The EU AI Act entered into force on 1 August 2024. It is not a framework under consultation. It is not a proposal awaiting ratification. It is law, and its application timeline is already running. Organizations deploying AI in European contexts need to understand what it requires, not what it might eventually require.

This is a practical overview of what the EU AI Act demands from operators of high-risk AI systems. It is not a legal opinion and does not constitute legal advice. For compliance decisions, consult qualified legal counsel.

The Application Timeline

The EU AI Act has a phased implementation schedule. Prohibitions on unacceptable-risk AI systems applied from 2 February 2025. Requirements for General-Purpose AI models and their providers applied from 2 August 2025. The full set of requirements for high-risk AI systems apply from 2 August 2026. Organizations have until that date to bring their high-risk deployments into compliance, but preparatory obligations, including governance frameworks and technical infrastructure, require action well in advance.

What Triggers High-Risk Classification

High-risk AI systems are defined in Annex III of the Act. The categories include AI used in critical infrastructure, educational or vocational training, employment and workforce management, access to essential private and public services, law enforcement, migration and border control, administration of justice, and democratic processes.

For most enterprise organizations, the categories that will trigger classification are employment and workforce management (including CV screening, performance monitoring, and recruitment tools), credit and insurance scoring, and any AI system that makes or materially influences decisions about access to services. If your organization uses AI to evaluate employees, screen applicants, score creditworthiness, or assist in regulatory decisions, high-risk classification almost certainly applies.

What the Act Actually Requires

Three articles define the core operational requirements for high-risk AI systems.

Article 12 requires logging. High-risk systems must automatically log events throughout their operational lifecycle. Logs must capture the start and end date of each period of use, the reference database used when the system checked against a database, the input data that led to a given result where technically feasible, and the identity of the natural persons involved in verification of results. Logs must be retained for a period defined by applicable regulation, with a minimum of six months unless sector-specific rules require longer.

Article 13 requires transparency. High-risk AI systems must be designed to enable operators to interpret their outputs and use them appropriately. Instructions for use must cover the system's intended purpose, performance characteristics, known limitations, and the human oversight measures appropriate to the deployment context. This is not a documentation exercise. Regulators will ask for evidence that your organization understood the system's limitations before deploying it.

Article 14 requires human oversight. High-risk systems must be designed to allow natural persons to oversee their functioning. This means organizations must identify qualified persons responsible for oversight, ensure those persons have the training and authority to intervene, and document how oversight is implemented in practice. The ability to stop a system or override its outputs is a minimum requirement, not a sufficient one. Regulators expect documented procedures, not just technical capability.

The Penalty Tiers

Penalties under the EU AI Act are tiered by violation type. Violations of prohibited practice provisions carry fines of up to 35 million euros or 7 percent of global annual turnover, whichever is higher. Violations of obligations for high-risk AI systems, including logging, transparency, and oversight requirements, carry fines of up to 15 million euros or 3 percent of global annual turnover. Providing incorrect information to authorities carries up to 7.5 million euros or 1 percent of global turnover. Fines are calculated on global turnover, not European turnover. For large organizations, 3 percent of global turnover is a material penalty.

What Organizations Need to Implement

Compliance requires infrastructure, not just policy. The logging obligation under Article 12 requires technical systems that can capture and retain structured audit data about AI system inputs, outputs, and decisions. Application-layer logs maintained by the AI system operator are the minimum, but they have a limitation: they are controlled by the same party whose compliance is being assessed. When an audit or enforcement investigation requires verification, operator-controlled logs can be disputed.

On-chain audit trails provide an independent verification layer. A cryptographic hash of an AI system's output, committed to a blockchain at the time of production, creates a tamper-evident record that does not depend on the operator to maintain its integrity. Any party, including a regulator, can verify that the recorded output matches the produced output without relying on the operator's word.

Mintlayer's Compliance Sentinel is designed to provide on-chain audit trail infrastructure for AI systems operating in regulated environments. It captures AI outputs, timestamps them on Bitcoin-anchored settlement infrastructure, and produces verifiable records suitable for regulatory examination.

‍

This article is for informational purposes only and does not constitute investment advice.

‍

Mintlayer Web Services helps organizations build on Bitcoin-native infrastructure. Learn more →