EU AI Act

The EU AI Act and routeur.ai: what we cover, and what we don't.

A plain-English guide to where the Act actually bites, which obligations routeur.ai helps you meet, and which stay firmly your responsibility.

Last reviewed: June 2026 Informational — not legal advice

The timeline, in plain English

  • In force — August 2024. The AI Act entered into force; obligations phase in over the following years.
  • Prohibitions — February 2025. Bans on unacceptable-risk practices (e.g. social scoring, certain biometric uses) began to apply.
  • GPAI obligations — August 2025. Transparency and documentation duties for general-purpose AI models began to apply.
  • High-risk obligations — from 2 August 2026. The bulk of high-risk system obligations (Annex III) apply, including record-keeping, logging and human-oversight duties.
Most everyday workplace AI use is not 'high-risk' under the Act. For most companies the immediate drivers are GDPR processor obligations, customer due diligence, and the Act's direction of travel — not Annex III. Here's what applies to whom.

What maps to what

Obligation What routeur.ai provides What stays your responsibility
Record-keeping & logging Art 12 Per-request traces and a tamper-evident, append-only audit trail — provider, model, tokens, latency, cost, routing decision and policy verdict on every call. Deciding which systems are high-risk, what must be logged for your use case, and how long you retain it.
Transparency Visibility into which model handled each request and which policies fired, surfaced in the dashboard and audit trail. Telling your own users when they're interacting with AI and providing required notices.
Human oversight Policy enforcement, prompt shields, DLP and hard spend caps that can block or flag requests before they reach a provider. Defining oversight processes, escalation paths and who reviews flagged activity.
Deployer duties incl. log retention Art 26 Configurable audit-log retention (7 days Starter, 90 days Pro, extended on Enterprise) and data residency on every plan. Classification, a Fundamental Rights Impact Assessment (FRIA) where required, vendor DPAs, and your retention policy.
This page is informational and is not legal advice. The EU AI Act interacts with GDPR and sector rules in ways that depend on your specific use case. Use it to frame a conversation with your own legal and compliance advisers — not as a substitute for one.

Get the readiness checklist

A one-page EU AI Act readiness checklist for AI-using companies: 12 yes/no items across visibility, policy, logging, vendor DPAs, data residency and incident response. Drop your work email and we'll unlock it.

Not sure where your AI exposure is?

Start with a Shadow AI Assessment — we'll help you map where AI is already being used across your business, what data flows through it, and which obligations that triggers. It's the fastest way to turn the Act from an abstract deadline into a concrete plan.

Request a Shadow AI Assessment →