refs: constitution/26-COMMERCIAL.md |
eu-ai-act.AnnexII |
Annex II — List of criminal offences for biometric-identification carve-out | out-of-scope | (no enforcement cited) |
eu-ai-act.AnnexIV |
Annex IV — Technical documentation content for high-risk AI systems (9 sections) | enforced | audit_events: kye.evidence.pack.v1, kye.evidence.model_params.v1; engines: internal; constitution_refs: constitution/43-MACHINE-READABLE-BY-DEFAULT.md |
eu-ai-act.AnnexV |
Annex V — EU declaration of conformity content (9 fields) | designed | audit_events: kye.compliance.attestation.v1; constitution_refs: constitution/43-MACHINE-READABLE-BY-DEFAULT.md |
eu-ai-act.AnnexVI |
Annex VI — Conformity-assessment procedure based on internal control (3-step) | enforced | audit_events: kye.assurance.tier1_readiness.v1, kye.assurance.audit_pilot.v1; constitution_refs: constitution/21-DELEGATED-AUDITABILITY.md |
eu-ai-act.AnnexVII |
Annex VII — Conformity-assessment procedure based on assessment of QMS and technical documentation by notified body | advisory | audit_events: kye.evidence.pack.v1; constitution_refs: constitution/21-DELEGATED-AUDITABILITY.md |
eu-ai-act.AnnexVIII |
Annex VIII — Information for registration in EU database (provider section + system section) | designed | audit_events: kye.evidence.pack.v1; constitution_refs: constitution/43-MACHINE-READABLE-BY-DEFAULT.md |
eu-ai-act.AnnexIX |
Annex IX — Information to be submitted upon registration of high-risk AI systems referenced in Annex III §1-7 (specific use cases) | designed | audit_events: kye.evidence.pack.v1; constitution_refs: constitution/43-MACHINE-READABLE-BY-DEFAULT.md |
eu-ai-act.AnnexX |
Annex X — Union legislative acts on large-scale IT systems in the area of freedom, security and justice | out-of-scope | (no enforcement cited) |
eu-ai-act.AnnexXI |
Annex XI — Technical documentation for GPAI providers (training + model attributes) | enforced | audit_events: kye.evidence.pack.v1, kye.evidence.model_params.v1, kye.model.capability_profile.v1; engines: internal; constitution_refs: constitution/43-MACHINE-READABLE-BY-DEFAULT.md |
eu-ai-act.AnnexXII |
Annex XII — Information for downstream providers integrating a GPAI model | enforced | audit_events: kye.model.capability_profile.v1, kye.model.influence_envelope.v1; constitution_refs: constitution/15-MCP-AND-SDK.md |
eu-ai-act.AnnexXIII |
Annex XIII — Criteria for designation of GPAI models with systemic risk | enforced | audit_events: kye.model.capability_profile.v1, kye.model.influence_envelope.v1; constitution_refs: constitution/14-AGENTS-AND-ENGINES.md |