⚖ EU_AI_ACT :: COMPLIANCE_GUIDE

EU AI Act & On-Premise Deployments

What the EU AI Act means for organizations running LLMs in-house. Risk classification, compliance timelines, and the obligations that apply to deployers and providers of on-premise AI systems.

⚠ NOT LEGAL ADVICE — This page is an analytical reference for technical teams. Consult qualified legal counsel for compliance decisions.

> COMPLIANCE_TIMELINE

Key dates as of May 2026

Aug 2024

ENACTED

EU AI Act enters into force

20 days after OJ publication. The 24-month clock starts for most obligations.

Feb 2025

PAST ✓

Article 5 — Prohibited AI Practices

Bans on social scoring, real-time biometric surveillance in public, subliminal manipulation. Already in effect.

Aug 2025

PAST ✓

GPAI Model Obligations & Governance

General Purpose AI model providers (Llama, Mistral, etc.) must comply with transparency and copyright rules. Governance bodies established.

Aug 2026

⚡ 3 MONTHS

HIGH-RISK AI obligations — Article 10+ (Annex III)

Full obligations for high-risk AI systems: risk management, data governance, technical documentation, human oversight, logging. This is the critical deadline for most enterprise LLM deployments.

Aug 2027

FUTURE

High-risk AI embedded in regulated products

Medical devices, machinery, automotive. Additional 12-month window for product-embedded AI.

> YOUR_ROLE_UNDER_THE_ACT

> DEPLOYER

You run an AI system within your organisation for your own purposes or for users.

TYPICAL SCENARIO:

Using Llama 3 on-premise for HR screening, loan decisions, or worker monitoring.

Obligations: human oversight, logging, fundamental rights impact assessment (if public sector).

> PROVIDER

You develop or significantly modify an AI system and place it on the market or put it into service.

TYPICAL SCENARIO:

Building a fine-tuned LLM-based product sold to other companies in the EU.

Full obligations: technical documentation, conformity assessment, CE marking (for high-risk), EU representative.

> INTERNAL_USE_ONLY

You run an LLM for productivity, coding assistance, or knowledge management — not for decisions affecting people.

TYPICAL SCENARIO:

Ollama for developer Q&A, summarisation, internal docs search.

Low obligation burden. Transparency notices if employees interact with AI. Good practice: basic logging and oversight policy.

> RISK_CLASSIFICATION_MATRIX

Which category does your on-premise LLM deployment fall into?

USE CASE	RISK TIER	KEY OBLIGATIONS (Aug 2026)	ON-PREM ADVANTAGE
CV screening / HR decisions	HIGH-RISK	Risk management system, data governance, human oversight, audit log, conformity assessment	Full log control ✓
Credit scoring / loan decisions	HIGH-RISK	Explainability, human review, bias monitoring, technical documentation	Data residency ✓
Medical diagnosis assistance	HIGH-RISK	MDR/IVDR alignment, clinical validation, ECC RAM, deterministic outputs	Air-gap option ✓
Biometric identification (workplaces)	HIGH-RISK	Strict conditions, GDPR alignment, DPA notification	No cloud exposure ✓
Customer service chatbot	LIMITED	Disclose AI nature to users. No further high-risk obligations unless decisions affect rights.	—
Internal coding assistant / RAG	MINIMAL	No specific obligations. Best practice: usage policy, basic access logging.	—
Document summarisation / Q&A	MINIMAL	No specific obligations. Output review by human recommended.	—

> HIGH_RISK_COMPLIANCE_CHECKLIST

Pre-August 2026 preparation — verification gates, not legal advice

> RISK_MANAGEMENT_SYSTEM

□ Documented risk identification process
□ Risk estimation & evaluation methodology
□ Risk mitigation measures defined
□ Residual risk communicated to users
□ Annual review cycle established

> DATA_GOVERNANCE

□ Training data documented & bias-assessed
□ Data lineage traceable
□ GDPR alignment verified (separate obligation)
□ Personal data minimisation applied
□ Data access control documented

> HUMAN_OVERSIGHT

□ Override mechanism implemented (human can halt AI)
□ Trained human reviewer assigned to decisions
□ Escalation path defined for edge cases
□ Human not pressured to follow AI output blindly
□ Oversight logs retained ≥ 5 years

> TECHNICAL_DOCUMENTATION

□ System description & intended purpose
□ Model version, quantization level, hardware
□ Known limitations & foreseeable misuse
□ Accuracy, robustness, cybersecurity measures
□ Instructions for deployer (if you're the provider)

> LOGGING_&_AUDIT_TRAIL

□ Automatic logging of AI-assisted decisions
□ Timestamps, inputs (hashed if personal), outputs
□ Tamper-evident log storage
□ Retention policy aligned with sectoral requirements
□ Logs accessible to national authority on request

> TRANSPARENCY_TO_USERS

□ Users informed they are interacting with AI
□ Right to explanation for consequential decisions
□ Right to human review pathway disclosed
□ Contact point for AI-related complaints defined
□ AI Act statement published (public sector)

> ON_PREM_COMPLIANCE_ADVANTAGES

FULL LOG CONTROL

Mandatory audit trails under Article 12 are trivially satisfied when you control the infrastructure. Cloud vendors may retain or process logs on their side.

DATA SOVEREIGNTY

Personal data processed by the LLM stays within your jurisdiction. No cross-border transfer risks. Simplifies GDPR Article 46 compliance.

MODEL DOCUMENTATION

Open-weight models (Llama, Mistral) come with model cards and weights you can inspect. Satisfies technical documentation requirements more easily than black-box API.

DETERMINISTIC VERSIONING

You lock the exact model version and quantization. Cloud APIs may silently update underlying models, complicating reproducibility and audit trails.

RELATED SECTIONS

Governance Framework → Deployment Checklists → Regulated Manufacturing → Pharma Validated Systems →