Which AI regulations apply to my organisation?

The regulations that apply depend on where your organisation is based, where your customers or affected individuals are located, and what your AI systems do. The EU AI Act applies to any organisation that places an AI system on the EU market or whose AI systems affect individuals in the EU — regardless of where the organisation is incorporated. ISO 42001 is a voluntary standard but increasingly expected by enterprise customers and auditors. NIST AI RMF is voluntary and US-focused but widely adopted globally. US state laws (Colorado, Illinois, Texas, California) apply if you have customers or employees in those states. Organisations with operations in multiple jurisdictions typically face overlapping requirements.

What is the EU AI Act compliance deadline?

The EU AI Act entered into force on 1 August 2024. Key compliance deadlines are: prohibited AI systems must be withdrawn by 2 February 2025; GPAI model providers must comply with transparency and copyright requirements by 2 August 2025; high-risk AI systems listed in Annex III (employment, education, law enforcement, etc.) must comply by 2 August 2026; and other high-risk AI systems (those in Annex I regulated by existing sectoral legislation) must comply by 2 August 2027. Organisations should begin compliance preparation immediately — the 2026 deadline for Annex III high-risk systems is the most impactful for most enterprises.

How does ISO 42001 relate to the EU AI Act?

ISO 42001 is an AI management system standard that provides a framework for managing AI responsibly. It is related to the EU AI Act in that implementing ISO 42001 will help organisations meet many EU AI Act requirements — particularly around governance structures, risk management, documentation, and accountability. However, ISO 42001 certification does not provide automatic EU AI Act compliance, and the EU AI Act has specific technical requirements (bias testing, explainability, accuracy benchmarks) that go beyond the ISO 42001 management system scope. The two frameworks are complementary — many organisations use ISO 42001 as the management backbone and map EU AI Act technical requirements on top.

What are the penalties for EU AI Act non-compliance?

EU AI Act penalties are tiered by violation type: deploying a prohibited AI system (Article 5 violations) carries fines of up to €35 million or 7% of global annual turnover, whichever is higher; non-compliance with other obligations for providers and deployers of high-risk AI systems carries fines of up to €15 million or 3% of global annual turnover; supplying incorrect or misleading information to national authorities carries fines of up to €7.5 million or 1.5% of global annual turnover. These penalties are comparable to GDPR enforcement levels and are applied per violation, not per organisation — multiple simultaneous violations could stack.

Get your Free 90 Days Gen AI Risk Discovery Trial -90 Days Gen AI Risk Trial -Start Now

Book a demo

Free TemplateRegulatory Compliance

AI Regulatory Compliance Tracker

Track compliance across the EU AI Act, NIST AI RMF, ISO 42001, and emerging US and UK AI regulations. Includes requirement mapping, gap analysis, and remediation tracking for your AI governance programme.

Updated March 2026 · 4 regulatory frameworks · Remediation tracking included

Download Template Book Demo

4 frameworks

EU AI Act, NIST, ISO 42001, emerging

Aug 2026

EU AI Act high-risk deadline

€35M

max penalty for prohibited AI

Free

to use and customise

Why You Need an AI Regulatory Compliance Tracker

AI regulation has accelerated dramatically since 2024. Organisations now face overlapping compliance obligations across multiple jurisdictions and frameworks — without a structured tracker, gaps are inevitable.

Aug 2026

EU AI Act high-risk deadline is approaching

Annex III high-risk AI system obligations apply from 2 August 2026. Most organisations haven't started their compliance programme.

3 frameworks

Overlapping requirements need unified tracking

EU AI Act, ISO 42001, and NIST AI RMF have overlapping but non-identical requirements. Without a unified tracker, gaps appear between frameworks.

50+

US state AI bills under consideration

More than 50 US state-level AI bills are at various stages of legislation. Organisations with US operations need to monitor and map requirements.

Audit

Compliance evidence must be maintained over time

Regulators expect evidence of ongoing compliance, not a point-in-time snapshot. A tracker provides the audit trail that demonstrates systematic compliance management.

The Compliance Tracker

Expand each section to view the compliance requirements and assessment framework. Complete the status fields for each requirement to build your gap analysis.

Step 1: Classify Each AI System by Risk Tier

Unacceptable Risk (Prohibited)

Compliance required: 2 Feb 2025

Real-time biometric surveillance in public spaces; social scoring by public authorities; exploitation of vulnerabilities of specific groups; subliminal manipulation. These systems must be withdrawn immediately.

High Risk (Annex III)

Compliance required: 2 Aug 2026

Employment and HR decisions; education and vocational training; access to essential services (credit, insurance, benefits); law enforcement; migration and asylum; administration of justice. Full obligations apply.

Limited Risk

Compliance required: 2 Aug 2026

AI systems that interact with natural persons (chatbots); AI that generates or manipulates content (deepfakes, synthetic media). Transparency obligations only — must disclose AI nature.

Minimal Risk

No additional obligations

All other AI systems — spam filters, AI-powered games, recommendation systems not in Annex III contexts. No additional obligations under the EU AI Act beyond existing law.

Key High-Risk AI Obligations (Annex III systems)

Risk Management System (Art. 9)