While high-risk system obligations under Annex III have been deferred to December 2, 2027 via the Digital Omnibus amendment, Article 50 transparency requirements are unchanged and apply August 2, 2026. Any AI agent interacting with humans must disclose it is AI. Gateplex's audit trail and transparency reporting supports Article 50 compliance today.
The Digital Omnibus amendment has reached provisional political agreement but is not yet formally enacted into law. Enterprises should treat December 2, 2027 as the operative planning baseline while maintaining compliance readiness for August 2026 Article 50 obligations.
The Act regulates high-risk AI systems with specific obligations on providers and deployers.
Agents acting on financial, healthcare, employment, or legal decisions are classified as high-risk under Annex III.
Standard JSON server logs do not satisfy Article 12. Gateplex generates a cryptographically tamper-evident, hash-chained audit trail that cryptographically verifies every agent action.
Effective oversight by humans, with the ability to intervene or interrupt the system.
Detailed records of design, intended purpose, risk management, and post-market monitoring.
Users must be informed they are interacting with an AI system, and outputs labeled where required.
Continuous risk assessment and mitigation across the full lifecycle of the AI system.
Every requirement maps to a concrete Gateplex feature you can demonstrate to an auditor today.
| EU AI Act requirement | Gateplex feature |
|---|---|
| Human oversight (Article 14) | Real-time enforcement with hard-block + human-in-the-loop approval flows |
| Automatic logging (Article 12) | Tamper-evident, hash-chained audit trail of every agent action |
| Transparency reporting | One-click compliance PDF export, scoped per agent and date range |
| Technical documentation | Versioned guardrail policies and signed configuration history |
| Risk management & monitoring | Live feed, anomaly detection, PII detection, and prompt-injection guards |
| Data governance | EU data residency, redaction of personal data before storage |
Hash computed server-side at insert time. Each record stores its own SHA-256 hash and the hash of the preceding record.
Core architecture Patent Pending (USPTO)
A pre-configured guardrail preset that enforces the specific requirements of EU AI Act Articles 12 and 14 across every agent in your project. Turn it on with a single click - no policy authoring, no custom rules.
Automatically denies high-risk operations in credit scoring, employment, healthcare, education, and law enforcement contexts.
Every agent action is recorded to a tamper-evident, hash-chained log that satisfies Article 12 traceability obligations.
Sensitive actions are routed to a human-in-the-loop approval queue with intervention and interruption controls.
A zero-risk proof of concept for EU AI Act readiness. Gateplex runs silently behind your existing agent pipelines for 30 days, no code changes, no architecture rework, no disruption. At the end, you receive a compliance gap report showing exactly where agents attempted Annex III high-risk actions, violated Article 12 logging requirements, or bypassed Article 14 oversight.
Runs in read-only shadow mode behind your current stack. Agents continue unchanged while we record every decision point.
A prioritized breakdown of non-compliant actions mapped to Annex III risk categories, Article 12, and Article 14 obligations.
No SDK installation, no proxy reconfiguration, and no downtime. Gateplex observes via API traffic mirroring.
Any organization deploying AI agents that affect EU customers or users - even if you are headquartered outside the EU.
The EU AI Act applies to any provider or deployer whose AI system's output is used in the EU - regardless of where your company is headquartered. If your agents process EU resident data or make decisions affecting EU citizens, you are bound by the full Annex III high-risk compliance framework.
Real-world example
US fintech → EU customers
A US-based fintech uses an AI agent to assess credit risk and insurance eligibility for applicants. When that agent evaluates an EU resident - even if the company has no EU office - the system is immediately classified as high-risk under Annex III. The company must implement Article 12 audit trails, Article 14 human oversight, and full technical documentation by the December 2, 2027 Annex III deadline, or face fines up to €35 million or 7% of global turnover for the most serious violations.
Gateplex sits between your existing API and your agent. No application refactoring, no model retraining, no architecture changes.
Pre-mapped guardrails for credit scoring, insurance, employment, healthcare, and law enforcement contexts.
Tamper-evident logs, human oversight queues, and compliance PDF exports that satisfy Article 12 and 14 obligations.
Fines for prohibited AI practices reach €35 million or 7% of global annual turnover. High-risk system violations: up to €15 million or 3% of global annual turnover, whichever is higher.
See how Gateplex maps to your EU AI Act obligations in a 30-minute walkthrough.
The Act entered into force in August 2024 and applies in phases. Prohibited AI practices are already enforced. General-purpose AI (GPAI) model obligations apply from August 2026. Under the EU AI Act Omnibus agreement of May 7, 2026, Annex III high-risk system obligations - which cover most autonomous agents acting in regulated domains - now apply from December 2, 2027. Because enterprise procurement cycles typically run 6 to 12 months, vendor selection should start now.
Yes. The Act applies to any provider or deployer whose AI system's output is used in the EU, regardless of where the company is established. This is similar to the extraterritorial reach of GDPR.
Foundation models themselves fall under general-purpose AI rules. Agents built on them become high-risk when used in domains listed in Annex III - credit scoring, employment decisions, healthcare, law enforcement, education, and similar contexts.
Article 12 requires automatic recording of events sufficient to trace the system's operation throughout its lifecycle. Logs must be tamper-evident and retained for an appropriate period - Gateplex's hash-chained logs satisfy this requirement.
Gateplex sits in front of every agent action and can enforce hard blocks, require human approval for sensitive operations, and surface real-time alerts to your operators - meeting the Article 14 obligation for effective human oversight.
Up to €35M or 7% of global annual turnover for prohibited practices; up to €15M or 3% for high-risk system violations; up to €7.5M or 1.5% for supplying incorrect information to authorities.
This page is for informational purposes and does not constitute legal advice.