EU AI Act Registration FAQ

Yes. Article 2 of the EU AI Act applies to providers placing AI systems on the EU market or whose AI output is used in the EU, regardless of where the provider is established. If your AI system processes data about EU residents, makes decisions affecting EU users, or is deployed by EU-based customers, you are likely in scope. See our full analysis for US companies.

Article 71 establishes an EU-wide database for high-risk AI systems. Providers (or their authorised representatives) must enter specific information about their high-risk AI systems into this database before placing them on the market. The database is publicly accessible to promote transparency.

Following the Digital Omnibus political agreement of 7 May 2026 (Strasbourg, Cypriot Presidency), Annex III high-risk obligations apply 2 December 2027 (deferred from 2 August 2026). Annex I embedded high-risk products move to 2 August 2028 (deferred from 2 August 2027).

Operational deadlines unchanged: 2 August 2026 — Article 50 transparency obligations and AI Office full enforcement powers; 2 December 2026 — new Article 5 prohibition on AI-generated NCII/CSAM and Article 50(2) watermarking grandfathering close. Until OJEU publication, the original AI Act dates remain legally binding. See the complete timeline.

Article 99 establishes three tiers: up to EUR 35M or 7% of global turnover for prohibited practices, up to EUR 15M or 3% for high-risk system violations (including registration failures), and up to EUR 7.5M or 1% for incorrect information. The Digital Omnibus introduces additional protections for Small Mid-Caps (50–500 employees, €10M–€100M turnover). See our full penalty breakdown.

Annex III lists eight areas: biometrics, critical infrastructure, education, employment, essential services (credit/insurance), law enforcement, migration/border control, and administration of justice. See our detailed Annex III guide.

Yes, if you are a provider established outside the EU. Article 22 requires non-EU providers to appoint an authorised representative in the EU by written mandate before making high-risk AI systems available on the EU market. SecureFound, our strategic partner established in Adeje, Tenerife (Spain), holds this mandate under both Articles 22 (high-risk) and 54 (GPAI), covering all 27 EU Member States from a single appointment with AESIA as the coordinating home authority. See our Article 22 guide.

The two organisations deliver one transatlantic compliance engagement across two jurisdictions. Lexara Advisory (New York) handles the US-side gap audit, Annex IV technical documentation, and conformity assessment guidance. SecureFound (Spain), led by bar-admitted attorneys, holds the European Authorised Representative mandate under Articles 22 and 54, faces national market surveillance authorities and the EU AI Office, and maintains the statutory 10-year documentation custody with EU data residency. The partnership is publicly stated on both companies' websites. Visit securefound.com.

Annex IV specifies the mandatory technical documentation that providers of high-risk AI systems must prepare under Article 11. It covers system description, design specifications, training data governance, risk management, testing results, cybersecurity measures, and more. See our Annex IV documentation guide.

No. While SOC 2 and ISO 27001 partially overlap with cybersecurity requirements, they do not satisfy Annex IV's specific AI-related documentation requirements, particularly around training data governance, bias assessment, human oversight specifications, and risk management specific to AI systems. Existing certifications can accelerate certain sections, but cannot substitute for Annex IV compliance.

End-to-end — from inventory through database submission — takes a minimum of 8–12 weeks for a single system. Companies with multiple high-risk systems should plan for 3–6 months. The most time-consuming step is typically Annex IV technical documentation (4–6 weeks per system). The post-trilogue runway to 2 December 2027 is meaningful but not unlimited. See our step-by-step guide.

Lexara Advisory LLC is an AI governance consulting firm based in New York City, founded by Constantin Razvan Gospodin, a European lawyer admitted to the Spanish Bar (ICATF nº 5961) with over 10 years of legal practice across EU jurisdictions. Lexara specializes in EU AI Act compliance for US companies and operates in strategic partnership with SecureFound (Spain) for EU Authorised Representative mandates. Lexara Advisory is a consulting firm, not a law firm.

If your AI system exclusively affects US users with no EU connection, the EU AI Act generally does not apply. However, if any EU residents use your product, if your system is available to EU-based deployers, or if your AI output influences decisions about EU persons, extraterritorial scope under Article 2 likely applies. When in doubt, a classification assessment is the prudent approach.