Regulation (EU) 2024/1689 · High-risk in force 2 Aug 2026

The AI Act is here. You need an authorised representative — and a file cabinet.

If you're a non-EU provider of a high-risk AI system — or a GPAI model above the compute threshold — you must appoint an authorised representative in the EU, maintain an Annex IV technical file, and respond to market surveillance authorities. We handle all three.

Book a demo → Classify our system

Annex IV · Technical Documentation Technical Dossier

C E

High-risk Annex III · 5(b) — credit scoring

LendSight v3.2 — automated creditworthiness system

01General description of the system4 pp.

02Design specifications & data governance12 pp.

03Risk management system8 pp.

04Performance metrics & evaluation6 pp.

05Post-market monitoring plandrafting

Provider LendSight, Inc. Palo Alto, CA

EU Representative EU Presence Art. 22 · Filed 22 Apr 2026

Risk classification

Where does your system actually land?

The AI Act regulates by risk tier — and the obligations between tiers are a step function, not a slope. Most teams we talk to are either in High-Risk or Limited-Risk, often unclear which. We classify precisely.

TIER 1BANNED

Unacceptable risk

Social scoring, real-time remote biometric ID in public, subliminal manipulation, untargeted scraping for facial databases. Prohibited outright since 2 Feb 2025.

TIER 2← most of our clients

High-risk AI systems

Hiring & HR screening · creditworthiness · critical infrastructure · medical devices · law enforcement · border control · education admission · biometric categorisation. Full Annex III list. Requires: authorised rep, tech file, QMS, conformity assessment, CE mark, post-market monitoring, serious-incident reporting.

TIER 3TRANSPARENCY

Limited risk

Chatbots, emotion recognition, deepfakes, AI-generated content. Transparency obligations: users must be told they're interacting with AI, content must be marked. Applies from 2 Aug 2026.

TIER 4LIGHT TOUCH

Minimal risk

Spam filters, game NPCs, AI-enhanced productivity tools. Voluntary codes of conduct only.

Plus · GPAI models

General-purpose AI models have their own regime.

Any GPAI provider — above or below the 10²⁵ FLOP threshold — has Chapter V obligations. Non-EU GPAI providers must appoint an authorised representative (Art. 54) regardless of risk tier. In force since 2 Aug 2025.

GPAI checklist →

The cost of non-compliance

The AI Act carries the highest fines in EU tech law.

MAX FINE¹

€35M

Or 7% of global annual turnover — for prohibited practices. The highest fine ceiling of any EU tech regulation, above both GDPR and DSA.

HIGH-RISK PENALTY¹

€15M

Or 3% of global turnover for most Chapter III obligations breaches — documentation, post-market monitoring, conformity.

PROHIBITED SINCE²

Feb 2025

Unacceptable-risk practices already enforced. National authorities are issuing guidance and first fines through 2025.

HIGH-RISK DEADLINE²

Aug 2026

Full Chapter III applies. Representative, tech file, conformity assessment, CE mark, and post-market plan all required.

1. AI Act Art. 99 — administrative-fine ceilings per obligation type (prohibited / high-risk / other).
2. Regulation (EU) 2024/1689, Art. 113 — staggered entry-into-application schedule.

What you get

One representative. Every obligation.

Art. 22 / 54 appointment

Named authorised representative registered with the EU's AI database. Listed on your documentation, in your CE declaration, and on your product UI where required.

Risk classification

Precise Annex III analysis for every system and use case. Documented decision, defensible under audit. Re-assessed when you ship material changes.

Technical file (Annex IV)

Structured, versioned, Annex IV–compliant. Stored for 10 years. Available on request to any market surveillance authority in any member state.

Conformity assessment

Self-assessment coordinated end-to-end — or notified body liaison where required. EU Declaration of Conformity drafted, signed, filed. CE marking support.

Post-market monitoring

Monitoring plan, incident logging, serious-incident reporting to national authorities within 15 days. Annex VIII registration upkeep.

Market surveillance liaison

When authorities write in, we respond — in the national language, within deadline, with the right slice of the tech file attached.

Technical file

The documentation market surveillance actually asks for.

Annex IV lists exactly what the technical file must contain for a high-risk system. Your authorised representative keeps it, updates it, and makes it available on request. We structure it, co-author it with your team, and store it for 10 years.

/acme-hire-screener-v2.1/

📁 01-system-description/

intended-purpose.md✓ signed

deployer-instructions.md✓ signed

system-architecture.pdf✓ signed

📁 02-design-specifications/

model-card.md✓ signed

training-data-summary.md✓ signed

data-governance.md⋯ draft v3

📁 03-risk-management/

risk-register.xlsx✓ signed

bias-testing-results.pdf✓ signed

fundamental-rights-impact.md⋯ review

📁 04-conformity/

self-assessment.pdf✓ signed

EU-declaration-of-conformity.pdf✓ filed

CE-marking-record.pdf✓ filed

📁 05-post-market/

monitoring-plan.md✓ signed

incident-log.csv✓ live

Your technical file lives in our secure archive — versioned, timestamped, readable by market surveillance authorities in any member state. When a request comes in, we respond with the relevant package within the statutory deadline. Your team doesn't scramble.

✓Every Annex IV requirement covered with a dedicated artefact
✓Versioned — every model update triggers a file increment
✓10-year retention, as required under Art. 18
✓Co-authored with your ML, security, and legal teams
✓One-click export for market surveillance requests

Enforcement timeline

The dates that actually matter.

2 FEB 2025

Prohibited practices

Unacceptable-risk uses banned outright. €35M fine ceiling already in force.

2 AUG 2025

GPAI obligations

GPAI providers publish model cards, document training data, appoint EU rep if non-EU.

NOW · PREP WINDOW

Build your tech file

High-risk providers should have the tech file structured and rep appointment in progress.

2 AUG 2026

High-risk in force

Full Chapter III obligations apply. Authorised rep required. Conformity assessments due.

2 AUG 2027

Annex I products

AI systems embedded in regulated products (medical devices, toys, lifts, etc.) fall under the full regime.

Proof

AI teams shipping to Europe, defensibly.

From frontier GPAI labs to hiring-tech startups to health-AI providers — Article 22/54 appointments filed, tech files structured, classification defensible.

GPAI · > 10²⁵ FLOPs

"Our model cards, training-data summary, and systemic-risk doc were ready before the August deadline. No scramble. We shipped to the EU on schedule."

Ayaan Rashid Head of Policy · Frontier GPAI lab

"We thought we were limited-risk. Their classification call put us in high-risk — that answer alone saved us a €15M exposure."

Carla Vitti CPO · Hiring-tech SaaS

"The doctree on day one looked terrifying. By month three it was just another shared workspace. Regulators get a clean package."

Niko Mendoza CTO · Medical AI, Series B

"Post-market monitoring was a checkbox we'd have wing-ed. Their plan is sector-specific, real, and we've already filed two serious-incident reports."

Hana Yi VP Compliance · Education AI

120+Art. 22 / 54 appointments

10 yrTechnical file retention

< 15 dSerious-incident filings

100%Conformity declarations on file

Pricing

Priced by risk tier, not by parameter count.

Transparency

$899/month

Limited-risk + GPAI under threshold

Chatbots, deepfakes, generative tools, and GPAI below the 10²⁵ FLOP threshold. Covers Chapter IV transparency and GPAI Chapter V.

Included

Art. 54 authorised representative
GPAI model card & training data summary
Transparency UI copy & audit
Annex VIII registration upkeep
Up to 25 authority inquiries / yr

Start Transparency →

Most chosen

Full Compliance

$2,499/month

High-risk · Annex III systems

Full Chapter III programme for high-risk AI: Annex III systems in HR, credit, medical, critical infra, education, law enforcement.

Everything in Transparency, plus

Art. 22 authorised representative
Annex IV tech file hosted & versioned
Conformity assessment coordination
EU Declaration of Conformity drafted
Post-market monitoring plan
Serious-incident reporting (15-day)

Book a demo →

Frontier

Custom

GPAI systemic · notified-body systems

GPAI models with systemic risk (> 10²⁵ FLOPs), notified-body AI products, or sector-regulated AI (medical devices, lifts, toys).

Everything in Full Compliance, plus

Systemic risk assessment
Adversarial testing coordination
Notified body liaison
Cybersecurity & robustness evaluations
AI Office direct line
Dedicated AI policy counsel

Talk to sales →

Often purchased together

AI teams who take this also take.

AI Compliance Bundle

Three products. One engagement. 15% off.

AI systems process personal data. That means GDPR and AI Act. Take both under one engagement, plus the public-facing trust hub enterprise buyers look for.

You save $4,824 / yr

THIS PAGE

AI Act Representative

Art. 22 / 54 rep, Annex IV tech file, conformity & post-market monitoring.

Full Compliance$2,499 / mo

ADD

GDPR Representative

Your AI processes EU personal data — Art. 27 rep is mandatory, and high-scrutiny.

Flat$127 / mo

ADD

Privacy Center

Enterprise buyers ask for a public trust hub. Ship one in an afternoon.

Plus$57 / mo

BUNDLE TOTAL

$2,683 / mo $2,281/ mo · 15% off Book a bundle call →

Common questions

What ML & legal teams ask us first.

Our AI isn't "high-risk." Do we still need you?

Maybe. If you're GPAI (you train or serve a foundation model) and non-EU, Article 54 requires an authorised representative even for low-risk deployment. If you're limited-risk (chatbots, deepfakes, emotion-detection UI), you have transparency obligations but don't need a rep. We'll tell you in 30 minutes.

What's the line between high-risk and everything else?

Annex III is the definitive list. The frequent ones for startups: employment screening, creditworthiness, education admission, law enforcement, and access to essential services. If your system is used in one of those contexts — even as a tool inside a larger product — you're in.

Do we need a notified body?

Most high-risk systems qualify for self-assessment. Exceptions: biometric identification systems, and Annex I products where a notified body is already in the loop for safety certification. We coordinate either path.

Can you be both our GDPR and AI Act rep?

Yes — same entity, different mandates. One engagement, two appointments, unified archive. Most of our high-risk AI clients take both.

What about the UK?

The UK is pursuing a sectoral, principles-based approach — no UK AI Act equivalent yet. We track it and will advise when a UK representative regime emerges.

Can we switch representatives later?

Yes. Authorised representative appointments are terminable with reasonable notice. We help with the handover, file the change with the relevant market surveillance authority, and export your technical file. 30-day termination, no punitive clauses.

Ship into Europe, defensibly.

30-minute classification call. Tech-file index by next week. A named representative before 2 August 2026 — with everything Annex IV asks for.

Book classification call → Bundle with GDPR Rep