The EU AI Act is being phased in across 2025–2026. Kommit isn't "EU AI Act certified" — that designation doesn't exist for platforms. What we ship is the evidence-collection plumbing that makes the documentation, monitoring, and human-oversight obligations enforceable in a system you can defend to a regulator.
What the AI Act requires that touches Kommit
The Act's obligations vary by risk category. For most B2B AI deployments the relevant pieces are:
| Obligation | Article (approx.) | What Kommit provides |
|---|---|---|
| Maintain technical documentation about the AI system | Art. 11 | Per-agent docs surface inside Kommit that pulls config + model card + data-flow descriptions into a single artifact. |
| Log every operation of a high-risk system | Art. 12 | The hash-chained audit log captures every governed action. See [#hash-chained-audit-log]. |
| Implement human oversight | Art. 14 | Approval workflows in the Policy library. See [#policy-library]. |
| Monitor performance after deployment | Art. 17 (post-market monitoring) | Evaluation / observability surface — on the design-partner roadmap, not live today. |
| Report serious incidents | Art. 73 | Incident-response surface — on the roadmap, not live today. |
The articles flagged "on the roadmap" are claims we will not make about Kommit today. If your AI Act readiness work requires those capabilities now, tell us — there are partial workarounds and we'll be honest about which gaps Kommit cannot close in the current release.
General-purpose AI model (GPAI) provisions
If you're a deployer of a GPAI (i.e. Anthropic, OpenAI, Mistral, or a fine-tuned derivative), the GPAI provisions (Art. 51–55) apply to the model provider, not to you. Kommit's role for GPAI deployment is to keep the documentation trail — which model version you used when, with what system prompt, against what data — so a regulator inspection can reconstruct the deployment context. That trail lives in the audit log.
Conformity assessments
For high-risk systems (Annex III categories like employment, education, law enforcement-adjacent), the AI Act requires a conformity assessment before deployment. Kommit doesn't perform conformity assessments — those are run by Notified Bodies. What Kommit produces is the underlying evidence those Notified Bodies will ask for. The audit-pilot deliverable (see [#how-the-14-day-audit-pilot-works]) is a good starting point for the documentation set a Notified Body will request.
Timeline reminder
The Act entered into force August 2024 with a phased timeline:
- —Feb 2025 — Prohibited AI practices apply.
- —Aug 2025 — GPAI provisions apply.
- —Aug 2026 — Most other obligations apply.
- —Aug 2027 — Embedded high-risk obligations apply.
Most customers we speak to are doing AI Act readiness work in 2026–2027 windows. The compliance-positioning rule applies: Kommit is not certified to the AI Act and will not describe itself that way. What we do is help your auditors and risk-management teams build the evidence trail the Act requires.