EU AI Act Compliance Tools

EU AI Act compliance tools in this directory are products and services that help organizations create evidence for EU AI Act readiness — record-keeping under Article 12, documentation retention under Article 18, automatically generated logs under Article 19, deployer obligations (Article 26), explanation workflows under Article 86, and Annex III high-risk system requirements. Included in this category are AI governance tools that map to EU AI Act articles, evidence-bundle generators for AI Act audit packages, fundamental rights impact assessment tooling, and productized regulatory services that output Act-aligned evidence. Out of scope are general legal advisory, generic GRC platforms without AI Act mappings, and tools that mention the EU AI Act without producing Act-specific evidence.

Buyers are solving a time-and-proof problem: when a national authority or a procurement counterparty requests EU AI Act evidence on a specific high-risk system, can they produce a defensible package that maps to the Articles and Annex III sub-categories in scope? They also evaluate whether artifacts are versioned, date-stamped, and traceable to system versions and owners so that, months later, the same bundle can be re-verified without ambiguity. Evidence that cannot be traced to a requirement or tied to a stable artifact is difficult to defend.

The ladder defines how deeply a claim has been examined. Listed indicates the vendor operates in EU AI Act compliance tooling; no specific Act claim has been reviewed. Vendor-submitted means the vendor has supplied Act-mapped documentation, sample audit bundles, or Article coverage matrices. Public-source reviewed means CertifiedData confirmed those coverage claims against public documentation. Evidence-reviewed means primary evidence was assessed — real bundles produced by the tool, Article mappings compared against current regulatory text, and completeness relative to the asserted Annex III sub-category. Here, “supports EU AI Act compliance” is tested against “the artifacts would withstand a competent authority’s evidence review.”

Certified applies to specific EU AI Act evidence bundles for a particular high-risk AI system on a defined date. The bundle is content-addressed with SHA-256, canonicalized if JSON-based via RFC 8785 JCS, and signed using Ed25519 so any reviewer can verify the signature with a public key. Certification adds tamper-evidence and independent verifiability across handoffs and time. It does not assert that the bundle is sufficient under the EU AI Act; sufficiency is a regulatory determination. Certification proves that the reviewed bundle is the same as the bundle that was originally issued.