EU AI Act

Stay ahead of the EU AI Act

The EU AI Acts transparency obligations take effect on 2 August 2026. High-risk system obligations follow in December 2027. Heres what applies when, and how Orq helps you meet it.

Trusted by European teams in production

hear.com
bunq
yoco
hear.com
bunq
yoco
hear.com
bunq
yoco
hear.com
bunq
yoco

Why this matters now

One deadline is weeks away

None of the obligations are paperwork. Each one needs to be built into the system before it applies.

Article 50 transparency obligations chatbot disclosure and synthetic content labeling apply from August 2nd, 2026. For high-risk AI systems, logging, monitoring, and human oversight take effect in December 2027. But audit trails and monitoring cant be built retroactively. The work needs to start now, regardless of which deadline applies to you.

The Articles

What the EU AI Act requires, article by article

The Articles

What the EU AI Act requires, article by article

ARTICLE

WHAT IT REQUIRES

WHEN

HOW ORQ.AI DELIVERS IT

Article 4

AI literacy — providers and deployers must ensure staff have sufficient AI knowledge.

In force

Documentation, audit trails, and governance reporting that evidence literacy measures.

Article 5

Prohibited practices — unacceptable-risk AI systems banned outright.

In force

Policy enforcement and guardrails that support enforcement of internal bans on prohibited use patterns at the gateway level.

Article 50

Transparency obligations — chatbots disclose they are AI; synthetic content must be labelled.

Aug 2, 2026

Metadata tagging and content detection at the gateway level. Disclosure UX in your product remains your obligation; Orq provides the traces to evidence it.

Article 9

A living risk management system with ongoing post-deployment monitoring.

Dec 2027

Continuous observability across every request, with gateway-level policies for PII detection, redaction, bias, and other AI Act detection.

Article 12

Automatic, tamper-evident logging of every input, output, timestamp, tool call, API invoked, and decision taken — including the full agent action chain.

Dec 2027

Full request tracing on by default, covering every agent step: tool calls, API invocations, and decisions. Audit logs on all system and agent changes.

Article 13

Decisions a human can trace and interpret.

Dec 2027

End-to-end traces grouped into threads, with spans your team can inspect.

Article 14

Humans who can understand, intervene, override, and halt the system.

Dec 2027

Policies and guardrails at the AI gateway level, plus human-in-the-loop approval screens for tool use.

Article 15

Accuracy, robustness, and resistance to adversarial attacks.

Dec 2027

PII guardrails, fallback chains, routing rules, and automated red teaming for agents.

Article 26(6)

Deployers must retain system logs for at least 6 months in audit-ready form.

Dec 2027

Full audit logs, tamper-evident and exportable, retained and searchable across all agent and gateway activity.

Article 73

Report serious incidents within 2 to 15 days by severity; 2 days for critical-infrastructure incidents.

Dec 2027

Real-time alerts and full historical traces from the moment an issue occurs.

Article 50 is now the nearest deadline. High-risk obligations follow later, but audit trails and monitoring only work if they are already live before the deadline arrives.

Beyond the AI Act

EU AI regulation goes beyond the AI Act

The Cloud and AI Development Act, GDPR, and other EU regulations all touch how AI systems handle data, infrastructure, and accountability. orq.ai tracks them so you don't have to.

Beyond the AI Act

EU AI regulation goes beyond the AI Act

The Cloud and AI Development Act, GDPR, and other EU regulations all touch how AI systems handle data, infrastructure, and accountability. orq.ai tracks them so you don't have to.

Cloud and AI Development Act

Cloud and AI Development Act

Europe’s sovereignty framework for cloud and AI

CADA is part of the European Commission’s AI Continent Action Plan. It addresses data centre capacity, permitting, and over-reliance on non-EU cloud providers — then translates that into assurance levels public bodies can use to assess sovereignty risk.

Where orq.ai stands

Built toward SEAL-4 assurance

EU ownership, EU infrastructure, and software supply chain transparency with no third-country interference.

Level 1

Data processed and stored on infrastructure located in the EU.

Level 2

Provider demonstrates independence from third countries and transparency over its software supply chain.

Level 3

Provider is owned and controlled from the EU, meeting additional criteria such as personnel citizenship.

Level 4

Full transparency and control, with no third-country interference.

GDPR still applies to AI systems

Personal data requirements remain part of the compliance picture. Orq supports compliance with tailored evaluators and detectors, with DPA and SCCs available on request.

GDPR still applies to AI systems

Personal data requirements remain part of the compliance picture. Orq supports compliance with tailored evaluators and detectors, with DPA and SCCs available on request.

More regulation is on the way

EU AI regulation is moving quickly. We track new requirements as they land, so teams can adapt before deadlines turn into fire drills.

How Orq helps

Compliance, built in

How Orq helps

Compliance, built in

Full observability & real-time monitoring

Every request traced, logged, and timestamped automatically, with alerts the moment something needs attention.

Full observability & real-time monitoring

Every request traced, logged, and timestamped automatically, with alerts the moment something needs attention.

Auditability across the full lifecycle

Every prompt, response, tool call, API invoked, and agent decision logged and traceable — from development through production. The complete record an auditor needs, built in from day one.

Human oversight, built in

Apply guardrails and policies at the router level, and adjust them in real time.

Human oversight, built in

Apply guardrails and policies at the router level, and adjust them in real time.

PII and risk guardrails

Screen requests for sensitive data automatically and route around risk before it reaches a model.

PII and risk guardrails

Screen requests for sensitive data automatically and route around risk before it reaches a model.

One system, full lifecycle

Routing, evaluation, and governance run on the same platform across the entire AI lifecycle.

One system, full lifecycle

Routing, evaluation, and governance run on the same platform across the entire AI lifecycle.

EU-built infrastructure

EU entity, EU-hosted, no CLOUD Act exposure.

EU-built infrastructure

EU entity, EU-hosted, no CLOUD Act exposure.

Testimonials

Teams that run on our EU AI gateway

Testimonials

Teams that run on our EU AI gateway

We chose Orq.ai to replace our internal setup with a production-ready AI Gateway that meets our governance, scalability, and cost-monitoring requirements.

Benjamin Kleppe,

GenAI Lead at bunq

Connecting to Orq.ai’s platform means we no longer need to revise our own code. The platform provides full control over the functionality of the models, saving considerable time and manual adjustments.

Thomas Goijarts,

Founder, Caro health

FAQs

What teams ask us about the EU AI Act

FAQs

What teams ask us about the EU AI Act

When do the EU AI Act’s obligations take effect?

Three time buckets: Article 4 and Article 5 have been in force since February 2025. Article 50 transparency obligations apply from 2 August 2026. High-risk system obligations apply from December 2027 for Annex III systems.

When do the EU AI Act’s obligations take effect?

Three time buckets: Article 4 and Article 5 have been in force since February 2025. Article 50 transparency obligations apply from 2 August 2026. High-risk system obligations apply from December 2027 for Annex III systems.

Does the deadline change mean I can wait to prepare?

No. Audit logging and post-deployment monitoring rely on a history that only exists if the system has been logging it all along.

Does the deadline change mean I can wait to prepare?

No. Audit logging and post-deployment monitoring rely on a history that only exists if the system has been logging it all along.

Am I a provider or a deployer — and does it matter?

It matters significantly. If you build a product on top of a foundation model, you may be a deployer of that model and a provider of the AI system your customers use. Full provider obligations can still apply.

Am I a provider or a deployer — and does it matter?

It matters significantly. If you build a product on top of a foundation model, you may be a deployer of that model and a provider of the AI system your customers use. Full provider obligations can still apply.

What does Article 12 actually require?

Automatic, tamper-evident logging of every input, output, and timestamp — and for agents, the full action chain: tool calls made, APIs invoked, and decisions taken at each step.

What does Article 12 actually require?

Automatic, tamper-evident logging of every input, output, and timestamp — and for agents, the full action chain: tool calls made, APIs invoked, and decisions taken at each step.

Does the EU AI Act apply to AI agents?

Yes. The AI Office has confirmed that an AI agent is an AI system for the purposes of the Act. The classification question is the same as any AI system: what it does, and in what context.

Does the EU AI Act apply to AI agents?

Yes. The AI Office has confirmed that an AI agent is an AI system for the purposes of the Act. The classification question is the same as any AI system: what it does, and in what context.

What is the Article 50 transparency obligation?

From 2 August 2026, AI systems designed to interact with people must disclose that they are AI unless this is obvious from context. Synthetic content is also subject to watermarking and machine-readable marking requirements.

What is the Article 50 transparency obligation?

From 2 August 2026, AI systems designed to interact with people must disclose that they are AI unless this is obvious from context. Synthetic content is also subject to watermarking and machine-readable marking requirements.

What other EU regulations should I be aware of?

Beyond the AI Act, the EU Cloud and AI Development Act and GDPR both affect how AI systems handle data and infrastructure. See our EU sovereignty page for how Orq addresses these.

What other EU regulations should I be aware of?

Beyond the AI Act, the EU Cloud and AI Development Act and GDPR both affect how AI systems handle data and infrastructure. See our EU sovereignty page for how Orq addresses these.

What does “human oversight” under Article 14 mean in practice?

The ability for a human to understand what the system did, intervene in it, override a decision, or halt it entirely. For agents, this means permitted action scopes, step-by-step logs, and the ability to halt and reconstruct what happened.

What does “human oversight” under Article 14 mean in practice?

The ability for a human to understand what the system did, intervene in it, override a decision, or halt it entirely. For agents, this means permitted action scopes, step-by-step logs, and the ability to halt and reconstruct what happened.

How long do I need to keep system logs?

Article 26(6) requires deployers to retain system logs for at least six months in audit-ready form. Orq’s audit logs are tamper-evident, exportable, and searchable across agent and gateway activity.

How fast do I need to report a serious incident?

Article 73 requires reporting within 2 to 15 days, depending on severity. That depends on monitoring and alerting already being in place.

Does the EU AI Act apply to companies outside the EU?

The Act applies to providers and deployers of AI systems placed on the EU market or whose outputs are used in the EU, regardless of where the provider is based.

How does Orq help with AI Act compliance?

Full request observability, automatic logging covering the full agent action chain, real-time monitoring, and router-level guardrails are built into the platform by default, ready before you need them.

Get ahead of the EU AI Act

30 minutes. Your use cases mapped to what applies when.

Get ahead of the EU AI Act

30 minutes. Your use cases mapped to what applies when.

Get ahead of the EU AI Act

30 minutes. Your use cases mapped to what applies when.

Get ahead of the EU AI Act

30 minutes. Your use cases mapped to what applies when.