EU AI Act
Stay ahead of the EU AI Act
The EU AI Act’s transparency obligations take effect on 2 August 2026. High-risk system obligations follow in December 2027. Here’s what applies when, and how Orq helps you meet it.
Trusted by European teams in production

Why this matters now
One deadline is weeks away
None of the obligations are paperwork. Each one needs to be built into the system before it applies.
Article 50 transparency obligations — chatbot disclosure and synthetic content labeling — apply from August 2nd, 2026. For high-risk AI systems, logging, monitoring, and human oversight take effect in December 2027. But audit trails and monitoring can’t be built retroactively. The work needs to start now, regardless of which deadline applies to you.
Article 4
AI literacy — providers and deployers must ensure staff have sufficient AI knowledge.
In force
Documentation, audit trails, and governance reporting that evidence literacy measures.
Article 5
Prohibited practices — unacceptable-risk AI systems banned outright.
In force
Policy enforcement and guardrails that support enforcement of internal bans on prohibited use patterns at the gateway level.
Article 50
Transparency obligations — chatbots disclose they are AI; synthetic content must be labelled.
Aug 2, 2026
Metadata tagging and content detection at the gateway level. Disclosure UX in your product remains your obligation; Orq provides the traces to evidence it.
Article 9
A living risk management system with ongoing post-deployment monitoring.
Dec 2027
Continuous observability across every request, with gateway-level policies for PII detection, redaction, bias, and other AI Act detection.
Article 12
Automatic, tamper-evident logging of every input, output, timestamp, tool call, API invoked, and decision taken — including the full agent action chain.
Dec 2027
Full request tracing on by default, covering every agent step: tool calls, API invocations, and decisions. Audit logs on all system and agent changes.
Article 13
Decisions a human can trace and interpret.
Dec 2027
End-to-end traces grouped into threads, with spans your team can inspect.
Article 14
Humans who can understand, intervene, override, and halt the system.
Dec 2027
Policies and guardrails at the AI gateway level, plus human-in-the-loop approval screens for tool use.
Article 15
Accuracy, robustness, and resistance to adversarial attacks.
Dec 2027
PII guardrails, fallback chains, routing rules, and automated red teaming for agents.
Article 26(6)
Deployers must retain system logs for at least 6 months in audit-ready form.
Dec 2027
Full audit logs, tamper-evident and exportable, retained and searchable across all agent and gateway activity.
Article 73
Report serious incidents within 2 to 15 days by severity; 2 days for critical-infrastructure incidents.
Dec 2027
Real-time alerts and full historical traces from the moment an issue occurs.
Article 50 is now the nearest deadline. High-risk obligations follow later, but audit trails and monitoring only work if they are already live before the deadline arrives.
Europe’s sovereignty framework for cloud and AI
CADA is part of the European Commission’s AI Continent Action Plan. It addresses data centre capacity, permitting, and over-reliance on non-EU cloud providers — then translates that into assurance levels public bodies can use to assess sovereignty risk.
Where orq.ai stands
Built toward SEAL-4 assurance
EU ownership, EU infrastructure, and software supply chain transparency with no third-country interference.
Level 1
Data processed and stored on infrastructure located in the EU.
Level 2
Provider demonstrates independence from third countries and transparency over its software supply chain.
Level 3
Provider is owned and controlled from the EU, meeting additional criteria such as personnel citizenship.
Level 4
Full transparency and control, with no third-country interference.
More regulation is on the way
EU AI regulation is moving quickly. We track new requirements as they land, so teams can adapt before deadlines turn into fire drills.
Auditability across the full lifecycle
Every prompt, response, tool call, API invoked, and agent decision logged and traceable — from development through production. The complete record an auditor needs, built in from day one.

We chose Orq.ai to replace our internal setup with a production-ready AI Gateway that meets our governance, scalability, and cost-monitoring requirements.

Benjamin Kleppe,
GenAI Lead at bunq

Connecting to Orq.ai’s platform means we no longer need to revise our own code. The platform provides full control over the functionality of the models, saving considerable time and manual adjustments.

Thomas Goijarts,
Founder, Caro health
How long do I need to keep system logs?
Article 26(6) requires deployers to retain system logs for at least six months in audit-ready form. Orq’s audit logs are tamper-evident, exportable, and searchable across agent and gateway activity.
How fast do I need to report a serious incident?
Article 73 requires reporting within 2 to 15 days, depending on severity. That depends on monitoring and alerting already being in place.
Does the EU AI Act apply to companies outside the EU?
The Act applies to providers and deployers of AI systems placed on the EU market or whose outputs are used in the EU, regardless of where the provider is based.
How does Orq help with AI Act compliance?
Full request observability, automatic logging covering the full agent action chain, real-time monitoring, and router-level guardrails are built into the platform by default, ready before you need them.

