Kaamel offers Drata customers free one-month consultations to help build up your compliance baseline, jumpstart your compliance journey.Learn More

Get the EU AI Act ready, ahead of time

The first comprehensive AI law is phasing in, and EU buyers already ask about it in security reviews. Classify early and keep the initiative.

Kaamel classifies every AI system you ship, maps your obligations, builds the documentation, and prepares you for conformity assessment. It runs alongside your SOC 2, ISO, and GDPR work, so nothing is done twice.

AICPA SOCDrataVanta

AI governance experts · Trusted by nearly 100 companies going global

4 tiers
risk tiers; your tier decides your obligations, so classification comes first
2026–27
when the high-risk obligations land, and EU buyers are asking now
7%
of global turnover, the fine ceiling for the worst violations

What is the EU AI Act?

The EU AI Act is the world's first comprehensive AI law, and its logic is simple: the riskier the use case, the heavier the obligations. A few practices are banned outright, high-risk systems face strict requirements, and most everyday AI only owes transparency. Like the GDPR, it reaches beyond Europe — if your AI's output is used in the EU, you're in scope, wherever you're based.

Four risk tiers

Unacceptable (banned), high, limited, minimal. Everything about your obligations follows from which tier each system lands in.

High risk means real work

AI in hiring, credit, healthcare, biometrics, or critical infrastructure faces risk management, documentation, human oversight, and conformity assessment.

General-purpose AI has its own chapter

Model providers carry transparency and documentation duties — heavier ones if the model poses systemic risk.

It's already phasing in

The bans came first, general-purpose AI duties followed in 2025, and most high-risk obligations arrive across 2026–27. The clock is running.

The four risk tiers — where does your AI sit?

TierExamplesWhat it means for you
Unacceptable riskSocial scoring; manipulative or exploitative techniquesBanned outright — these systems can't be placed on the EU market
High riskHiring, credit scoring, healthcare, biometrics, critical infrastructureThe heavy duties: risk management, documentation, conformity assessment
Limited riskChatbots, deepfakes, emotion recognitionTransparency: people must know they're dealing with AI
Minimal riskSpam filters, recommenders, most everyday toolsNo new obligations — but be ready to explain why you're here

Why prepare now

Obligations arrive on a schedule and EU buyers are already asking questions. Preparing early costs far less than preparing late.

Your buyers moved first

EU enterprise security reviews now include AI Act questions. Having an answer ready today is a differentiator, not a checkbox.

Classification sets the roadmap

Learning in 2026 that you are high-risk leaves very little time. Learning it now leaves room to plan.

Foundation models are included

Building or fine-tuning general-purpose models brings its own duties — better mapped before a customer or regulator asks.

How Kaamel prepares you

The Act is new and most advice about it stays theoretical. We turn it into a concrete workplan.

  1. 01

    Classify every system

    We inventory your AI and place each system in its risk tier — the decision everything else depends on.

  2. 02

    Map duties to gaps

    Risk management, data governance, transparency, human oversight, logging — we list what applies to you and what's missing today.

  3. 03

    Write the technical file

    We produce the documentation, instructions for use, and records the Act requires, aligned with your ISO and GDPR work so the same material is never written twice.

  4. 04

    Prepare for conformity

    For high-risk systems: conformity assessment readiness, CE marking, and the post-market monitoring the Act expects.

Want a timeline and a quote for your case?

Why Kaamel

AI compliance sits between engineering and law, which is where we work every day.

AI companies are our home turf

We run SOC 2, HIPAA, and GDPR programs for AI startups every day. We know model pipelines, not just legal text.

Concrete, not theoretical

We translate the Act into technical controls that match how your system actually works — so the documentation describes reality.

Two teams, no time-zone gap

Delivery teams in Silicon Valley and Asia hand off around the clock, and your obligations are mapped before you enter the EU market.

Stacks with ISO 42001 and GDPR

The governance the Act expects overlaps heavily with both. We build them as one program, not three.

Trusted by AI companies

SOC 2 in 3 months

An AI infrastructure company reached SOC 2 in three months with audit prep cut by 30% — building the governance base the AI Act now expects.

An AI infrastructure company

Three frameworks in six months

SOC 2, GDPR, and HIPAA delivered together for an AI model startup — the same foundation the AI Act builds on.

A fast-growing AI model startup

Same-day audit answers

An AI agent startup now answers deep compliance spot checks the day they arrive — the documentation discipline the AI Act formalizes.

An AI agent startup

What's included

  • An inventory and risk classification of every AI system
  • Obligation mapping and gap analysis
  • AI risk management and data governance
  • Transparency and human-oversight controls
  • The technical file: documentation and logging
  • Conformity assessment preparation for high-risk systems
  • Alignment with ISO 27001, ISO 42001, and the GDPR
  • Ongoing tracking as obligations phase in

EU AI Act FAQ

When does the EU AI Act take effect?

It's already in force — since 2024 — and applies in phases: the bans first, general-purpose AI duties in 2025, and most high-risk obligations across 2026–27. The practical deadline is earlier than the legal one: EU buyers are asking now.

Does the Act apply to companies outside the EU?

Yes. If your AI system's output is used in the EU, you're in scope wherever you're based — the same extraterritorial logic as the GDPR. That's why classification belongs on every go-global roadmap.

How do I know if my AI is high-risk?

The Act lists the high-risk categories — hiring, credit, biometrics, healthcare, critical infrastructure, and more. Placing your systems correctly is the first and most consequential step, and it's an assessment we do for you.

How does the Act relate to ISO 42001 and the GDPR?

They overlap heavily — ISO/IEC 42001 and a solid GDPR program supply much of the governance the Act expects. We build them as one program so nothing is duplicated.

We're an AI startup going global — why act now?

Because obligations arrive on a fixed schedule and EU customers are already asking. Early preparation is inexpensive, and having an answer ready wins deals while competitors are still reading the law.

Building AI for a global market?

Book a free assessment. We'll classify your systems and lay out which obligations apply, when they take effect, and what to do now.