EU Artificial Intelligence Act (Regulation (EU) 2024/1689)

The EU Artificial Intelligence Act, Regulation (EU) 2024/1689, is the world's first comprehensive AI law. Risk-based framework covering prohibited AI practices (Article 5, in force since 2 Feb 2025), high-risk AI systems (Annex I/III, Chapter III), general-purpose AI models (Chapter V, in force since 2 Aug 2025), and transparency obligations (Article 50, from Aug 2026). Following the AI Act Omnibus political agreement (7 May 2026), high-risk AI obligations are deferred: Annex III use-based systems to 2 Dec 2027 (16-month deferral); Annex I product-embedded systems to 2 Aug 2028. New prohibition on AI-generated non-consensual intimate imagery and CSAM from 2 Dec 2026. AI-generated content labelling deferred to 2 Dec 2026. SME simplifications extended to mid-caps (≤750 employees / €150M). Penalties up to €35M or 7% global turnover (Article 99).

Composition

55 controls currently indexed; participates in 29 cross-framework synthesis clusters.

Participates in synthesis

Each cluster listed below combines this framework's controls with operationally equivalent controls from other frameworks, resolving the overlap into a single audit-defensible specification.

• AI conformity assessment, EU database registration, regulatory sandbox
• AI content labelling — testing consent, deep fakes, SGI, deployer notices
• AI data governance — provenance, preparation, external reporting
• AI governance lifecycle — GOVERN function and inventory
• AI incident reporting — serious incidents to authorities
• AI lifecycle — policies, safety mindset, environmental impact
• AI policy and AIMS leadership commitment
• AI post-deployment monitoring and incident response
• AI principles — Seven Sutras + ISO 42001 + NIST + EU AI Act literacy
• AI resource inventory — data, tooling, systems, people across AI lifecycle
• AI risk classification — EU AI Act high-risk + GPAI + NIST risks
• AI roles and responsibilities across the lifecycle
• AI supplier management — third-party AI systems and components
• AI system impact assessment (AISIA / FRIA / DPIA convergence)
• AI transparency — fairness, explainability, deep fake disclosure
• AI-generated content provenance — C2PA, watermarking, SGI
• Automated Decision-Making Technology — pre-use notice, opt-out, access rights
• Data Protection Impact Assessment / risk assessment for high-risk processing
• Data subject / Data Principal rights — operational rights mechanism
• EU AI Act prohibited practices + India AI capacity building
• GDPR Article 33 / 34 breach notification + multi-jurisdiction coordination
• GDPR Article 35 DPIA + cross-jurisdiction high-risk assessment
• GDPR data subject rights — Articles 12-22 operational implementation
• General-Purpose AI model provider obligations
• India-specific AI risk classification reflecting societal context
• PII principal rights — comprehensive ISO 27701-anchored programme
• Responsible AI use — operational guardrails
• SDF algorithmic due diligence and traffic-data localisation
• Workforce security awareness, role-based training, and human-factor controls