EU AI Act Compliance — Ecotrans / p24-infra Platform

Last reviewed: 2026-06-16
Next review due: 2027-06-16
Owner: Radek Konarski (p24-infra admin)
Regulation: Regulation (EU) 2024/1689 — the EU Artificial Intelligence Act


1. Applicability & Timeline

The EU AI Act applies to any AI system placed on the market or put into service in the EU, including internal deployment.

| Date | What applies |
| --- | --- |
| 2025-02-02 | Chapter II — prohibited AI practices (already in force) |
| 2025-08-02 | Chapter V — GPAI model obligations (general-purpose AI providers only; we are deployers, not providers) |
| 2026-08-02 | Chapter III — Annex III high-risk systems + conformity assessments |
| 2027-08-02 | Chapter IV — high-risk AI embedded in Annex I regulated products |

As of the last review date (2026-06-16), 2026-08-02 is 47 days away. Any system classified as high-risk must be fully compliant before that date.

As a deployer (not a provider) of general-purpose AI (Claude by Anthropic), our obligations under Article 26 are:

  • Use AI systems in accordance with the provider’s instructions
  • Ensure human oversight where required
  • Monitor operation and report serious incidents to authorities

2. Risk Classification Framework

| Tier | Definition | Obligations |
| --- | --- | --- |
| Prohibited | Systems banned by Chapter II (e.g. social scoring, subliminal manipulation, real-time biometric surveillance in public) | Never deploy |
| High | Systems listed in Annex III (see §3) | Full compliance: risk mgmt, data governance, technical docs, logging, human oversight, transparency, accuracy |
| Limited | Chatbots, AI-generated content, emotion recognition in some contexts | Transparency: users must know they are interacting with AI (Art. 52) |
| Minimal | Everything else | No mandatory obligations; register for completeness |

3. Annex III — High-Risk Categories Relevant to Our Platform

The following Annex III categories could apply to fleet/logistics and workforce management:

| Category | Description | Applies? |
| --- | --- | --- |
| III.2(a) | AI managing/operating critical road transport infrastructure | Potentially if managing public road infrastructure — does NOT apply to private fleet management |
| III.3(a) | AI for education/vocational training | Not applicable |
| III.4(a) | AI for recruitment or selection of natural persons, evaluating, promoting, terminating workers, allocating tasks, monitoring and evaluating performance | Review required if driver scoring, performance KPI tracking, or task allocation uses AI |
| III.4(b) | AI for evaluating creditworthiness / credit scoring | Not applicable |
| III.5(a) | AI used by public authorities in essential private services | Not applicable (private platform) |
| III.6(a) | AI for law enforcement | Not applicable |
| III.8(a) | AI for administration of justice | Not applicable |

Current verdict: No deployed system is classified as high-risk. This must be re-evaluated if AI is introduced for driver performance scoring, automated task assignment to workers, or any HR decision support.


4. Current AI Systems Inventory

All systems are registered in public.dev_r_ai_systems. The table is the authoritative source; this section summarises the current assessment.

p24-infra

| System | Service | Risk | Status | Annex III |
| --- | --- | --- | --- | --- |
| workbook-designer | audit-engine | minimal | partial | |
| report-generator | audit-engine | minimal | partial | |

et-operational-platform

| System | Service | Risk | Status | Notes |
| --- | --- | --- | --- | --- |
| (none registered) | | | | Register any AI features in the fleet web app — see §7 |

n8n AI workflows

Any n8n workflow that calls the Claude proxy, OpenAI, or any other AI provider must be registered. Use service_name = 'n8n-bms4' (or 'n8n-hstgr' for Hostinger) and system_name = workflow slug.

Registered as of 2026-06-16 (migration 021 + 023):

| System | Service | Risk | Status | Key gap |
| --- | --- | --- | --- | --- |
| tronik-gps-kierowcy | n8n-hstgr | limited | partial | Drivers not informed AI processes GPS data (Art.52) |
| tronik-gps-serwisant-mobilny | n8n-hstgr | limited | partial | Same as above for technicians |
| wa-ai-to-inbox | n8n-hstgr | minimal | partial | No structured logging; no AI response to users |
| imap-inbox-ai-classifier | n8n-hstgr | minimal | partial | No structured logging |
| ai-documents-inbox-processing | n8n-cloud | minimal | partial | No structured logging |
| et-chatbot-produkcja | n8n-hstgr | limited | n/a | WIP — disabled until Art.52 disclosure implemented |

Action required before 2026-08-02: Add AI disclosure to driver/technician onboarding for the two GPS report workflows (Art.52 transparency gap).


5. Compliance Requirements by Risk Tier

High-Risk (Annex III) — checklist

Before deploying any high-risk system, all items must be true in dev_r_ai_systems:

| Field | Article | Requirement |
| --- | --- | --- |
| has_risk_management | Art. 9 | Documented risk management system: identify, analyse, evaluate risks; test before deployment |
| has_data_governance | Art. 10 | Data governance practices: training data quality, relevance, bias assessment |
| has_technical_docs | Art. 11 | Technical documentation before market placement; includes architecture, capabilities, limitations |
| has_logging | Art. 12 | Automatic logging of events; retain logs for at least 6 months |
| has_transparency | Art. 13 | Clear information to deployers and affected persons about AI involvement |
| has_human_oversight | Art. 14 | Designated human overseer who can interrupt, override, or shut down the system |

Additionally:

  • Accuracy, robustness, cybersecurity requirements (Art. 15)
  • Register in EU AI Act database if deploying to third parties or in public-interest context (Art. 49)
  • Post-market monitoring plan (Art. 72)
  • Serious incident reporting to national authority (Art. 73)

Limited-Risk — checklist

| Field | Article | Requirement |
| --- | --- | --- |
| has_transparency | Art. 52 | Disclose to users that they are interacting with an AI system |

Minimal-Risk — best practices (not legally required)

  • Register in dev_r_ai_systems for visibility
  • Set has_logging = true (audit trail)
  • Set has_human_oversight = true (ability to override)
  • Annual review of classification

6. Compliance Status — audit-engine AI systems

Both current systems are minimal risk. No Annex III category applies.

workbook-designer — current gaps

| Measure | Status | Notes |
| --- | --- | --- |
| Human oversight | ✅ yes | Workbooks reviewed; /reoptimize endpoint allows manual override |
| Logging | ✅ yes | Every design attempt in audit.runs |
| Transparency | ✅ yes | Internal team; documented in docs/audit-engine.md |
| Technical docs | ✅ yes | docs/audit-engine.md covers architecture, designer, WorkbookSpec |
| Risk management | ❌ no | No formal risk assessment doc — good practice gap |
| Data governance | ❌ no | No formal data governance policy — good practice gap |

Action: Draft a one-page internal risk assessment and data governance note. Not legally required at minimal risk, but establishes the habit before any higher-risk system is added.

report-generator — current gaps

Same gap set as workbook-designer. Reports are informational; no automated action is taken on AI output.


7. Registering a New AI System

Before deploying any new AI-powered feature:

  1. Classify the risk tier — use §3 Annex III table to check if the system falls into a high-risk category. When in doubt, consult the EU AI Act official text.

  2. Insert a row in dev_r_ai_systems:

```sql
INSERT INTO public.dev_r_ai_systems (
  project_id, service_name, system_name, description,
  ai_provider, ai_model, purpose, decision_type, affects_people,
  eu_ai_act_risk, annex_iii_category, risk_justification,
  has_human_oversight, has_logging, has_transparency,
  has_technical_docs, has_risk_management, has_data_governance,
  compliance_status, compliance_notes, doc_url, status, last_reviewed
) VALUES (
  'p24-infra',           -- or 'et-operational-platform'
  'service-name',        -- matches dev_r_services.service_name
  'system-slug',         -- short identifier for this AI capability
  'What this AI does.',
  'anthropic',           -- ai_provider
  'claude-sonnet-4-6',   -- ai_model
  'Plain-English purpose.',
  'informational',       -- decision_type
  false,                 -- affects_people
  'minimal',             -- eu_ai_act_risk
  NULL,                  -- annex_iii_category (NULL unless high-risk)
  'Why this classification was chosen.',
  false, false, false, false, false, false,  -- compliance checklist (update to actual values)
  'partial',
  'Notes on what is done and what is missing.',
  'docs/eu-ai-act-compliance.md',
  'active',
  CURRENT_DATE
);
```

  3. For high-risk systems, complete all six compliance checklist items before going live. Create a separate ops doc section covering the risk management system and data governance policy.

  4. Update this document — add the system to §4 inventory table and document its compliance status in §6.


8. Automated Audit Check

The eu_ai_act_check action runs every Monday at 08:00 UTC via the audit engine.

What it checks:

| Rule | Severity | Condition |
| --- | --- | --- |
| Prohibited system active | FAIL | eu_ai_act_risk = 'prohibited' and status = 'active' |
| High-risk: missing oversight | FAIL | eu_ai_act_risk = 'high' and has_human_oversight = false |
| High-risk: missing logging | FAIL | eu_ai_act_risk = 'high' and has_logging = false |
| High-risk: missing technical docs | FAIL | eu_ai_act_risk = 'high' and has_technical_docs = false |
| High-risk: missing risk management | FAIL | eu_ai_act_risk = 'high' and has_risk_management = false |
| High-risk: missing data governance | WARN | eu_ai_act_risk = 'high' and has_data_governance = false |
| Limited-risk: missing transparency | FAIL | eu_ai_act_risk = 'limited' and has_transparency = false |
| Annual review overdue | FAIL | last_reviewed < today - 365 days or last_reviewed IS NULL |
| High-risk: quarterly review overdue | WARN | eu_ai_act_risk = 'high' and last_reviewed < today - 90 days |

Results are recorded in audit.runs. A FAIL triggers the standard error notification (Discord + GitHub issue).
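
The rule table above, expressed as a row evaluator for dry-running a classification before it is inserted. This is an added example, not the audit engine's own code: the function names, the dict-per-row shape and the sample rows are assumptions, and it deliberately treats a NULL checklist flag as missing, which the table's "= false" conditions would not flag.

```python
from datetime import date, timedelta

# (rule, severity, risk tier, checklist column that must be true), per the table above
FLAG_RULES = [
    ("High-risk: missing oversight", "FAIL", "high", "has_human_oversight"),
    ("High-risk: missing logging", "FAIL", "high", "has_logging"),
    ("High-risk: missing technical docs", "FAIL", "high", "has_technical_docs"),
    ("High-risk: missing risk management", "FAIL", "high", "has_risk_management"),
    ("High-risk: missing data governance", "WARN", "high", "has_data_governance"),
    ("Limited-risk: missing transparency", "FAIL", "limited", "has_transparency"),
]

def evaluate(row, today):
    """Return [(rule, severity), ...] for one dev_r_ai_systems row given as a dict."""
    risk, reviewed = row["eu_ai_act_risk"], row.get("last_reviewed")
    findings = []
    if risk == "prohibited" and row.get("status") == "active":
        findings.append(("Prohibited system active", "FAIL"))
    for rule, severity, tier, column in FLAG_RULES:
        # Assumption: NULL counts as missing (fail closed); "= false" in SQL would skip it.
        if risk == tier and row.get(column) is not True:
            findings.append((rule, severity))
    if reviewed is None or reviewed < today - timedelta(days=365):
        findings.append(("Annual review overdue", "FAIL"))
    if risk == "high" and reviewed is not None and reviewed < today - timedelta(days=90):
        findings.append(("High-risk: quarterly review overdue", "WARN"))
    return findings

def overall(findings):
    """Collapse findings into one run result: FAIL beats WARN beats PASS."""
    severities = {severity for _, severity in findings}
    return "FAIL" if "FAIL" in severities else "WARN" if "WARN" in severities else "PASS"

# Constructed sample rows (hypothetical systems, not the real inventory).
ALL_TRUE = {column: True for *_, column in FLAG_RULES}
TODAY = date(2026, 6, 16)
SAMPLE_ROWS = [
    {"system_name": "sample-limited", "eu_ai_act_risk": "limited", "status": "active",
     **ALL_TRUE, "has_transparency": False, "last_reviewed": date(2026, 6, 1)},
    {"system_name": "sample-high", "eu_ai_act_risk": "high", "status": "active",
     **ALL_TRUE, "has_data_governance": False, "last_reviewed": date(2026, 3, 1)},
    {"system_name": "sample-unreviewed", "eu_ai_act_risk": "minimal", "status": "active",
     **ALL_TRUE, "last_reviewed": None},
    {"system_name": "sample-null-flag", "eu_ai_act_risk": "high", "status": "active",
     **ALL_TRUE, "has_logging": None, "last_reviewed": date(2026, 6, 1)},
]

if __name__ == "__main__":
    for row in SAMPLE_ROWS:
        result = evaluate(row, TODAY)
        print(row["system_name"], overall(result), result)
```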


9. Annual Review Process

Who: Platform owner (Radek Konarski) or delegated technical lead.
Frequency: All systems annually; high-risk systems quarterly.

Review steps:

  1. Query dev_r_ai_systems for all active systems
  2. Re-evaluate EU AI Act risk classification — check if Annex III scope has changed, if system use has changed, or if new guidance has been issued
  3. Verify each compliance checklist field reflects current state
  4. Update last_reviewed = CURRENT_DATE for each reviewed system
  5. Update this document’s “Last reviewed” date
  6. If any system is newly classified as high-risk, complete the full compliance checklist before the next deployment

10. Regulatory References

| Document | URL |
| --- | --- |
| EU AI Act full text | https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32024R1689 |
| Annex III (high-risk categories) | EU AI Act, Annex III |
| Art. 26 — deployer obligations | EU AI Act, Article 26 |
| EU AI Act database | https://database.euaiact.eu (from 2026-08-02) |
| National authority (Poland) | Urząd Komunikacji Elektronicznej (UKE) — pending designation |

11. Incident Reporting

If an AI system causes or contributes to a serious incident (harm to health, safety, or fundamental rights of persons), report to the national supervisory authority within 15 days (Art. 73).

Record all incidents in dev_r_incidents and tag with source = 'eu-ai-act'.