Regulation · EU AI Act readiness
EU AI Act enforcement starts 2 August 2026. Be ready.
From 2 August 2026 the European Commission's enforcement powers for general-purpose AI models enter into application. Article 50 transparency obligations take legal effect across every member state on the same day, with fines up to 3% of global annual turnover. Every framework, every audit, every regulator question starts with the same precondition: you cannot govern what you cannot see.
What happens on 2 August 2026
Three obligations bite simultaneously across the EU
GPAI enforcement powers
From 2 August 2026 the AI Office can request information from any provider of a general-purpose AI model, require model access for evaluations, mandate risk-mitigation measures, restrict market availability, or issue fines up to 3% of global annual turnover.
Article 50 transparency
Disclosure required whenever a person interacts with an AI system. Machine-detectable labelling on synthetic content. Explicit watermarking obligations on deepfakes. Effective in every member state from the same day.
Governance + penalties active
National competent authorities are designated. Notified bodies are operational. Penalty regimes vary by member state but the upper bands are harmonised — the maximum is 3% of global turnover for GPAI obligations and up to 7% for prohibited AI uses.
Existing GPAI models placed on the market before 2 August 2025 have until 2 August 2027 to comply — a 12-month grace window that is already half spent.
Who is affected
Not just AI providers — anyone deploying AI in the EU
The Act distinguishes providers (organisations that build or ship AI systems and models), deployers (organisations that use AI systems professionally), and distributors (organisations that make AI systems available on the EU market). Most of GreyScape's customers are deployers — and the Act still puts material obligations on them, especially when AI is used for hiring, credit, education, law enforcement, biometrics, or any of the other Annex III high-risk categories.
Providers
Build or ship AI systems / GPAI models. Hardest obligations: technical documentation, risk management, conformity assessment, post-market monitoring, registration in the EU database for high-risk systems.
Deployers (most of you)
Use AI systems in professional activity. Obligations: human oversight, input-data appropriateness, monitoring + logging of consequential decisions, inform people they're interacting with AI (Article 50), keep records for at least 6 months.
Distributors / importers
Make AI systems available on the EU market. Verify provider compliance markings, refuse market placement of non-conforming systems, cooperate with surveillance authorities.
How GreyScape maps to the Act
Where GreyScape's evidence fits each obligation
We are not a certification body and we do not promise compliance. What we do is produce the underlying evidence every framework requires: a current inventory of AI in use, attribution of who is using it for what, a tamper-evident audit log of every admin action, and exportable records that pass an internal or external audit.
| Obligation | Evidence GreyScape produces |
|---|---|
| Art. 13 — Transparency to deployers | Per-tool record card: provider, model, data residency, prompt retention, training-on-data policy, sub-processors. Updated each sync. |
| Art. 14 — Human oversight | Approval workflow log: every new AI workload scoped, justified, and approved before a service-account key is issued. |
| Art. 19 — Automatically generated logs | Per-provider usage log with timestamp, user, model, token count, and cost. Exportable to CSV or pushed via Public Reporting API. |
| Art. 26 — Deployer obligations | Tenant-wide AI inventory: every tool in use, every user, every dollar. Discovery-first so the inventory is comprehensive, not self-reported. |
| Art. 50 — Transparency to people | Approved-models policy + per-app classification (chat, code, image, agent) supports the disclosure required when humans interact with AI. |
| Art. 71 — EU database registration | Export of high-risk AI systems your organisation deploys, formatted for registration submission. |
| Art. 99 — Penalties / evidence on demand | Tamper-evident audit log of every admin action, every policy change, every approval — exportable as a signed evidence pack. |
How it works in the portal
Seven steps from inventory to regulator-ready evidence
The Act's obligations all assume you already know which AI systems you run, who owns them, on what models, for what purpose, with what oversight. GreyScape's discovered inventory becomes the spine of that work — every step below is a real surface in the portal, not a feature description.
1. Classify each AI system in the inventory
   Open /compliance/register. Every AI subscription GreyScape has discovered appears as a row marked Unclassified. Click any tool → the 6-section questionnaire asks for role under the Act (provider / deployer / importer / distributor), risk class (prohibited / high / limited / minimal), Annex III use-case selection if high-risk, internal owner, legal basis, and human-oversight design.
2. See the whole estate in one register
   The classified-systems table sorts by risk class (prohibited → high → limited → minimal → unclassified). Owner, classification status, Annex III count and monthly cost surface on the same row. Click any row to open the per-system detail page.
3. Track the gap to 2 August 2026
   The /compliance/dashboard shows a live countdown to enforcement plus four gap cards: unclassified systems, high-risk systems missing oversight documentation, classifications still in draft, and high-risk systems without an assigned internal owner. Each gap card links straight to the rows that need work.
4. Work the obligation checklist per system
   When a classification saves, the platform materialises the applicable obligations from the catalogue — Articles 4, 5, 9-17, 26 (each sub-paragraph), 27, 49, 50 (each sub-paragraph), 71 and 73 — based on the (role × risk class) combination. Each obligation is a row with status (pending / in_progress / complete / not_applicable), an optional due date, and free-text notes. Article 50 transparency triggers are flagged automatically from the tool name (chat, image, voice, video, deepfake-capable).
5. Attach evidence to the system
   The evidence vault on each system holds the documents auditors and notified bodies ask for first: DPIA, conformity assessment certificate, instructions for use, vendor declarations, risk assessments, AI literacy training records, human oversight design documents. 10 MB per file, expiry tracking, downloadable from one click. Plus: Article 4 AI literacy tracking with bulk LMS imports, Article 73 serious-incident reporting workflow, and a SHA-256-chained audit log verifiable end-to-end via /api/audit-log/verify.
6. Complete the FRIA for high-risk systems
   Article 27 requires a Fundamental Rights Impact Assessment for deployers of high-risk AI in essential public/private services. The structured template captures purpose, scope of use, affected categories, risks to fundamental rights, mitigation measures, and residual risk acceptability. Sign-off by a designated reviewer is recorded with timestamp.
7. One-click audit pack export
   The detail page's Download audit pack button produces a single self-contained HTML document — the artefact a regulator, internal audit, customer vendor-risk team, or insurer asks for first. Includes classification rationale, Article 50 triggers, full obligation checklist with status + notes, evidence inventory (filenames + kind + uploader), FRIA, last 50 audit-log entries for the system, and a SHA-256 integrity hash. Prints to PDF cleanly.
Bonus: forward the audit trail to your SIEM
Article 26(6) requires deployers of high-risk AI to retain the automatically-generated logs for at least six months. GreyScape's SIEM forwarder (configured under /compliance/SIEM forwarding) pushes every audit event + every classification change + every shadow-AI discovery to your security stack via a generic JSON webhook — Splunk HEC, Microsoft Sentinel, Elastic, Datadog, LogScale, or any HTTPS endpoint with bearer-token auth. Per-stream toggles, idempotent cursor advance, automatic retry on failure.
What you get
The EU AI Act readiness pack
Every paid GreyScape tenant can request the readiness pack — a single ZIP containing the evidence most auditors and DPOs ask for first. Standard customers download it from inside the portal; Enterprise customers receive a quarterly refresh signed by us.
AI inventory snapshot (CSV + PDF)
Every AI tool in use across your tenant, with category, status, attribution, data-flow classification, and the discovery surface that flagged it. Snapshot dated and signed.
Tamper-evident admin audit log
Every admin action, every approval, every policy change since tenant creation. Cryptographic chaining so any later edit is detectable. Exportable JSON + PDF summary.
Mapping to Articles 13, 14, 19, 26, 50, 71, 99
A markdown + PDF document mapping each named Article to the GreyScape evidence that satisfies it, with example records. Updated when the underlying obligations change.
Sub-processor + data residency declarations
Our DPA, current sub-processor list, EU data residency confirmation, and the data classification we apply to each connector. Drop-in for your own Article 28 vendor record.
Customers on the Standard tier get on-demand access. Enterprise customers receive quarterly refreshes and a security review session before each refresh.
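The chaining idea behind the tamper-evident audit log described above, as an added example that is not GreyScape's code: the entry layout (`body`, `prev_hash`, `hash`), the all-zero genesis value and the sample events are assumptions made for illustration. It also shows why the newest hash has to be recorded outside the log, since a chain on its own cannot reveal that its most recent entries were dropped.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed anchor for the first entry's prev_hash


def entry_hash(prev_hash, body):
    """SHA-256 over the previous hash plus a canonical JSON encoding of the body."""
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + canonical).encode("utf-8")).hexdigest()


def append(log, body):
    """Append an event, linking it to the hash of the entry before it."""
    prev = log[-1]["hash"] if log else GENESIS
    log.append({"body": body, "prev_hash": prev, "hash": entry_hash(prev, body)})


def verify_chain(log, expected_head=None):
    """Return None if the chain is intact, else (index, reason)."""
    # expected_head: newest hash stored outside the log; without it, tail truncation goes unnoticed.
    prev = GENESIS
    for i, entry in enumerate(log):
        if entry["prev_hash"] != prev:
            return (i, "broken link")
        if entry_hash(prev, entry["body"]) != entry["hash"]:
            return (i, "content altered")
        prev = entry["hash"]
    if expected_head is not None and prev != expected_head:
        return (len(log), "head mismatch")
    return None


def sample_log():
    """Constructed sample events, not real product records."""
    log = []
    append(log, {"ts": "2026-01-10T09:00:00Z", "actor": "admin@example.com",
                 "action": "policy.update", "target": "approved-models"})
    append(log, {"ts": "2026-01-10T09:05:00Z", "actor": "admin@example.com",
                 "action": "classification.save", "target": "system-17"})
    append(log, {"ts": "2026-01-11T14:30:00Z", "actor": "reviewer@example.com",
                 "action": "fria.signoff", "target": "system-17"})
    return log


if __name__ == "__main__":
    log = sample_log()
    log[1]["body"]["target"] = "system-99"  # simulate a later edit
    print(verify_chain(log))
```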
The cost of being unready
The Act's penalty bands are deliberately tiered to the severity of the obligation. Headline numbers in EUR:
- Up to €35M or 7% of global annual turnover — prohibited AI uses (Art. 5).
- Up to €15M or 3% of global annual turnover — non-compliance of high-risk AI systems, GPAI obligations.
- Up to €7.5M or 1% of global annual turnover — supplying incorrect information to authorities.
Member states set their own enforcement processes within those caps. Many have already designated competent authorities. For a regulator question that arrives next year, the answer you can give in the first 48 hours determines whether the rest of the conversation is comfortable or expensive.
Start the readiness work today
Connect one source in 10 minutes — a corporate-card feed, your SSO, or just forward your billing inbox. Your first AI inventory snapshot and audit-log trail begin populating immediately. Read-only on day one. No procurement gate.
Frequently asked
EU AI Act readiness — common questions
Does the EU AI Act apply to us if we're not in the EU?
Yes, in many cases. The Act is extraterritorial: it applies to providers placing AI systems on the EU market and to deployers whose AI output is used in the EU, regardless of where the organisation is established. A US SaaS company with European customers is in scope. A UK-based AI provider shipping to the EU is in scope.
What changes on 2 August 2026?
The Commission's enforcement powers for general-purpose AI models become operational, and Article 50 transparency obligations take legal effect across every member state simultaneously. The AI Office can issue fines up to 3% of global annual turnover for GPAI obligation breaches from that date.
Are we a provider or a deployer?
Most GreyScape customers are deployers — they use AI systems built by others (OpenAI, Anthropic, Google, AWS). Deployer obligations are lighter than provider obligations but still material: human oversight, monitoring, logging, transparency to affected people, and a documented record of high-risk use cases.
Does GreyScape certify our EU AI Act compliance?
No. Compliance certification is the role of notified bodies under the Act. What GreyScape produces is the underlying evidence — the AI inventory, the audit trail, the policy log — that every readiness assessment, internal audit, and notified-body review depends on.
What about ISO 42001 and NIST AI RMF?
The same evidence GreyScape produces maps directly to ISO/IEC 42001 (AI Management System) controls and to the NIST AI RMF 1.1 functions. The readiness pack includes a mapping table for both.