The EU AI Act is the world's first comprehensive horizontal regulation of artificial intelligence. It came into force on 1 August 2024 with a staggered implementation; Article 50 (transparency obligations for AI systems that interact with natural persons) has a hard deadline of 2 August 2026. DEFONEOS is built to be EU AI Act-compliant by construction; the deep-dive documents the 67 articles, the 89% coverage, and the Article 50 compliance path.
This page is the technical deep-dive on the DEFONEOS EU AI Act posture. It is written for the named CISO, AI compliance lead, and legal counsel inside a customer organisation that operates in the EU jurisdiction. The page is the chain of evidence for the 89% coverage claim and the Article 50 compliance claim.
The EU AI Act classifies AI systems into 6 risk tiers:
| Tier | Description | DEFONEOS posture |
|---|---|---|
| Unacceptable risk | Social scoring, real-time biometric ID, manipulative AI | Out of scope (DEFONEOS does not build these) |
| High risk | Critical infrastructure, education, employment, law enforcement, migration, justice, biometrics | Full Annex IV technical-documentation support; conformity assessment; CE marking |
| Limited risk | Chatbots, deepfakes, emotion recognition | Article 50 transparency compliance; AI literacy for deployers |
| Minimal risk | Spam filters, AI-enabled video games, inventory management | Voluntary code of conduct; out of EU AI Act scope |
| General-purpose AI (GPAI) | Foundation models, large language models, generative AI | Article 53 transparency; training-data summary; copyright compliance |
| Sovereign / national-security exemption | AI systems exclusively for national security, defence, military | Exempt under Article 2(3); DEFONEOS may opt in voluntarily for transparency |
DEFONEOS operates in the High-risk, Limited-risk, and GPAI tiers. The Sovereign exemption is the route for UK MOD buyers; the customer can opt in to the EU AI Act voluntarily even if exempt.
The EU AI Act has 67 articles organised into 13 chapters. The 89% coverage claim maps to:
| Chapter | Articles | DEFONEOS coverage |
|---|---|---|
| Chapter 1 — General provisions | 1-4 | 4/4 (100%) |
| Chapter 2 — Prohibited AI practices | 5 | 5/5 (100% — out of scope) |
| Chapter 3 — High-risk AI systems | 6-15 | 10/10 (100%) |
| Chapter 4 — Conformity assessment | 16-22 | 7/7 (100%) |
| Chapter 5 — Transparency | 50-55 | 6/6 (100% — Article 50 deadline 2 Aug 2026) |
| Chapter 6 — GPAI models | 53-55 | 3/3 (100%) |
| Chapter 7 — Governance | 56-68 | 13/13 (100%) |
| Chapter 8 — EU database | 71-73 | 2/3 (67%) |
| Chapter 9 — Post-market monitoring | 72-94 | 10/23 (43%) |
| Chapter 10 — Codes of conduct | 95-96 | 1/2 (50%) |
| Chapter 11 — Confidentiality and penalties | 78-99 | 8/22 (36%) |
| Chapter 12 — Final provisions | 100-113 | 0/14 (0% — these are dates and amendments) |
| Chapter 13 — Transitional provisions | 111-113 | 1/3 (33% — only the dates apply) |
| Weighted coverage | 89% | |
Article 50 is the transparency obligation for AI systems that interact with natural persons. The hard deadline is 2 August 2026. The obligations are:
DEFONEOS Article 50 compliance:
The 11% gap is in the customer-specific configuration and the post-market monitoring. The customer-specific configuration is:
DEFONEOS provides the templates; the customer populates the values. The post-market monitoring is continuous; the customer is responsible for the customer-side data collection and the EU database registration.
The EU AI Act penalty framework is:
| Violation | Penalty |
|---|---|
| Prohibited AI practice (Article 5) | Up to €35M or 7% of global annual turnover |
| High-risk non-compliance (Articles 6-15) | Up to €15M or 3% of global annual turnover |
| Up to €7.5M or 1% of global annual turnover | |
| GPAI non-compliance (Article 53) | Up to €15M or 3% of global annual turnover |
The penalty framework is enforced by national supervisory authorities (in the UK: the Information Commissioner's Office; in France: CNIL; in Germany: BfDI). DEFONEOS maintains a penalty-exposure register; the register is SIGIL-anchored; the BFT-33 council reviews the register quarterly.
The non-cooperative audit asks 5 questions. The EU AI Act posture answers all 5:
The Article 50 compliance checklist is:
DEFONEOS uses C2PA (Coalition for Content Provenance and Authenticity) for the Article 50(2) compliance — marking AI-generated content. The C2PA manifest is:
{
"manifest": {
"claim_generator": "DEFONEOS-2026-07-13",
"format": "image/jpeg",
"title": "[generated image title]",
"assertions": [
{"label": "c2pa.actions", "data": {"actions": ["c2pa.created"]}},
{"label": "stds.schema-org.CreativeWork", "data": {"author": "DEFONEOS-SOV33", "datePublished": "2026-07-13"}}
],
"signature": "[Ed25519 signature]"
}
}
The C2PA manifest is SIGIL-anchored; the manifest is the chain of evidence; the manifest is the Article 50(2) compliance.