Subnet345


The EU AI Act moved its deadlines. The burden of proof did not move with them.

The EU AI Act, in force since August 2024, was originally scheduled to bring its high-risk-system obligations into application in August 2026. The AI Omnibus extended those deadlines: obligations for Annex III high-risk systems now apply from 2 December 2027, and obligations for Annex I safety-component systems apply from 2 August 2028. Prohibited practices have been in force since 2 February 2025, and general-purpose AI obligations since 2 August 2025. The extension bought engineering teams calendar time. It did not change what the high-risk classification asks for: documented explainability, human oversight, and a risk-management system that can be evidenced after the fact.

§ 01 The high-risk burden

Annex III, Annex I, and the controls every classification expects.

Annex III enumerates the high-risk use cases: biometrics, critical infrastructure, education, employment, essential services, law enforcement, migration, justice, democratic processes. Annex I covers AI as a safety component of products already in regulated categories (toys, machinery, medical devices, vehicles, others). Both classifications converge on the same operator-facing controls: a risk-management system; data and data governance; technical documentation; record-keeping; transparency and information to deployers; human oversight; and accuracy, robustness and cybersecurity.

Two of those, record-keeping and human oversight, presuppose a durable, attributable trail that survives the engagement. An auditor cannot review what an operator says happened. The Act assumes the operator can produce the evidence of what did happen, agent by agent and action by action.

The Omnibus moved the calendar. It did not move the question an examiner is going to ask.

§ 02 The evidence

Record-keeping and human oversight, by construction.

The substrate makes record-keeping and human oversight properties of the action. Every agent action is attributed to a specific agent under a specific policy you write, and hash-chained into a tamper-evident audit trail kept inside your boundary. Approvals, refusals, and escalations are durable events alongside actions.

Which agent acted on which high-risk decision, under which policy
    Without the substrate: Reconstructed from logs, if at all
    With the substrate: Attributed at the moment of action

Where the human oversight intervention happened, and who exercised it
    Without the substrate: Inferred from session logs
    With the substrate: The approver, the decision, and the policy in force, on the record

What the policy refused and why
    Without the substrate: Refusals not durably captured
    With the substrate: Every refusal recorded as an attributable event

Keep the record where a Member State authority can interrogate it
    Without the substrate: Ships to a vendor cloud, with caveats
    With the substrate: Retained inside your boundary, on your retention schedule

This material is informational, not legal or regulatory advice. The EU AI Act is enforced by Member State competent authorities and the AI Office at the EU level; obligations depend on classification and operator role (provider, deployer, importer, distributor). The substrate produces the record; it does not by itself make a deployment compliant. Assess your specific obligations with qualified counsel.

§ 03 Questions

EU AI Act timelines and obligations, answered.

When do EU AI Act high-risk obligations actually apply?

Per the AI Omnibus extension, Annex III high-risk obligations apply from 2 December 2027, and Annex I safety-component obligations apply from 2 August 2028. The original Act timeline called for high-risk applicability from 2 August 2026; the Omnibus extended both. Prohibited practices have been in force since 2 February 2025, and general-purpose AI obligations since 2 August 2025.

What does the high-risk classification ask operators to produce?

Seven things at the operator level: a risk-management system; data and data governance; technical documentation; record-keeping; transparency and information to deployers; human oversight; and accuracy, robustness and cybersecurity. Record-keeping and human oversight specifically assume a durable, attributable trail an examiner can interrogate after the fact.

What does the substrate produce against the high-risk obligations?

Every agent action is attributed to a specific agent under a specific policy you write, hash-chained into a tamper-evident audit trail kept inside your boundary. Human-oversight interventions, policy refusals, escalations, and approvals are recorded as durable events alongside actions. The record satisfies the record-keeping obligation by construction and is what an examiner reviews for human-oversight evidence.
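The hash-chained, attributed trail described in § 02 and in the answer above can be sketched as follows. This is an added example, not Subnet345's code or record format: the field names, the all-zero genesis value and the sample agent, policy and reviewer names are assumptions.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed anchor value that the first record links to


def record_digest(body):
    # Canonical JSON (sorted keys, fixed separators) keeps the hash reproducible.
    data = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(data).hexdigest()


def append_event(trail, kind, agent, policy, detail, actor=None):
    """Append an attributed event: action, refusal, escalation or approval."""
    body = {
        "seq": len(trail), "kind": kind, "agent": agent, "policy": policy,
        "actor": actor,  # human who exercised oversight, if any
        "detail": detail,
        "prev": trail[-1]["hash"] if trail else GENESIS,
    }
    trail.append(dict(body, hash=record_digest(body)))
    return trail[-1]


def verify(trail):
    """Return the index of the first record that breaks the chain, or None."""
    prev = GENESIS
    for i, rec in enumerate(trail):
        body = {k: v for k, v in rec.items() if k != "hash"}
        if rec["seq"] != i or rec["prev"] != prev or record_digest(body) != rec["hash"]:
            return i
        prev = rec["hash"]
    return None


def build_sample_trail():
    # Constructed sample data: agent, policy and reviewer names are made up.
    trail = []
    append_event(trail, "action", "screening-agent-7", "hiring-policy-v3", "ranked candidate batch")
    append_event(trail, "refusal", "screening-agent-7", "hiring-policy-v3", "auto-reject blocked by policy")
    append_event(trail, "escalation", "screening-agent-7", "hiring-policy-v3", "sent to human review")
    append_event(trail, "approval", "screening-agent-7", "hiring-policy-v3", "reject overturned", actor="reviewer-a")
    return trail


if __name__ == "__main__":
    trail = build_sample_trail()
    trail[1]["detail"] = "no refusal occurred"  # after-the-fact edit
    print("first broken record:", verify(trail))
```

A chain like this detects edits and deletions only relative to a trusted head hash: whoever can rewrite the whole trail can recompute every link, so the latest hash has to be stored or signed somewhere the writer cannot alter.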

Is this legal or regulatory advice?

No. This material is informational. The EU AI Act is enforced by Member State competent authorities and the AI Office; obligations depend on classification and operator role. The substrate produces the record; it does not by itself make a deployment compliant. Assess your specific obligations with qualified EU counsel.

When the deadline lands, can you prove human oversight was applied?