EU AI Act Compliance Requirements

The EU AI Act isn’t theory anymore — it’s live law. And for Medical AI teams, it just became a business-critical mandate. If your AI product powers diagnostics, clinical decision support, or imaging you’re now officially building a high-risk AI system in the EU. What does that mean? ⚖️ Article 9 — Risk Management System Every model update must link to a live, auditable risk register. Tools like Arterys (Acquired by Tempus AI) Cardio AI automate cardiac function metrics. They must now log how model updates impact critical endpoints like ejection fraction. ⚖️ Article 10 — Data Governance & Integrity Your datasets must be transparent in origin, version, and bias handling. PathAI Diagnostics faced public scrutiny for dataset bias, highlighting why traceable data governance is now non-negotiable. ⚖️ Article 15 — Post-Market Monitoring & Control AI drift after deployment isn’t just a risk — it’s a regulatory obligation. Nature Magazine Digital Medicine published cases of radiology AI tools flagged for post-deployment drift. Continuous monitoring and risk logging are mandatory under Article 61. At lensai.tech, we make this real for medical AI teams: - Risk logs tied to model updates and Jira tasks - Data governance linked with Confluence and MLflow - Post-market evidence generation built into your dev workflow Why this matters: 76% of AI startups fail audits due to lack of traceability. The EU AI Act penalties can reach €35M or 7% of global revenue Want to know how the EU AI Act impacts your AI product? Tag your product below — I’ll share a practical white paper breaking it all down.

It’s been a big month in AI governance - and I’m catching up with key developments. One major milestone: the EU has officially released the final version of its General-Purpose AI (GPAI) Code of Practice on July 10, 2025. Link to all 3 chapters: https://lnkd.in/gCnZSQuj While the EU AI Act entered into force in August 2024, with certain bans and literacy requirements already applicable since February 2025, the next major enforcement milestone arrives on August 2, 2025—when obligations for general-purpose AI models kick in. The Code of Practice, though voluntary, serves as a practical bridge toward those requirements. It offers companies a structured way to demonstrate good-faith alignment—essentially a soft onboarding path to future enforceable standards. * * * The GPAI Code of Practice, drafted by independent experts through a multi-stakeholder process, guides model providers on meeting transparency, copyright, and safety obligations under Articles 53 and 55 of the EU AI Act. It consists of three separately authored chapters: → Chapter 1: Transparency GPAI providers must: -Document what their models do, how they work, input/output formats, and downstream integration. - Share this information with the AI Office, national regulators, and downstream providers. The Model Documentation Form centralizes required disclosures. It’s optional but encouraged to meet Article 53 more efficiently. → Chapter 2: Copyright This is one of the most complex areas. Providers must: - Maintain a copyright policy aligned with Directives 2001/29 and 2019/790. - Respect text/data mining opt-outs (e.g., robots.txt). - Avoid crawling known infringing sites. - Not bypass digital protection measures. They must also: - Prevent infringing outputs. - Include copyright terms in acceptable use policies. - Offer a contact point for complaints. The Code notably sidesteps the issue of training data disclosure—leaving that to courts and future guidance. → Chapter 3: Safety and Security (Applies only to systemic-risk models like GPT-4, Gemini, Claude, LLaMA.) Providers must: - Establish a systemic risk framework with defined tiers and thresholds. - Conduct pre-market assessments and define reevaluation triggers. - Grant vetted external evaluators access to model internals, chain-of-thought reasoning, and lightly filtered versions—without fear of legal retaliation (except in cases of public safety risk). - Report serious incidents. - Monitor post-market risk. - Submit Safety and Security Reports to the AI Office. * * * Industry reactions are mixed: OpenAI and Anthropic signed on. Meta declined, citing overreach. Groups like CCIA warn it may burden signatories more than others. Many call for clearer guidance—fast. Regardless of EU regulation or US innovation, risk-managed AI is non-negotiable. Strong AI governance is the baseline for trustworthy, compliant, and scalable AI. - Reach out to discuss! #AIGovernance

Article 14 of the EU AI Act requires human oversight of high risk AI Systems who are trained in operating the system AND who are trained to overcome Automation Bias. The law requires this training and education because the lawmakers (Dragos Tudorache, Axel Voss et al.) know that everyone of us suffers from Automation Bias - every single one of us. ForHumanity provides these learning objectives as a means to satisfy the legal requirement for human overseers to overcome automation bias. Thelearning objectives describe the following: 🔅 Definition and descriptions of Automation Bias 🔅 Examples of Automation Bias in real life - how it truly impacts all of us.  🔅 Why Automation Bias matters 🔅 What does one need to know and do to overcome Automation Bias 🔅 How to recognize Automation Bias for remedy 🔅 How to overcome Automation Bias 🔅 Taking Action Automation bias causes us to: 😲 drive into lakes, 😧 produce ChatGPT - New! tutorials for doctors that have non-existent sources 😧 produce court briefs with faulty case law 😡 use facial recognition technology with embedded bias for years before quitting 😖 treat inferences as "facts" 😭 trust machines over people and these are but a few of the harms caused by automation bias. Overcoming automation bias teaches students how to approach these tools with a healthy skepticism and to establish skills and tools to overcome our own bias. We believe that good training tools founded on these principles will result in human oversight that meets the requirements of the law and will reduce the negative impacts of automation bias to all of humanity. These learning objectives are available for wide usage from academic endeavors to commercial teaching platforms under license. But most important, we think that humanity is better off when we can mitigate the automation bias that we all suffer from. Many thanks to a dedicated team that worked weekly for the past 9 months, including Michael Simon, CIPP-US/E, CIPM Katrina Ingram Steve English Ren Tyler, CPACC Anne Heubi Inbal Karo Maud Stiernet and Natalia Vyurkova #independentaudit #infrastructureoftrust #automationbias #euaiact

European Commission issues Q&A on #AI. What do you need to know? 🔹️The legal framework will apply to both public and private actors inside and outside the EU as long as the AI system is placed on the Union market or its use affects people located in the EU. 🔹️It can concern both providers (e.g. a developer of a CV-screening tool) and deployers of high-risk AI systems (e.g. a bank buying this screening tool 🔹️ Importers of AI systems will also have to ensure that the foreign provider has already carried out the appropriate conformity assessment procedure, bears a European Conformity (CE) marking and is accompanied by the required documentation and instructions of use. 🔹️ There are 4 levels of risk: minimal, high, unacceptable and transparency. - unacceptable risk includes: = Social scoring = Exploitation of vulnerabilities of persons, use of subliminal techniques; = Real-time remote biometric identification in publicly accessible spaces by law enforcement, subject to narrow exceptions; = Biometric categorisation = Individual predictive policing; Emotion recognition in the workplace and education institutions, unless for medical or safety reasons (i.e. monitoring the tiredness levels of a pilot); = Untargeted scraping of internet or CCTV for facial images to build-up or expand databases. 🔹️ The risk classification is based on the intended purpose 🔹️ Annexed to the Act is a list of use cases which are considered high-risk. 🔹️ AI system shall always be considered high-risk if it performs profiling of natural persons. 🔹️Before placing a high-risk AI system on the EU market or putting it into service, providers must subject it to a conformity assessment. For biometric systems a third-party conformity assessment is required. 🔹️ Providers of high-risk AI systems will also have to implement quality and risk management systems 🔹️ Providers of Gen AI models must disclose certain information to downstream system providers. Such transparency enables a better understanding of these models. 🔹️AI systems must be technically robust to guarantee that the technology is fit for purpose and false positive/negative results are not disproportionately affecting protected groups (e.g. racial or ethnic origin, sex, age etc.) 🔹️ High-risk systems will also need to be trained and tested with sufficiently representative datasets to minimise the risk of unfair biases embedded in the model 🔹️They must also be traceable and auditable, ensuring that appropriate documentation is kept, including of the data used to train the algorithm that would be key in ex post investigations. 🔹️Providers of non-high-risk applications can ensure that their AI system is trustworthy by developing their own voluntary codes of conduct or adhering to codes of conduct adopted by other representative associations. #dataprivacy #dataprotection #AIprivacy #AIgovernance #privacyFOMO https://lnkd.in/es8JSXhN image by rawpixel.com on freepik

In a few weeks, on August 2, 2025, a legal line in the sand for AI will be drawn The EU’s AI Act is about to make history. No, it doesn’t ban training on copyrighted content. However, it does make transparency and copyright compliance mandatory for any general-purpose AI model offered in the EU, regardless of where it’s built. If your AI model learns from creative works, you’ll need: • A copyright compliance policy • A public summary of training data • Technical safeguards for infringing outputs • Clear, machine-readable labeling of AI-generated content And here’s what many overlook: Even if you didn’t train the model, if your company uses a non-compliant one to serve EU clients, you’re liable too. The AI Act is opt-out-based: creators must explicitly signal that they don’t want to be included. But for the first time, they have a lever. And for AI, it’s a wake-up call: the days of opaque scraping are numbered. The EU has drawn the line. The real question is: who follows next, how, and when? Read my breakdown of what Article 53 means for developers, rights holders, and anyone building with GPAI: https://lnkd.in/eP95hJcP #AI #Copyright #EUAIAct #GenerativeAI #GPAI #Innovation #DigitalRights #Compliance #ContentCreators #ArtificialIntelligence #visualcontent #visualtech

The European Commission published official guidelines for general-purpose AI (GPAI) providers under the EU AI Act. This is especially relevant for any teams working with foundation models like GPT, Llama, Claude, and open-source versions. A few specifics I think people overlook: -If your model uses more than 10²³ FLOPs of training compute and can generate text, images, audio, or video, guess what…you’re in GPAI territory. -Providers (whether you’re training, fine-tuning, or distributing models) must: -Publish model documentation (data sources, compute, architecture) Monitor systemic risks like bias or disinformation -Perform adversarial testing -Report serious incidents to the Commission -Open-source gets some flexibility, but only if transparency obligations are met. Important dates: August 2, 2025: GPAI model obligations apply August 2, 2026: Stronger rules kick in for systemic risk models August 2, 2027: Legacy models must comply For anyone already thinking about ISO 42001 or implementing Responsible AI programs, this feels like a natural next step. It’s not about slowing down innovation…it’s about building AI that’s trustworthy and sustainable. https://lnkd.in/eJBFZ8Ki