What is the EU AI Act?

The EU AI Act (Regulation (EU) 2024/1689) is the world's first comprehensive legal framework specifically regulating artificial intelligence. Adopted in March 2024, it uses a risk-based approach to classify AI systems into four tiers - unacceptable risk (banned), high risk (extensive obligations), limited risk (transparency requirements), and minimal risk (voluntary codes). Like GDPR, it has extraterritorial scope, applying to any organization worldwide whose AI systems are used within the EU.

What does my company need to do to comply with the EU AI Act?

To comply with the EU AI Act, organizations using AI must: implement automatic logging of all AI interactions with 6+ month retention (Articles 12, 19), establish human oversight including a kill switch to halt AI systems (Article 14), deploy data governance controls including masking and access restrictions for sensitive data (Article 10), set up continuous risk monitoring and incident reporting workflows (Articles 9, 73), ensure staff AI literacy (Article 4, already in force), and maintain comprehensive technical documentation (Article 11). Areebi provides all of these capabilities in a single platform.

Does the EU AI Act require a kill switch for AI systems?

Yes. Article 14(4)(e) of the EU AI Act explicitly requires that persons overseeing high-risk AI systems must be able to 'intervene in the operation of the high-risk AI system or interrupt the system through a stop button or a similar procedure that allows the system to come to a halt in a safe state.' This is a mandatory human oversight requirement for all high-risk AI systems. Areebi's admin kill switch provides exactly this capability - instant, company-wide AI shutdown with a full audit trail.

What logging is required under the EU AI Act?

Article 12 requires high-risk AI systems to have automatic logging capabilities that record events over the system's entire lifetime. Logs must enable traceability, risk identification, and post-market monitoring. Article 19 requires both providers and deployers to retain these automatically generated logs for a minimum of 6 months. Logs must be available to market surveillance authorities on request. Areebi's immutable audit logging captures every AI interaction with user identity, timestamps, prompts, responses, and policy decisions.

Does the EU AI Act apply to companies outside the EU?

Yes. Like GDPR, the EU AI Act has extraterritorial reach. It applies to any organization that places AI systems on the EU market, puts them into service in the EU, or produces AI outputs used within the EU. This means US, UK, Australian, and other non-EU companies serving European customers, employees, or partners must comply. Non-compliance exposes organizations to the same penalty framework regardless of where they are headquartered.

Is ChatGPT or enterprise AI considered high-risk under the EU AI Act?

General-purpose AI models like GPT-4, Claude, and Gemini are regulated separately as GPAI models under the EU AI Act, not directly classified as high-risk. However, enterprise applications built on these models become high-risk when deployed in domains listed in Annex III - including employment and HR decisions, credit scoring, education, law enforcement, and critical infrastructure management. The classification follows the use case, not the underlying model. Most enterprise AI copilots and productivity tools fall under limited risk with transparency obligations.

What is the difference between the August 2025 and August 2026 EU AI Act obligations?

August 2, 2025 activated GPAI model provider obligations, AI literacy requirements (Article 4), the full penalty regime, and governance infrastructure. August 2, 2026 is when full high-risk AI system obligations take effect - including conformity assessments, deployer obligations (Article 26), human oversight requirements (Article 14), logging mandates (Article 12), data governance (Article 10), and risk management (Article 9). Organizations should be preparing now, as building compliance infrastructure takes months.

EU AI Act Compliance

EU AI ActIndustry Cross-Reference

EU AI Act Compliance for Technology AI

Technology AI must meet EU AI Act obligations including Article 15, Article 10 and Articles 11, 12; Annex IV. Areebi enforces and evidences these controls for technology and SaaS providers.

The Compliance Challenge

Source code and intellectual property leaking into external model providers - and EU AI Act expects it to be controlled and evidenced.

EU AI Act obligations such as Article 15 and Article 10 are continuous, but general AI tools generate none of the required evidence.

Shadow AI sprawl across engineering and go-to-market teams leaves technology and SaaS providers exposed when the AICPA Trust Services Criteria as the de facto enterprise trust bar and EU and UK data protection authorities for AI handling personal data ask for proof.

Demonstrating how an automated decision was reached - required for Technology AI - is impossible without per-interaction logging and human-oversight records.

How Areebi Helps You Comply

Access control + security Controls

Areebi operationalises EU AI Act Article 15 (access control + security) for Technology AI with enforced policy and logged evidence, not documentation alone.

Data handling + minimisation Controls

Areebi operationalises EU AI Act Article 10 (data handling + minimisation) for Technology AI with enforced policy and logged evidence, not documentation alone.

Audit trail + documentation Controls

Areebi operationalises EU AI Act Articles 11, 12; Annex IV (audit trail + documentation) for Technology AI with enforced policy and logged evidence, not documentation alone.

Vendor + third-party risk Controls

Areebi operationalises EU AI Act Articles 25, 28 (vendor + third-party risk) for Technology AI with enforced policy and logged evidence, not documentation alone.

Post-market monitoring + drift Controls

Areebi operationalises EU AI Act Article 72 (post-market monitoring + drift) for Technology AI with enforced policy and logged evidence, not documentation alone.

Technology AI Under EU AI Act

Technology vendors that ship AI features to EU users are providers under the EU AI Act, so Article 50 transparency duties for chatbots and synthetic content - and, where a general-purpose AI model is involved, the Article 51 to 55 GPAI obligations - apply on top of any high-risk classification. Software and SaaS companies are shipping AI copilots, retrieval features and agents into their products and internal workflows faster than their governance can keep up.

EU AI Act (Regulation 2024/1689) applies to providers, deployers, importers, and distributors of AI systems placed on the EU market or whose output is used in the EU. Includes non-EU providers serving EU users. Its penalty exposure - Up to EUR 35 million or 7% of global turnover (Article 99) - and effective timeline (August 1, 2024 (staggered through August 2, 2027)) mean technology and SaaS providers cannot treat AI as out of scope. The data most at stake in this sector includes customer data processed by AI features, proprietary source code and intellectual property, personal data of end users in multiple jurisdictions and model prompts, outputs and training data, processed across AI coding assistants and copilots, customer-support automation and retrieval over knowledge bases, AI product features built on third-party model APIs and internal agents with access to systems and data.

Areebi gives technology and SaaS providers a single governed control plane - data-loss prevention, immutable audit logging and policy enforcement - mapped to the EU AI Act obligations set out below, with the parent EU AI Act guide and Technology solutions for the wider programme.

EU AI Act Obligations That Matter Most for Technology AI

The obligations below are the EU AI Act requirements most material to Technology AI, each tied to its source clause. Technology AI programmes should treat these as the control backbone:

Access control + security (Article 15): Article 15 requires accuracy, robustness, and cybersecurity for high-risk AI systems. For technology and SaaS providers, this bites hardest on source code and intellectual property leaking into external model providers.
Data handling + minimisation (Article 10): Article 10 sets quality, governance, and bias-testing requirements for training, validation, and test datasets. For technology and SaaS providers, this bites hardest on shadow AI sprawl across engineering and go-to-market teams.
Audit trail + documentation (Articles 11, 12; Annex IV): Articles 11-12 require technical documentation (Annex IV) and automated logging for high-risk AI systems. For technology and SaaS providers, this bites hardest on AI features shipping outside the audited control boundary buyers expect.
Vendor + third-party risk (Articles 25, 28): Article 25 (provider becoming deployer / change of role) and Article 28 (importers and distributors due diligence). For technology and SaaS providers, this bites hardest on customer data exposed through ungoverned AI features.
Post-market monitoring + drift (Article 72): Article 72 requires a post-market monitoring system for high-risk providers, with documented plan. For technology and SaaS providers, this bites hardest on shadow AI sprawl across engineering and go-to-market teams.
Governance + accountability (Articles 17, 26): Article 17 requires a quality management system for high-risk providers; deployers need internal governance under Article 26. For technology and SaaS providers, this bites hardest on source code and intellectual property leaking into external model providers.
Incident + serious-incident reporting (Article 73): Article 73 requires serious-incident reporting to the market surveillance authority within 15 days (immediately for fatalities or critical infrastructure). For technology and SaaS providers, this bites hardest on customer data exposed through ungoverned AI features.

Because these duties are continuous rather than point-in-time, technology and SaaS providers need tooling that produces ongoing evidence - not a one-off assessment.

How Areebi Supports EU AI Act Compliance for Technology AI

Areebi maps platform controls to the EU AI Act obligations above so technology and SaaS providers can evidence compliance continuously:

Article 12 logging obligations satisfied by immutable audit log with 6-month minimum retention.
DLP + provider routing supports Article 10 data-governance and Article 15 cybersecurity.
Per-tenant evaluation harness aligned with Article 14 human-oversight workflows.
Incident-response runbook templates align with Article 73 reporting window.

The same controls address this sector's sharpest risks - source code and intellectual property leaking into external model providers and customer data exposed through ungoverned AI features - by keeping every AI interaction inside an enforced, logged boundary that the AICPA Trust Services Criteria as the de facto enterprise trust bar and EU and UK data protection authorities for AI handling personal data expect to see evidenced.

EU AI Act Compliance Checklist

Confirm which Technology AI systems fall in scope of EU AI Act (Regulation 2024/1689) (EU AI Act)

Address access control + security per Article 15: Article 15 requires accuracy, robustness, and cybersecurity for high-risk AI systems.

Address data handling + minimisation per Article 10: Article 10 sets quality, governance, and bias-testing requirements for training, validation, and test datasets.

Address audit trail + documentation per Articles 11, 12; Annex IV: Articles 11-12 require technical documentation (Annex IV) and automated logging for high-risk AI systems.

Address vendor + third-party risk per Articles 25, 28: Article 25 (provider becoming deployer / change of role) and Article 28 (importers and distributors due diligence).

Address post-market monitoring + drift per Article 72: Article 72 requires a post-market monitoring system for high-risk providers, with documented plan.

Address governance + accountability per Articles 17, 26: Article 17 requires a quality management system for high-risk providers; deployers need internal governance under Article 26.

Address incident + serious-incident reporting per Article 73: Article 73 requires serious-incident reporting to the market surveillance authority within 15 days (immediately for fatalities or critical infrastructure).

Stand up continuous evidence (audit logs, oversight records) to prove EU AI Act compliance to the AICPA Trust Services Criteria as the de facto enterprise trust bar and EU and UK data protection authorities for AI handling personal data

Frequently Asked Questions

Does EU AI Act apply to Technology AI?

Technology vendors that ship AI features to EU users are providers under the EU AI Act, so Article 50 transparency duties for chatbots and synthetic content - and, where a general-purpose AI model is involved, the Article 51 to 55 GPAI obligations - apply on top of any high-risk classification. EU AI Act (Regulation 2024/1689) applies to providers, deployers, importers, and distributors of AI systems placed on the EU market or whose output is used in the EU. Includes non-EU providers serving EU users. In practice that means technology and SaaS providers running AI coding assistants and copilots, customer-support automation and retrieval over knowledge bases, AI product features built on third-party model APIs and internal agents with access to systems and data must bring those systems into scope.

Which EU AI Act requirements matter most for Technology AI?

The obligations with the sharpest impact are access control + security (Article 15), data handling + minimisation (Article 10) and audit trail + documentation (Articles 11, 12; Annex IV). These govern how technology and SaaS providers handle customer data processed by AI features and proprietary source code and intellectual property and how automated decisions about individuals are overseen and explained.

What are the penalties for EU AI Act non-compliance?

EU AI Act (Regulation 2024/1689) carries Up to EUR 35 million or 7% of global turnover (Article 99). For technology and SaaS providers the bigger exposure is often commercial - lost partner and reinsurer trust, and regulator scrutiny from the AICPA Trust Services Criteria as the de facto enterprise trust bar and EU and UK data protection authorities for AI handling personal data - which is why continuous, evidenced controls matter.

How does Areebi help Technology AI meet EU AI Act?

Areebi enforces EU AI Act controls at the point of AI use - Article 12 logging obligations satisfied by immutable audit log with 6-month minimum retention. Every interaction is logged immutably, so technology and SaaS providers can evidence Article 15 and Article 10 on demand rather than reconstructing it after the fact.

Related Resources

Ready to achieve EU AI Act compliance for your AI?

See how Areebi maps to EU AI Act requirements with a personalised demo.

Get a Demo Free AI Risk Assessment

Related resources

Compliance

SOC 2 Compliance for Technology AI

Technology AI must meet SOC 2 obligations including CC6.1-CC6.8, C1.1-C1.2; P1-P8 (Privacy) and CC4.1-CC4.2; full TSC. Areebi enforces and evidences these controls for technology and SaaS providers.

GDPR Compliance for Technology AI

Technology AI must meet GDPR obligations including Article 32, Articles 5, 6, 9 and Articles 5(2), 24, 30. Areebi enforces and evidences these controls for technology and SaaS providers.

HIPAA Compliance for Insurance AI

Insurance AI must meet HIPAA obligations including 45 CFR 164.520, 45 CFR 164.502(b); 164.514 and 45 CFR 164.524-528. Areebi enforces and evidences these controls for insurers.

SOC 2 Compliance for Insurance AI

Insurance AI must meet SOC 2 obligations including CC2.1-CC2.3; P1.1, C1.1-C1.2; P1-P8 (Privacy) and P5.1-P5.2. Areebi enforces and evidences these controls for insurers.

Fine-tuning vs RAG vs prompt engineering: the 2026 compliance trade-off matrix

A regulator-grounded comparison of fine-tuning, RAG, and prompt engineering across data residency, GDPR right to erasure, EU AI Act provider obligations, audit completeness, drift, and cost.

Illustrative Scenario: Mid-Market SaaS AI Governance in Under 2 Weeks

Illustrative scenario for a mid-market B2B SaaS archetype (150-250 employees) deploying Areebi's Secure Essentials tier to establish AI governance across engineering, marketing, support, and sales teams. Design targets based on industry benchmarks for shadow-AI discovery and risk-score improvement.

Taking longer than expected.

Reload the page