Reach EU AI Act readiness by 2 August 2026
EU AI Act compliance software covering Articles 9-15 for high-risk AI systems, Article 27 fundamental rights impact assessments, the Annex IV technical file, conformity assessment routing, CE marking, EU database registration, and post-market monitoring. Cross-mapped to ISO/IEC 42001:2023, NIST AI RMF 1.0, ISO 27001:2022, and GDPR so existing evidence carries forward.
- AI inventory + Article 6 risk tier classifier across Annex I + Annex III
- Articles 9-15 + Article 27 FRIA + Annex IV technical file builder
- Article 43 conformity assessment routing + Article 49 EU database
- Cross-mapped to ISO 42001, NIST AI RMF, GDPR, ISO 27001
Trusted by 1,500+ risk and compliance teams
What is EU AI Act compliance software?
EU AI Act compliance software automates the obligations set by the Regulation (EU) 2024/1689. RiskWatch covers Article 6 risk classification across the four tiers (prohibited, high-risk, limited, minimal), Articles 9-15 for high-risk providers, Article 27 fundamental rights impact assessments for deployers, Article 11 plus Annex IV technical documentation, Article 43 conformity assessment, Article 49 EU database registration, and Article 72 post-market monitoring with Article 73 incident reporting. Cross-mapped to ISO/IEC 42001:2023, NIST AI RMF 1.0, ISO 27001:2022, and GDPR.
The Articles are the framework. The inventory is what is missing.
Compliance teams face the same four pains heading into August 2026: no AI inventory, so risk classification is impossible; Annex IV technical files that no agile team has the source material for; an Article 9 lifecycle that never closes; and board-level penalty exposure that scales with global turnover, not deal size.
No AI inventory. Risk classification is impossible.
Over half of enterprises lack a systematic inventory of AI systems already in production. Without knowing every model, training set, and downstream deployer, you cannot assign risk tiers under Article 6, and you cannot scope the obligations that follow. The AI Inventory module captures every system, vendor model, and shadow deployment with provider + deployer roles per Article 25.
Annex IV technical documentation will not write itself.
Article 11 plus Annex IV demands design choices, data lineage, test methodologies, and post-market monitoring evidence per high-risk system. Teams shipping with agile process and minimal docs cannot retrofit it weeks before audit. The Technical File Builder pulls evidence already collected for ISO 27001 + ISO 42001 into the AI Act format.
Article 9 risk management never closes.
Article 9 requires a risk management system across the entire lifecycle: identify foreseeable risks, evaluate residual risk, treat, monitor in deployment. ISO 42001 Clause 6 + Clause 8 deliver roughly 80 percent of the technical work. RiskWatch runs the lifecycle continuously, not as a one-off project, so the Article 9 file is current the day the auditor opens it.
Penalty math wakes up the board.
Article 99 caps administrative fines at €35M or 7% of worldwide annual turnover, whichever is higher, for prohibited-practice violations. Provider + deployer obligation breaches reach €15M or 3%. False or misleading information to notified bodies reaches €7.5M or 1%. The Penalty Exposure dashboard shows board-ready euro values per high-risk system per day of non-compliance.
Regulation (EU) 2024/1689. In force 1 Aug 2024, phased through 2027.
The EU AI Act is the first comprehensive horizontal regulation of AI. It applies to providers placing AI on the EU market, deployers using AI in the Union, and a chain of importers, distributors, product manufacturers, and authorised representatives. See the consolidated text at EUR-Lex and the Commission's regulatory framework page. Application is phased: prohibitions apply first, general-purpose AI rules next, then the bulk of high-risk obligations on 2 August 2026, with safety-component high-risk obligations extending to 2 August 2027 and a 2026 Commission proposal moving parts of the Annex III regime to 2 December 2027.
Four tiers, four different obligation stacks. Tier sets the duty.
The EU AI Act is risk-based. Article 5 prohibits eight practices outright. Article 6 plus Annex I plus Annex III pull high-risk AI into Articles 9-15. Article 50 applies transparency to limited-risk AI. Minimal-risk AI gets no obligation beyond Article 4 AI literacy. Classification is the first decision and the most consequential.
Prohibited
Article 5. Examples: Social scoring · subliminal manipulation · workplace + education emotion recognition · untargeted facial scraping · real-time biometric ID in public spaces (narrow exceptions)
Obligation: Banned. €35M / 7% turnover penalty cap.
High-risk
Articles 6-49. Examples: AI as safety components in regulated products (Annex I) · Annex III use cases: biometrics, critical infrastructure, education, employment, essential services, law enforcement, migration, justice + democracy
Obligation: Full Articles 9-15 stack: risk management, data governance, technical docs, logging, transparency, human oversight, accuracy + cybersecurity. Conformity assessment + CE marking + EU database registration. Post-market monitoring + incident reporting.
Limited
Article 50. Examples: Chatbots disclosing AI interaction · emotion recognition + biometric categorization with consent · deepfake + AI-generated content disclosure · synthetic media labelling
Obligation: Transparency obligations under Article 50. Inform natural persons they are interacting with AI. Mark synthetic content machine-readable.
Minimal
Article 4 + voluntary. Examples: AI spam filters · video game NPCs · inventory optimization · recommender systems below systemic risk threshold
Obligation: No mandatory rules. Voluntary codes of conduct encouraged. AI literacy obligation under Article 4 still applies for staff.
Six actor roles. Each carries a different stack.
Article 3 defines provider, deployer, importer, distributor, product manufacturer, and authorised representative. Article 25 distributes obligations across the chain. The Regulation has extra-territorial reach: non-EU entities whose AI output is used in the Union are in scope and may need to appoint an authorised representative under Article 22.
Provider
An entity that develops an AI system or has it developed and places it on the EU market or puts it into service under its own name or trademark. Carries the bulk of Articles 9-15 + conformity assessment + post-market monitoring duties.
Deployer
Any natural or legal person using an AI system under its authority, except where used in a personal non-professional activity. Owns Article 26 deployer obligations: instruction adherence, human oversight, input data, logging retention, and Article 27 FRIA where required.
Importer
An EU-established entity placing an AI system from a non-EU provider on the Union market. Verifies the provider has carried out conformity assessment, technical documentation is available, and the CE marking is affixed before import.
Distributor
Any actor in the supply chain other than provider or importer that makes the AI system available on the Union market. Verifies CE marking, conformity declaration, instructions for use, and provider + importer identification before distribution.
Authorised representative
When a provider is established outside the Union, an EU-established representative must be appointed under Article 22 to interact with national competent authorities on behalf of the provider.
Product manufacturer
Where a high-risk AI system is a safety component of a product covered by Annex I Union harmonisation legislation, the product manufacturer becomes the provider for the AI Act obligations.
Every module an AI governance program needs, in one platform.
Sixteen modules sharing the AI inventory, evidence vault, and audit trail. Built around the Article 9 lifecycle so risk classification, conformity assessment, CE marking, EU database registration, and post-market monitoring all read from the same source of truth.
Article-by-article coverage at a glance
Per-system risk tier, Article 9-15 coverage percentages, open conformity gaps, post-market monitoring health, penalty exposure totals in euros.
Every model, every deployer, every role
Capture every AI system in production, training, or vendor-supplied. Provider / deployer / importer / distributor role tagged per Article 25 obligations.
Annex III + Article 6 walkthrough
Decision tree maps each system to Prohibited / High-risk / Limited / Minimal under Article 6, Annex I, Annex III. Reclassification audit trail every release.
Lifecycle, not point-in-time
Identify foreseeable risks, estimate, evaluate, treat, monitor. Risks link to Annex IV technical documentation and FRIA, scoped to health, safety, and fundamental rights.
Training, validation, testing sets
Data quality, relevance, representativeness, completeness, bias examination. Annex IV § 2(d) datasheet auto-built from each training run.
Builder, not blank-page editor
Annex IV §§ 1-9: system description, design choices, hardware + software, validation procedures, change log, accuracy metrics, cybersecurity measures, EU declaration of conformity.
Automatic event capture
System operation logs retained per Article 12 + Article 19. Provider receives deployer logs for post-market monitoring per Article 72. Tamper-evident chain.
Instructions for deployers
Deployer-facing instructions per Article 13 § 3: intended purpose, accuracy levels, foreseeable misuse, human oversight measures, computational resources, expected lifetime.
Effectiveness + measure tracking
Article 14 measures designed into the system or implemented by the deployer. Override + stop controls + interpretability + sufficient training tracked per role.
KPIs + cybersecurity attestations
Accuracy thresholds declared, robustness against adversarial inputs, cybersecurity per Article 15 § 5. Annex IV § 2(g) auto-fills from observability data.
Article 27 fundamental rights impact assessment
Required for deployers of high-risk AI as defined in Article 27. Walks intended purpose, affected persons, risks to fundamental rights, mitigations, complaint mechanism.
Internal control + notified body track
Article 43 routes by Annex III use case. Internal control for Annex III §§ 2-8, notified body for biometrics + safety components. Conformity declaration + CE marking per Article 48.
Article 49 high-risk register
Annex VIII registration record kept current per release. Provider + product + intended-purpose + member state filings tracked.
ISO 42001 + NIST AI RMF + GDPR + ISO 27001
Article 9 ↔ ISO 42001 Cl 6 + 8 ↔ NIST AI RMF GOVERN + MAP + MEASURE + MANAGE. Score one control, satisfy four frameworks.
Article 72 plan + Article 73 incident reporting
Post-market monitoring plan per high-risk system. Serious-incident reporting timelines (Article 73): 72 hours basic, 2 days widespread, 15 days general.
Who changed risk tier, answered instantly
Timestamped log of every classification change, evidence upload, FRIA decision, conformity declaration. Admissible to notified bodies and national market surveillance authorities.
Seven Articles. One lifecycle.
Articles 9-15 carry the technical heart of the Regulation for high-risk AI providers. The Commission's AI Act Service Desk walks the obligations article by article. Each one links to Annex IV technical documentation sections, and each one operates continuously across the lifecycle rather than as a one-off project. Article 17 wraps them in a quality management system. RiskWatch ships the templated control set and pulls existing evidence from ISO 27001 + ISO 42001 so the technical file does not start blank.
Score one control. Satisfy three regimes.
Per Cloud Security Alliance + GLACIS 2026 crosswalks, a mature ISO 42001 implementation covers roughly 80 percent of the Article 9 technical burden plus significant portions of Articles 10-15. NIST AI RMF 1.0 adds an outcome-based control language preferred by US enterprises. RiskWatch maps the three so a single evidence answer satisfies all of them, with the AI Act delta (Article 27 FRIA, Article 43 conformity assessment, Article 48 CE marking, Article 49 EU database registration) layered on.
| EU AI Act | Duty | ISO/IEC 42001:2023 | NIST AI RMF 1.0 |
|---|---|---|---|
| Article 9 | Risk management system across the AI lifecycle | Clause 6 (Planning) + Clause 8 (Operation) + Annex A 6.1 AI risk assessment | MAP 1-5 · MEASURE 1-4 · MANAGE 1-4 |
| Article 10 | Data governance, training + validation + testing sets | Annex A 7.2 Data resources + 7.3 Data quality | MAP 2.3 · MEASURE 2.6 · 2.10 |
| Article 11 | Technical documentation per Annex IV | Clause 7.5 Documented information + Annex A 8.2 Documentation | GOVERN 1.5 · MAP 4.1 · MEASURE 3.2 |
| Article 12 | Automatic recording of events (logging) | Annex A 9.2 Monitoring + measurement + analysis | MEASURE 2.3 · 2.4 · 2.5 |
| Article 13 | Transparency + instructions for deployers | Annex A 8.3 Reporting concerns + 8.4 Communication | GOVERN 4.1 · MAP 3.3 · MEASURE 2.8 |
| Article 14 | Human oversight by design + by deployer | Annex A 9.3 Internal audit + Annex A 6.2 AI objectives | GOVERN 3.2 · MAP 3.5 · MANAGE 3.2 |
| Article 15 | Accuracy, robustness, cybersecurity | Annex A 8.5 Operational planning + control + ISO 27001 Annex A.8 Technological | MEASURE 2.7 · 2.9 · 2.11 |
| Article 17 | Quality management system for providers | Clause 4 Context + Clause 5 Leadership + Clause 9 Performance evaluation | GOVERN 1.1 · 1.2 · 1.3 · 1.6 |
| Article 27 | Fundamental rights impact assessment by deployers | Annex A 6.1.4 AI system impact assessment | MAP 5.1 · 5.2 · MEASURE 2.11 |
| Article 72 | Post-market monitoring system + plan | Clause 9.1 Monitoring + Clause 10.1 Continual improvement | MANAGE 4.1 · 4.2 · 4.3 |
Sources: ISO/IEC 42001:2023 Annex A control catalog, NIST AI RMF 1.0, Cloud Security Alliance research note on prEN 18286 + ISO 42001 + EU AI Act (April 2026), GLACIS crosswalk guide 2026.
Answer once. Satisfy EU AI Act + ISO 42001 + NIST AI RMF + GDPR.
Organizations placing AI on the EU market typically run four regimes in parallel: the AI Act for product obligations, ISO/IEC 42001:2023 for the management system, NIST AI RMF 1.0 for US enterprise procurement, and GDPR for personal data. RiskWatch maps the Article 9 risk assessment, Annex IV technical documentation, Article 14 human oversight, and Article 27 FRIA to their ISO 42001 + NIST AI RMF + GDPR counterparts so a single evidence set satisfies all four. Customers running the four in parallel reduce combined audit prep by 55-65 percent.
From AI inventory to Article 49 registration, in eight ordered steps.
The order matters. Inventory before classification, classification before FRIA, FRIA before the Article 9 lifecycle, lifecycle before the Annex IV technical file, technical file before conformity assessment, conformity before deployment, deployment before post-market monitoring. RiskWatch enforces the order so nothing skips ahead and nothing gets left behind.
Inventory every AI system
Models in production, in development, vendor-supplied, shadow AI. Tag provider + deployer + importer + distributor roles per Article 25.
Classify under Article 6, Annex I, Annex III
Prohibited, high-risk, limited, minimal. Document Article 6 (3) derogation reasoning where applied. Reclassify on every material change.
Run Article 27 FRIA for every high-risk deployer use case
Affected persons, fundamental rights at stake, mitigations, complaint mechanism. File with national supervisory authority where required.
Stand up the Article 9 risk management system
Identify foreseeable risks, evaluate residual risk in intended use + reasonably foreseeable misuse, treat, retest, document. Lifecycle, not project.
Build the Annex IV technical file
Annex IV §§ 1-9 per high-risk system. Pull existing ISO 27001 + ISO 42001 evidence to avoid net-new authoring.
Pass conformity assessment + affix CE marking
Article 43 chooses internal control vs notified body by use case. EU declaration of conformity per Article 47. Register the system in the EU database (Article 49).
Deploy with Article 14 human oversight + Article 13 transparency
Train deployers, embed override + stop controls, label outputs as AI where Article 50 applies, retain logs per Article 12 + Article 19.
Run Article 72 post-market monitoring + Article 73 incident reporting
Active monitoring plan, serious-incident reporting in 72 hours / 2 days / 15 days depending on severity, corrective action, Article 20 + 21 information duties.
Up to €35M or 7% of worldwide turnover, whichever is higher.
Article 99 sets three penalty tiers. Member states implement enforcement at national level under designated competent authorities, with the European AI Office coordinating consistency. SMEs and startups pay the lower of the two figures, not the higher. The penalty math is what wakes boards up: the calculation runs on global turnover, not EU revenue, so the exposure can dwarf the deal that triggered it.
Article 5 prohibitions. Social scoring, real-time remote biometric ID in public spaces, subliminal manipulation, exploitation of vulnerabilities, workplace + education emotion recognition, untargeted facial scraping. Highest fine of €35M or 7 percent of worldwide annual turnover.
Provider, deployer, importer, distributor, notified body, or Article 50 transparency breaches. Most Article 9-15 non-conformities sit here. €15M or 3 percent of worldwide annual turnover, whichever is higher. Per high-risk system, not per organization.
Supplying incorrect, incomplete, or misleading information to notified bodies or national competent authorities. €7.5M or 1 percent of worldwide annual turnover. SMEs and startups: lower of the two, per Article 99 § 6.
Source: Article 99 of Regulation (EU) 2024/1689 and AI Act Service Desk.
How RiskWatch compares to Drata, Vanta, and ModelOp
Public feature comparison drawn from each vendor's own AI governance product pages (audited 2026-05-15) plus aggregated G2 and Capterra commentary. EU AI Act software covers three different jobs: GRC-style governance (Vanta + Drata), enterprise AI governance (RiskWatch + ModelOp), and developer runtime control (ModelOp + observability tools). Many teams need more than one. The right buying decision usually starts with identifying your system of record.
| Capability | RiskWatch | Drata | Vanta | ModelOp |
|---|---|---|---|---|
| AI inventory with provider / deployer role tagging (Article 25) | Yes, native + auto-discovery via integrations + vendor questionnaires | Partial, via ISO 42001 module | Partial, via AI governance add-on | Yes, runtime + model registry focus |
| Risk tier classifier walkthrough (Article 6 + Annex I + Annex III) | Yes, decision tree with audit trail per release | Partial | Partial | Yes, model card based |
| Article 9 lifecycle risk management system | Yes, lifecycle continuous, not point-in-time | Yes, ISO 42001 mapped | Yes, ISO 42001 mapped | Yes, observability based |
| Annex IV technical file builder | Yes, §§ 1-9 templated, pulls ISO 27001 + ISO 42001 evidence | Template-assisted | Template-assisted | Partial |
| Article 27 FRIA module | Yes, dedicated, with affected-person registry | Template | Template | No |
| ISO 42001 + NIST AI RMF + EU AI Act cross-mapping | Yes, configurable, score-once-satisfy-four | Yes, 30+ framework Common Controls | Yes, AI Governance + ISO 42001 add-on | Yes, NIST AI RMF aligned |
| Conformity assessment routing (internal vs notified body) | Yes, Article 43 routing logic by Annex III use case | Manual | Manual | Manual |
| Article 72 post-market monitoring plan + Article 73 incident reporting | Yes, 72h / 2d / 15d incident escalation built in | Partial | Partial | Yes, runtime drift + bias monitoring |
| Pricing transparency | Quote per scope + framework count, no surprise renewal jumps | Quote-only, scales with org size | Quote-only, criticised for renewal jumps | Enterprise quote-only |
AI governance that does not require a separate platform
Real CCOs, AI governance leads, and DPOs running EU AI Act + ISO 42001 in parallel. Composite benchmarks from RiskWatch customers. The biggest win: existing ISO 27001 + ISO 42001 evidence carries forward, so the AI Act delta is the only net-new work.
Six ICPs running the AI Act on the same platform.
Provider, deployer, or both. AI vendor or AI buyer. Public sector or private. The Articles are universal; the actor role and risk tier set the work.
AI vendors selling to EU customers
Providers under Article 3 (3). High-risk classification on most B2B AI plus full Articles 9-15 stack plus CE marking plus EU database registration. RiskWatch is provider-mode by default.
Enterprises deploying AI in EU operations
Deployers under Article 26. FRIA per Article 27, Article 14 human oversight, log retention. Cross-mapped to ISO 27001 + GDPR + ISO 42001 already running.
Financial services + insurance
Annex III § 5(b) credit scoring + § 5(c) life + health insurance pricing fall in high-risk. Cross-mapped to DORA + ISO 27001 + EBA Guidelines on outsourcing.
Healthcare + medical-device AI
Medical devices with AI as safety components fall under Annex I via MDR + IVDR. CE marking already in place; AI Act extends the technical file and FRIA layer.
Government + public-sector AI
Annex III § 5(a) public assistance, § 6 law enforcement, § 7 migration, § 8 justice + democracy. FRIA mandatory under Article 27. Member-state notifications tracked.
Manufacturing + critical infrastructure
Annex III § 2 critical infrastructure (water, gas, electricity, traffic, ICT). Annex I safety components in regulated machinery. Cross-mapped to ISO 27001 + NIST 800-53.
Plus every framework you run with the AI Act, cross-mapped.
Score one Article 9 risk assessment. Satisfy ISO 42001, NIST AI RMF, GDPR, and ISO 27001 simultaneously.
EU AI Act Compliance Roadmap (Articles 9-15 + Article 27 FRIA)
A 38-page PDF walking the eight-step compliance roadmap, the Annex IV technical file template, the Article 27 FRIA worksheet, and the ISO 42001 + NIST AI RMF cross-mapping reference. Updated with 2026 Commission guidance.
- Articles 9-15 obligation checklist per high-risk system
- Annex IV §§ 1-9 technical file template with field-by-field guidance
- Article 27 FRIA worksheet + affected-person registry
- ISO 42001 + NIST AI RMF cross-mapping reference table
What CCOs and AI governance leads ask before they buy
About Regulation (EU) 2024/1689, the four risk tiers, Articles 9-15, Article 27 FRIA, ISO 42001 cross-mapping, conformity assessment, penalties under Article 99, and how RiskWatch covers all of them.
Build your AI inventory this week
Start a 30-day free trial. Full AI inventory, Article 6 risk classifier, Articles 9-15 control library, Article 27 FRIA builder, Annex IV technical file templates, conformity assessment routing, EU database registration, post-market monitoring, and cross-mapping to ISO 42001, NIST AI RMF, GDPR, and ISO 27001. No credit card.
No credit card required · 30-day free trial · Cancel anytime