career-path-cloud-architect By Uplatz<\/a><\/h3>\nThe Risk-Based Pyramid: A Stratified Approach to Regulation<\/b><\/h3>\n
<\/p>\n
The cornerstone of the AI Act is its proportionate, risk-based approach, which classifies AI systems into a four-tiered pyramid of risk. This structure allows for a calibrated regulatory response, imposing the strictest rules on systems with the highest potential for harm while allowing innovation to flourish in low-risk applications.<\/span>2<\/span><\/p>\n <\/p>\n
Unacceptable Risk: Prohibited Practices<\/b><\/h4>\n
<\/p>\n
At the apex of the pyramid are AI practices deemed to pose an “unacceptable risk” because they represent a clear threat to the safety, livelihoods, and fundamental rights of people. These systems are outright banned from the EU market.<\/span>6<\/span> The Act provides an exhaustive list of eight prohibited practices <\/span>17<\/span>:<\/span><\/p>\n\n- Harmful Manipulation:<\/b> Systems that deploy subliminal, manipulative, or deceptive techniques to materially distort a person’s behavior, impairing their ability to make an informed decision and causing significant harm.<\/span>11<\/span><\/li>\n
- Exploitation of Vulnerabilities:<\/b> AI that exploits the vulnerabilities of a specific group of persons due to their age, disability, or social or economic situation to distort their behavior in a manner that causes significant harm.<\/span>11<\/span> An example is a voice-activated toy that encourages dangerous behavior in children.<\/span>1<\/span><\/li>\n
- Social Scoring:<\/b> The evaluation or classification of individuals or groups over a certain period based on their social behavior or personal characteristics, where the resulting score leads to detrimental or unfavorable treatment that is unjustified or disproportionate.<\/span>2<\/span><\/li>\n
- Real-Time Remote Biometric Identification:<\/b> The use of such systems in publicly accessible spaces for law enforcement purposes is banned, with very narrow and strictly defined exceptions for serious crimes like terrorism, all requiring prior judicial authorization.<\/span>1<\/span><\/li>\n
- Untargeted Scraping of Facial Images:<\/b> The untargeted scraping of facial images from the internet or CCTV footage to create or expand facial recognition databases.<\/span>17<\/span><\/li>\n
- Emotion Recognition in the Workplace and Education:<\/b> The use of AI to infer emotions of individuals in the workplace or in educational institutions, except for medical or safety reasons.<\/span>11<\/span><\/li>\n
- Biometric Categorization:<\/b> Systems that use biometric data to categorize individuals based on sensitive attributes such as race, political opinions, trade union membership, religious beliefs, or sexual orientation.<\/span>11<\/span><\/li>\n
- Predictive Policing:<\/b> AI systems that perform risk assessments of individuals to predict the risk of them committing a criminal offense based solely on profiling or personality traits.<\/span>17<\/span><\/li>\n<\/ol>\n
<\/p>\n
High-Risk AI Systems (HRAIS): The Core of the Regulation<\/b><\/h4>\n
<\/p>\n
The vast majority of the AI Act’s regulatory burden is focused on High-Risk AI Systems (HRAIS), a category that is not prohibited but is subject to a stringent set of legal requirements and conformity assessments before it can be placed on the market.<\/span>8<\/span> An AI system is classified as high-risk if it falls into one of two main categories <\/span>1<\/span>:<\/span><\/p>\n\n- Category 1 (Annex I):<\/b> The AI system is a product, or a safety component of a product, that is already covered by existing EU product safety legislation (the “New Legislative Framework”). This includes products like medical devices, machinery, toys, vehicles, and lifts. A system in this category is only considered high-risk if the underlying product safety legislation already requires it to undergo a third-party conformity assessment.<\/span>8<\/span><\/li>\n
- Category 2 (Annex III):<\/b> The AI system falls into one of eight specific, exhaustively listed areas where its use poses a significant risk to health, safety, or fundamental rights.<\/span>8<\/span> These areas are:<\/span><\/li>\n<\/ol>\n
\n- Biometric identification and categorization of natural persons.<\/span><\/li>\n
- Management and operation of critical infrastructure.<\/span><\/li>\n
- Education and vocational training (e.g., scoring exams, assessing access to institutions).<\/span><\/li>\n
- Employment, workers management, and access to self-employment (e.g., CV-sorting software for recruitment).<\/span><\/li>\n
- Access to and enjoyment of essential private and public services and benefits (e.g., credit scoring).<\/span><\/li>\n
- Law enforcement.<\/span><\/li>\n
- Migration, asylum, and border control management (e.g., automated examination of visa applications).<\/span><\/li>\n
- Administration of justice and democratic processes.<\/span><\/li>\n<\/ul>\n
A crucial nuance within the regulation is a derogation clause for systems listed in Annex III. Such a system is <\/span>not<\/span><\/i> considered high-risk if it does not pose a “significant risk of harm to the health, safety or fundamental rights of natural persons” and does not “materially influence the outcome of decision making”.<\/span>19<\/span> This provides an “off-ramp” for simpler applications, such as those performing narrow procedural tasks or improving the result of a previously completed human activity. However, this is not a simple loophole. The default classification for an Annex III system is high-risk. To utilize the derogation, the provider must take the affirmative step of documenting a thorough assessment justifying its conclusion and must register this assessment in the public EU database.<\/span>8<\/span> This effectively shifts the burden of proof to the provider, who must be prepared to defend their assessment to national competent authorities. Any system that performs profiling of natural persons is always considered high-risk, with no possibility of derogation.<\/span>19<\/span><\/p>\n <\/p>\n
Limited Risk: The Mandate for Transparency<\/b><\/h4>\n
<\/p>\n
For AI systems that do not qualify as high-risk but may still pose risks of deception or manipulation, the Act imposes specific, lighter transparency obligations.<\/span>11<\/span> The goal is to ensure that individuals are aware and can make informed decisions. Key requirements include:<\/span><\/p>\n\n- AI Interaction Disclosure:<\/b> Deployers of systems intended to interact with humans, such as chatbots, must ensure that individuals are informed that they are interacting with an AI system.<\/span>11<\/span><\/li>\n
- AI-Generated Content Labeling:<\/b> Content generated or manipulated by AI systems, such as “deepfakes” or other synthetic audio, image, video, or text, must be clearly and verifiably labeled as artificially generated.<\/span>1<\/span><\/li>\n<\/ul>\n
<\/p>\n
Minimal Risk: Freedom with Encouragement<\/b><\/h4>\n
<\/p>\n
The base of the pyramid comprises the vast majority of AI applications, which are deemed to pose minimal or no risk. This category includes systems like AI-enabled video games or spam filters.<\/span>6<\/span> These systems are not subject to any legal obligations under the Act, and their use is permitted freely. However, the Act encourages providers of such systems to voluntarily adopt codes of conduct to uphold principles of trustworthy AI.<\/span>13<\/span><\/p>\n <\/p>\n
Obligations for High-Risk AI Systems: A Comprehensive Compliance Framework<\/b><\/h3>\n
<\/p>\n
Providers and, to a lesser extent, deployers of HRAIS must adhere to a comprehensive set of requirements detailed in Chapter 3 of the Act. These obligations are designed to ensure safety and protect fundamental rights throughout the system’s entire lifecycle.<\/span><\/p>\n <\/p>\n
Quality Management System (QMS)<\/b><\/h4>\n
<\/p>\n
Under Article 17, providers must establish, document, and maintain a robust Quality Management System. This system is the organizational backbone for ensuring compliance with the Act. It must include a strategy for regulatory compliance, as well as systematic procedures for the design, design control, development, quality assurance, and testing of the HRAIS.<\/span>11<\/span><\/p>\n <\/p>\n
Risk Management System<\/b><\/h4>\n
<\/p>\n
Article 9 mandates a continuous and iterative Risk Management System that runs throughout the AI system’s entire lifecycle.<\/span>16<\/span> This process requires the provider to systematically identify known and reasonably foreseeable risks to health, safety, and fundamental rights. Following identification, these risks must be estimated and evaluated, and appropriate risk management measures must be adopted to ensure that any residual risk associated with the system is judged acceptable.<\/span>16<\/span><\/p>\n <\/p>\n
Data Governance and Quality<\/b><\/h4>\n
<\/p>\n
To combat the risk of discriminatory outcomes, Article 10 imposes strict data governance obligations. Training, validation, and testing datasets must be subject to appropriate governance and management practices. Crucially, these datasets must be relevant, sufficiently representative, and, to the best extent possible, free of errors and complete for the system’s intended purpose.<\/span>16<\/span> This requires a proactive examination of datasets for potential biases and the implementation of measures to detect, prevent, and mitigate them.<\/span>22<\/span> The quality of the data is not just a technical consideration; it is a legal requirement fundamental to the safety and fairness of the HRAIS.<\/span><\/p>\n <\/p>\n
Technical Documentation and Record-Keeping<\/b><\/h4>\n
<\/p>\n
Providers must create and maintain extensive technical documentation <\/span>before<\/span><\/i> the HRAIS is placed on the market, as stipulated in Article 11.<\/span>16<\/span> The specific contents, detailed in Annex IV, are designed to provide a clear and comprehensive demonstration of the system’s compliance with the Act’s requirements.<\/span>23<\/span> This documentation includes a general description of the system, its intended purpose, the methods used in its development, datasheets describing the training data, validation and testing procedures, and information on the risk management system and post-market monitoring plan.<\/span>23<\/span><\/p>\nIn parallel, Article 12 requires that HRAIS be designed with logging capabilities. These systems must automatically and securely record events (logs) throughout their lifetime to ensure a level of traceability appropriate to the system’s intended purpose.<\/span>11<\/span> These logs are essential for monitoring the system’s operation, investigating incidents, and verifying compliance. Deployers are obligated to keep these logs for a period of at least six months.<\/span>24<\/span><\/p>\n <\/p>\n
Transparency and Human Oversight<\/b><\/h4>\n
<\/p>\n
A core principle of the Act is ensuring effective human control over high-risk systems. Article 13 mandates transparency, requiring providers to supply deployers with clear and adequate information, including instructions for use. This information must detail the system’s capabilities, limitations, accuracy levels, and the specific human oversight measures that are necessary for its safe operation.<\/span>16<\/span><\/p>\nArticle 14 builds on this by requiring that HRAIS be designed and developed in such a way that they can be effectively overseen by natural persons during their period of use. This includes implementing appropriate human-machine interface tools, such as the ability to intervene in the system’s operation or a “stop” button to halt it safely.<\/span>16<\/span> The individuals assigned to oversight must have the necessary competence, training, and authority to understand the system’s outputs, monitor for anomalies, and decide when to disregard, override, or reverse a decision.<\/span>16<\/span><\/p>\n <\/p>\n
Accuracy, Robustness, and Cybersecurity<\/b><\/h4>\n
<\/p>\n
Under Article 15, HRAIS must be designed to achieve an appropriate level of accuracy, robustness, and cybersecurity for their intended purpose.<\/span>17<\/span> Robustness entails resilience against errors, faults, or inconsistencies that may occur within the system or the environment in which it operates. Cybersecurity requires that the system be resilient against attempts by unauthorized third parties to alter its use, behavior, or performance, which could exploit system vulnerabilities.<\/span>16<\/span><\/p>\n <\/p>\n
Obligations for Deployers<\/b><\/h4>\n
<\/p>\n
While the majority of obligations fall on providers, Article 26 outlines specific responsibilities for deployers of HRAIS. They must use the system in accordance with its instructions for use, assign competent and trained individuals for human oversight, monitor the system’s operation, and keep the automatically generated logs.<\/span>13<\/span> If a deployer has reason to believe a system presents a risk, they must inform the provider and relevant authorities. Furthermore, before using an HRAIS in a workplace, employers must inform workers’ representatives and the affected workers.<\/span>24<\/span> For certain public sector deployers, a Fundamental Rights Impact Assessment must be conducted and published prior to putting the system into service.<\/span>2<\/span><\/p>\nTable 1: Checklist of Key Obligations for High-Risk AI System Providers<\/b><\/p>\n\n\n\n| Compliance Area<\/span><\/td>\n | Obligation<\/span><\/td>\n | AI Act Article(s)<\/span><\/td>\n | Description of Required Action<\/span><\/td>\n<\/tr>\n\n| Governance & Management<\/b><\/td>\n | Quality Management System (QMS)<\/span><\/td>\n | Art. 17<\/span><\/td>\n | Establish, document, and maintain a QMS covering regulatory strategy, design, development, verification, and post-market monitoring procedures.<\/span><\/td>\n<\/tr>\n\n| <\/td>\n | Risk Management System<\/span><\/td>\n | Art. 9<\/span><\/td>\n | Implement a continuous, iterative risk management process to identify, analyze, evaluate, and mitigate foreseeable risks throughout the AI system’s lifecycle.<\/span><\/td>\n<\/tr>\n\n| Data<\/b><\/td>\n | Data Governance & Quality<\/span><\/td>\n | Art. 10<\/span><\/td>\n | Ensure training, validation, and testing datasets are relevant, representative, and free of errors and biases. Implement appropriate data governance and management practices.<\/span><\/td>\n<\/tr>\n\n| Documentation<\/b><\/td>\n | Technical Documentation<\/span><\/td>\n | Art. 11, Annex IV<\/span><\/td>\n | Draw up and maintain comprehensive technical documentation before market placement, demonstrating compliance with all HRAIS requirements.<\/span><\/td>\n<\/tr>\n\n| <\/td>\n | Record-Keeping (Logging)<\/span><\/td>\n | Art. 12, Art. 19<\/span><\/td>\n | Design the system to automatically generate and store logs of its operation to ensure traceability. Keep these logs under provider control where applicable.<\/span><\/td>\n<\/tr>\n\n| <\/td>\n | EU Declaration of Conformity<\/span><\/td>\n | Art. 47, Annex V<\/span><\/td>\n | Draw up and sign a formal declaration stating that the HRAIS complies with the Act’s requirements. Keep it for 10 years.<\/span><\/td>\n<\/tr>\n\n| Operations & Safety<\/b><\/td>\n | Transparency & Information<\/span><\/td>\n | Art. 13<\/span><\/td>\n | Provide deployers with clear, adequate instructions for use, including the system’s purpose, capabilities, limitations, and required oversight measures.<\/span><\/td>\n<\/tr>\n\n| <\/td>\n | Human Oversight<\/span><\/td>\n | Art. 14<\/span><\/td>\n | Design the system to be effectively overseen by humans, including measures for intervention, and ensure overseers are competent.<\/span><\/td>\n<\/tr>\n\n| <\/td>\n | Accuracy, Robustness, Cybersecurity<\/span><\/td>\n | Art. 15<\/span><\/td>\n | Design and develop the system to achieve appropriate levels of performance, resilience against errors, and protection against vulnerabilities.<\/span><\/td>\n<\/tr>\n\n| Market Access<\/b><\/td>\n | Conformity Assessment<\/span><\/td>\n | Art. 43<\/span><\/td>\n | Undergo the relevant conformity assessment procedure (either internal control or third-party assessment by a Notified Body) to verify compliance.<\/span><\/td>\n<\/tr>\n\n| <\/td>\n | CE Marking<\/span><\/td>\n | Art. 48<\/span><\/td>\n | Affix the CE marking visibly and legibly to the HRAIS (or its packaging\/documentation) after successful conformity assessment.<\/span><\/td>\n<\/tr>\n\n| <\/td>\n | Registration<\/span><\/td>\n | Art. 49<\/span><\/td>\n | Register the provider and the standalone HRAIS in the public EU database before placing it on the market or putting it into service.<\/span><\/td>\n<\/tr>\n\n| Post-Market<\/b><\/td>\n | Post-Market Monitoring<\/span><\/td>\n | Art. 72<\/span><\/td>\n | Establish and document a post-market monitoring system to proactively collect and analyze performance data throughout the system’s lifecycle.<\/span><\/td>\n<\/tr>\n\n| <\/td>\n | Incident Reporting<\/span><\/td>\n | Art. 73<\/span><\/td>\n | Report any serious incidents caused by the HRAIS to the market surveillance authorities of the relevant Member States without undue delay.<\/span><\/td>\n<\/tr>\n\n| <\/td>\n | Corrective Actions<\/span><\/td>\n | Art. 20<\/span><\/td>\n | Take necessary corrective actions if the HRAIS is found not to be in conformity with the requirements. Inform distributors, importers, and deployers.<\/span><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\nConformity, Certification, and Market Access<\/b><\/h3>\n <\/p>\n To legally place an HRAIS on the EU market, providers must navigate a formal process of conformity assessment, certification, and registration, which is central to the Act’s product safety approach.<\/span>26<\/span><\/p>\nAs mandated by Article 43, every HRAIS must undergo a conformity assessment <\/span>before<\/span><\/i> it is placed on the market or put into service.<\/span>13<\/span> The specific procedure depends on the type of system. For certain HRAIS, particularly those that are safety components of products under Annex I, a third-party conformity assessment conducted by an independent “Notified Body” is mandatory.<\/span>11<\/span> These bodies are designated by national authorities to assess the conformity of products before they are placed on the market. For other HRAIS, providers may be permitted to conduct an internal control or self-assessment.<\/span>27<\/span><\/p>\nUpon the successful completion of the conformity assessment, the provider must, under Article 47, draw up and sign a formal EU Declaration of Conformity. This legal document attests that the HRAIS meets all the relevant requirements of the Act.<\/span>20<\/span> Following this declaration, the provider is obligated under Article 48 to affix the “Conformit\u00e9 Europ\u00e9enne” (CE) marking to the HRAIS.<\/span>20<\/span> The CE marking must be visible, legible, and indelible. For digital-only systems, a digital CE marking is permitted.<\/span>27<\/span> This marking signals to regulators and consumers that the product complies with EU law and allows it to move freely within the single market.<\/span> | | | | | | | | | | | | | | | |
![\"\"](\"https:\/\/uplatz.com\/blog\/wp-content\/uploads\/2025\/10\/AI-Governance-Compliance-1-1024x576.jpg\")
<\/p>\n