What is the EU AI Act?

The EU AI Act (Regulation (EU) 2024/1689) is the world's first comprehensive legal framework specifically regulating artificial intelligence. Adopted in March 2024, it uses a risk-based approach to classify AI systems into four tiers - unacceptable risk (banned), high risk (extensive obligations), limited risk (transparency requirements), and minimal risk (voluntary codes). Like GDPR, it has extraterritorial scope, applying to any organization worldwide whose AI systems are used within the EU.

What does my company need to do to comply with the EU AI Act?

To comply with the EU AI Act, organizations using AI must: implement automatic logging of all AI interactions with 6+ month retention (Articles 12, 19), establish human oversight including a kill switch to halt AI systems (Article 14), deploy data governance controls including masking and access restrictions for sensitive data (Article 10), set up continuous risk monitoring and incident reporting workflows (Articles 9, 73), ensure staff AI literacy (Article 4, already in force), and maintain comprehensive technical documentation (Article 11). Areebi provides all of these capabilities in a single platform.

Does the EU AI Act require a kill switch for AI systems?

Yes. Article 14(4)(e) of the EU AI Act explicitly requires that persons overseeing high-risk AI systems must be able to 'intervene in the operation of the high-risk AI system or interrupt the system through a stop button or a similar procedure that allows the system to come to a halt in a safe state.' This is a mandatory human oversight requirement for all high-risk AI systems. Areebi's admin kill switch provides exactly this capability - instant, company-wide AI shutdown with a full audit trail.

What logging is required under the EU AI Act?

Article 12 requires high-risk AI systems to have automatic logging capabilities that record events over the system's entire lifetime. Logs must enable traceability, risk identification, and post-market monitoring. Article 19 requires both providers and deployers to retain these automatically generated logs for a minimum of 6 months. Logs must be available to market surveillance authorities on request. Areebi's immutable audit logging captures every AI interaction with user identity, timestamps, prompts, responses, and policy decisions.

What are the penalties for EU AI Act non-compliance?

The EU AI Act imposes the highest AI-specific penalties globally, structured in three tiers. Violations involving prohibited AI practices carry fines up to EUR 35 million or 7% of total worldwide annual turnover, whichever is higher. Violations of other obligations (logging, transparency, human oversight, data governance) face fines up to EUR 15 million or 3% of turnover. Supplying incorrect information to authorities risks fines up to EUR 7.5 million or 1% of turnover. SMEs and startups face proportionally lower caps.

Does the EU AI Act apply to companies outside the EU?

Yes. Like GDPR, the EU AI Act has extraterritorial reach. It applies to any organization that places AI systems on the EU market, puts them into service in the EU, or produces AI outputs used within the EU. This means US, UK, Australian, and other non-EU companies serving European customers, employees, or partners must comply. Non-compliance exposes organizations to the same penalty framework regardless of where they are headquartered.

Is ChatGPT or enterprise AI considered high-risk under the EU AI Act?

General-purpose AI models like GPT-4, Claude, and Gemini are regulated separately as GPAI models under the EU AI Act, not directly classified as high-risk. However, enterprise applications built on these models become high-risk when deployed in domains listed in Annex III - including employment and HR decisions, credit scoring, education, law enforcement, and critical infrastructure management. The classification follows the use case, not the underlying model. Most enterprise AI copilots and productivity tools fall under limited risk with transparency obligations.

What is the difference between the August 2025 and August 2026 EU AI Act obligations?

August 2, 2025 activated GPAI model provider obligations, AI literacy requirements (Article 4), the full penalty regime, and governance infrastructure. August 2, 2026 is when full high-risk AI system obligations take effect - including conformity assessments, deployer obligations (Article 26), human oversight requirements (Article 14), logging mandates (Article 12), data governance (Article 10), and risk management (Article 9). Organizations should be preparing now, as building compliance infrastructure takes months.

EU AI Act Compliance

EU AI ActIndustry Cross-Reference

EU AI Act Compliance for Healthcare AI

Healthcare AI systems are classified as high-risk under EU AI Act Annex III Area 5. Areebi provides the risk management, human oversight, and documentation controls that high-risk classification demands.

The Compliance Challenge

Healthcare AI is classified as high-risk under multiple Annex III categories, triggering the EU AI Act's most demanding compliance requirements

Conformity assessment for medical device AI requires technical documentation and risk management evidence that most AI platforms do not generate

Human oversight requirements mandate that clinicians can intervene in AI-assisted decisions, but AI platforms lack override and review mechanisms

Ongoing compliance monitoring is mandatory for high-risk healthcare AI but requires continuous logging and risk assessment capabilities that general platforms lack

How Areebi Helps You Comply

High-Risk Compliance Framework

Controls mapped to all six EU AI Act high-risk obligations: risk management (Art. 9), data governance (Art. 10), documentation (Art. 11), logging (Art. 12), transparency (Art. 13), and oversight (Art. 14).

Conformity Assessment Support

Platform generates technical documentation, risk management records, and testing evidence required for conformity assessments under Article 43.

Human Oversight Mechanisms

AI outputs can require human review before clinical action. Override controls allow clinicians to intervene. All decisions and interventions are logged for compliance evidence.

Continuous Risk Monitoring

Real-time monitoring of AI performance, anomaly detection, and risk indicators. Supports the ongoing risk management that Article 9 mandates throughout the AI system lifecycle.

Health Data Governance

DLP and workspace controls enforce data quality, bias detection, and special category data protections required by Article 10 for healthcare AI training and operational data.

Healthcare AI Under the EU AI Act's High-Risk Classification

The EU AI Act classifies healthcare AI as high-risk under Annex III, Area 5 (Access to essential private and public services). AI systems used as safety components of medical devices, or AI systems that are medical devices themselves, fall under Annex I, Section A. This dual classification means virtually every healthcare AI application, from clinical decision support to diagnostic assistance to patient triage, must comply with the Act's most demanding requirements.

High-risk classification under the EU AI Act triggers mandatory obligations across six domains: risk management systems (Article 9), data governance (Article 10), technical documentation (Article 11), record-keeping (Article 12), transparency (Article 13), and human oversight (Article 14). These requirements apply to providers, deployers, importers, and distributors of healthcare AI systems.

Areebi enables healthcare organisations to meet EU AI Act high-risk requirements through built-in documentation and logging, data governance controls, and human oversight mechanisms that satisfy the Act's prescriptive obligations.

Annex III Area 5: Healthcare AI Classification

Annex III Area 5 covers AI systems intended to be used to evaluate the eligibility of natural persons for essential private and public services and benefits, including healthcare services. This encompasses AI systems that assess patient eligibility for treatments, triage patients, prioritise healthcare resource allocation, or evaluate health insurance coverage.

Separately, AI systems that qualify as medical devices under Regulation (EU) 2017/745 (MDR) are classified as high-risk under Annex I, Section A. This includes AI-based diagnostic tools, clinical decision support systems with a medical purpose, and AI systems that process medical data for clinical conclusions. The intersection of the AI Act and MDR creates a comprehensive regulatory framework for healthcare AI.

Conformity Assessment for Healthcare AI

High-risk healthcare AI systems must undergo conformity assessment (Article 43) before being placed on the EU market. For AI systems covered under Annex I (medical devices), the conformity assessment follows the procedure established by the relevant medical device regulation, which typically involves a notified body. For Annex III systems, providers may conduct internal conformity assessments with quality management systems per Article 17.

Areebi supports conformity assessment by providing the technical documentation, risk management records, testing evidence, and ongoing monitoring data that assessments require. The platform's comprehensive logging generates the continuous compliance evidence needed to maintain conformity throughout the AI system's lifecycle.

How Areebi Supports EU AI Act Compliance for Healthcare AI

Areebi addresses the EU AI Act's healthcare requirements through controls mapped to each high-risk obligation. Risk management (Article 9) is supported through continuous monitoring of AI interactions, anomaly detection, and risk assessment documentation that demonstrates ongoing compliance. Data governance (Article 10) is enforced through the DLP engine and workspace data controls that ensure training and operational data meets the Act's quality requirements.

Technical documentation (Article 11) is generated from platform metadata including system configurations, processing logic documentation, data flow maps, and performance monitoring records. Record-keeping (Article 12) is satisfied through immutable audit logs that capture every AI interaction with full provenance. Transparency (Article 13) is addressed through user-facing documentation of AI capabilities and limitations.

Human oversight (Article 14) is built into Areebi's architecture. Healthcare AI outputs are logged and can be configured to require human review before clinical action. Override mechanisms allow clinicians to intervene in AI-assisted processes, and all interventions are documented in the audit trail.

EU AI Act Compliance Checklist

Classify healthcare AI systems under EU AI Act risk categories (Annex I medical devices, Annex III Area 5 health services)

Implement a risk management system per Article 9 with continuous monitoring and periodic review throughout the AI lifecycle

Establish data governance controls per Article 10, including data quality, bias detection, and special category data protections

Generate and maintain technical documentation per Article 11 covering system design, capabilities, limitations, and performance metrics

Activate immutable record-keeping per Article 12 logging all AI interactions, decisions, and system events

Provide transparency documentation per Article 13 informing users of AI capabilities, intended purpose, and known limitations

Implement human oversight mechanisms per Article 14 including review requirements and clinician override controls

Prepare for conformity assessment per Article 43 with evidence documentation and quality management system alignment

Frequently Asked Questions

Is healthcare AI classified as high-risk under the EU AI Act?

Yes. Healthcare AI falls under high-risk classification through two pathways. AI systems that are medical devices or safety components of medical devices are classified under Annex I, Section A. AI systems used for access to healthcare services are classified under Annex III, Area 5. Both classifications trigger the full set of high-risk obligations including risk management, data governance, documentation, logging, transparency, and human oversight.

What does the EU AI Act require for human oversight of clinical AI?

Article 14 requires that high-risk AI systems are designed to allow effective human oversight during use. For clinical AI, this means clinicians must be able to understand AI outputs, monitor system performance, intervene when necessary, and override AI recommendations. The system must not induce over-reliance and must clearly communicate when AI confidence is low. Areebi supports these requirements through configurable review workflows and intervention logging.

How does the EU AI Act interact with the Medical Device Regulation for AI?

AI systems that qualify as medical devices under MDR (Regulation 2017/745) must comply with both the MDR and the EU AI Act. The conformity assessment follows the MDR procedure, typically involving a notified body. The EU AI Act adds requirements for risk management, data governance, transparency, and human oversight that supplement existing MDR obligations. Areebi helps providers satisfy the AI Act layer through built-in controls.

When do EU AI Act healthcare requirements take effect?

The EU AI Act entered into force on 1 August 2024, with high-risk system obligations applying from 2 August 2026. Healthcare AI providers and deployers must be fully compliant by this date. Given the complexity of conformity assessments, technical documentation, and quality management systems, healthcare organisations should begin compliance preparations now.

Related Resources

Ready to achieve EU AI Act compliance for your AI?

See how Areebi maps to EU AI Act requirements with a personalised demo.

Get a Demo Free AI Risk Assessment

Healthcare AI Under the EU AI Act's High-Risk Classification

Annex III Area 5: Healthcare AI Classification

Conformity Assessment for Healthcare AI

How Areebi Supports EU AI Act Compliance for Healthcare AI