EU AI Act Registration FAQ

Yes. Article 2 of the EU AI Act applies to providers placing AI systems on the EU market or whose AI output is used in the EU, regardless of where the provider is established. If your AI system processes data about EU residents, makes decisions affecting EU users, or is deployed by EU-based customers, you are likely in scope. See our full analysis for US companies.

Article 71 establishes an EU-wide database for high-risk AI systems. Providers (or their authorized representatives) must enter specific information about their high-risk AI systems into this database before placing them on the market. The database is publicly accessible to promote transparency.

August 2, 2026 for high-risk AI systems listed in Annex III. Systems embedded in products covered by Annex I legislation have until August 2, 2027. See the complete timeline.

Article 99 establishes three tiers: up to EUR 35M or 7% of global turnover for prohibited practices, up to EUR 15M or 3% for high-risk system violations (including registration failures), and up to EUR 7.5M or 1% for incorrect information. See our full penalty breakdown.

Annex III lists eight areas: biometrics, critical infrastructure, education, employment, essential services (credit/insurance), law enforcement, migration/border control, and administration of justice. See our detailed Annex III guide.

Yes, if you are a provider established outside the EU. Article 22 requires non-EU providers to appoint an authorized representative in the EU by written mandate before making high-risk AI systems available on the EU market. See our Article 22 guide.

Annex IV specifies the mandatory technical documentation that providers of high-risk AI systems must prepare under Article 11. It covers system description, design specifications, training data governance, risk management, testing results, cybersecurity measures, and more. See our Annex IV documentation guide.

No. While SOC 2 and ISO 27001 partially overlap with cybersecurity requirements, they do not satisfy Annex IV's specific AI-related documentation requirements, particularly around training data governance, bias assessment, human oversight specifications, and risk management specific to AI systems. Existing certifications can accelerate certain sections, but cannot substitute for Annex IV compliance.

End-to-end — from inventory through database submission — takes a minimum of 8–12 weeks for a single system. Companies with multiple high-risk systems should plan for 3–6 months. The most time-consuming step is typically Annex IV technical documentation (4–6 weeks per system). See our step-by-step guide.

Lexara Advisory LLC is an AI governance consulting firm based in New York City, founded by Constantin Razvan Gospodin, a European lawyer admitted to the Spanish Bar (ICATF nº 5961) with over 10 years of legal practice across EU jurisdictions. Lexara specializes in EU AI Act compliance for US companies. Lexara Advisory is a consulting firm, not a law firm.

If your AI system exclusively affects US users with no EU connection, the EU AI Act generally does not apply. However, if any EU residents use your product, if your system is available to EU-based deployers, or if your AI output influences decisions about EU persons, extraterritorial scope under Article 2 likely applies. When in doubt, a classification assessment is the prudent approach.