EU AI Act Compliance Checker

Answer 7 quick questions to see whether your AI use case is likely in scope and what your team should do next.

Frequently Asked Questions

This tool evaluates your AI use case against key criteria of the EU AI Act — including who you are (builder, integrator, or deployer), where your AI operates, what it does, and who it affects. Based on your answers, it tells you whether you’re likely in scope and what your next steps should be.

No. The result is an indicative assessment based on publicly available information about the EU AI Act. It’s designed to help you orient your compliance thinking, not replace legal advice. We recommend consulting a qualified legal or compliance professional for a formal determination.

Yes, obligations are being phased in, but the timeline is already running. Prohibited AI practices were banned as of February 2025. High-risk AI system obligations apply from August 2026. GPAI (general-purpose AI) model rules are already in effect. Starting your readiness assessment now gives you time to build compliant systems rather than retrofit them.

The Act classifies AI systems into four levels: Unacceptable risk (banned outright, e.g., social scoring by governments), High risk (requires conformity assessments and documentation, e.g., AI in hiring, healthcare, or law enforcement), Limited risk (transparency obligations, e.g., chatbots), and Minimal risk (no specific obligations, e.g., spam filters).

Yes, potentially. The EU AI Act has extraterritorial reach, similar to GDPR. If your AI system is placed on the EU market, used by people in the EU, or produces outputs that affect people in the EU, you may be in scope regardless of where your company is headquartered.

If you integrate ChatGPT or Claude into your product, you are most likely a provider under the EU AI Act, not just a deployer. The Act treats the AI system you ship to customers, such as your chatbot or AI-powered feature, as a separate system from the foundation model behind it. OpenAI, Anthropic, and Google are general-purpose AI (GPAI) providers under Chapter V, while you are the provider of the AI system built on top of their model. Both roles apply independently, so integrating a third-party model under your own product name means you inherit provider obligations for the system you built.

Yes, the EU AI Act applies to a US-based company in most cases, even when the company has no EU offices. Article 2 of the Act applies to providers and deployers regardless of where the company is incorporated, with the jurisdictional trigger being whether the AI system’s output is used inside the EU.

Go through three checks in order. First, your AI is high-risk under Annex I if it is a safety component of a regulated product such as a medical device, automotive component, or industrial machinery. Second, your AI is high-risk under Annex III if its intended purpose falls in one of eight sensitive areas (biometrics, critical infrastructure, education, employment, essential services, law enforcement, migration, or justice), unless it qualifies for the Article 6(3) escape clause for narrow procedural or preparatory tasks. If neither Annex applies, your AI is limited-risk under Article 50 transparency rules when it generates content, interacts with people, or produces deepfakes, and is otherwise minimal-risk with no specific obligations.

Sprinto helps with EU AI Act compliance by auto-mapping your existing SOC 2, ISO 27001, ISO 42001, GDPR, and NIST AI RMF controls to the specific EU AI Act Articles that apply to your company. Three capabilities matter most: shadow AI detection surfaces every AI tool in your environment (including those employees introduced informally), cross-framework mapping reuses the evidence you have already produced for other frameworks, and continuous monitoring keeps your program from drifting after launch by flagging stale evidence and new vendor AI features that need assessment.