EU AI Act
The EU AI Act (Regulation 2024/1689) is the world's first comprehensive AI
regulation. High-risk requirements take effect August 2, 2026.
CRP implements 33 of 35 technical controls required for high-risk AI systems.
Risk Classification (Article 6)
CRP includes a built-in risk classifier aligned with the EU AI Act's risk
categories:
| Risk Level |
EU AI Act Category |
CRP Response |
| Unacceptable |
Art. 5 — Prohibited practices |
Blocks deployment |
| High |
Art. 6 — Annex III systems |
Full compliance suite |
| Limited |
Art. 52 — Transparency obligations |
Transparency declarations |
| Minimal |
Remaining systems |
Standard operation |
assessment = client.risk_classifier.assess(
category="employment",
intended_purpose="Resume screening for job applications",
processes_personal_data=True,
makes_automated_decisions=True,
affects_fundamental_rights=True,
safety_critical=False,
profiles_individuals=True,
)
print(f"Risk level: {assessment.risk_level.value}")
print(f"Category: {assessment.system_category.value}")
print(f"Mitigations: {assessment.mitigations}")
Article-by-Article Mapping
Article 9 — Risk Management System
| Requirement |
CRP Implementation |
| Identify and analyze known/foreseeable risks |
RiskClassifier.assess() with 7 risk dimensions |
| Estimate and evaluate risks |
Quality tier system (S/A/B/C/D) with degradation formulas |
| Adopt risk management measures |
Automatic mitigations per risk level |
| Testing procedures |
1,473+ automated tests, live verification suite |
Article 10 — Data and Data Governance
| Requirement |
CRP Implementation |
| Training data quality |
3-tier fact validation gate (structural, confidence, anomaly) |
| Data governance practices |
Event-sourced fact model with full provenance |
| Bias examination |
Content complexity routing, multi-aspect decomposition |
| Relevant data characteristics |
Fact graph with typed relationships |
Article 11 — Technical Documentation
| Requirement |
CRP Implementation |
| Detailed description of AI system |
9 specification documents |
| Elements of the AI system |
Full protocol specification (§1–§9) |
| Monitoring and functioning |
Quality reports, telemetry, session status |
Article 12 — Record-Keeping
| Requirement |
CRP Implementation |
| Automatic recording of events |
HMAC-SHA256 chained audit trail |
| Traceability throughout lifecycle |
Window DAG with provenance tracking |
| Identification of input data |
Fact lineage tracking from ingest to output |
| Tamper evidence |
BLAKE3 hashing + HMAC chain signing |
# Verify audit trail integrity
is_valid, broken_at = client.compliance_audit.verify_chain()
entries = client.compliance_audit.entry_count
print(f"Chain valid: {is_valid}")
print(f"Entries: {entries}")
Article 13 — Transparency
| Requirement |
CRP Implementation |
| Sufficient transparency for users |
Quality tier reports, envelope preview |
| Instructions for use |
Comprehensive documentation + demo app |
| Capabilities and limitations |
Honest degradation reporting per quality tier |
Article 14 — Human Oversight
| Requirement |
CRP Implementation |
| Human oversight measures |
HumanOversightController with 4 levels |
| Understanding AI capabilities |
Quality reports + session status |
| Ability to override |
APPROVAL and CONTROL levels require human action |
| Ability to interrupt |
Session close, budget caps, timeouts |
# Configure human oversight level
from crp.security import HumanOversightLevel
client.human_oversight.level = HumanOversightLevel.APPROVAL
# Now all dispatches require human approval before execution
level = client.human_oversight.level
print(f"Oversight: {level.value}")
Oversight Levels:
| Level |
Behavior |
NONE |
Fully autonomous |
INFORMED |
Humans notified of all operations |
APPROVAL |
Humans must approve before dispatch |
CONTROL |
Humans control every step |
Article 15 — Accuracy, Robustness, Cybersecurity
| Requirement |
CRP Implementation |
| Appropriate accuracy levels |
Quality tiers with degradation formulas |
| Robustness |
8-layer security architecture |
| Cybersecurity measures |
AES-256-GCM, HMAC-SHA256, RBAC |
| Resilient to errors |
3-tier fact validation, echo detection, re-grounding |
Article 17 — Quality Management System
| Requirement |
CRP Implementation |
| Quality management system |
Event-sourced fact model, quality gates, QualityReport |
| Documented procedures |
9 specification documents + RFC process |
| Record-keeping obligations |
Append-only event log, snapshots every 50 windows |
Coverage Gap
CRP implements 33/35 controls. The 2 gaps are:
- Notified body notification — Organizational process, not technical
- Post-market monitoring plan — Requires operational deployment data
Note
Both gaps are organizational/procedural — CRP provides the technical
infrastructure for compliance. The organizational processes sit on top.
EU AI Act Timeline
2024 Aug ─── EU AI Act enters into force
2025 Feb ─── Prohibited practices (Art. 5) apply
2025 Aug ─── GPAI rules (Art. 51-54) apply
2026 Aug ─── HIGH-RISK REQUIREMENTS APPLY ← YOU ARE HERE
2027 Aug ─── Full enforcement
Deadline
High-risk AI system requirements under Articles 6–17 apply from
August 2, 2026. Penalties: up to €35 million or 7% of global
annual turnover, whichever is higher.