Skip to content

Early Access opens July 12 · $99/mo · all suites during the launch window · price locked through Q1 2027 · Join the waitlist →

Regulatory · EU AI Act

EU AI Act compliance — defensible evidence for GPAI and high-risk systems.

The EU AI Act's GPAI obligations are now in force; high-risk Annex III obligations follow (likely December 2, 2027). acipta is the agent-based defensibility platform — workflow-grounded — that produces signed, replayable evidence mapped to the specific articles you must satisfy.

EU AI Act alongside SOC 2, HIPAA, GDPR, CCPA & WCAG 2.1 AA — one evidence chain.

Deterministic Precision. Experiential Intuition. Autonomous Agents.

The deadlines that matter

GPAI is enforcing. Annex III is coming.

Two clocks, decomposed. Treating them as one is how programs miss the near one.

IN FORCE

GPAI obligations enforce

Articles 51–56 under Regulation (EU) 2024/1689. Now in force — not delayed.

~DEC 2, 2027

High-risk (Annex III)

Risk management, Article 12 logging, FRIA, technical documentation. Timeline likely shifts here — not for GPAI.

NOW

Evidence architecture

The defensible-evidence decision is made before the deadline, not during the audit. Commit the chain early.

What you must produce

The Act asks for specific artifacts — produce them as evidence.

Compliance here is documentary and ongoing. acipta produces each artifact as signed, replayable evidence rather than a one-time PDF.

01

Technical documentation

GPAI model documentation and training-data summaries, maintained and version-pinned — not a stale binder.

02

Article 12 logging

Automatic, tamper-evident records of high-risk system operation — signed at write time and replayable.

03

FRIA + risk records

Fundamental Rights Impact Assessments and risk-management records mapped per-article, reusable across frameworks.

Evidence obligations

The evidence the Act asks high-risk providers and deployers to retain

The EU AI Act is unusually specific about records. For high-risk systems the practical question is not "do we have a policy?" but "can we produce the artifact, on request, from our own systems?" Here is what the Act asks for — described informationally, not as legal advice — and how workflow-grounded evidence, signed at write time, maps to each need.

What the Act asks forWhat that means in practiceHow signed, replayable evidence maps
Technical documentation
Article 11 · Annex IV
A maintained description of the system — intended purpose, architecture, data and validation approach, performance — kept current across the lifecycle, not written once for a certificate.Documentation artifacts are version-pinned on a signed evidence chain: every revision is attributable and tamper-evident, so the version you produce later is provably the version that existed at the time.
Automatic logging & record-keeping
Articles 12 · 19
High-risk systems must automatically record events across their lifetime — enough to trace when the system ran, on what inputs, and how it behaved — with logs retained for at least the period the Act prescribes.Operational records are captured in the workflow where the event happened and signed at write time. Each record is tamper-evident and replayable, so "show us what the system did" is answered from the record, not reconstructed from memory.
Human-oversight records
Articles 14 · 26
Natural persons must be able to effectively oversee high-risk systems — which in practice means being able to show who reviewed what, when a person intervened, and what they decided.Human decisions are first-class evidence: reviewer identity, the decision, and its timing are signed into the same chain as the automated events they governed — oversight you can demonstrate, not just describe.
Conformity assessment artifacts
Article 43 · Annexes VI–VII
The assessment procedure and the artifacts around it — the documentation the assessment relied on, the EU declaration of conformity that follows it — must remain available to authorities long after the assessment closes.The evidence a conformity claim rested on stays reproducible: the underlying records can be re-verified deterministically years later, rather than re-assembled by whoever still remembers the project.
Post-market monitoring
Article 72
Providers must keep monitoring high-risk systems after deployment and document how field performance feeds back into risk management.Monitoring is documented as it happens: records accumulate continuously on one chain, so the post-market file is a byproduct of operating the system rather than a quarterly reconstruction.

GPAI model providers carry a lighter but already-live documentation duty — model documentation, training-data summaries, a copyright policy, and information-sharing with the AI Office — and the same mapping logic applies: each artifact is produced as a signed record rather than a static file, so what you shared, and when, remains demonstrable later.

Which of these obligations attach to you depends on your role under the Act — provider, deployer, importer, distributor — and on the risk tier of each system. That determination is a legal judgment: none of the above is legal advice, and counsel stays in the loop. What acipta owns is the machinery underneath that judgment — evidence that is reproducible, attributable, tamper-evident, replayable, and signed at write time — so that when counsel or an authority asks what happened, the answer comes from the record. See how the platform works for the substrate these records live on.

GPAI vs high-risk

Know which obligations attach to you.

The Act assigns duties by role and risk tier. acipta maps evidence to whichever applies — and to the other frameworks you carry.

GPAI

Model providers

Transparency, documentation, copyright policy, AI Office information-sharing. Live now.

HIGH-RISK

Annex III deployers/providers

Risk management, logging, FRIA, conformity documentation. The heavier tier.

BOTH

One chain

acipta produces per-article evidence for either, on the same signed, replayable substrate as your SOC 2 / HIPAA / GDPR program.

Per-article mapping

Trace every requirement to its evidence — article by article

Requirement-to-evidence mapping should be a lookup, not a meeting. A companion page traces the mapping in detail.

Companion resource

Per-article and per-CFR requirement mapping

"Which article does this artifact satisfy?" has a lookup answer: the mapping page traces individual EU AI Act articles — alongside U.S. CFR citations for HIPAA and other regimes — to the specific evidence artifacts that answer them.
Browse the per-article and per-CFR requirement mapping to see how Article 12 logging, FRIA records, and technical documentation each resolve to concrete signed artifacts — and how one artifact can serve more than one framework at the same time.
That reuse is the point, not a lucky overlap of wording. Mapping each control once and letting every framework that references it draw on the same evidence is the core idea behind compliance intelligence.
FAQ

EU AI Act compliance — questions

Short answers to the questions compliance and engineering leaders ask most about the Act — and about what evidence actually settles them.

Is the EU AI Act GPAI deadline delayed?

No. General-purpose AI (GPAI) model obligations under Articles 51–56 are now in force. The high-risk Annex III timeline is the part likely to shift (toward December 2, 2027); GPAI is not.

What does the EU AI Act actually require me to produce?

For GPAI: technical documentation, training-data summaries, a copyright policy, and information sharing with the AI Office. For high-risk (Annex III): a risk management system, logging (Article 12), a Fundamental Rights Impact Assessment (FRIA), and audit-ready technical documentation.

Does this apply to us if we only use AI, not build models?

Likely yes for high-risk use, and increasingly for deployers. The obligations attach to the role you play (provider, deployer, importer) and the risk tier of the system — acipta maps evidence to whichever articles apply to you.

How does acipta help specifically?

acipta produces signed, replayable evidence mapped to the specific EU AI Act articles — Article 12 logging, FRIA records, technical documentation — alongside your other frameworks, on one evidence chain. Defensible if the AI Office asks years later.

What records do deployers of high-risk systems need to retain?

Deployers carry their own duties under the Act — using systems according to the provider's instructions, assigning human oversight, and keeping the logs the system generates for at least the period the Act prescribes. In practice that means retaining operational logs, oversight and intervention records, and the Fundamental Rights Impact Assessment where one is required. Which duties apply is a role-and-tier determination that belongs with counsel.

Does acipta replace our legal counsel or GRC team?

No. acipta is not legal advice and does not decide which obligations apply to you — counsel stays in the loop for that judgment. What the platform owns is the evidence layer underneath it: records signed at write time, tamper-evident, attributable, and replayable, so the people making the legal calls argue from the record rather than from reconstruction.

Keep reading

Where EU AI Act evidence fits in the wider program

RUNTIME

AI agent governance

The Act's oversight and logging expectations get sharper when your AI takes actions, not just answers. How runtime evidence works for AI agents.

REUSE

Compliance intelligence

Map a control once and let EU AI Act, SOC 2, HIPAA, and GDPR draw on the same evidence. What compliance intelligence means.

SUBSTRATE

The platform

Seven GA suites, 115 agents, one signed evidence chain with deterministic replay. See the platform.

Defensible from day one.

acipta is the agent-based defensibility platform — workflow-grounded. Per-article EU AI Act evidence on one chain with multiple frameworks. Public Early Access July 12, 2026; Full GA August 23, 2026.

Last reviewed · Reviewed by the acipta compliance & accessibility team.

Was this page helpful?