Get the EU AI Act ready, ahead of time
The first comprehensive AI law is phasing in, and EU buyers already ask about it in security reviews. Classify early and keep the initiative.
Kaamel classifies every AI system you ship, maps your obligations, builds the documentation, and prepares you for conformity assessment. It runs alongside your SOC 2, ISO, and GDPR work, so nothing is done twice.



AI governance experts · Trusted by nearly 100 companies going global
What is the EU AI Act?
The EU AI Act is the world's first comprehensive AI law, and its logic is simple: the riskier the use case, the heavier the obligations. A few practices are banned outright, high-risk systems face strict requirements, and most everyday AI only owes transparency. Like the GDPR, it reaches beyond Europe — if your AI's output is used in the EU, you're in scope, wherever you're based.
Four risk tiers
Unacceptable (banned), high, limited, minimal. Everything about your obligations follows from which tier each system lands in.
High risk means real work
AI in hiring, credit, healthcare, biometrics, or critical infrastructure faces risk management, documentation, human oversight, and conformity assessment.
General-purpose AI has its own chapter
Model providers carry transparency and documentation duties — heavier ones if the model poses systemic risk.
It's already phasing in
The bans came first, general-purpose AI duties followed in 2025, and most high-risk obligations arrive across 2026–27. The clock is running.
The four risk tiers — where does your AI sit?
| Tier | Examples | What it means for you |
|---|---|---|
| Unacceptable risk | Social scoring; manipulative or exploitative techniques | Banned outright — these systems can't be placed on the EU market |
| High risk | Hiring, credit scoring, healthcare, biometrics, critical infrastructure | The heavy duties: risk management, documentation, conformity assessment |
| Limited risk | Chatbots, deepfakes, emotion recognition | Transparency: people must know they're dealing with AI |
| Minimal risk | Spam filters, recommenders, most everyday tools | No new obligations — but be ready to explain why you're here |
Why prepare now
Obligations arrive on a schedule and EU buyers are already asking questions. Preparing early costs far less than preparing late.
Your buyers moved first
EU enterprise security reviews now include AI Act questions. Having an answer ready today is a differentiator, not a checkbox.
Classification sets the roadmap
Learning in 2026 that you are high-risk leaves very little time. Learning it now leaves room to plan.
Foundation models are included
Building or fine-tuning general-purpose models brings its own duties — better mapped before a customer or regulator asks.
How Kaamel prepares you
The Act is new and most advice about it stays theoretical. We turn it into a concrete workplan.
- 01
Classify every system
We inventory your AI and place each system in its risk tier — the decision everything else depends on.
- 02
Map duties to gaps
Risk management, data governance, transparency, human oversight, logging — we list what applies to you and what's missing today.
- 03
Write the technical file
We produce the documentation, instructions for use, and records the Act requires, aligned with your ISO and GDPR work so the same material is never written twice.
- 04
Prepare for conformity
For high-risk systems: conformity assessment readiness, CE marking, and the post-market monitoring the Act expects.
Why Kaamel
AI compliance sits between engineering and law, which is where we work every day.
AI companies are our home turf
We run SOC 2, HIPAA, and GDPR programs for AI startups every day. We know model pipelines, not just legal text.
Concrete, not theoretical
We translate the Act into technical controls that match how your system actually works — so the documentation describes reality.
Two teams, no time-zone gap
Delivery teams in Silicon Valley and Asia hand off around the clock, and your obligations are mapped before you enter the EU market.
Stacks with ISO 42001 and GDPR
The governance the Act expects overlaps heavily with both. We build them as one program, not three.
Trusted by AI companies
An AI infrastructure company reached SOC 2 in three months with audit prep cut by 30% — building the governance base the AI Act now expects.
An AI infrastructure company
SOC 2, GDPR, and HIPAA delivered together for an AI model startup — the same foundation the AI Act builds on.
A fast-growing AI model startup
An AI agent startup now answers deep compliance spot checks the day they arrive — the documentation discipline the AI Act formalizes.
An AI agent startup
What's included
- An inventory and risk classification of every AI system
- Obligation mapping and gap analysis
- AI risk management and data governance
- Transparency and human-oversight controls
- The technical file: documentation and logging
- Conformity assessment preparation for high-risk systems
- Alignment with ISO 27001, ISO 42001, and the GDPR
- Ongoing tracking as obligations phase in
EU AI Act FAQ
When does the EU AI Act take effect?
It's already in force — since 2024 — and applies in phases: the bans first, general-purpose AI duties in 2025, and most high-risk obligations across 2026–27. The practical deadline is earlier than the legal one: EU buyers are asking now.
Does the Act apply to companies outside the EU?
Yes. If your AI system's output is used in the EU, you're in scope wherever you're based — the same extraterritorial logic as the GDPR. That's why classification belongs on every go-global roadmap.
How do I know if my AI is high-risk?
The Act lists the high-risk categories — hiring, credit, biometrics, healthcare, critical infrastructure, and more. Placing your systems correctly is the first and most consequential step, and it's an assessment we do for you.
How does the Act relate to ISO 42001 and the GDPR?
They overlap heavily — ISO/IEC 42001 and a solid GDPR program supply much of the governance the Act expects. We build them as one program so nothing is duplicated.
We're an AI startup going global — why act now?
Because obligations arrive on a fixed schedule and EU customers are already asking. Early preparation is inexpensive, and having an answer ready wins deals while competitors are still reading the law.

