
EU AI Act Compliance Roadmap 2025

Understand your EU AI Act obligations, assess your compliance gaps, and build audit-ready AI systems. A comprehensive roadmap for enterprise teams, AI startups, compliance leaders, and regulated-industry builders.

โ† All guides


Building Governance-Ready AI Systems

Who This Guide Is For

This guide is designed for:

  • Enterprise AI Teams: building or deploying AI systems in the EU
  • AI Startups: serving EU customers with AI products
  • SaaS Companies: using or building LLMs and AI features
  • Healthcare & Finance Teams: using AI for high-risk decisions
  • HR Tech Teams: using AI for recruitment and talent decisions
  • AI Governance Leaders: building compliance infrastructure

If you're building or deploying AI in the EU, this guide is for you.

A Note on This Guide

This guide is designed for organizations building governance-ready AI systems in the EU. It provides a comprehensive overview of the EU AI Act, explains what operational AI governance looks like, and helps you assess where you stand.

What this guide does:

  • Explains what the law requires
  • Helps you understand your obligations
  • Shows you the scope of work ahead
  • Provides a framework for enterprise AI governance

What you'll need beyond this guide:

  • Legal counsel (for definitive interpretation)
  • Technical implementation support (for your specific systems)
  • Governance and monitoring infrastructure

Ready to discuss your governance strategy? Schedule a compliance assessment

Table of Contents

  1. Who This Guide Is For
  2. What This Law Actually Demands
  3. Why This Matters for Your Business
  4. What AI Is Completely Banned
  5. How the EU AI Act Is Structured
  6. The Annex III High-Risk Categories
  7. The 5 Essential Things You Must Do
  8. Technical Requirements
  9. Transparency & Synthetic Content
  10. Conformity Assessment & CE Marking
  11. Post-Market Monitoring
  12. Harmonized Standards
  13. Enforcement Timeline
  14. Foundation Models & GPAI
  15. Open-Source AI
  16. Compliance Readiness Assessment
  17. Getting Started
  18. About SpanForge
  19. Resources & Next Steps

Section 1: What This Law Actually Demands

The EU AI Act is the world's first comprehensive AI regulation. It came into force in August 2023. Many obligations are now active in 2025–2026.

If you're building or deploying AI in the EU (or serving EU customers), this applies to you.

The Real Structure

The law categorizes AI by risk level, with different obligations for each:

  • BANNED (Prohibited): Certain AI uses are illegal, period.
  • EXTREMELY HIGH-RISK: Requires pre-market conformity assessment + post-market monitoring.
  • HIGH-RISK (Annex III): Requires governance, monitoring, and audit trails.
  • GENERAL-PURPOSE AI: Foundation models have specific obligations.
  • LOWER-RISK: Minimal or transparency-only requirements.

The Simple Version

If you're using AI to make important decisions, the EU wants proof that:

  1. You thought about what could go wrong before you deployed it
  2. You're actively checking it's not breaking things in production
  3. You can show a human being approved important decisions
  4. You wrote it all down and kept records
  5. Your system is robust, accurate, and resilient to attacks

That's it. The law isn't asking for perfect AI. It's asking for audit-ready AI systems.


Section 2: Why This Matters for Your Business

The Financial Stakes

Violation Type | Maximum Fine | Real Example
High-risk AI without proper governance | €30M or 6% of global revenue | A €500M fintech: €30M fine
No audit trail or records | €20M or 4% of global revenue | A €250M insurtech: €20M fine
False transparency | €10M or 2% of global revenue | A €100M HR tech: €10M fine
Deploying banned AI | €30M or 6% of global revenue | Guaranteed enforcement

Beyond the Fine

  • Legal liability: You're liable if someone is harmed and you didn't comply
  • System shutdown: Regulators can order your AI to stop operating immediately
  • Customer trust destroyed: One compliance failure = lost deals and press coverage
  • Insurance problems: E&O insurance becomes impossible or expensive
  • Criminal liability: In extreme cases, individuals can face criminal charges

Real Example

A European fintech deployed AI for credit decisions. They had logs but no way to prove they assessed risk, monitored for bias, got human approval, or kept tamper-proof records.

When regulators investigated, they found: logs, yes. Compliance proof, no.

Result: €2M fine + system shutdown + customer trust destroyed.


Section 3: What AI Is Completely Banned

Some AI systems are illegal under the EU AI Act. You cannot build, deploy, or offer them, regardless of how well they work.

Explicitly Banned AI Systems

Type | What's Banned | Penalty
Social Scoring | AI that rates people's behavior across domains | €30M or 6% revenue
Manipulative AI | AI designed to manipulate people to override their interests | €30M or 6% revenue
Exploitation of Vulnerabilities | AI targeting children or vulnerable people | €30M or 6% revenue
Biometric Categorization | AI categorizing by protected attributes (race, politics, religion, sexuality) | €30M or 6% revenue
Mass Facial Recognition | Untargeted facial recognition scraping from public spaces | €30M or 6% revenue

If any of these apply to you: Stop immediately. Get legal counsel. Don't deploy.


Section 4: How the EU AI Act Is Structured

You Have Roles Under the Act

Role | Who | Obligations
Provider | Company building or offering AI | Design, test, document, conformity assessment
Deployer | Company using AI in operations | Risk assessment, governance, monitoring
Importer | Company importing AI into the EU | Ensure provider compliance
Distributor | Reseller of AI systems | Pass through compliance info

You might be multiple roles with different obligations for each.

Risk Categories

PROHIBITED: Banned systems (Section 3)

EXTREMELY HIGH-RISK: Biometric identification for law enforcement, certain critical infrastructure

  • Requires pre-market conformity assessment
  • Independent third-party review required
  • Post-market monitoring mandatory

HIGH-RISK (Annex III): Most enterprise AI

  • Requires risk assessment, governance, monitoring, audit trails
  • Most common category for companies
  • Focus of this guide

GENERAL-PURPOSE AI: Foundation models (Section 14)

  • Different obligations for builders and deployers

LOWER-RISK: Content recommendation, chatbots

  • Transparency only

Section 5: The Annex III High-Risk Categories

The EU AI Act explicitly lists which applications are considered high-risk.

Official High-Risk Categories

Category | What Qualifies | Examples
Education & Training | AI determining access to education | Admissions screening, exam scoring
Employment & Labor | AI recruiting, selecting, or evaluating employees | Hiring screeners, performance AI
Credit & Banking | AI assessing creditworthiness | Loan approval, credit scoring
Law Enforcement | AI used to detect crime or assess risk | Predictive policing, crime risk scoring
Immigration & Border | AI evaluating asylum or border crossing | Visa decisions, border assessment
Healthcare & Medicine | AI diagnosing patients or recommending treatment | Diagnostic AI, treatment recommendations
Critical Infrastructure | AI managing electricity, water, gas, transportation | Traffic control, power grid optimization
Benefits & Social Services | AI determining eligibility for government benefits | Unemployment benefits, housing assistance
Law Enforcement Risk Assessment | AI assessing crime/re-offense risk for criminal justice | Bail decisions, sentencing recommendations

If your AI falls into any of these categories: You have high-risk obligations (Section 6).


Section 6: The 5 Essential Things You Must Do

This section applies to systems that are high-risk or fall into Annex III categories.

Building governance-ready AI systems requires these 5 foundational practices:

Thing 1: Classify Your AI Systems

Question: Does your AI fall into Annex III or affect fundamental rights?

Action: Audit your systems. List them. Mark which are high-risk.

Outcome: Clear inventory of which systems require operational governance controls

Thing 2: Do a Risk Assessment (Before Deployment)

Question: What could go wrong with this AI system?

Assessment should cover:

  1. What is this AI system designed to do?
  2. What could go wrong? (Be specific: bias? hallucinations? drift?)
  3. Who could be harmed if it goes wrong?
  4. How likely is it to fail?
  5. What's the impact if it fails?

Outcome: Documented risk assessment (your foundation for compliance)

Thing 3: Create Technical Documentation

Question: Can you prove how your system works and what it can/can't do?

Documentation should address:

  • What is this AI for?
  • How does it work?
  • What data does it use?
  • How well does it perform?
  • How secure is it?
  • Who reviews its decisions?

Outcome: Complete technical documentation (what regulators expect to see)

Thing 4: Establish Governance (Ongoing)

Question: Who's responsible? What's the policy? How are decisions made?

Governance should define:

  1. Who owns this AI system?
  2. Policy for deploying new versions
  3. Monitoring frequency and approach
  4. Incident response procedures
  5. Override approval process

Outcome: Written governance policy (your operational blueprint)

Thing 5: Maintain Records & Continuous Monitoring

Question: Can you prove everything about this system's performance?

Continuous governance requires tracking:

  • System performance over time
  • Problems identified and resolved
  • Policy changes and rationale
  • Human oversight decisions
  • Security and performance metrics

Outcome: Complete audit trail (proof of ongoing compliance)


Section 7: Technical Requirements

The Act explicitly requires systems to be accurate, robust, and secure.

Accuracy

  • Your system must perform as intended
  • Performance measured against stated use case
  • Regular testing and monitoring required

Robustness & Adversarial Protection

  • System must withstand attacks and edge cases
  • Tested against adversarial inputs
  • Resilience to distribution shift required

Cybersecurity

  • Data protection (encryption, access control)
  • Regular security audits
  • Vulnerability management
  • Incident response procedures

Section 8: Transparency & Synthetic Content

For AI systems that generate synthetic content, you must disclose when users are seeing AI-generated material.

What the Law Requires

If your AI generates synthetic content:

  • You must disclose to users when they're seeing AI-generated content
  • Exception: For parody, artistic, or research purposes (with context)

Implementation

  1. Does your AI generate synthetic content? If yes: You must disclose
  2. How will you disclose? Mark content with AI disclosure
  3. Are there exceptions? Clearly fictional context, research with context

Section 9: Conformity Assessment & CE Marking

Who Needs CE Marking?

Only extremely high-risk systems require full CE marking:

  • Biometric identification for law enforcement
  • Some critical infrastructure systems

Most high-risk AI systems don't require CE marking. They require:

  • Risk assessment
  • Technical documentation
  • Testing results
  • Governance proof

If You're Uncertain

The question to ask: "Is my system explicitly designed for biometric identification or critical infrastructure control?"

If no, you likely need governance and documentation, not CE marking.


Section 10: Post-Market Monitoring

Once your system is deployed, continuous governance requires ongoing obligations.

Post-Market Monitoring Requirements

You must:

  1. Continuously monitor performance
  2. Detect serious incidents (failures, bias, security breaches)
  3. Maintain incident records

Serious Incident Reporting

What counts as serious:

  • System failure causing harm
  • Significant bias affecting fundamental rights
  • Security breach
  • Regulatory violation

Reporting: typically an initial report within 72 hours, followed by a detailed analysis

Important: Exact thresholds and timelines vary by sector and national authority. Work with legal counsel on your specific jurisdiction.


Section 11: Harmonized Standards

Harmonized standards are technical guidelines that specify how to implement EU AI Act requirements.

What They Are

Standards published by CEN (European Committee for Standardization) that provide guidance on:

  • Measuring fairness in AI
  • Testing robustness
  • Documenting training data
  • Implementing human oversight

How They Work

  1. Standards are developed by CEN
  2. Once published, they create presumption of conformity
  3. Following them makes compliance easier (but not automatic)

Current Status (2025–2026)

  • Some standards published
  • More in development
  • Regulators increasingly reference standards
  • Expected: Core standards (2025–2026), sectoral standards (2026–2027)

Section 12: Enforcement Timeline

Enforcement is phased, not all-at-once.

Key Regulatory Milestones

Already active (2023–2024):

  • August 2023: Act enters into force
  • August 2024: Prohibited AI rules take effect

Active in 2025–2026:

  • June 2025: GPAI rules expected to become operational
  • 2025: Post-market monitoring expectations clarifying

Expected (2026–2027):

  • 2026: Conformity assessment practices maturing
  • 2026–2027: Harmonized standards expected

High-Risk System Trajectory

Timeline | Regulatory Approach | What This Means
Now (2025) | Guidance + early compliance | Risk assessment + governance expected
2026 | Increased scrutiny | Documentation + proof expected
2027+ | Full maturity | Stricter audits + investigation

Important Notes

These timelines are directional, not absolute. They may shift based on delegated acts, standards publication, and national implementation approaches.


Section 13: Foundation Models & GPAI

If you build or deploy a foundation model or general-purpose AI (GPAI), you have additional obligations.

Examples of Foundation Models

  • ChatGPT, GPT-4, Claude
  • Mistral, Llama, other open-source LLMs
  • Any model trained on broad data adaptable to multiple tasks

If You Build a Foundation Model

You must:

  1. Provide technical documentation for deployers
  2. Implement safeguards against misuse
  3. Comply with copyright & licensing
  4. Report serious incidents to regulators

If You Deploy a Foundation Model

You must:

  1. Assess your use case for high-risk status
  2. Implement appropriate controls for your use case
  3. Test for harmful outputs relevant to your domain

Section 14: Open-Source AI

The Act has different rules for open-source GPAI models.

What Counts as Open-Source GPAI

Models where source code and model weights are publicly available.

Examples: Llama, Mistral, open-source versions of other models

Different Obligations for Open-Source Providers

Open-source GPAI providers have reduced obligations compared to proprietary models:

  • No pre-market conformity assessment required
  • No CE marking required
  • BUT: Must still provide technical documentation and disclose risks

If You Deploy Open-Source GPAI

You still have full obligations for your use case. Open-source doesn't change your deployment obligations.


Section 15: Compliance Readiness Assessment

Compliance is a journey, not a destination.

Building governance-ready AI systems is an ongoing practice.

Pre-Deployment Checklist

  • Risk assessment documented
  • Technical documentation created
  • Testing results available
  • Governance policy defined
  • Human oversight plan in place

Post-Deployment (First 3 Months)

  • Monitoring system operational
  • Regular reports generated
  • Governance policy updated based on learnings
  • Incident documentation maintained

Ongoing (Continuous Governance)

  • Consistent monitoring and reporting
  • Regular audits and testing
  • Complete documentation maintained
  • Continuous improvement cycle in place

What a Regulator Would Ask

If an auditor shows up, can you answer these?

  1. "Is this system high-risk, extremely high-risk, or GPAI?"
  2. "Show me your risk assessment."
  3. "Show me your technical documentation."
  4. "How do you monitor for problems?"
  5. "What problems have you found?"
  6. "How did you fix them?"
  7. "Who reviews important decisions?"
  8. "Show me your records."

If you can answer all 8 with documentation, you're significantly better positioned to demonstrate audit readiness.


SpanForge SDK: Implementing EU AI Act Obligations

The SpanForge SDK operationalizes EU AI Act requirements directly: it maps your AI telemetry to specific Articles, generates HMAC-signed evidence packages, and produces the audit documentation conformity assessors expect.

Article-to-SDK Mapping

EU AI Act Clause | Requirement | SpanForge Capability | Event Types
Art. 13 - Transparency | Explainability of AI decisions | sf_explain.explain() · @spanforge.governed | explanation.generated
Art. 14 - Human Oversight | HITL review of high-risk AI | Human-in-the-Loop Workflow Engine | hitl.queued, hitl.reviewed, hitl.escalated
Art. 14 - Human Oversight | Consent for automated processing | Consent boundary monitoring | consent.granted, consent.revoked, consent.violation
Annex IV.5 - Technical Documentation | Safety and oversight audit trail | sf-audit, HMAC audit chains, T.R.U.S.T. scorecard | llm.guard.*, llm.audit.*, hitl.*
Art. 10 - Data Governance | Training data PII audit | SFPIIClient.audit_training_data() | llm.redact.*

Generating Your EU AI Act Evidence Package

from spanforge.core.compliance_mapping import ComplianceMappingEngine

engine = ComplianceMappingEngine()
package = engine.generate_evidence_package(
    model_id="your-model-id",
    framework="eu_ai_act",
    from_date="2026-01-01",
    to_date="2026-03-31",
)

print(package.gap_report)     # clause-by-clause coverage gaps
print(package.attestation)    # HMAC-signed attestation for auditors

Or via CLI:

spanforge compliance generate \
  --model-id your-model-id \
  --framework eu_ai_act \
  --from 2026-01-01 \
  --to 2026-03-31

Key SDK Features for EU AI Act Compliance

  • Explainability: sf_explain.explain(response, context) returns a signed ExplainRecord with Art. 13/14 clause mapping and decision_drivers on every call
  • Human-in-the-Loop: full state machine (PENDING → APPROVED / REJECTED → CLOSED) with SLA auto-escalation and role-based action matrix
  • Model Registry: register models with owner and risk_tier; attestations auto-warn on ungoverned models
  • CI/CD Gate Pipeline: sf-gate evaluates release quality gates and blocks unsafe releases before production
  • T.R.U.S.T. Scorecard: five-pillar trust assessment (Transparency · Reliability · UserTrust · Security · Traceability) with SVG badge

SDK Reference: Compliance & Tenant Isolation · Evidence Export · Enterprise Integrations
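Thing 5 in Section 6 asks for records a regulator can trust, and the mapping table above lists HMAC audit chains as the capability behind the Annex IV.5 audit trail. The block below is an added illustration of that technique, written for this guide and not taken from the SpanForge SDK: every governance record is HMAC-tagged together with the previous record's tag, so editing, dropping or reordering an earlier entry is caught on verification. The key, model id, case id and event payloads are constructed sample values; the event names follow the hitl.* types in the table.

```python
import hashlib
import hmac
import json
from copy import deepcopy
from typing import Any, Dict, List, Optional, Tuple

GENESIS_TAG = "0" * 64  # anchor value for the first record's "prev" link


def _canonical(payload: Dict[str, Any]) -> bytes:
    # Deterministic serialisation so the same record always yields the same tag.
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def _compute_tag(key: bytes, payload: Dict[str, Any], prev_tag: str) -> str:
    # The tag covers the previous record's tag as well; that is what links the chain.
    msg = prev_tag.encode() + b"\n" + _canonical(payload)
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class AuditChain:
    """Append-only list of governance events, each HMAC-linked to its predecessor."""

    def __init__(self, key: bytes):
        self._key = key
        self.records: List[Dict[str, Any]] = []

    def append(self, event: str, **fields: Any) -> Dict[str, Any]:
        prev_tag = self.records[-1]["tag"] if self.records else GENESIS_TAG
        payload = {"seq": len(self.records), "event": event, **fields}
        entry = dict(payload, prev=prev_tag, tag=_compute_tag(self._key, payload, prev_tag))
        self.records.append(entry)
        return entry


def verify_chain(key: bytes, records: List[Dict[str, Any]]) -> Tuple[bool, Optional[int]]:
    """Return (True, None) if the chain is intact, else (False, index of first bad record)."""
    prev_tag = GENESIS_TAG
    for i, rec in enumerate(records):
        payload = {k: v for k, v in rec.items() if k not in ("prev", "tag")}
        if rec.get("prev") != prev_tag or payload.get("seq") != i:
            return False, i  # a record was removed, reordered, or its link rewritten
        expected = _compute_tag(key, payload, prev_tag)
        if not hmac.compare_digest(expected, str(rec.get("tag", ""))):
            return False, i  # record content was edited after its tag was written
        prev_tag = rec["tag"]
    return True, None


def demo() -> Dict[str, Tuple[bool, Optional[int]]]:
    key = b"constructed-demo-key-use-a-kms-in-production"  # constructed sample key
    chain = AuditChain(key)
    # Constructed sample events using the hitl.* event types from the mapping table.
    chain.append("hitl.queued", model_id="demo-credit-model", case_id="c-1001")
    chain.append("hitl.reviewed", case_id="c-1001", reviewer="analyst-7", decision="rejected")
    chain.append("hitl.escalated", case_id="c-1001", reason="sla_breached")

    edited = deepcopy(chain.records)
    edited[1]["decision"] = "approved"  # a human review outcome silently flipped after the fact
    dropped = deepcopy(chain.records)
    del dropped[1]  # the review record removed entirely

    return {
        "intact": verify_chain(key, chain.records),
        "edited": verify_chain(key, edited),
        "dropped": verify_chain(key, dropped),
    }


if __name__ == "__main__":
    for name, (ok, bad) in demo().items():
        print(f"{name}: {'intact' if ok else f'tampered at record {bad}'}")
```

Verification only proves integrity relative to the key holder, so the key belongs in a KMS with access separate from the people who write records; anyone holding it could re-tag a rewritten chain.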


Section 16: Getting Started

Building an operational AI governance infrastructure isn't a one-time project.

Your specific situation is more complex than this guide can address because:

  • Your systems are unique. Compliance obligations differ by system type, risk level, and deployment context.
  • Your architecture is unique. Implementation approaches vary significantly based on your infrastructure and data handling.
  • Your risks are unique. Some risks matter more for your use cases than others.
  • Your timeline is unique. Some companies can move fast; others need to coordinate across teams.

What You Need to Build Compliance-Ready Systems

To move from "I understand the law" to "I'm actually compliant," you need:

  1. Assessment: What are YOUR specific obligations?
  2. Custom approach: What does governance look like for YOUR systems?
  3. Implementation support: How do you actually build this?
  4. Continuous governance: How do you stay compliant as systems evolve?

Next Step

Schedule a 30-minute assessment.

During this call, we'll:

  • Understand your AI systems
  • Identify which ones are high-risk
  • Assess your current gaps
  • Create a recommended implementation approach
  • Discuss implementation timeline and next steps

Section 17: About SpanForge

SpanForge helps organizations build governance-ready AI systems. We provide the governance infrastructure, continuous monitoring, and operational compliance workflows needed to meet regulatory requirements and maintain customer trust. From assessment through implementation and beyond, we help you move from audit-ready concepts to audit-ready practice.


Section 18: Resources & Next Steps

What's Included in This Guide

  • Overview of EU AI Act requirements
  • Explanation of your obligations
  • Assessment framework
  • Understanding of compliance scope
  • Readiness checklist
  • Positioning for governance-ready AI systems

What You'll Need Beyond This Guide

  • Legal counsel: For definitive interpretation specific to your situation
  • Technical implementation support: For your specific systems and architecture
  • Governance and monitoring infrastructure: For continuous AI governance

This Is the Starting Point

This guide is designed to:

  • Build awareness of the requirements
  • Show you what's necessary for governance-ready AI
  • Help you assess your current state relative to obligations
  • Demonstrate the scope of work required

It's not designed to be a complete compliance solution. That's where comprehensive AI governance infrastructure comes in.

Schedule Your Assessment

Ready to understand your specific obligations?

Schedule a 30-minute assessment →

We'll help you understand:

  • Your specific obligations
  • Current compliance readiness
  • Recommended implementation approach
  • Implementation timeline and next steps

Contact

Schedule Your Compliance Assessment

→ sriram@getspanforge.com

We'll help you build governance-ready AI systems that:

  • Meet EU AI Act requirements
  • Pass regulatory scrutiny
  • Maintain customer trust
  • Enable European growth

Disclaimer

This is an educational guide, not legal advice.

Compliance with the EU AI Act depends on:

  • Your system's specific risk category
  • Your role under the Act (provider, deployer, importer, distributor)
  • Your deployment context and target users
  • Applicable technical and procedural standards
  • Regulatory interpretations, which continue to evolve

For definitive legal advice, consult with qualified legal counsel specializing in EU AI regulation.

Terminology: This guide uses "extremely high-risk" as a simplified operational term. Official Act terminology uses "high-risk," "prohibited," "GPAI," and "systemic-risk GPAI."

Timeline note: Enforcement timelines are based on current regulatory expectations but may evolve based on delegated acts, standards publication, and national implementation approaches.


Brought to you by SpanForge
May 2026
