EU AI Act - Docs

Observatory ships with 18 EU AI Act requirements pre-mapped to operational controls. The scope of each requirement depends on the risk tier of the app (minimal / limited / high), set in the AI Registry.

Requirement scope by risk tier

Risk tier	Number of EU AI Act requirements in scope
Minimal	Transparency obligations only
Limited	Transparency + user information
High	All 18 requirements
Unacceptable	Banned — flagged for removal

If an app’s tier is set incorrectly, the wrong requirements light up. Confirm the tier before reading status.

The 18 mapped requirements

These are grouped roughly along the Act’s structure. Observatory tracks them individually; the grouping is for readability.

Risk management and quality (Articles 9, 17)

Requirement	Backing controls
Risk management system	Risk Dashboard + Assessments
Quality management system	Audit Trail + Evidence

Data and data governance (Article 10)

Requirement	Backing controls
Training data governance	Manual evidence (data lineage docs)
Validation and testing data	Datasets + Experiments
Bias detection in training	Manual evidence + drift monitor on protected attributes

Technical documentation (Articles 11, 12, 13)

Requirement	Backing controls
Technical documentation	Manual evidence + registry metadata
Record-keeping (logging)	Telemetry + 7-year retention setting
Transparency to users	Manual evidence + UI screenshots

Human oversight (Article 14)

Requirement	Backing controls
Human-in-the-loop	Manual evidence + tool definitions
Override mechanisms	Manual evidence

Accuracy and robustness (Article 15)

Requirement	Backing controls
Accuracy levels	Evaluations + Experiments
Cybersecurity	Policies (prompt-injection) + Audit Trail
Robustness to errors	Alerts + Drift Monitor

Post-market monitoring (Article 61)

Requirement	Backing controls
Post-market monitoring plan	Manual evidence (the plan document)
Continuous monitoring data	Telemetry + Analytics
Serious-incident reporting	Alerts with `incident` tag + Audit Trail

Notifications (Article 62)

Requirement	Backing controls
Conformity assessment	Assessments template
Registration in EU database	Manual evidence (registration confirmation)

Status semantics

Each requirement evaluates to:

Met — all backing controls have approved, in-date evidence
Partial — some controls met, others have gaps
Gap — at least one control has no current evidence
Out of scope — risk tier doesn’t trigger this requirement

The Article-level roll-up is the worst status of its requirements (any Gap → Gap).

Producing the audit pack

The EU AI Act view supports a one-click export of the audit pack:

Per-requirement evidence list with timestamps
Backing telemetry summaries
Assessment results
Gap analysis with remediation plan

POST /api/compliance/export?framework=eu-ai-act&app_id=...

Returns a ZIP with PDF and JSON outputs.

Gap analysis & heatmap

Cross-framework view that includes EU AI Act.

NIST AI RMF

Many EU AI Act requirements overlap with NIST controls.

Documentation Index

​Requirement scope by risk tier

​The 18 mapped requirements

​Risk management and quality (Articles 9, 17)

​Data and data governance (Article 10)

​Technical documentation (Articles 11, 12, 13)

​Human oversight (Article 14)

​Accuracy and robustness (Article 15)

​Post-market monitoring (Article 61)

​Notifications (Article 62)

​Status semantics

​Producing the audit pack

​Related resources