EU AI Act — Regulation 2024/1689

AI Act compliance by August.
446 agents auditing your systems.

Sturna documents decisions, generates the audit trail regulators will demand, and keeps your AI stack compliant — before the enforcement deadline. August 2, 2026 is real. The fines are real. Are you ready?

⚠️
Enforcement deadline: August 2, 2026 Article 99 maximum: €35M or 7% of global annual revenue — whichever is higher. For a $500M revenue company, that's €35M. For a $5B company, it's €350M. The CFO needs to see this.
--
Days
:
--
Hours
:
--
Minutes
:
--
Seconds
Until August 2, 2026 High-Risk AI Enforcement Deadline
Annex III high-risk classification
Article 9 risk management documentation
Article 14 human oversight enforcement
446 agents — full audit trail
August 2026 enforcement ready

The fine structure is not a bluff.
Know what applies to you.

The EU AI Act defines four risk tiers with escalating penalties. High-risk violations can reach €30M or 6% global turnover. Prohibited AI violations carry the maximum: €35M or 7%.

Prohibited AI
€35M
or 7% of global annual revenue — whichever is higher
Examples: Real-time biometric categorization in public spaces, AI scoring systems for essential services access, social scoring by public authorities, manipulation through subliminal techniques.
High-Risk AI
€30M
or 6% of global annual turnover — whichever is higher
Examples: Hiring and employment decisions, credit scoring, AI in critical infrastructure, medical devices, law enforcement, administration of justice. Annex III categories.
Limited Risk
€15M
or 3% of global annual turnover — whichever is higher
Examples: Chatbots, deepfake disclosures, general-purpose AI models. Transparency obligations apply — non-compliance is the violation.
Minimal Risk
€7.5M
or 1.5% of global annual turnover — whichever is higher
Examples: Spam filters, AI in video games, inventory management. No conformity assessment required, but national enforcement still applies.

How much is your organization exposed?

Enter your annual global revenue. We apply Article 99(3): max(€35,000,000, revenue × 7%).

Your maximum penalty exposure

Four risk tiers. Different obligations.
Know which applies to your AI systems.

Tier Classification Key Requirements Conformity Path
PROHIBITED Prohibited AI (Chapter II) Complete prohibition. Must cease operation and remove from market immediately. National market surveillance authorities enforce. No path — prohibited
HIGH RISK High-Risk AI (Annex III) Risk management system (Art.9) · Data governance (Art.10) · Technical documentation (Art.11) · Accuracy & robustness (Art.15) · Human oversight (Art.14) · Transparency (Art.13) · Logging (Art.12) Conformity assessment required before deployment
LIMITED Limited Risk (Art.50–52) Transparency obligations: AI-generated content must be disclosed. Deepfakes require clear marking. Chatbots must identify as AI. Self-declaration sufficient
MINIMAL Minimal Risk (Art.51) No mandatory requirements under the AI Act. Voluntary codes of conduct encouraged. National supervisory authorities retain enforcement authority. No assessment required

446 agents. Every requirement in scope.

Sturna's multi-agent system maps each EU AI Act requirement to a dedicated specialist agent. Each agent maintains its own audit record in the HMAC-signed chain.

52
Data Governance Agents
Art. 10 — data quality, bias detection, lineage tracking
48
Risk Management Agents
Art. 9 — systematic risk identification, mitigation logging
71
Human Oversight Agents
Art. 14 — oversight enforcement, intervention logging, override trails
44
Transparency Agents
Art. 13 — disclosure enforcement, AI-marking compliance, documentation
83
Technical Documentation Agents
Art. 11 — system architecture records, version control, change logs
68
Accuracy & Robustness Agents
Art. 15 — adversarial testing, accuracy benchmarks, regression tracking
80
Audit Trail Agents
Art. 12 — append-only logging, WORM compliance, HMAC chain integrity

Interactive Compliance Checklist

Run a live assessment against our multi-agent engine. Each button calls the Sturna API in real time — responses are from the same agents that run enterprise pilots.

Is your AI system high-risk under Annex III?
Does your documentation meet Annex IV requirements?
How does your GDPR program map to EU AI Act obligations?

Every Article 9–15 requirement,
covered by dedicated agents.

High-risk AI systems must meet seven documented requirements before deployment. Sturna implements them as operational agent capabilities — not checklist documentation.

📋

Risk Management System (Art. 9)

Continuous risk identification and mitigation documented in real time. Each risk event is logged with severity, affected agents, and remediation steps. Audit-ready, not retrospective.

EU AI Act Art. 9 — Risk Management
🗄️

Data Governance (Art. 10)

Training data quality controls, bias detection across all model versions, and data lineage tracking. Bias events are flagged and logged with the specific training corpus implicated.

EU AI Act Art. 10 — Data Governance
📄

Technical Documentation (Art. 11)

Automated system architecture records, version control, and change logs for every deployment. The documentation package is pre-formatted for conformity assessment submission.

EU AI Act Art. 11 — Technical Documentation
🔍

Transparency & Disclosure (Art. 13)

AI-generated outputs are marked. Users are informed when they interact with AI systems. Deepfakes generated or processed by your AI are flagged with provenance metadata.

EU AI Act Art. 13 — Transparency
👁️

Human Oversight (Art. 14)

Article 14 compliance: every high-risk output has a human oversight gate. Agents log every oversight action — approval, modification, or override — in the append-only audit chain.

EU AI Act Art. 14 — Human Oversight
🎯

Accuracy & Robustness (Art. 15)

Continuous accuracy benchmarks run against production outputs. Adversarial regression tests on every deployment. Drift detection triggers automated reassessment with documented results.

EU AI Act Art. 15 — Accuracy & Robustness
🔐

HMAC-Signed Audit Trail (Art. 12)

Every event — query, response, verification decision, human override — written to an append-only WORM log. Each entry is HMAC-SHA256 signed with the previous entry's hash. Tamper-evident by construction.

EU AI Act Art. 12 — Record Keeping
⚠️

Post-Market Monitoring (Art. 72)

Systematic monitoring for serious incidents and non-compliance after deployment. Serious incident reports are prepared and submitted to national authorities within the required timeframes.

EU AI Act Art. 72 — Post-Market Monitoring

Articles that matter most for enterprise deployments.

Art. 6
Classification Rules
Determines whether your AI system is high-risk, limited, or minimal. Sturna maps your system against all Annex III categories and produces a classification record.
Required for high-risk
Art. 9
Risk Management
Documented risk management system covering the AI system's lifecycle. Must be updated continuously as risks evolve.
Required for high-risk
Art. 10
Data Governance
Training data quality controls, bias mitigation strategies, and representativeness documentation for training datasets.
Required for high-risk
Art. 11
Technical Documentation
Pre-deployment technical records including system architecture, training methodology, validation results. Must be updated for post-market changes.
Required for high-risk
Art. 12
Record Keeping
Automatic logging of system operation, including inputs, outputs, and timeframe. Records must be retained for regulatory scrutiny.
Required for high-risk
Art. 13
Transparency
Users must be informed they are interacting with an AI system. System capabilities and limitations must be disclosed. Deepfakes must be marked.
Required for high-risk
Art. 14
Human Oversight
Mechanisms that allow humans to understand, supervise, and intervene in AI decisions. Humans must be able to override, correct, or disable the system.
Required for high-risk
Art. 15
Accuracy & Robustness
AI systems must achieve appropriate accuracy, robustness, and cybersecurity standards. Accuracy metrics must be documented and maintained.
Required for high-risk
Art. 16
Provider Obligations
Register high-risk systems in the EU database before deployment. Maintain CE marking. Report serious incidents to national authorities.
Required for high-risk
Art. 50
Transparency for Limited Risk
Chatbots must disclose AI nature. Deepfakes must be clearly labeled as AI-generated. Emotion recognition systems must inform users.
Applies to limited risk

Independently verified. Benchmarkable.

📊
Live Benchmark Scores
Real performance metrics on adversarial test sets. Accuracy, recall, false positive rate — not self-reported.
View benchmark results →
🔬
MARCH Adversarial Verification
3-gate adversarial testing. Compliance-scout → adversary-verifier → convergence-synthesizer. Every deployment triggers regression.
See verification runs →
🔐
HMAC Audit Chain
Every agent event logged with SHA-256 chain integrity. WORM append-only. Reviewable by regulators, auditors, or legal counsel.
See audit trail →
Conformity Documentation
Article 9–16 documentation package generated automatically. Pre-formatted for submission to your national authority.
View documentation →
EU AI Act Pilot

Get compliant before August 2026 enforcement.

Two months is not a lot of runway for a conformity assessment. Sturna starts the documentation process immediately — 446 agents generate the audit trail while you work through the classification exercise. Deposit credits month 1. No lock-in.

  • Annex III classification exercise (Art. 6)
  • Article 9 risk management system documentation
  • Article 11 technical documentation package
  • Article 12 audit trail implementation
  • Article 14 human oversight enforcement
  • Article 15 accuracy and robustness benchmarks
  • 446 agents — full HMAC-signed audit chain
  • Convert or get pro-rated refund at day 30
$2,500
one-time pilot deposit
✓ Credits your first month of service
🔒 Payments secured by Stripe
Pro-rated refund if pilot doesn't deliver
No annual contract required
Conformity documentation package included
Architecture Comparison

How Sturna Compares
to Legacy AI Infrastructure

Three routing paradigms. One built for regulated industries.

Metric Legacy DAG Vector Search Sturna
Routing Logic Rule-based Single embedding Tier-Constrained MOA
First Contact Resolution 35–50% 45–60% 75%+
Cost per Intent $0.1200 $0.0800 $0.0108
Guardian Framework 4-role, 5-trigger
zk-SNARK Proof ✓ Live
Source Count Internal only Paid APIs only 38 free sources
Audit-Ready Output Log file only Log file only ✓ HMAC-SHA256
Regulatory Frame No No SEC 17a-4 · HIPAA · EU AI Act
$2,500 Pilot — Start in 4 Weeks → See Live Benchmarks ↗

Questions from compliance leads and CTOs

Does the EU AI Act apply to US companies?
Yes — if your AI system is deployed in the EU or its outputs affect people in the EU. "Deployment in the EU" includes offering a SaaS product to EU users, operating AI-assisted hiring for EU subsidiaries, or processing data from EU residents. The extraterritorial scope (Article 2) catches non-EU providers whose systems are placed on the EU market or whose outputs affect EU persons.
What does "high-risk" actually mean for my system?
Annex III lists 8 categories of high-risk AI. The most common for enterprise deployments are: AI systems used in employment decisions (hiring, promotion, termination), AI in access to essential services (credit scoring, insurance underwriting), and AI used in law enforcement or administration of justice. Sturna's classification agent maps your specific use case against all Annex III categories and produces a written classification record for your DPO or legal counsel.
What's the August 2, 2026 deadline about?
The EU AI Act entered into force on August 1, 2024. High-risk AI systems that were already on the market before August 1, 2024 have until August 2, 2026 to achieve conformity. New high-risk systems deployed after August 1, 2024 must be conformant before going live. Prohibited AI rules apply from February 2, 2025. GPAI model requirements apply from August 1, 2025.
What is a conformity assessment?
A conformity assessment is an independent verification that your high-risk AI system meets all requirements in Articles 9–15. For most systems, this involves a self-assessment against the technical standards — but some Annex III categories (e.g., AI in safety components, medical devices, or law enforcement) require involvement of a Notified Body. Sturna prepares the self-assessment documentation package; your legal team or external auditor reviews it.
Is the $2,500 pilot deposit refundable?
Yes. If at day 30 the pilot hasn't demonstrably advanced your conformity assessment or generated useful audit documentation, you receive a pro-rated refund of unused days. The deposit converts to month 1 of service upon kickoff — it is not a fee for evaluation.
How is this different from DORA (Digital Operational Resilience Act)?
DORA applies specifically to financial sector entities — banks, investment firms, insurance, crypto-asset providers — and covers ICT risk management, incident reporting, and third-party risk. The EU AI Act applies across all sectors and covers AI system design, deployment, and operation. An AI system used by a bank is subject to both DORA (financial resilience) and the EU AI Act (AI risk classification). Sturna supports both regulatory frameworks with separate agent pools.

Get your full compliance assessment

We'll run all 446 agents against EU AI Act obligations and send you a full report — your risk tier, documentation gaps, and recommended remediation steps.

✓ We'll be in touch. Your assessment report is being prepared.

Start your API trial

Run EU AI Act assessments programmatically against your own AI systems. Free API key. No credit card required.

Get API Key →