CertifiedData.io
EU AI Act · Evidence Workflows

EU AI Act

The August 2026 deadline for high-risk AI obligations is fixed. The technical documentation, record-keeping, and post-market monitoring requirements aren't. The evidence layer is what changes.

CertifiedData turns AI decisions and artifacts into tamper-evident, auditor-ready records. Practical evidence workflows for every article that asks for one.

Deadlines

The Act phases obligations in over three years. The high-risk window — Articles 9–15 — opens in August 2026.

DateMilestone
Feb 2025Prohibitions
Aug 2025GPAI obligations
Aug 2026High-risk AI systems
Aug 2027Embedded high-risk AI

Who this is for

The Act has different obligations for different roles. Pick the row that matches yours — the rest of the hub is laid out so you can scan from there.

Compliance officer

You need to map each high-risk AI system to its applicable articles and prove the obligations are met before August 2026. Start with the Compliance guide, then move to the article-by-article navigator.

Compliance guide →
Engineering lead

You need to know what records the platform must emit, what fingerprints to capture, and what counts as a tamper-evident log. Start with Article 12 logging, then jump into the CertifiedData evidence layer.

Article 12 logging →
Product / risk lead

You need to classify systems against Annex III, run the FRIA when applicable, and make sure the operating model lines up. Start with Annex III, then Article 27.

Annex III →
Internal audit

You need a checklist of what to verify, when, and with what evidence. Start with the audit-readiness checklist. The article navigator below is your reference grid.

Audit checklist →
Deployer (operating someone else's high-risk system)

Your obligations differ from the provider's. Article 26 sets the operational duties; Article 86 sets the explanation right; Article 27 governs the impact assessment. Start with Article 26.

Article 26 →
GPAI model provider

Your obligations took effect in August 2025. They focus on documentation, copyright policy, and downstream-deployer transparency rather than runtime record-keeping. Coverage for this audience lives in the broader articles cluster.

Article 11 →

Articles by intent

Organized by what you're trying to figure out, not by article number.

Technical documentation

Article 11 + Annex IV: what regulators expect to see.

Transparency, oversight, performance

Articles 13, 14, 15 — runtime obligations for high-risk systems.

Deployer + downstream obligations

If you operate a high-risk AI system (rather than develop it).

Post-market monitoring + incidents

After deployment: monitoring, reporting, serious incidents.

The CertifiedData evidence layer

How CertifiedData turns each obligation into a verifiable record. The same primitives apply across all articles that ask for evidence.

Sign every decision

Decision Ledger records each AI system decision as a structured, Ed25519-signed event — input context, model version, decision label, policy reference, outcome, and the chain hash linking it to the previous record. Tamper-evident by construction.

Decision Ledger →

Bind decisions to certified artifacts

Every decision references the certificate IDs of the model artifact and training data that produced it. Auditors can trace any outcome back to the certified inputs — without trusting the platform.

AI artifact certification →

Verify independently

All signed records are verifiable using the published public key. Regulators, auditors, and downstream parties validate offline — no platform access, no API agreement required.

Verify a record →

Common questions

Cross-cutting questions about scope, deadlines, and what CertifiedData does and does not certify. Article-specific questions are covered on the dedicated article pages.

Does the August 2026 deadline mean everything must be in place by that date?

The Articles 9–15 obligations for high-risk AI systems become enforceable on that date — but the system must be conformant when it is placed on the market or put into service, whichever is later. Systems put into service after the deadline must meet the obligations from day one. Systems already in operation get the deadline window to catch up.

Is every AI system a high-risk system?

No. The Act categorizes systems into prohibited (Article 5), high-risk (Annex III + Annex I), limited-risk (transparency obligations only, e.g. chatbots), and minimal-risk (no specific obligations). Most enterprise AI systems sit in limited or minimal risk. The high-risk classification is what triggers the heavy Articles 9–15 stack.

Are providers and deployers held to the same obligations?

No. Providers (those who develop and place a system on the market) carry the bulk of the obligations — risk management, technical documentation, conformity assessment, post-market monitoring. Deployers (those who use a high-risk system in their own operations) have a narrower set of duties focused on operating it within the provider's instructions and protecting affected persons (Articles 26 + 27 + 86).

Does Article 12 require keeping every log forever?

Article 12 requires logs that enable traceability over the system's lifecycle and access by competent authorities. The retention period is set by the provider based on the intended purpose and a minimum of six months unless other Union or national law applies. The records must be tamper-evident and traceable — which is what the CertifiedData evidence layer addresses directly.

Will CertifiedData certify my AI system as EU AI Act compliant?

No. CertifiedData provides verifiable evidence primitives — signed decision records, certified artifacts, independent verification. Compliance is determined by conformity assessment (Article 43) by notified bodies for the specific classes that require it. Our records make that assessment easier and the audit cheaper; they are not themselves a compliance certificate.

What does 'tamper-evident' mean in this context?

A tamper-evident record is one where any modification after issuance is detectable using only public information. CertifiedData records are SHA-256 fingerprinted, Ed25519 signed, and chain-linked — so anyone with the public signing key can verify that a record existed at the certified timestamp and has not been altered. This is stronger than mutable logs and weaker than physically immutable storage. It is the property the Act's record-keeping obligations practically need.

Machine-readable summary

{
  "concept": "EU AI Act",
  "concept_type": "regulatory-hub",
  "canonical_url": "https://certifieddata.io/eu-ai-act",
  "hreflang": [
    "en",
    "fr",
    "de"
  ],
  "deadline_high_risk": "2026-08-02",
  "obligation_areas": [
    "risk_management",
    "data_governance",
    "technical_documentation",
    "record_keeping",
    "transparency",
    "human_oversight",
    "accuracy_robustness_cybersecurity",
    "post_market_monitoring",
    "incident_reporting"
  ],
  "key_articles": [
    "Article 9",
    "Article 10",
    "Article 11",
    "Article 12",
    "Article 13",
    "Article 14",
    "Article 15",
    "Article 18",
    "Article 19",
    "Article 26",
    "Article 27",
    "Article 72",
    "Article 73",
    "Article 86"
  ],
  "certifieddata_evidence_layer": {
    "decision_records": "/decision-ledger",
    "artifact_certification": "/ai-artifact-certification",
    "independent_verification": "/verify"
  },
  "positioning": "Tamper-evident, auditor-ready records for every article that asks for one.",
  "claim_boundary": "CertifiedData provides verifiable evidence primitives. It does not certify legal compliance or regulator approval."
}

Build your evidence layer

Decision Ledger signs every AI decision. AI artifact certification proves what data and models were used. Verification works for any party — without trusting the platform.

EU AI Act — Evidence Workflows for High-Risk AI Systems | CertifiedData | CertifiedData