Compliance · White paper

EU AI Act: High-Risk System Compliance

Annex III classification, Article 9 risk management, Article 10 data governance, Article 15 accuracy and robustness, and the Annex IV technical file. What a Canadian FRFI with EU reach must produce before August 2, 2026.

Published: April 24, 2026
Length: 50 pages · PDF
Format: Regulator readable · cited
Language: English (en-CA)
Abstract

What this paper is for.

Regulation (EU) 2024/1689, the EU AI Act, applies its high-risk obligations from August 2, 2026. Its extraterritorial reach captures any provider or deployer placing AI on the EU market, plus any system whose output is used in the EU. This paper walks the full conformity assessment path for Canadian, US and UK institutions: classification, obligations, technical file, post-market monitoring, and how the same artifacts answer OSFI E-23, NIST AI RMF, and ISO 42001.

Key findings

The takeaways our research desk stands behind.

  • Extraterritorial scope captures institutions without an EU establishment. Output-based reach is the trigger most teams miss.
  • Article 10 data governance is the hardest clause to retrofit; plan for it from day one.
  • Annex IV technical documentation is the deliverable, not the sum of internal artifacts.
  • GPAI obligations cascade to deployers through contractual flow-down. Due diligence must be documented.
  • Serious incident reporting windows are short: 15 days baseline, 10 days for death cases, and 2 days for widespread infringement or critical infrastructure disruption.

Table of contents

What is inside.

  1. Executive summary
  2. Scope, extraterritoriality, and staged enforcement
  3. Prohibited practices: Article 5 screening
  4. High-risk classification: Annex III walkthrough
  5. Article 9: Risk management system
  6. Article 10: Data governance and quality
  7. Article 11: Technical documentation (Annex IV)
  8. Article 13: Transparency and user information
  9. Article 14: Human oversight
  10. Article 15: Accuracy, robustness, cybersecurity
  11. GPAI obligations and model provider diligence
  12. Post-market monitoring and incident reporting
  13. Conformity assessment routes
  14. Cross-walk: OSFI E-23, NIST AI RMF, ISO 42001
  15. Deployer vs provider obligations
  16. Appendix: Annex IV compilation checklist

Intended audience

General Counsel, Data Protection Officers, Chief AI Officers and AI risk teams in cross-border institutions.