EU AI Act · Regulation (EU) 2024/1689

EU AI Act compliance software connected to your GDPR records

Identify the AI in your estate, classify its risk, and build the register and conformity evidence — connected to your RoPA, DPIAs and supplier records, not stranded in a separate tool.

For privacy, legal, compliance and engineering teams: provider and deployer workflows, policy and conformity evidence, review tasks and audit-ready registers.

On this page
01

The control point

Classifications become records only after human approval

Nothing becomes a classification until a human approves it. Acompli can draft classifications, surface evidence and suggest obligations. Your team reviews, edits and approves the final AI system record.

Key takeaways

  • The EU AI Act is Regulation (EU) 2024/1689 (EUR-Lex), a risk-based law for AI systems in the EU. Obligations differ by role (provider vs deployer), system type, and risk tier.
  • Article 50 transparency obligations apply from 2 August 2026; prohibited-practice rules already apply. Under current law, Annex III high-risk obligations follow from 2 August 2026; the provisionally agreed Digital Omnibus (not yet in force) would move them to 2 December 2027 (Annex III) and 2 August 2028 (Annex I). See the EU AI Act Ireland guide for the full timeline and Irish enforcement model.
  • An “AI System Register” is not a named statutory artefact, but the underlying duties are: Article 11 / Annex IV technical documentation, Article 49 EU-database registration for providers of Annex III high-risk systems (merely using a high-risk tool does not trigger registration), and an Article 27 FRIA for in-scope Annex III deployers. For AI that processes personal data, the DPC (Ireland) and ICO (UK) still expect a current Article 30 RoPA and an Article 35 DPIA.
  • Code Scan AI Governance mode is live today; the AI System Register and 30 Member-State conformity templates are available on opt-in (early access). Classification stays human-approved — no language model in the write path.
02

AI Act triage

AI governance starts with role, risk and evidence

This replaces a generic workflow with the real buyer question: what is the system, what role do we play, what risk tier applies, does GDPR overlap, and what documentation follows? Acompli frames its EU AI Act work around exactly this triage — role, then risk tier, then GDPR overlap, then documentation — with a human approving each determination.

AI system review gateEvery system enters one governed triage
  • System typeWhat the system is and does
  • Operator roleProvider, deployer, importer, distributor
  • Risk tierProhibited, high, limited or minimal
  • GDPR overlapPersonal data links to privacy records
  • DocumentationWhat conformity evidence follows
03

AI evidence architecture

AI Act work has to reuse GDPR and technical evidence

This shows why Acompli's AI module cannot be isolated: Code Scan, supplier records, RoPA, data maps, DPIAs and risk answers all feed the AI governance record and follow-up artifacts.

Evidence reused

  • Code Scan findings
  • Supplier declarations
  • RoPA context
  • Data map
  • DPIA & FRIA answers
  • Risk records
AI governance recordClassification, GDPR overlap and conformity in one place

Follow-up artefacts

  • FRIA where required
  • Conformity checklist
  • Article 50 transparency
  • Post-market monitoring

The AI module reuses GDPR and technical evidence — it is not a separate silo.

04

What you walk away with

Three concrete artifacts from a first engagement

A walkthrough is a working session, not a slide deck. Your team leaves with three portable outputs: Code Scan results, a draft assessment, and an inventory view. Acompli drafts each of these from your own repositories and evidence; your reviewers approve anything that becomes a record.

Book a walkthrough →

1 · AI SDK inventory of your repositories

AI SDKs, ML frameworks, model artefacts, and Annex III patterns found in nominated repositories, with file, line, branch and commit provenance. Exported as SARIF 2.1.0, JSON, or CSV.

2 · Article 50 transparency-scope flagging

Chatbots, AI-generated content libraries, and biometric or emotion-classification SDKs flagged for DPO review against Article 50 transparency scenarios.

3 · Walked-through draft EU AI Act assessment

One detected AI system taken through the conformity questionnaire, Article 27 FRIA section where in scope, AI-drafted answers, human approval, and a sample four-field classify-back.

05

Code Scan, made concrete

What every finding looks like

Code Scan never returns “AI was detected, somewhere”. Every signal carries the exact file, line, branch and commit where it was found — so a reviewer can pull the actual code, verify the detection, and decide what to do. The provisional EU AI Act risk-tier and article citations are signals for human review, not legal determinations.

Findings export as SARIF 2.1.0, JSON, CSV, and a 10-section EU AI Act governance narrative drafted for human review. Acompli Code Scan runs zero-copy against nominated GitHub repositories, so this provenance arrives without duplicating your codebase.

src/api/transcribe.ts:14:5
branch: main · commit: 7a4f2e1
DetectedOpenAI SDK · audio.transcriptions.createGPAIYes — OpenAI is a GPAI provider (Art. 51)Risk hintLimited risk — Art. 50 transparency may applyCitationsArt. 50 · Art. 51ForYour DPO / AI lead to review
06

EU AI Act answer

Where Acompli fits in EU AI Act work

Acompli helps organisations document EU AI Act obligations with AI-assisted drafting, human approval, and an audit-ready evidence trail. Read the full Ireland guide.

What is the difference between an AI System Register and a GDPR Article 30 RoPA?

A GDPR Article 30 RoPA documents personal-data processing; an AI System Register is the multi-framework analogue for AI systems. The two join on the per-system data register, so an AI system that processes personal data links to the relevant RoPA activity.

DimensionArticle 30 RoPAAI System Register
Legal basisGDPR Article 30 (EU & UK GDPR)EU AI Act (Reg. (EU) 2024/1689); no single named-register article
Unit of recordProcessing activityAI system
Key fieldsPurpose, legal basis, data categories, recipients, retention, transfersProvider/deployer role, risk tier, Annex III category, GPAI flag, Article 6(3) flag, conformity status
Regulator expectationDPC (Ireland) and ICO (UK) in any audit or inquiryArticle 11/Annex IV docs, Article 49 EU-database registration for providers of Annex III high-risk systems, Article 27 FRIA where in scope
Acompli statusLive core moduleAvailable on opt-in (early access); classification human-approved

What is the difference between a provider and a deployer under the EU AI Act?

A provider develops an AI system or general-purpose AI model and places it on the EU market under its own name; a deployer uses an AI system under its authority. Providers carry most pre-market duties; deployers carry use-time duties, including an Article 27 FRIA for certain high-risk uses.

Obligation areaProviderDeployer
RoleDevelops and places on the EU market under its own nameUses the system under its own authority
Pre-market dutiesRisk management, Article 11/Annex IV documentation, conformity assessment, CE marking, Article 49 registrationGenerally none (relies on the provider's conformity)
Use-time dutiesPost-market monitoring and corrective actionHuman oversight (Article 14), monitoring, log retention (Article 12)
FRIA (Article 27)Not the FRIA duty-holderRequired for certain high-risk Annex III uses
07

Choosing a tool

The four kinds of EU AI Act compliance software

Teams evaluating EU AI Act compliance software meet four different kinds of tool, built for different jobs. Most privacy, legal and compliance teams need the one that documents and governs the AI systems against the law — not the ones that monitor models in production.

Tool typeWhat it doesTypical toolsWho needs it
Enterprise AI governanceMap AI systems against the Act, run risk assessments, and build the register and technical documentation.OneTrust, Credo AI, AcompliPrivacy, legal and compliance teams meeting Annex III, FRIA and Article 50 duties.
GRC automationDraft AI policies, track compliance tasks, and fold AI into SOC 2 / ISO programmes.Vanta, DrataSecurity teams already running a wider GRC programme.
LLM observabilityContinuously test model outputs, log incidents, and watch for bias or drift.LangSmith, FiddlerEngineering teams operating live models.
Runtime control planesEnforce policy on AI calls in production.Specialist runtime toolsPlatform teams gating deployments at runtime.

Acompli sits in the first row — the document-and-govern tool — but differs from the global platforms in one way that matters to privacy teams: it keeps the AI System Register connected to your GDPR records— the Article 30 RoPA, DPIAs and supplier records — rather than in a separate silo, surfaces the AI actually present in your code with Code Scan, and keeps every classification human-approved. Code Scan AI Governance mode is live today; the register and conformity templates are available on opt-in (early access).

08

AI System Register

What should an AI System Register track?

An AI System Register is the working inventory behind EU AI Act readiness. It should record the system, the role, the risk-tier reasoning, the evidence and the human review history in one place. For most private deployers this is an internal governance record, not an EU-database filing; Article 49 registration is narrower and mainly applies to providers of Annex III high-risk systems and public-authority deployers. Acompli's AI System Register — available on opt-in (early access) — is structured around exactly these fields; the right-hand column shows how each one is recorded.

Register fieldWhy it mattersLegal / audit anchorAcompli record
System identityName, supplier, version, business owner, lifecycle stage and whether the system is built, bought or embedded in SaaS.Annex IV technical documentationOne early-access register entry per AI system, joined to the relevant supplier, system and owner records.
Operator roleProvider, deployer, importer, distributor or product manufacturer status, because obligations change by role.Article 26 deployer dutiesRole assessment is drafted for review and written only from the human-approved assessment.
Purpose and use contextBusiness process, user group, affected persons, geography and how the output is used in decisions.Annex VIII registration informationAssessment answers and knowledge-base evidence remain traceable to the reviewer and source record.
Risk classificationRisk tier, Annex III category, Article 6(3) reasoning and GPAI flag, with the reason preserved.Article 6 / Annex IIIFour classification fields copy deterministically from the human-approved assessment; no language model writes them directly.
Technical documentationDesign, intended purpose, data, performance, limitations and conformity evidence for high-risk systems.Article 11 / Annex IVConformity templates are available on opt-in (early access), with source evidence and review history attached.
EU-database registration statusWhether Article 49 applies, the EU-database URL or reference, and the reason no registration is required if it does not apply.Article 49 / Article 71Acompli records registration status and URL; it does not submit entries to the EU database.
FRIA and affected groupsWhether Article 27 applies, affected groups, specific fundamental-rights risks, oversight and mitigation measures.Article 27 FRIAFRIA sections are available on opt-in (early access) and can reuse DPIA evidence where the facts overlap.
Transparency scenarioWhether the system interacts with people, generates or manipulates content, or performs emotion recognition or biometric categorisation.Article 50 transparencyCode Scan AI Governance mode can flag chatbots, generative-content libraries and biometric or emotion-classification SDKs for review.
GDPR evidence linkArticle 30 RoPA activity, DPIA status, lawful basis, personal-data categories, transfers and supplier records.Article 30 RoPA / Article 35 DPIAThe register is designed to sit on the existing GDPR evidence spine instead of duplicating it in a separate AI silo.
Monitoring, logs and reviewHuman oversight, log retention, incidents, substantial changes, next review date and approval history.Article 12 logs / Article 9 risk managementEach reviewed decision keeps owner, status, approval history and evidence; operational monitoring remains the organisation's responsibility.
09

What ships

What is live, opt-in, or out of scope

Acompli sells AI governance and evidence management, not automated EU AI Act compliance. Nothing in the platform makes a binding legal determination, blocks deployments, files Article 27(3) notifications, or completes EU filing steps for you. Every draft is reviewed and approved by a person; the register's classification fields are copied from the human-approved answer, with no language model in the write path.

Last reviewed: 24 June 2026. EU AI Act Ireland guide · Code Scan AI Governance mode.

What to look for in EU AI Act compliance software

  1. One governed record per AI system carrying the four classification fields the Act uses — risk tier, Annex III category, Article 6(3) exemption flag and GPAI flag — not a free-text note.
  2. AI Act evidence joined to the GDPR governance the DPC (Ireland) and ICO (UK) already expect: the Article 30 RoPA, the Article 35 DPIA, and Schrems II transfer documentation.
  3. Human approval in the write path, with a full audit history.
  4. Real engineering evidence of which AI SDKs and Annex III patterns are actually in your code, not only paper assessments.
  5. Member-State conformity overlays, since national competent authorities differ.

Available today (live, visible)

  • Code Scan AI Governance mode— zero-copy GitHub scans for AI SDK, model artefact, automated-decision, biometric, and Annex III pattern signals, each with provenance and article-cited hints for review.
  • AI Governance SDK Knowledge Library— staff-curated AI SDK and vendor references with GPAI status, Annex III area, FRIA hint, and article citations.
  • Code Scan exports — engineering and governance formats, including a 10-section AI Act governance narrative drafted for human review.
  • External GRC Integration API — scoped, read-only REST/OpenAPI feed for organisations with the AI Register add-on enabled.

Available on opt-in (early access)

  • AI System Register — one governed record per AI system, joined to the relevant RoPA activity, an Article 35 DPIA softwarerecord where thresholds are met, ISO 42001 / NIST AI RMF crosswalks, and audit history.
  • EU AI Act conformity assessments— one generic template plus 30 Member-State variants, with conditional paths for prohibited, high-risk, GPAI, transparency, FRIA, provider, and deployer scenarios.
  • FRIA Article 27 section — guided through the seven statutory inputs, with deployer self-attestation for trigger scope and Member-State reference.
  • AI-assisted answer drafting — drafts grounded in your Knowledge Base. Every answer is flagged needs_review; approved classification fields write deterministically to the register.
  • EU AI Act Risk Analysis— drafts article-cited risks from an assessment's evidence for a human reviewer to confirm or amend.
  • Executive reporting — board rows for total / high-risk / GPAI systems, conformity coverage, and missing-evidence metrics.

Not included today

  • Code-scan-to-AI-Register direct discovery (Code Scan currently feeds a draft assessment, not a register entry).
  • A dedicated “AI Act evidence pack” report from Code Scan.
  • AI Register webhook / push sync and ServiceNow / Jira destination-profile mapping.
  • EU-database submission (Acompli records registration status and URL only).
  • Conformity review-cadence reminders and substantial-modification reclassification workflows.

EU AI Act FAQ

EU AI Act questions answered

Practical questions about tool evaluation, inventory records, DPIAs, RoPA links, Article 27, Article 50, and market-specific governance.

Does the EU AI Act apply to my company?

The EU AI Act (Regulation (EU) 2024/1689) applies extraterritorially: it covers providers placing AI systems on the EU market irrespective of where they are established, deployers established or located in the EU, and providers or deployers located in a third country — including the UK — where the output produced by the AI system is used in the Union. Your obligations depend on your role: a provider develops an AI system or general-purpose AI model and places it on the market under its own name, carrying the pre-market duties; a deployer uses an AI system under its own authority and carries use-time duties such as human oversight and, for certain high-risk Annex III uses, an Article 27 FRIA. Risk tier decides how heavy those duties are — minimal-risk systems have no specific obligations, limited-risk systems carry only Article 50 transparency duties, and only systems listed in Annex III or caught by Article 6 are high-risk. Irish and UK firms selling into or operating in the EU are in scope even without an EU establishment where their system's output is used in the Union. Acompli structures each system against role and risk tier using the four classification fields the Act uses; classification stays human-approved.

What is EU AI Act compliance software?

EU AI Act compliance software keeps one governed record of AI systems, operator roles, risk tiers, evidence, transparency duties, review decisions and audit history. In Acompli, Code Scan AI Governance mode is live today; the AI System Register and conformity templates are available on opt-in (early access), and classification remains human-approved.

What types of EU AI Act compliance software are there?

EU AI Act compliance software falls into four kinds, built for different jobs: enterprise AI governance tools that map AI systems against the Act, run risk assessments and build the register and technical documentation (OneTrust, Credo AI, Acompli); GRC automation that drafts AI policies and folds AI into SOC 2 and ISO programmes (Vanta, Drata); LLM observability that tests model outputs and watches for bias (LangSmith, Fiddler); and runtime control planes that enforce policy on AI in production. Most privacy, legal and compliance teams need the first kind — the document-and-govern tool. Acompli sits there, keeping the AI System Register connected to the Article 30 RoPA, DPIA and supplier records rather than in a separate silo, with Code Scan surfacing the AI actually present in code and every classification human-approved.

What is the best EU AI Act governance software?

The best fit depends on whether you need technical model testing (bias, robustness and LLM evaluation) or governed compliance records that hold up to an audit: dedicated AI-assurance tools specialise in the former, while Acompli governs each AI system as a connected, human-approved EU AI Act record tied to its DPIA and the Article 30 RoPA. For a balanced, unbiased view of the market - an evidence-based comparison drawn from public sources that is honest about where competitors are stronger than Acompli - we have compiled capability charts and vendor-by-vendor breakdowns for you to consider in our EU AI Act software comparison guide and our full comparison library.

How should you choose EU AI Act compliance software?

Choose EU AI Act compliance software by the evidence it keeps for each AI system and the approval controls around that evidence: (1) one governed record per AI system with the four classification fields the Act uses: risk tier, Annex III category, Article 6(3) exemption flag and GPAI flag; (2) AI Act evidence joined to GDPR governance the DPC and ICO already expect, including Article 30 RoPA, DPIA and Schrems II transfer documentation; (3) human approval in the write path with a full audit history; (4) engineering evidence showing which AI SDKs and Annex III patterns are actually in your code; and (5) Member-State conformity overlays, since national competent authorities differ. Acompli ships Code Scan AI Governance mode today; the AI System Register and the 30 Member-State conformity templates are available on opt-in (early access).

What is an AI System Register?

A governed record of each AI system: its provider or deployer role, risk tier, Annex III category, GPAI flag, conformity references and links to the related Article 30 processing records. The EU AI Act does not name a register as a single artefact, but its duties assume one. Acompli's AI System Register is available on opt-in (early access); classification stays human-approved with no language model in the write path.

More detailed questions
What is AI risk classification software?

AI risk classification software structures the EU AI Act questions that decide whether a system is prohibited, high-risk, limited-risk or minimal-risk: role, Annex III category, GPAI status, Article 6(3) reasoning and transparency scope. Acompli can draft and surface evidence, but a human approves the final classification.

How does Acompli support provider and deployer obligations?

The register records which role you hold for each system, because the duties differ: providers carry conformity assessment, technical documentation and Article 49 EU-database registration for Annex III high-risk systems; deployers carry human oversight, monitoring and - for certain high-risk uses - an Article 27 FRIA. Acompli's assessments cover both tracks, with the FRIA sections available on opt-in (early access).

Does Acompli automatically classify AI systems?

No. Acompli can suggest a classification and surface relevant evidence, but a human approves the final classification.

What evidence should AI Act compliance software keep?

The trail behind every decision: where each AI system was found (file, line, branch and commit for code-detected systems), the drafted answers and their sources, reviewer decisions and approvals, classification fields, conformity references and exportable records. Acompli keeps that evidence on the system record, alongside the Article 30 and DPIA records the DPC and ICO still expect for AI that processes personal data.

What software supports EU AI Act inventory and conformity documentation?

Acompli supports EU AI Act documentation with code-level AI evidence available today through Code Scan AI Governance mode — which surfaces AI SDK, model artefact, automated-decision, and high-risk pattern signals from connected GitHub repositories with file, line, branch, and commit provenance for human review. Additional capabilities available on opt-in (early access) include an AI System Register (a multi-framework analogue of Article 30), 30 Member-State conformity assessment templates with conditional gating for prohibited, high-risk, GPAI, transparency, and FRIA paths, AI-assisted answer drafting grounded in your organisation's own knowledge base, and user-entered crosswalks to ISO 42001 and NIST AI RMF controls — with the four EU AI Act classification fields (risk tier, Annex III category, Article 6(3) flag, GPAI flag) copied deterministically from human-approved assessments, and a full audit history.

What is the difference between an AI System Register and a GDPR Article 30 RoPA?

A GDPR Article 30 Record of Processing Activities documents personal-data processing across an organisation. An AI System Register is the multi-framework analogue for AI systems: each entry carries the EU AI Act role and risk tier, Annex III category, GPAI flag, Article 6(3) exemption flag and reasoning, conformity status, Annex VIII record (CE marking, EU-database registration status, Annex IV technical-documentation reference), and crosswalks to ISO 42001 and NIST AI RMF controls. The two registers join on the per-system data register, so an AI system that processes personal data links to the relevant RoPA activity.

Can code scanning support EU AI Act compliance?

Code scanning can produce reviewable engineering evidence of which AI SDKs, model artefacts, automated-decision patterns, biometric or emotion-classification libraries, and Annex III–relevant components are actually present in a codebase, each finding carrying file, line, branch, and commit provenance and a provisional EU AI Act risk-tier hint with article citations. These are signals for human review by a DPO or AI governance lead — they support, but do not replace, the deployer's legal determination of risk tier, conformity, or FRIA scope.

What is the difference between a provider and a deployer under the EU AI Act?

A provider develops an AI system or general-purpose AI model and places it on the EU market or puts it into service under its own name. A deployer uses an AI system under its authority (other than in a personal non-professional activity). Providers carry the bulk of pre-market obligations: risk management, technical documentation, conformity assessment, CE marking, and EU-database registration for Annex III high-risk systems. Deployers carry use-time obligations: human oversight, monitoring, log retention, and — for certain high-risk uses — a Fundamental Rights Impact Assessment under Article 27.

See how EU AI Act governance fits your organisation

Start with the systems you actually deploy and the GDPR evidence you already maintain. Talk to us about Code Scan AI Governance mode (available today) and the AI System Register and conformity templates available on opt-in (early access).

Pricing is based on your compliance estate — data controllers, legal entities, jurisdictions and integrations — never per seat; the AI System Register and conformity-assessment library are opt-in early access. See Acompli pricing.