1 · AI SDK inventory of your repositories
AI SDKs, ML frameworks, model artefacts, and Annex III patterns found in nominated repositories, with file, line, branch and commit provenance. Exported as SARIF 2.1.0, JSON, or CSV.
EU AI Act Governance
EU AI Act evidence that starts in your code and ends in a human-approved register
Document AI systems, conformity, and Article 27 FRIA with code evidence and AI-assisted drafting grounded in your own records. Code Scan AI Governance mode is live today; the AI System Register and 30 Member-State conformity templates are available on opt-in. Classification stays human-approved.
Your walkthrough delivers:an AI SDK inventory of nominated repositories with file/line/branch/commit provenance, an Article 50 transparency-scope flagging pass, and a walked-through draft EU AI Act assessment on one of your detected systems.
Key takeaways
- The EU AI Act is Regulation (EU) 2024/1689 (EUR-Lex), a risk-based law for AI systems in the EU. Obligations differ by role (provider vs deployer), system type, and risk tier.
- Article 50 transparency obligations start to apply on 2 August 2026; prohibited-practice rules already apply and high-risk provisions phase in through 2028. See the EU AI Act Ireland guide for the full timeline and Irish enforcement model.
- An “AI System Register” is not a named statutory artefact, but the underlying duties are: Article 11 / Annex IV technical documentation, Article 49 EU-database registration, and an Article 27 FRIA for in-scope Annex III deployers. For AI that processes personal data, the DPC (Ireland) and ICO (UK) still expect a current Article 30 RoPA and an Article 35 DPIA.
- Code Scan AI Governance mode is live today; the AI System Register and 30 Member-State conformity templates are available on opt-in (early access). Classification stays human-approved — no language model in the write path.
What you walk away with
Three concrete artifacts from a first engagement
A walkthrough is a working session, not a slide deck. Your team leaves with three portable outputs: Code Scan results, a draft assessment, and an inventory view.
2 · Article 50 transparency-scope flagging
Chatbots, AI-generated content libraries, and biometric or emotion-classification SDKs flagged for DPO review against Article 50 transparency scenarios.
3 · Walked-through draft EU AI Act assessment
One detected AI system taken through the conformity questionnaire, Article 27 FRIA section where in scope, AI-drafted answers, human approval, and a sample four-field classify-back.
Code Scan, made concrete
What every finding looks like
Code Scan never returns “AI was detected, somewhere”. Every signal carries the exact file, line, branch and commit where it was found — so a reviewer can pull the actual code, verify the detection, and decide what to do. The provisional EU AI Act risk-tier and article citations are signals for human review, not legal determinations.
Findings export as SARIF 2.1.0, JSON, CSV, and a 10-section EU AI Act governance narrative drafted for human review.
src/api/transcribe.ts:14:5
DetectedOpenAI SDK · audio.transcriptions.createGPAIYes — OpenAI is a GPAI provider (Art. 51)Risk hintLimited risk — Art. 50 transparency may applyCitationsArt. 50 · Art. 51ForYour DPO / AI lead to review
EU AI Act answer
Where Acompli fits in EU AI Act work
The EU AI Act (Regulation (EU) 2024/1689) is a risk-based framework for AI systems in the European Union. Obligations differ by role, system type, and risk level.
The timetable is phased: prohibited-practice rules already apply, Article 50 transparency obligations begin on 2 August 2026, and high-risk provisions continue phasing in through 2028.
Acompli helps organisations document EU AI Act obligations with AI-assisted drafting, human approval, and an audit-ready evidence trail. Read the full Ireland guide.
What software supports EU AI Act inventory and conformity documentation?
Acompli supports EU AI Act documentation with Code Scan AI Governance mode today: code-level AI evidence with file, line, branch, and commit provenance for review. Opt-in modules add the AI System Register, 30 Member-State conformity templates, AI-assisted answer drafting, and user-entered ISO 42001 / NIST AI RMF crosswalks. Classification fields copy from human-approved assessments, not from an LLM.
What is the difference between an AI System Register and a GDPR Article 30 RoPA?
A GDPR Article 30 RoPA documents personal-data processing; an AI System Register is the multi-framework analogue for AI systems. The two join on the per-system data register, so an AI system that processes personal data links to the relevant RoPA activity.
| Dimension | Article 30 RoPA | AI System Register |
|---|---|---|
| Legal basis | GDPR Article 30 (EU & UK GDPR) | EU AI Act (Reg. (EU) 2024/1689); no single named-register article |
| Unit of record | Processing activity | AI system |
| Key fields | Purpose, legal basis, data categories, recipients, retention, transfers | Provider/deployer role, risk tier, Annex III category, GPAI flag, Article 6(3) flag, conformity status |
| Regulator expectation | DPC (Ireland) and ICO (UK) in any audit or inquiry | Article 11/Annex IV docs, Article 49 EU-database, Article 27 FRIA where in scope |
| Acompli status | Live core module | Available on opt-in (early access); classification human-approved |
Can code scanning support EU AI Act compliance?
Code scanning can produce reviewable engineering evidence of AI SDKs, model artefacts, automated-decision patterns, biometric libraries, and Annex III signals present in a codebase. These support the DPO or AI governance lead, but do not replace the deployer's legal determination.
What is the difference between a provider and a deployer under the EU AI Act?
A provider develops an AI system or general-purpose AI model and places it on the EU market under its own name; a deployer uses an AI system under its authority. Providers carry most pre-market duties; deployers carry use-time duties, including an Article 27 FRIA for certain high-risk uses.
| Obligation area | Provider | Deployer |
|---|---|---|
| Role | Develops and places on the EU market under its own name | Uses the system under its own authority |
| Pre-market duties | Risk management, Article 11/Annex IV documentation, conformity assessment, CE marking, Article 49 registration | Generally none (relies on the provider's conformity) |
| Use-time duties | Post-market monitoring and corrective action | Human oversight (Article 14), monitoring, log retention (Article 12) |
| FRIA (Article 27) | Not the FRIA duty-holder | Required for certain high-risk Annex III uses |
What ships
What is live, opt-in, or out of scope
Acompli sells AI governance and evidence management, not automated EU AI Act compliance. Nothing in the platform makes a binding legal determination, blocks deployments, files Article 27(3) notifications, or completes EU filing steps for you. Every draft is reviewed and approved by a person; the register's classification fields are copied from the human-approved answer, with no language model in the write path.
Last reviewed: 2 June 2026. EU AI Act Ireland guide · Code Scan AI Governance mode.
Available today (live, visible)
- Code Scan AI Governance mode— zero-copy GitHub scans for AI SDK, model artefact, automated-decision, biometric, and Annex III pattern signals, each with provenance and article-cited hints for review.
- AI Governance SDK Knowledge Library— staff-curated AI SDK and vendor references with GPAI status, Annex III area, FRIA hint, and article citations.
- Code Scan exports— SARIF 2.1.0, JSON, CSV, and a 10-section AI Act governance narrative draft for human review.
- External GRC Integration API — scoped, read-only REST/OpenAPI feed for organisations with the AI Register add-on enabled.
Available on opt-in (per-organisation enablement)
- AI System Register — one governed record per AI system, joined to the relevant RoPA activity, ISO 42001 / NIST AI RMF crosswalks, and audit history.
- EU AI Act conformity assessments— one generic template plus 30 Member-State variants, with conditional paths for prohibited, high-risk, GPAI, transparency, FRIA, provider, and deployer scenarios.
- FRIA Article 27 section — guided through the seven statutory inputs, with deployer self-attestation for trigger scope and Member-State reference.
- AI-assisted answer drafting — drafts grounded in your Knowledge Base. Every answer is flagged
needs_review; approved classification fields write deterministically to the register. - EU AI Act Risk Analysis— drafts article-cited risks from an assessment's evidence for a human reviewer to confirm or amend.
- Executive reporting — board rows for total / high-risk / GPAI systems, conformity coverage, and missing-evidence metrics.
Not included today
- Code-scan-to-AI-Register direct discovery (Code Scan currently feeds a draft assessment, not a register entry).
- A dedicated “AI Act evidence pack” report from Code Scan.
- AI Register webhook / push sync and ServiceNow / Jira destination-profile mapping.
- EU-database submission (Acompli records registration status and URL only).
- Conformity review-cadence reminders and substantial-modification reclassification workflows.
The lifecycle
From repository evidence to a human-approved register
Code Scan evidence capture is live today. AI Register and conformity-assessment surfaces are enabled per organisation as opt-in modules, with human approval at the control point.
Discover
Code Scan connects to nominated repositories through zero-copy GitHub access and surfaces AI SDKs, model artefacts, automated-decision patterns, biometric libraries, agent tool registries, and Annex III signals. Each finding carries provenance and article citations for review.
Inventory (on opt-in)
Each AI system gets a governed record carrying role, risk tier, Annex III category, GPAI flag, conformity references, the relevant RoPA activity, and user-entered ISO 42001 / NIST AI RMF crosswalks.
Assess (on opt-in)
Launch an EU AI Act conformity assessment from a register entry. The platform drafts answers from your Knowledge Base, flags each answer
needs_review, and keeps evidence lineage visible.Human review & approve
A person reviews the drafted answers and progresses the assessment. Nothing becomes a classification until a human approves.
Classify back
On approval, four tagged classification answers write deterministically back to the AI system record, with no language model in the write path and an audit event that cites the source assessment.
Report & export
The inventory and findings roll up into board metrics, auditor-ready exports, governance narratives, and scoped read-only API feeds for GRC tools.
EU AI Act questions answered
Practical questions about buyer evaluation, inventory records, DPIAs, RoPA links, Article 27, Article 50, and market-specific governance.
What software supports EU AI Act inventory and conformity documentation?
Acompli supports EU AI Act documentation with code-level AI evidence available today through Code Scan AI Governance mode — which surfaces AI SDK, model artefact, automated-decision, and high-risk pattern signals from connected GitHub repositories with file, line, branch, and commit provenance for human review. Additional capabilities available on opt-in include an AI System Register (a multi-framework analogue of Article 30), 30 Member-State conformity assessment templates with conditional gating for prohibited, high-risk, GPAI, transparency, and FRIA paths, AI-assisted answer drafting grounded in your organisation's own knowledge base, and user-entered crosswalks to ISO 42001 and NIST AI RMF controls — with the four EU AI Act classification fields (risk tier, Annex III category, Article 6(3) flag, GPAI flag) copied deterministically from human-approved assessments, and a full audit history.
What is the difference between an AI System Register and a GDPR Article 30 RoPA?
A GDPR Article 30 Record of Processing Activities documents personal-data processing across an organisation. An AI System Register is the multi-framework analogue for AI systems: each entry carries the EU AI Act role and risk tier, Annex III category, GPAI flag, Article 6(3) exemption flag and reasoning, conformity status, Annex VIII record (CE marking, EU-database registration status, Annex IV technical-documentation reference), and crosswalks to ISO 42001 and NIST AI RMF controls. The two registers join on the per-system data register, so an AI system that processes personal data links to the relevant RoPA activity.
Can code scanning support EU AI Act compliance?
Code scanning can produce reviewable engineering evidence of which AI SDKs, model artefacts, automated-decision patterns, biometric or emotion-classification libraries, and Annex III–relevant components are actually present in a codebase, each finding carrying file, line, branch, and commit provenance and a provisional EU AI Act risk-tier hint with article citations. These are signals for human review by a DPO or AI governance lead — they support, but do not replace, the deployer's legal determination of risk tier, conformity, or FRIA scope.
What is the difference between a provider and a deployer under the EU AI Act?
A provider develops an AI system or general-purpose AI model and places it on the EU market or puts it into service under its own name. A deployer uses an AI system under its authority (other than in a personal non-professional activity). Providers carry the bulk of pre-market obligations: risk management, technical documentation, conformity assessment, CE marking, and EU-database registration for high-risk systems. Deployers carry use-time obligations: human oversight, monitoring, log retention, and — for certain high-risk uses — a Fundamental Rights Impact Assessment under Article 27.
Is an AI System Register a legal requirement in Ireland and the UK?
A formal "AI System Register" is not itself a named statutory artefact in Irish or UK law — but the underlying obligations that fill one are. Under the EU AI Act (Regulation (EU) 2024/1689), providers and deployers of high-risk AI must keep technical documentation under Article 11 and Annex IV, register high-risk systems in the EU database under Article 49, and — for Annex III deployers in scope of Article 27 — produce and notify a FRIA. For any AI system that processes personal data, the Data Protection Commission (DPC) expects a current Article 30 RoPA, a DPIA where Article 35 thresholds are met, and Schrems II–compliant transfer documentation. In the UK, the ICO sets parallel expectations under the Data Protection Act 2018 alongside the government's pro-innovation principles framework. An AI System Register is the practical way to keep that evidence in one place. Acompli enables the AI System Register as an opt-in early-access module; Code Scan AI Governance mode is live in the platform now and contributes the engineering evidence.
How should Irish and UK firms compare EU AI Act compliance tools?
The useful evaluation criteria are: (1) does the tool keep one governed record per AI system with the four classification fields the Act actually uses (risk tier, Annex III category, Article 6(3) exemption flag, GPAI flag) — not a free-text field; (2) does it join AI Act evidence to GDPR governance (Article 30 RoPA, DPIA, Schrems II transfer documentation) the DPC and ICO already expect; (3) does it keep human approval in the write path, with an audit history; (4) does it produce engineering evidence (which AI SDKs and Annex III patterns are actually in your code) or only paper assessments; (5) does it have Member-State conformity overlays, since national competent authorities differ. Acompli ships Code Scan AI Governance mode today; the AI System Register and the 30 Member-State conformity templates are available on opt-in.
More detailed questions
How do GDPR DPIAs and Article 30 records feed an AI System Register?
A high-risk AI system under Annex III that processes personal data triggers both regimes. The GDPR DPIA (Article 35) and the Article 30 RoPA entry describe the personal-data side: purpose, legal basis, categories of people, retention, recipients, international transfers, and risk mitigations. The AI System Register adds the AI-side fields the EU AI Act requires: provider/deployer role, risk tier, Annex III category, GPAI flag, Article 6(3) exemption reasoning, Annex VIII conformity record, and FRIA reference where Article 27 applies. The two join on the per-system data register, so DPC and ICO evidence is reused rather than re-keyed. Acompli's AI Register add-on (available on opt-in) is designed so the existing RoPA is the personal-data spine for AI-system entries.
What should AI Act inventory software track for an Annex III high-risk system?
For an Annex III system the inventory should carry: the deployer/provider role, the precise Annex III sub-category, the Article 6(3) exemption flag and reasoning (where claimed), whether the system uses or is a GPAI model, the Articles 8–15 control evidence (risk management, data governance, technical documentation under Article 11/Annex IV, automatic logging under Article 12, transparency, human oversight under Article 14, accuracy/robustness/cybersecurity under Article 15), the Annex VIII conformity record (conformity assessment route, CE marking status, EU-database registration reference under Article 49), the Article 27 FRIA reference if the deployer is in scope, and — for any personal data — the linked Article 30 RoPA activity and Schrems II transfer impact assessment. Acompli's AI System Register is enabled as an opt-in early-access module structured around these fields; classifications write deterministically from the human-approved assessment.
How do Article 50 transparency obligations apply to Irish-deployed chatbots and AI-generated content?
From 2 August 2026 deployers of AI systems that interact with people must inform users they are interacting with an AI system, providers of synthetic-content systems must mark AI-generated audio, image, video, and text in a machine-readable way, and deployers of emotion-recognition or biometric-categorisation systems must inform people exposed to them. For Irish organisations the practical step is to identify chatbots, content-generation tools, and biometric SDKs already in production (Code Scan AI Governance mode surfaces these from connected GitHub repositories with file/line/branch/commit provenance), then document the user-facing notification, the marking mechanism, and the deployer's record — for human review by the DPO. Acompli supports the documentation; the notification and labelling design remain the deployer's decision.
Does an Annex III AI system processing personal data also need a GDPR DPIA?
Yes, almost always. The DPC's list of mandatory DPIA cases under Article 35 GDPR explicitly includes large-scale or innovative use of new technologies (which captures most Annex III AI), automated decision-making with legal or similarly significant effects, and systematic monitoring. A FRIA under EU AI Act Article 27 is additional, not a substitute — it covers fundamental-rights risks beyond data protection (non-discrimination, dignity, redress) and, where in scope, is notified to the national competent authority. The two assessments share evidence: purpose, categories of people, risks, mitigations, oversight. Acompli's AI Register add-on (available on opt-in) is built so DPIA evidence and FRIA evidence reuse a single Knowledge Base, with the four AI-Act classification fields copied deterministically from the human-approved assessment.
Market-specific questions
Deutsch
Welche Software unterstützt die Dokumentation der EU-KI-Verordnung im Unternehmen?
Acompli unterstützt die Dokumentation zur EU-KI-Verordnung mit KI-Nachweisen auf Code-Ebene, die heute über Code Scan AI Governance mode verfügbar sind — Signale zu KI-SDKs, Modellartefakten, automatisierten Entscheidungen und Hochrisiko-Mustern aus verbundenen GitHub-Repositorys werden mit Datei-, Zeilen-, Branch- und Commit-Nachweis für die menschliche Prüfung ausgegeben. Zusätzliche Funktionen sind auf Opt-in-Basis verfügbar: ein KI-Systemregister (rahmenübergreifendes Pendant zu Artikel 30), 30 mitgliedstaatsspezifische Konformitätsbewertungsvorlagen mit bedingter Verzweigung für verbotene Praktiken, Hochrisiko-KI, GPAI, Transparenz und FRIA, KI-gestützte Antwortentwürfe verankert in der Wissensbasis Ihrer Organisation, sowie von Ihrem Team gepflegte Kontrollabbildungen für ISO 42001 und NIST AI RMF (Crosswalk — keine automatische rechtliche Klassifikation) — mit den vier EU-KI-Verordnungs-Klassifikationsfeldern (Risikostufe, Anhang-III-Kategorie, Artikel-6-Absatz-3-Flag, GPAI-Flag), die deterministisch aus von Menschen genehmigten Bewertungen übernommen werden, und einer vollständigen Auditspur.
Wie unterscheiden sich Anbieter und Betreiber unter der EU-KI-Verordnung?
Ein Anbieter entwickelt ein KI-System oder ein Allzweck-KI-Modell und bringt es unter eigenem Namen in der EU in Verkehr oder in Betrieb. Ein Betreiber nutzt ein KI-System unter eigener Verantwortung (außer in einer privaten, nicht beruflichen Tätigkeit). Anbieter tragen den Großteil der Pflichten vor Markteintritt: Risikomanagement, technische Dokumentation, Konformitätsbewertung, CE-Kennzeichnung und EU-Datenbank-Registrierung für Hochrisiko-Systeme. Betreiber tragen die Pflichten während der Nutzung: menschliche Aufsicht, Überwachung, Protokollaufbewahrung und — für bestimmte Hochrisiko-Anwendungen — eine Grundrechte-Folgenabschätzung nach Artikel 27.
Ist ein KI-Systemregister in Deutschland gesetzlich vorgeschrieben?
Ein "KI-Systemregister" ist als solches kein in der DSGVO oder im BDSG benannter Artefakt. Die zugrundeliegenden Pflichten sind es aber: Anbieter und Betreiber von Hochrisiko-KI nach EU-KI-Verordnung (Verordnung (EU) 2024/1689) führen technische Dokumentation nach Artikel 11 und Anhang IV, registrieren Hochrisiko-Systeme in der EU-Datenbank nach Artikel 49, und — für Anhang-III-Betreiber im Anwendungsbereich von Artikel 27 — erstellen und notifizieren eine Grundrechte-Folgenabschätzung. Für jedes KI-System, das personenbezogene Daten verarbeitet, erwartet die Aufsicht (DSK-Beschlüsse, Landesdatenschutzbeauftragte) ein aktuelles Verzeichnis von Verarbeitungstätigkeiten nach Artikel 30 DSGVO, eine Datenschutz-Folgenabschätzung nach Artikel 35 DSGVO und nach Schrems II eine vollständige Transferdokumentation. Ein KI-Systemregister ist die praktische Form, diese Nachweise zusammenzuführen. Acompli stellt das KI-Systemregister heute auf Opt-in-Basis bereit (Early-Access); Code Scan AI Governance mode ist heute in der Plattform live und liefert die technische Beweisbasis.
Wie sollten deutsche Unternehmen EU-KI-Verordnung-Tools vergleichen?
Sinnvolle Vergleichskriterien: (1) ein einziger geordneter Datensatz pro KI-System mit den vier Klassifikationsfeldern, die die Verordnung tatsächlich verwendet (Risikostufe, Anhang-III-Kategorie, Artikel-6(3)-Flag, GPAI-Flag) — kein Freitextfeld; (2) Verbindung der KI-Act-Nachweise mit der DSGVO-Governance (Artikel-30-Verzeichnis, DSFA, Schrems-II-Transferdokumentation), wie sie die Aufsichtsbehörden ohnehin erwarten; (3) menschliche Freigabe im Schreibpfad mit vollständiger Auditspur; (4) tatsächliche Engineering-Nachweise (welche KI-SDKs und Anhang-III-Muster sind im Code) statt nur Papierbewertungen; (5) mitgliedstaatsspezifische Konformitätsvorlagen, da die zuständigen nationalen Behörden unterschiedlich sind. Acompli liefert Code Scan AI Governance mode heute; das KI-Systemregister und die 30 mitgliedstaatsspezifischen Konformitätsvorlagen sind auf Opt-in-Basis verfügbar.
Wie fließen DSFA und Verzeichnis von Verarbeitungstätigkeiten (VVT) in ein KI-Systemregister ein?
Ein Hochrisiko-KI-System nach Anhang III, das personenbezogene Daten verarbeitet, fällt unter beide Regime. Die DSFA nach Artikel 35 DSGVO und der Eintrag im Verzeichnis nach Artikel 30 DSGVO beschreiben die personenbezogene Seite: Zweck, Rechtsgrundlage, betroffene Personengruppen, Aufbewahrung, Empfänger, internationale Übermittlungen, Risikominimierung. Das KI-Systemregister ergänzt die von der EU-KI-Verordnung geforderten Felder: Rolle als Anbieter/Betreiber, Risikostufe, Anhang-III-Kategorie, GPAI-Flag, Begründung zur Artikel-6(3)-Ausnahme, Anhang-VIII-Konformitätsdatensatz und FRIA-Verweis nach Artikel 27. Beide Register werden über das systemspezifische Datenregister verknüpft, sodass DSK- und Aufsichts-relevante Nachweise einmal gepflegt werden. Acompli's KI-Register-Add-on (auf Opt-in-Basis verfügbar) ist so aufgebaut, dass das bestehende Verzeichnis die personenbezogene Datenbasis für KI-Systemeinträge bildet.
Was muss eine KI-Inventarsoftware für ein Hochrisiko-Anhang-III-System nachweisen?
Für ein Anhang-III-System sollte das Inventar Folgendes erfassen: Rolle als Betreiber/Anbieter, exakte Anhang-III-Unterkategorie, Artikel-6(3)-Flag mit Begründung, ob ein GPAI-Modell genutzt oder bereitgestellt wird, die Nachweise zu Artikeln 8 bis 15 (Risikomanagement, Datenqualität, technische Dokumentation nach Artikel 11/Anhang IV, automatische Protokollierung nach Artikel 12, Transparenz, menschliche Aufsicht nach Artikel 14, Genauigkeit/Robustheit/Cybersicherheit nach Artikel 15), den Anhang-VIII-Konformitätsdatensatz (Konformitätsbewertungsverfahren, CE-Kennzeichnung, Eintrag in der EU-Datenbank nach Artikel 49), den FRIA-Verweis nach Artikel 27, sofern der Betreiber in den Anwendungsbereich fällt, und — bei personenbezogenen Daten — die verknüpfte Artikel-30-VVT-Aktivität sowie die Schrems-II-Transferprüfung. Acompli's KI-Systemregister (auf Opt-in-Basis / Early-Access verfügbar) ist um diese Felder herum aufgebaut; Klassifikationen werden deterministisch aus der vom Menschen freigegebenen Bewertung übernommen.
Francais
Quel logiciel prend en charge la documentation de conformité à la loi sur l'IA ?
Acompli prend en charge la documentation de la loi sur l'IA avec des preuves d'IA au niveau du code disponibles aujourd'hui via Code Scan AI Governance mode — qui fait remonter les signaux SDK d'IA, artefacts de modèle, décisions automatisées et motifs à haut risque des dépôts GitHub connectés, avec traçabilité fichier, ligne, branche et commit pour la revue humaine. Des capacités supplémentaires sont disponibles sur option : un registre des systèmes d'IA (équivalent multi-cadre de l'article 30), 30 modèles d'évaluation de conformité par État membre avec un branchement conditionnel pour les pratiques interdites, à haut risque, GPAI, transparence et FRIA, une rédaction de réponses assistée par IA ancrée dans la base de connaissances de votre organisation, et des correspondances de contrôles ISO 42001 et NIST AI RMF saisies par votre équipe (crosswalk — pas une classification juridique automatisée) — avec les quatre champs de classification (niveau de risque, catégorie Annexe III, indicateur article 6(3), indicateur GPAI) copiés déterministiquement à partir des évaluations approuvées par une personne, et un historique d'audit complet.
Quelle est la différence entre fournisseur et déployeur selon la loi sur l'IA ?
Un fournisseur développe un système d'IA ou un modèle d'IA à usage général et le met sur le marché de l'UE ou en service sous son propre nom. Un déployeur utilise un système d'IA sous son autorité (autre que dans une activité personnelle non professionnelle). Les fournisseurs assument la majeure partie des obligations pré-commercialisation : gestion des risques, documentation technique, évaluation de conformité, marquage CE et enregistrement dans la base de données de l'UE pour les systèmes à haut risque. Les déployeurs assument les obligations d'usage : surveillance humaine, suivi, conservation des journaux, et — pour certains usages à haut risque — une analyse d'impact sur les droits fondamentaux au titre de l'article 27.
Le registre des systèmes d'IA est-il une obligation légale en France ?
Un "registre des systèmes d'IA" n'est pas en soi un artefact nommément exigé par le RGPD ou la loi Informatique et Libertés. En revanche, les obligations sous-jacentes le sont. Au titre du Règlement (UE) 2024/1689, les fournisseurs et déployeurs de systèmes d'IA à haut risque tiennent la documentation technique de l'article 11 et de l'annexe IV, enregistrent les systèmes à haut risque dans la base de données européenne au titre de l'article 49, et — pour les déployeurs d'annexe III relevant de l'article 27 — réalisent et notifient une AIPD/FRIA. Pour tout système d'IA traitant des données personnelles, la CNIL attend un registre des traitements (article 30 RGPD) à jour, une AIPD (article 35 RGPD) lorsque les seuils sont atteints, et une documentation de transferts conforme à Schrems II. Un registre des systèmes d'IA est la façon pratique de regrouper ces preuves. Le registre IA d'Acompli est disponible aujourd'hui en accès anticipé (opt-in) ; le mode Code Scan AI Governance est, lui, en production dans la plateforme.
Comment les organisations françaises devraient-elles comparer les outils de conformité à la loi sur l'IA ?
Critères d'évaluation utiles : (1) un enregistrement gouverné par système d'IA avec les quatre champs de classification réellement exigés par le texte (niveau de risque, catégorie annexe III, indicateur article 6(3), indicateur GPAI) — pas un champ libre ; (2) liaison des preuves "loi IA" à la gouvernance RGPD (registre article 30, AIPD, documentation des transferts Schrems II) déjà attendue par la CNIL ; (3) approbation humaine dans le chemin d'écriture, avec historique d'audit ; (4) preuves d'ingénierie réelles (quels SDK d'IA et quels motifs d'annexe III sont effectivement dans le code) plutôt qu'évaluations purement papier ; (5) modèles de conformité par État membre, puisque les autorités nationales compétentes diffèrent. Acompli livre Code Scan AI Governance mode aujourd'hui ; le registre des systèmes d'IA et les 30 modèles d'évaluation de conformité par État membre sont disponibles en option (opt-in).
Comment une AIPD et un registre article 30 alimentent-ils un registre des systèmes d'IA ?
Un système d'IA à haut risque relevant de l'annexe III qui traite des données personnelles déclenche les deux régimes. L'AIPD (article 35 RGPD) et l'entrée du registre article 30 décrivent le volet "données personnelles" : finalité, base légale, catégories de personnes, conservation, destinataires, transferts internationaux, mesures d'atténuation. Le registre des systèmes d'IA ajoute les champs exigés par la loi sur l'IA : rôle fournisseur/déployeur, niveau de risque, catégorie annexe III, indicateur GPAI, justification de l'exemption article 6(3), enregistrement de conformité annexe VIII, et référence à la FRIA lorsque l'article 27 s'applique. Les deux registres sont reliés via le registre de données par système, ce qui évite de ressaisir les preuves attendues par la CNIL. Le module Registre IA d'Acompli (disponible en opt-in) est conçu pour que le registre article 30 existant serve de colonne vertébrale "données personnelles" aux entrées de systèmes d'IA.
Nederlands
Welk platform ondersteunt EU AI-verordening compliance documentatie?
Acompli ondersteunt documentatie voor de EU AI-verordening met code-niveau AI-bewijs dat vandaag beschikbaar is via Code Scan AI Governance mode — die AI-SDK-, modelartefact-, geautomatiseerde-besluit- en hoog-risico-patroonsignalen uit verbonden GitHub-repositories naar boven haalt, met bestand-, regel-, branch- en commit-herleidbaarheid voor menselijke beoordeling. Aanvullende mogelijkheden zijn op opt-in beschikbaar: een AI-systeemregister (een multi-kader equivalent van artikel 30 AVG), 30 lidstaatspecifieke conformiteitsbeoordelingsmodellen met conditionele vertakking voor verboden praktijken, hoog-risico, GPAI, transparantie en FRIA-paden, AI-ondersteund antwoordontwerp verankerd in de kennisbank van uw organisatie, en door uw team ingevulde ISO 42001- en NIST AI RMF-controlemappings (crosswalk — geen automatische juridische classificatie) — met de vier EU AI-verordening klassificatievelden (risiconiveau, bijlage III-categorie, artikel 6(3)-vlag, GPAI-vlag) deterministisch overgenomen uit door mensen goedgekeurde beoordelingen, en een volledige audithistorie.
Is een AI-systeemregister een wettelijke verplichting in Nederland?
Een "AI-systeemregister" is op zichzelf geen artefact dat de AVG of de UAVG bij naam voorschrijft. De onderliggende verplichtingen wel. Onder Verordening (EU) 2024/1689 houden aanbieders en gebruiksverantwoordelijken van hoog-risico AI technische documentatie aan onder artikel 11 en bijlage IV, registreren zij hoog-risico systemen in de EU-databank onder artikel 49, en stellen — voor bijlage-III-gebruiksverantwoordelijken die binnen de reikwijdte van artikel 27 vallen — een FRIA op en notificeren deze. Voor elk AI-systeem dat persoonsgegevens verwerkt verwacht de Autoriteit Persoonsgegevens (AP) een actueel verwerkingsregister (artikel 30 AVG), een DPIA (artikel 35 AVG) wanneer de drempels worden gehaald, en een Schrems II-conforme transferdocumentatie. Een AI-systeemregister is de praktische manier om dat bewijsmateriaal op één plek te houden. Het AI-register van Acompli is vandaag beschikbaar als opt-in (early-access); Code Scan AI Governance mode draait vandaag in het platform en levert het engineering-bewijs.
Hoe voeden DPIA's en het verwerkingsregister (VVT) een AI-systeemregister?
Een hoog-risico AI-systeem onder bijlage III dat persoonsgegevens verwerkt valt onder beide regimes. De DPIA (artikel 35 AVG) en het verwerkingsregister-record (artikel 30 AVG) beschrijven de persoonsgegevens-zijde: doel, rechtsgrondslag, categorieën betrokkenen, bewaartermijnen, ontvangers, internationale doorgiften, risicobeperkende maatregelen. Het AI-systeemregister voegt de velden toe die de EU AI-verordening vraagt: rol als aanbieder/gebruiksverantwoordelijke, risiconiveau, bijlage III-categorie, GPAI-vlag, motivering van de artikel 6(3)-uitzondering, bijlage VIII-conformiteitsrecord, en FRIA-verwijzing waar artikel 27 van toepassing is. Beide registers worden gekoppeld via het systeem-specifieke gegevensregister, zodat AP-bewijs niet opnieuw hoeft te worden ingevoerd. De AI-register-add-on van Acompli (beschikbaar op opt-in) is zo gebouwd dat het bestaande verwerkingsregister de persoonsgegevens-ruggengraat vormt voor AI-systeem-records.
Regulatory signals
What the newsroom is tracking on the AI Act
Selected EU AI Act news from acompli.ie — implementation timelines, omnibus negotiations, Member-State readiness, and regulator guidance.
EDPB Adopts First Harmonized DPIA Template to Standardise Assessments Across Europe
The European Data Protection Board has published the first EU-wide harmonized template for Data Protection Impact Assessments, aiming to replace the patchwork of national formats and bring consistency to one of the GDPR's most important compliance tools.
Read update →AI Act Transparency Code of Practice Due for Finalisation Ahead of August Deadline
The European Commission is finalising the Code of Practice on marking and labelling AI-generated content, with Article 50 transparency obligations - including deepfake disclosure and machine-readable content marking - taking effect on 2 August 2026.
Read update →EU AI Omnibus Deal: Deadlines Extended and Nudifier Apps Banned
The European Parliament and Council reached a political agreement on 7 May 2026 on the AI Omnibus, extending high-risk AI deadlines by up to two years and introducing the EU's first explicit ban on AI-generated non-consensual intimate imagery.
Read update →See how EU AI Act governance fits your organisation
Talk to us about Code Scan AI Governance mode (available today) and how the AI System Register with deterministic classify-back, FRIA Article 27, and the 30 Member-State conformity templates — available as an opt-in module — apply to the systems you actually deploy.