GateSolutionsAssuranceProtocolProofDocsPricingRequest pilot
EU AI Act · Annex III high-risk · provisionally deferred to Dec 2, 2027 (Digital Omnibus, May 7, 2026)

The deadline moved.
The obligations didn't.
High-risk AI still needs a receipt.

The Digital Omnibus agreement (May 7, 2026, formal adoption pending) defers stand-alone Annex III high-risk obligations from August 2, 2026 to December 2, 2027. Everything the law requires is unchanged: logging, human oversight, transparency, traceability — with penalties up to €35M or 7% of global turnover. The extension is time to build the evidence layer properly instead of in a panic. EMILIA Protocol is the formally verified, open-standard way to do that.

500
Days
19
Hours
03
Minutes
44
Seconds
Talk to a compliance engineerRead the spec
Scope

What "high-risk" covers

The EU AI Act defines high-risk systems by domain. If your AI agent touches any of these, Article 113 obligations apply on day one of enforcement (Dec 2, 2027) — regardless of whether the agent is autonomous or human-assisted.

  • Biometric identification
  • Critical infrastructure
  • Education access and assessment
  • Employment and worker management
  • Essential services — banking, insurance, credit
  • Law enforcement
  • Migration, asylum, border control
  • Administration of justice and democracy
The mapping

How EP satisfies Articles 9 through 15

Each obligation maps to a specific phase of the EMILIA ceremony. The two articles most often cited in early enforcement guidance — Art. 12 (logging) and Art. 14 (human oversight) — are highlighted.

Art. 9
Risk management system
The obligation: Continuous risk identification, evaluation, and mitigation across the AI lifecycle.
How EP satisfies it: Every receipt carries the policy version that authorized it. Receipts and entity trust profiles are queryable through the Trust Explorer.
Art. 10
Data governance and quality
The obligation: Training and operational data must be relevant, representative, and free of errors.
How EP satisfies it: Action context is bound to receipt at sign time; tampering invalidates the cryptographic chain.
Art. 11
Technical documentation
The obligation: Documentation kept current and available to authorities on request.
How EP satisfies it: TLA+ spec, Alloy facts, and 6,719 automated test cases are public. Apache 2.0 — auditors read source, not vendor PDFs.
Art. 12
Automatic logging
Primary EP fit
The obligation: Logs must enable post-incident traceability for the full operational life of the system.
How EP satisfies it: Pre-execution receipt is the log. Cryptographically signed, replay-proof, queryable by actor/policy/time.
Art. 13
Transparency to users
The obligation: Users must be able to understand and use system outputs.
How EP satisfies it: Every receipt is human-inspectable JSON with the policy clause that fired. No black-box decisions.
Art. 14
Human oversight
Primary EP fit
The obligation: Natural-person oversight to prevent or minimize risks during operation.
How EP satisfies it: The Signoff phase is mandatory for high-risk actions. Cryptographically bound to a real human identity at decision time.
Art. 15
Accuracy, robustness, cybersecurity
The obligation: System must be resilient to errors, faults, and unauthorized third-party alteration.
How EP satisfies it: 26 TLA+ theorems and 35 Alloy facts prove the ceremony logic cannot be replayed or partially executed, given signature soundness.
Article 14 Human-Oversight Kit

Your 30-day path to human oversight.

Article 14 asks that a human can oversee, intervene, and stop a high-risk system. EMILIA is the technical implementation of that slice — and it's mostly packaging what you already have.

01
Week 1 — Inventory
List every irreversible action your system can take. Each becomes a canonical action.
02
Week 2 — Observe
Wrap them in Emilia Eye mode — log "what would have been blocked" with zero enforcement. No risk.
03
Week 3 — Enforce + sign-off
Turn on signoff for the high-risk classes; route approvals to your humans. Every approval mints a receipt.
04
Week 4 — Evidence
Export the receipt bundle — an auditor verifies it offline, no need to trust EP or you.

Maps to Art 14 (human oversight), Art 12 (record-keeping), Art 9 (risk management). Not a complete compliance program; not legal advice. Full mapping in the Article 14 kit.

Financial services mapping (PDF)Government programs mapping (PDF)Healthcare mapping (PDF)
Penalties

What non-compliance costs

€35M
Maximum fine — flat ceiling
7%
Of global annual turnover — whichever is higher
Dec 2, 2027
Day 1 — no grace period for high-risk systems
Beyond Brussels

Parallel forcing functions

Even if your AI never touches an EU user, the US Executive Order and three active state laws create the same pre-execution governance requirement on a similar timeline. EP's NIST AI RMF mapping covers the federal side directly.

United States
NIST AI RMF + OMB M-25-21
Federal AI use-case inventories flag high-impact uses; NIST AI RMF alignment shapes procurement. EP publishes its RMF mapping.
California
EO N-5-26 + TL 24-03
Trusted-AI procurement standards and GenAI risk assessments for state entities.
Colorado
Colorado AI Act
Effective June 30, 2026. Impact assessments and consumer notification.
Texas
TRAIGA (HB 149)
Effective Jan 1, 2026. Agency AI governance and disclosure obligations.
Next step

Eighteen months is enough — if you start this week.

We integrate in under a day. Apache 2.0, no vendor lock-in. Reference verifiers deployed publicly; first pilot slots open.

Schedule a compliance walkthroughTry the SDK
EU AI Act High-Risk Deadline Moved to Dec 2, 2027 — Obligations Unchanged | EMILIA