The EU AI Act, made operational

Classify and govern AI under the EU AI Act

Inventory your AI systems, classify them by risk tier, and stand up the high-risk obligations — risk management, data governance, logging, human oversight — mapped to ISO 42001 and the NIST AI RMF.

What is the EU AI Act?

The EU AI Act — Regulation (EU) 2024/1689 — is the world's first comprehensive law governing artificial intelligence. It entered into force on August 1, 2024 and regulates AI based on the risk it poses rather than the technology itself. Like the GDPR, it applies extraterritorially: it reaches providers and deployers outside the EU whenever an AI system's output is used within the Union.

The risk-based tiers

The Act sorts AI into four tiers:

  • Unacceptable risk — a short list of prohibited practices (for example, social scoring and certain manipulative or biometric-categorization uses). These have been banned since February 2, 2025.
  • High risk — AI used as a safety component of regulated products (Annex I) or in listed sensitive domains (Annex III) such as employment, education, essential services, law enforcement, and biometrics. High-risk systems carry the full weight of the Act's obligations.
  • Limited risk — systems such as chatbots and generative content tools that carry transparency duties (users must know they are interacting with AI; synthetic content must be marked).
  • Minimal risk — everything else, which is largely unregulated.

Separately, general-purpose AI (GPAI) models carry their own obligations, which began applying on August 2, 2025.

The timeline (and the Digital Omnibus)

The Act phases in over several years. Prohibited practices applied from February 2, 2025; GPAI obligations from August 2, 2025; and high-risk obligations were scheduled for August 2, 2026. In 2026, EU institutions reached a provisional "Digital Omnibus" agreement that would defer the high-risk obligations — Annex III use-based systems to December 2, 2027 and Annex I product-embedded AI to August 2, 2028 — along with targeted simplifications. That deferral only becomes law once formally adopted and published in the Official Journal; until then, August 2, 2026 remains the operative deadline, so in-scope organizations should keep preparing.

High-risk obligations

Providers of high-risk AI must implement a risk management system, data and data-governance practices, technical documentation, automatic logging, transparency and instructions for use, human oversight, and appropriate accuracy, robustness, and cybersecurity — then pass a conformity assessment and maintain post-market monitoring. Deployers carry their own, lighter set of duties.

How episki helps

episki implements the EU AI Act as a working program: an inventory of your AI systems with provider/deployer roles, a risk-tier classifier that surfaces the obligations that actually apply, and the high-risk requirements tracked as controls with evidence and owners. Because it cross-maps to ISO 42001 and the NIST AI RMF, your AI Act readiness reuses the AI governance work you are already doing.

EU AI Act outcomes with episki

Quantify the impact security and compliance bring to your business.
4 risk tiers
Unacceptable, high, limited, and minimal risk classified per AI system.
High-risk ready
Annex III obligations implemented as controls with evidence and owners.
42001 mapped
AI Act obligations cross-walked to ISO 42001 and the NIST AI RMF.

Why teams choose episki for EU AI Act

Framework-specific automation, collaboration, and reporting in one workspace.
Risk classification, done right
Classify each AI system into the Act's risk tiers and apply the right obligations.
  • Prohibited-practice screening
  • High-risk (Annex III / Annex I) determination
  • Transparency duties for limited-risk systems
High-risk obligations as controls
The Annex III obligations implemented and evidenced, not described.
  • Risk management system and data governance
  • Technical documentation, logging, and transparency
  • Human oversight, accuracy, robustness, and cybersecurity
One AI program, many frameworks
AI Act work reuses your ISO 42001 and NIST AI RMF evidence.
  • Crosswalk to ISO 42001 (AIMS)
  • Crosswalk to the NIST AI RMF
  • GPAI / foundation-model tracking

EU AI Act readiness inside episki

What an in-scope provider or deployer needs in place.

Plug episki into your stack and work directly from this checklist during the free trial.

  • AI system inventory with provider/deployer role per system
  • Risk-tier classification (prohibited, high, limited, minimal)
  • Risk management system for high-risk AI
  • Data governance and technical documentation
  • Logging, human oversight, and transparency measures
  • Conformity assessment and post-market monitoring evidence

AI Act readiness accelerators

Move from "are we in scope?" to a defensible high-risk program.
Risk-tier classifier
Walk each AI system through the Act's tiers and surface the applicable obligations.
High-risk obligation tracker
Owners, evidence, and status for each Annex III requirement.
ISO 42001 / NIST AI RMF crosswalk
Reuse your AI management system evidence against AI Act obligations.

Build EU AI Act readiness in episki

Classify your AI, stand up the high-risk obligations, and reuse the work for ISO 42001 and the NIST AI RMF.