Frequently asked questions

Common questions about the regulation, deadlines, and how ActReady works.

About the EU AI Act

The EU AI Act is the world's first comprehensive legal framework for artificial intelligence. It classifies AI systems by risk level and imposes different obligations depending on that classification. It covers providers (companies that build AI), deployers (companies that use AI), importers, and distributors.

The EU AI Act has a phased rollout:
• February 2, 2025 — Prohibited AI practices ban took effect
• August 2, 2025 — GPAI model obligations and governance rules applied
• August 2, 2026 — Transparency obligations (Article 50) apply
• December 2, 2027 — High-risk AI obligations (Annex III) apply (extended by the Digital Omnibus)

The transparency deadline was NOT extended — it applies as originally scheduled.

Yes. If your AI system's output is used in the EU, or if it affects people located in the EU, the Act applies regardless of where your company is based. This includes US, UK, and other non-EU companies serving EU customers. Geographic restrictions in your Terms of Service help but are not bulletproof.

The EU AI Act uses four risk tiers:
• Unacceptable risk — Banned outright (social scoring, real-time biometric surveillance, emotion recognition in workplaces/schools)
• High-risk — Heavy obligations: technical documentation, risk management, conformity assessment, post-market monitoring. Defined by Annex III use cases (HR, credit, education, healthcare, law enforcement)
• Limited risk — Transparency obligations: tell users they're talking to AI, label AI-generated content
• Minimal risk — No mandatory obligations, voluntary codes of conduct encouraged

A provider develops, trains, and places an AI system on the market. A deployer uses someone else's AI system in their business under their own authority. For example, if you use HireVue for screening, HireVue is the provider and you are the deployer. Providers carry heavier obligations (technical documentation, conformity assessment). Deployers have lighter but still binding obligations (human oversight, transparency, log retention).

Fines are tiered by violation severity:
• Prohibited practices: Up to €35 million or 7% of global annual turnover
• High-risk non-compliance: Up to €15 million or 3% of global annual turnover
• Incorrect information to authorities: Up to €7.5 million or 1% of global annual turnover

SMEs and startups get proportionate caps. Beyond fines, non-compliant AI systems can be withdrawn from the EU market entirely.

The Digital Omnibus deal extended the Annex III high-risk AI obligations deadline from August 2, 2026 to December 2, 2027 — giving companies 16 extra months. Critically, it did NOT extend Article 50 transparency obligations, which still apply August 2, 2026. It also did NOT change prohibited practices, which are already in effect.

About ActReady

Traditional EU AI Act compliance consulting costs €50K–€200K and takes months. ActReady automates 80% of the work — classification, documentation generation, obligation tracking — for a fraction of the cost. You still review and approve everything, but the heavy lifting is done by AI. We generate the same documents a consultant would, in minutes instead of weeks.

No. ActReady is a compliance management tool, not a law firm. We help you classify systems, generate documentation, track obligations, and organise your compliance work. For complex legal questions — especially around liability, enforcement, or novel use cases — we recommend consulting a qualified legal professional. ActReady gives you 90% of the compliance structure; legal counsel fills the remaining 10%.

We generate all major EU AI Act compliance documents:
• Annex IV technical documentation (9 sections)
• Risk management plans (Article 9)
• Human oversight plans (Article 14)
• Transparency notices (Article 50)
• Data governance documentation (Article 10)
• Post-market monitoring plans (Article 72)

Each document is tailored to your specific AI system, risk level, and domain. Export as PDF or Word.

Yes. The guided risk classifier requires no account at all — answer a few questions and get your risk tier instantly with article references. Paid plans add the AI Classifier, which accepts free-text descriptions and uses AI to classify your system. Both classifiers cover all Annex III high-risk categories, prohibited practices, and GPAI rules.

Absolutely. The free plan gives you full access to the risk classifier with no signup. All paid plans include a 14-day free trial with full access to every feature. Save 20% with annual billing. Cancel anytime during the trial with zero charges.

Four plans:
• Free (€0) — Risk classifier, no signup needed
• Starter (€29/mo or €23/mo annual) — Up to 3 AI systems, 5 documents/month, obligation tracker
• Pro (€79/mo or €63/mo annual) — Unlimited systems and documents, risk map, AI training, Trust Center
• Enterprise (€199/mo or €159/mo annual) — Multi-org, white-label reports, vendor risk, dedicated support

All paid plans include a 14-day free trial.

Yes. ActReady uses Supabase for database hosting (SOC 2 Type II certified), Clerk for authentication (SOC 2 Type II), and Vercel for deployment. All data is encrypted in transit (TLS 1.3) and at rest. We never share your data with third parties. When we use AI to generate documents, your system descriptions are processed but never stored by the AI provider.

Compliance Process

Start with classification. Use our free risk classifier to determine whether your AI system is minimal, limited, or high-risk. This drives everything else — your obligations, your timeline, and your budget. Once you know your risk tier, the compliance roadmap in the dashboard shows you exactly what to do next.

It depends on your risk tier and how many AI systems you have:
• Minimal risk: No mandatory obligations — classification takes 5 minutes and you're done
• Limited risk: Transparency disclosures take 1–3 days of engineering work
• High-risk (deployer): 1–2 weeks of structured work covering human oversight, monitoring, and transparency
• High-risk (provider): 3–6 months for full compliance including documentation, risk management system, and conformity assessment

ActReady significantly reduces these timelines by automating document generation and providing guided workflows.

Each AI system needs its own classification and compliance treatment. ActReady lets you register multiple systems, classify each one independently, generate separate documentation for each, and track obligations per system. The dashboard gives you an aggregated view across all systems.

Only if you are a provider of a high-risk AI system. Most high-risk systems can use self-assessment (internal conformity assessment under Annex VI). Biometric identification systems used for law enforcement require a third-party assessment by a notified body. Deployers do not need conformity assessments.

Article 49 requires providers and deployers of high-risk AI systems to register in the EU database before placing the system on the market or putting it into service. The database is public and includes information about the system, its provider, and its intended purpose. ActReady helps you prepare the required Annex VIII information.

If you use a GPAI model in your product, the model provider (OpenAI, Anthropic, Google) has their own obligations. But if you integrate a GPAI model into a high-risk system, you become the provider of that high-risk system and carry the full provider obligations. Using a foundation model does not exempt you from EU AI Act obligations for your downstream system.

Deadlines & Enforcement

By August 2, 2026, you need Article 50 transparency obligations in place:
• AI interaction notices — tell users when they're interacting with AI
• Emotion recognition disclosures — if applicable
• Biometric categorisation disclosures — if applicable
• Synthetic content labeling — mark AI-generated text, images, audio, and video as AI-generated

These apply to ALL AI systems that interact with users or generate content, regardless of risk level.

Enforcement varies by member state, but the regulation allows fines of up to €15 million or 3% of global annual turnover for transparency violations. In practice, early enforcement will likely focus on complaints and the most visible violations. But waiting for enforcement to begin is not a compliance strategy — the obligations are binding from day one.

Yes. Member states are required to designate national competent authorities by August 2, 2025. The EU AI Office is already operational. While large-scale enforcement campaigns are unlikely on day one, the infrastructure is being built. More importantly, enterprise customers are already asking about EU AI Act compliance in procurement — market pressure may hit before regulatory pressure.

A chatbot is limited risk, not high-risk. Your only mandatory obligation is transparency: tell users they are interacting with an AI system. That's typically a banner, a label, or a disclosure in your interface. No conformity assessment, no technical documentation, no risk management system. A developer can implement this in a day.

Still have questions?

Our blog has 40+ in-depth guides covering every aspect of EU AI Act compliance. Or reach out directly.