EU AI Act: High-Risk System Compliance

A practitioner playbook for Annex III classification, Article 9 risk management, Article 10 data governance, Annex IV technical documentation, provider/deployer allocation, and evidence-backed operation before the 2 August 2026 high-risk obligations apply.

Published: May 12, 2026
Length: 69 pages · PDF
Format: Regulator readable · cited
Language: English (en-CA)

Abstract

What this paper is for.

Regulation (EU) 2024/1689, the EU AI Act, brings most high-risk AI system obligations into application on 2 August 2026. Its extraterritorial reach captures providers and deployers established outside the Union where the AI system's outputs are used in the EU. This revised paper treats the high-risk AI system as an evidence object and works through, in order: classification, Article 5 screening, Article 9 risk management, Article 10 data governance, Article 14 human oversight, Article 15 performance and cyber controls, GPAI dependency diligence, post-market monitoring, serious incident reporting, and Annex IV technical-file compilation.

Key findings

The takeaways our research desk stands behind.

  • High-risk compliance is a file-production discipline: the defensible deliverable is an evidence-backed technical file mapped to Articles 9-15 and Annex IV.
  • Article 10 data governance is the hardest clause to retrofit; provenance, representativeness, bias controls, data suitability and retention need design-time ownership.
  • Human oversight under Article 14 must be operational: named overseers, authority to intervene or stop use, competence evidence, escalation routes and run records.
  • GPAI dependency diligence now belongs in the high-risk system file: provider evidence, limitations, evaluation posture, incident history, training-data summaries and change notices.
  • The same evidence spine can satisfy EU AI Act, GDPR, DORA, ISO/IEC 42001, NIST AI RMF and OSFI E-23 when controls are indexed to one system inventory.

Table of contents

What is inside.

  1. Executive summary
  2. Scope, extraterritoriality and enforcement calendar
  3. Article 5 prohibited-practices screen
  4. High-risk classification: Annex III and product overlays
  5. Article 9: Risk management system
  6. Article 10: Data governance and quality
  7. Article 11 and Annex IV technical documentation
  8. Article 12 logging and record-keeping
  9. Article 13 transparency and user information
  10. Article 14 human oversight
  11. Article 15 accuracy, robustness and cybersecurity
  12. GPAI dependencies and value-chain responsibilities
  13. Post-market monitoring and serious incident reporting
  14. Provider and deployer operating model
  15. Conformity assessment and EU declaration of conformity
  16. Cross-walk to OSFI E-23, NIST AI RMF and ISO/IEC 42001
  17. Appendix: Annex IV compilation checklist

Frameworks covered

Regulator and standards reach.

Intended audience

General Counsel, Data Protection Officers, Chief AI Officers and AI risk teams in cross-border institutions.