Researchers Propose 'Compliance Cards' for EU AI Act
What happened
A research initiative from Cambridge and UK partners has introduced "Compliance Cards," a machine-readable tool for automating compliance with the EU AI Act. The system is designed to create a digital audit trail for complex AI supply chains by encoding obligations, risk levels, and evidence for each component.
Why it matters
- The EU AI Act uses a four-tiered risk classification system: unacceptable, high, limited, and minimal. High-risk systems are not banned but are subject to the strictest regulations, with non-compliance fines reaching up to €35 million or 7% of global turnover.
- AI systems are classified as high-risk if they are used in sensitive areas listed in the Act's Annex III, such as management of critical infrastructure, educational and vocational training, employment and recruitment, and biometric identification.
- Providers of high-risk AI systems must establish and maintain extensive technical documentation, implement a risk management system for the AI's entire lifecycle, ensure robust data governance, and provide for human oversight to minimize risks.
- The concept of machine-readable regulation is already applied in other regulated sectors like finance and healthcare to automate compliance monitoring and reporting, providing a precedent for the "Compliance Cards" proposal.
- The rules for providers of high-risk AI systems will become fully applicable on August 2, 2026, creating a concrete deadline for organizations to establish compliance mechanisms.
- The Act distinguishes between "providers" (who develop an AI system) and "deployers" (who use it), assigning distinct compliance obligations to each, which is critical for assigning responsibility in a supply chain.
- The documentation burden is a significant challenge, particularly for small and medium-sized businesses (SMBs), which may lack the resources to produce and maintain the required compliance evidence manually.
- The research originates from a collaboration including the University of Cambridge, which is also home to research initiatives like the AI Agent Index and the Leverhulme Centre for the Future of Intelligence that focus on AI safety, transparency, and auditing.
Key numbers
- High-risk systems are not banned but are subject to the strictest regulations, with non-compliance fines reaching up to €35 million or 7% of global turnover.
- The rules for providers of high-risk AI systems will become fully applicable on August 2, 2026, creating a concrete deadline for organizations to establish compliance mechanisms.
What happens next
- The rules for providers of high-risk AI systems will become fully applicable on August 2, 2026, creating a concrete deadline for organizations to establish compliance mechanisms.
- The documentation burden is a significant challenge, particularly for small and medium-sized businesses (SMBs), which may lack the resources to produce and maintain the required compliance evidence manually.