TrustWaysby Ailoitte
Book a demo
EU AI Act · Regulation (EU) 2024/1689

The complete EU AI Act workspace. Every article, every annex, every deadline.

TrustWays AI covers Articles 5, 6, 9–15, 22, 25, 27, 50, 71, 72, 73 and Annexes I, III, IV out of the box. Two-thirds of our customer base evaluated three other tools before us; the depth of regulatory coverage is what they cite as the reason for switching.

Walk through your stackSee the platform
Aug 2, 2026
enforcement begins
EU AI ACT(EU) 2024/1689Art. 5ProhibitionsArt. 6High-riskArt. 9Risk mgmtArt. 11Annex IVArt. 27FRIAArt. 50Transparency
Enforcement timeline

Four staggered deadlines. We track them per system.

Feb 2, 2025
In force
Chapter II + AI literacy
Article 5 prohibitions and the AI-literacy obligation under Article 4 are live. Operating a system that falls under any of the eight Article 5(1)(a)–(h) prohibitions is illegal on the EU market today.
Aug 2, 2025
In force
GPAI + governance + penalties
General-Purpose AI obligations under Articles 51–55 are live. AI Office, AI Board, and national competent authorities are operational. Penalties under Article 99 apply.
Aug 2, 2026
Upcoming
Annex III high-risk + general application
Most provisions of the Act apply. Every Annex III high-risk system (biometrics, critical infrastructure, education, employment, essential services, law enforcement, migration, justice) must demonstrate Articles 9–15 compliance.
Aug 2, 2027
Upcoming
Annex I product safety AI
AI systems that are safety components of products covered by Annex I (machinery, medical devices, toys, etc.) fall under the high-risk regime + their existing sectoral conformity assessment.
Article coverage

Every operative article — handled.

The matrix below maps every article that imposes an operational obligation to the platform module that handles it.

Art. 5Prohibited practices

Eight Unacceptable-Risk practices banned outright. The wizard covers all clauses (a)–(h) including real-time remote biometric ID by law enforcement.

Art. 6 + Annex IIIHigh-risk classification

Eight Annex III categories that trigger high-risk + the Article 6(3) advisory-only derogation. We compute both deterministically.

Art. 9Risk management

Iterative risk management process with documented identification, estimation, evaluation, and mitigation. Our risk register is its operational form.

Art. 10Data governance

Training, validation, and test data quality + bias examination. Datasets module + bias-examination workflow.

Art. 11 + Annex IVTechnical documentation

12-section Annex IV template generated from your system context. Reviewer-signed, branded, hash-chained.

Art. 12Record-keeping

Automatic event logging with retention. Our SHA-256 hash chain satisfies the tamper-evidence requirement.

Art. 13Transparency to deployers

Instructions for Use (IFU) document type generated from your system + tech stack.

Art. 14Human oversight

Human-in-the-loop playbook templates + escalation thresholds tied to your model risk score.

Art. 15Accuracy, robustness, cybersecurity

Drift, bias, adversarial-robustness telemetry per system + threshold-based alerting.

Art. 22Authorised Representative

Mandatory for non-EU providers placing AI on the EU market. We track this on the entity record + auto-create gaps when missing.

Art. 25Deployer obligations

Auto-applied to every high-risk system whose output reaches EU users — including extraterritorial cases under Art. 2(1)(c).

Art. 27FRIA

Fundamental Rights Impact Assessment for public bodies and essential-services deployers. Template + workflow built-in.

Art. 50Transparency to users

Disclosure obligations for chatbots, deepfakes, emotion-recognition, biometric categorisation. Limited-risk tier output.

Art. 71EU database

Pre-deployment registration for high-risk systems. We generate the submission packet from your platform data.

Art. 72Post-market monitoring

Continuous monitoring plan + execution. Monitoring module covers it end-to-end.

Art. 73Serious incident reporting

72-hour notification + 15-day full report. Incident workflow includes both clocks with visible countdowns.

Extraterritorial scope

Article 2(1)(c) — when the Act reaches you.

The most-missed clause of the Act. Any provider placing an AI system on the EU market — even if established outside the EU — falls within scope. Output used in the EU is enough.

We detect this automatically: combine entity establishment with system markets-served and output-used-in-EU flags, and the extraterritorial finding fires with Article 22 representative gap creation as a follow-up.

Scenario · India → EU
A SaaS company headquartered in Bengaluru runs a resume-screener LLM for European recruiters. Compute sits in AWS us-east-1.
→ Art. 2(1)(c) — extraterritorial: YES
→ Annex III §4 (Employment): HIGH_RISK
→ Art. 22 Authorised Representative: REQUIRED
→ Art. 25 deployer obligations: APPLY
→ Schrems II TIA on EU→US flow: REQUIRED
→ GDPR Art. 46 mechanism: SCC + DPF check
Every one of these findings is created automatically when the system is registered.

Get audit-ready before Aug 2, 2026.

See the platform classify a system from your stack — live — in 30 minutes. No NDAs required for the demo.

Book a demoExplore the platform