:PROPERTIES:
:ID:       auto-eu-ai-act
:CREATED:  [2026-05-23 Sat]
:END:
#+title: EU AI Act
#+filetags: :passepartout:compliance:framework:eu:

** EU AI Act

First comprehensive AI regulation globally (effective August 2026). Risk-based
tiers: unacceptable (banned), high-risk (conformity assessment), limited
(transparency), minimal (code of conduct). High-risk systems require: risk
management, data governance, technical documentation, transparency, human
oversight, accuracy/robustness/cybersecurity. Third-party conformity assessment
for some high-risk systems (notified bodies).

Who must comply: Providers and deployers of AI systems in the EU. Extraterritorial
if the AI system output is used in the EU. Scope covers GPAI (general-purpose AI)
with additional obligations for systemic-risk GPAI.

Penalties: Up to 35M EUR or 7% of global turnover (higher than GDPR).

Why it matters: The EU AI Act's conformity assessment requirement creates an
instant certification market. Passepartout's gate stack can serve as the
human oversight and accuracy/robustness infrastructure for any AI system
deployed through it. The [[file:verification-monopoly.org][verification monopoly]] argument applies at maximum
force: an ACL2-verified gate stack is the most defensible approach to AI Act
compliance. First-mover advantage: the regulation takes effect August 2026.
No certification body or tool vendor has an ACL2-based compliance pipeline.
First to market captures the standard-setting role.

** DORA (Digital Operational Resilience Act)