A practical compliance library for the EU regulatory stack
EU AI Act, GDPR, NIS2, the Cyber Resilience Act — written for product managers, founders, and compliance leads at startups and SMEs. No marketing fluff, no legal jargon, no copy-paste lawyer disclaimers. Source-referenced answers to the questions that actually come up.
EU AI Act
- EU AI Act compliance checklist for SMEs
  A practical, source-referenced compliance checklist for European startups and SMEs that use or build AI systems. Written for product and operations teams, not lawyers.
- Is my AI system high-risk under the EU AI Act?
  A decision tree to classify AI systems under Article 6 and Annex III of the EU AI Act, with concrete SaaS, HR, finance, and healthcare examples for European SMEs.
- EU AI Act deadlines 2026 — what applies when
  The EU AI Act timeline after the Digital Omnibus delay: prohibited practices (Feb 2025), GPAI (Aug 2025), high-risk (Dec 2027), regulated products (Aug 2028).
- Article 6(3)(d) explained: the preparatory-task carve-out
  The EU AI Act's Article 6(3)(d) carve-out lets some AI systems escape high-risk classification by performing a preparatory task. Here's exactly when it applies.
- EU AI Act fines and penalties — what's at stake
  The EU AI Act's three-tier fine structure: €35M / 7% for prohibited practices, €15M / 3% for high-risk breaches, €7.5M / 1% for misinformation. SME perspective.
- GPAI obligations under the EU AI Act
  What the EU AI Act requires of general-purpose AI model providers — and what changes if you fine-tune or significantly modify a GPAI model on the EU market.
- Annex III high-risk categories explained
  The eight Annex III categories of high-risk AI under the EU AI Act, with worked examples in biometrics, employment, credit, education, and infrastructure.
- AI literacy under Article 4 — what's required
  Article 4 of the EU AI Act requires staff AI literacy from every provider and deployer. What it means in practice, and how to document a programme regulators accept.
- How to register a high-risk AI system in the EU database
  The EU AI Act Article 49 registration process for high-risk AI systems — what data goes in, who submits it, and what happens after the 2 December 2027 deadline.
- EU AI Act vs ISO 42001 — what's the difference
  ISO/IEC 42001 is the international AI management system standard. How it differs from the EU AI Act, where the two reinforce each other, and which to start with.
- Transparency obligations for chatbots and AI-generated content
  EU AI Act Article 50 transparency: when you must tell users they're talking to AI, how to label deepfakes, and what counts as adequate disclosure.
- EU AI Act deployer obligations — Article 26 explained
  Most European companies are deployers, not providers, under the EU AI Act. Article 26 is the practical obligation set: human oversight, logging, transparency.
- Audit-ready compliance dossier template for the EU AI Act
  What a regulator-ready EU AI Act compliance dossier actually contains — section by section, with the Annex IV mapping for high-risk providers.
- Article 5 prohibited AI practices — the eight banned uses
  Article 5 of the EU AI Act bans eight specific AI practices outright. Enforceable since February 2025. What's banned, what's allowed, and the narrow exceptions.
- Conformity assessment for high-risk AI systems
  Article 43 conformity assessment: internal control vs notified body, what gets assessed, and the practical timeline before a high-risk system goes to market.
- EU AI Act for HR-tech and recruitment AI
  Most HR and recruitment AI is high-risk under Annex III point 4. What the EU AI Act requires of ATS, candidate scoring, and performance management tools.
- EU AI Act for fintech and credit-scoring AI
  Credit-decisioning, insurance-pricing, and fraud-detection AI under Annex III point 5 — what fintech providers and deployers must do before 2 December 2027.
- EU AI Act for healthcare AI
  Healthcare AI under the EU AI Act: Annex II medical devices expected from August 2028, Annex III essential services from December 2027, plus the MDR overlap.
- Article 14 human oversight — how to design it
  Article 14 requires human oversight built into every high-risk AI system. What 'meaningful review' actually means in product design, and patterns that satisfy regulators.
- When does a change become 'substantial modification' under the EU AI Act?
  Article 43(4) requires a new conformity assessment when an AI system undergoes substantial modification. How to draw the boundary in routine ML retraining.
- Post-market monitoring and serious-incident reporting
  Articles 72 and 73 of the EU AI Act: how providers must monitor AI systems in the wild, and the 15-day clock for reporting serious incidents to supervisory authorities.