Lexara Advisory
AI Procurement · Compliance

Vendor Due Diligence for AI Tools: A Compliance Checklist

Before procuring AI tools, organizations must evaluate vendor compliance with the EU AI Act, GDPR, and sector-specific requirements. This checklist provides a structured approach.

June 27, 2026 · By Constantin Razvan Gospodin, Legal AI Risk Manager


Organizations are procuring AI tools at an unprecedented pace. Hiring platforms, credit scoring models, customer service chatbots, and diagnostic assistants are being purchased and deployed without adequate compliance review. This article provides a practical checklist for evaluating AI vendors before procurement, with specific attention to the EU AI Act, GDPR, and the contractual terms that govern AI risk allocation between vendor and buyer.

What This Means

AI vendor due diligence is the process of evaluating a vendor's compliance posture, technical capabilities, and risk profile before entering into a procurement contract. Unlike traditional software procurement, AI procurement involves additional layers of regulatory risk, ethical risk, and operational risk that many vendor assessment frameworks do not address adequately.

Under the EU AI Act, providers of high-risk AI systems bear significant compliance obligations. If you are procuring an AI tool that qualifies as high-risk under Annex III, your vendor is legally responsible for conformity assessment, technical documentation, risk management systems, and registration in the EU database. However, deployer obligations under Articles 26 and 27 also apply to you as the buyer. You cannot outsource your compliance responsibilities to the vendor.

Under GDPR, AI tools that process personal data are subject to data protection by design and by default. If the tool makes automated decisions that produce legal effects or similarly significant effects on individuals, Article 22 applies. This requires explicit consent or another legal basis, meaningful information about the logic involved, and the right to human intervention. Your vendor contract must clearly specify who is the data controller and who is the processor, and what data protection safeguards are in place.

Traditional procurement checklists focus on functionality, price, and service levels. AI procurement requires additional scrutiny: how was the model trained, on what data, with what bias mitigation techniques? What is the vendor's incident response plan? Can the vendor explain how the model reaches its decisions? Does the vendor provide ongoing monitoring and retraining? These questions are not optional; they are essential for understanding the risk you are assuming.

The due diligence process should be documented. If a regulator asks why you selected a particular vendor, you should be able to produce evidence of your evaluation process, the questions you asked, the documentation you received, and the conclusions you reached. Documentation is not just a best practice; it is a compliance requirement under both the EU AI Act and GDPR.

Three operational conclusions follow from the current state of the file. First, the 2 December 2026 date is the nearest binding obligation under the proposed new regime — if your AI generates synthetic content (text, image, audio, video), Article 50 transparency obligations apply to you, and the new Article 5 prohibition on nudifiers and AI-generated CSAM is enforceable from this date. Second, until the Omnibus is formally adopted and published, the 2 August 2026 deadline for Annex III high-risk systems remains legally binding. Building a compliance program around the proposed 2 December 2027 date is a planning bet, not a legal certainty. Professional prudence requires preparing for the original deadline and treating the deferral, if it materializes, as a supervening benefit. Third, even under the new dates, the time horizon is shorter than it appears. A typical high-risk compliance program requires 4 to 6 months from initiation to completion. Organizations starting now have sufficient runway under either timeline. Those waiting until late 2026 or 2027 will face compressed timelines under the new regime as well.

Key Requirements

EU AI Act Provider Obligations.

Ask the vendor whether it considers itself a provider under the EU AI Act. If the system is high-risk, ask for evidence of conformity assessment, technical documentation, and risk management system implementation. Request the vendor's classification rationale for why the system is or is not high-risk. If the vendor claims the system is not high-risk, ask for a detailed legal analysis supporting that conclusion. For employment AI, credit scoring, and biometric systems, the high-risk classification is often mandatory, not discretionary.

GDPR Data Processing Terms.

The contract must include a data processing agreement (DPA) that specifies the roles of controller and processor, the purposes and duration of processing, the types of personal data and categories of data subjects, and the obligations and rights of the controller. For AI systems, the DPA should also address data minimization, storage limitations, and the right to erasure. If the AI tool makes automated decisions, the contract must specify how human review is implemented and how individuals can exercise their rights under Article 22.

Risk Classification Documentation.

The vendor should provide a written risk classification document that maps the AI system against the EU AI Act's risk categories. The document should explain why the system is or is not high-risk, limited-risk, or minimal-risk. It should cite specific Annex III categories if applicable. It should also address whether the system falls under any prohibited practices under Article 5. Evaluate this document with your legal counsel; do not accept the vendor's classification at face value.

Training Data and Model Documentation.

Request documentation about the training data: its sources, its quality, its representativeness, and any known biases. Ask for model cards or technical documentation that explain the model's architecture, performance metrics, and limitations. Under the EU AI Act, high-risk AI providers must maintain technical documentation that includes this information. If the vendor cannot or will not provide it, this is a serious red flag.

Bias Testing and Fairness Metrics.

Ask the vendor for bias testing results across relevant demographic categories. For employment AI, this includes race, ethnicity, and sex categories. For credit scoring, it may include additional categories. Ask what fairness metrics the vendor uses, what thresholds it considers acceptable, and how it mitigates identified disparities. Note that vendor internal testing does not satisfy third-party audit requirements like NYC LL144, but it is still a valuable component of due diligence.

Human Oversight and Explainability.

The vendor should explain how human oversight is implemented in the system. Can a human operator understand, interpret, and override the AI output? Under the EU AI Act, high-risk AI systems must be designed to enable effective human oversight. Ask the vendor to demonstrate the human oversight interface and explain how it works in practice.

2 February 2025 — Prohibited practices and AI literacy.

Article 5 prohibitions are enforceable: social scoring, manipulative AI, emotion recognition in workplaces and schools, real-time biometric identification in public spaces (with narrow law enforcement exceptions), untargeted scraping of facial images from the internet or CCTV. Article 4 AI literacy obligations are active for all providers and deployers. Penalties for prohibited practices violations are up to €35M or 7% of global turnover.

2 August 2025 — GPAI and governance.

Chapter V obligations for general-purpose AI models: technical documentation, copyright compliance, training data summaries. Governance structures (Chapter VII), confidentiality rules, and sanctions provisions became applicable. National competent authorities were designated by this date.

2 August 2026 — Full enforcement powers and penalty regime.

The AI Office and national market surveillance authorities obtain full enforcement powers, including the ability to request information, mandate mitigations, and impose administrative fines across all applicable provisions. The penalty regime under Article 99 becomes fully operational. Member States must have at least one operational AI regulatory sandbox by this date.

This date is not affected by the Omnibus and remains binding.

2 August 2026 — High-risk systems under Annex III (current regime).

Under the AI Act as currently in force, high-risk AI systems used in employment, finance, education, healthcare, law enforcement, and other Annex III sectors must achieve full compliance by this date: conformity assessments completed, technical documentation finalized, risk management systems operational, human oversight mechanisms in place, EU database registration filed. The Digital Omnibus provisional agreement of 7 May 2026 proposes to defer this deadline to 2 December 2027. Until the Omnibus is formally adopted and published in the Official Journal, organizations should plan against the 2 August 2026 deadline as legally binding.

Proposed new dates under the Digital Omnibus (provisional agreement, 7 May 2026)

2 December 2026 — Article 50 transparency and new Article 5 prohibition.

Article 50 transparency obligations for synthetic content (watermarking of AI-generated images, audio, video, and text) take effect. The Digital Omnibus introduces a new Article 5 prohibition on AI systems designed to generate child sexual abuse material and on nudifier applications, with the same date of application. This is the nearest live obligation under the new regime and applies regardless of risk classification.

2 December 2027 — Annex III high-risk systems (proposed new date).

If the Omnibus is formally adopted, the compliance deadline for high-risk AI systems listed in Annex III moves from 2 August 2026 to 2 December 2027. This covers systems used in employment, education, finance, law enforcement, migration, justice, and access to essential services.

2 August 2028 — Annex I product safety (proposed new date).

AI systems embedded in regulated products under Annex I (medical devices, machinery, vehicles, toys, radio equipment) move from 2 August 2027 to 2 August 2028. GPAI models placed on the market before 2 August 2025 also have until this date to achieve full compliance.

31 December 2030 — Large-scale IT systems.

AI components of large-scale IT systems listed in Annex X must be brought into compliance. This date is unchanged by the Omnibus.

National market surveillance authorities have been actively supervising GPAI and prohibited practices since 2 August 2025. Full enforcement powers across all provisions begin on 2 August 2026 regardless of whether the Omnibus is adopted. The European Commission will evaluate the AI Office's functioning by August 2028 and review the Act's impact every four years starting August 2029.

Practical Steps

Build an AI-Specific Procurement Questionnaire.

Adapt your standard procurement questionnaire to include AI-specific questions. Cover risk classification, data governance, bias testing, human oversight, incident response, and ongoing monitoring. Require the vendor to answer in writing and to provide supporting documentation. Oral assurances are not sufficient for compliance records.

Require Written Warranties.

The contract should include specific warranties from the vendor regarding compliance with applicable AI regulations, accuracy of training data, absence of prohibited practices, and ongoing conformity maintenance. The warranties should be backed by indemnification provisions that allocate liability if the vendor's representations prove false. Do not rely on general software warranties; they are unlikely to cover AI-specific risks.

Negotiate Audit Rights.

Include a right to audit the vendor's compliance with AI obligations, including access to technical documentation, bias testing results, and incident logs. The audit right should be exercisable by you or by an independent third party. This is particularly important for high-risk AI systems where ongoing compliance monitoring is required by the EU AI Act.

Establish Ongoing Monitoring.

AI compliance is not a one-time event. The contract should require the vendor to notify you of material changes to the model, training data, or risk classification. It should also require the vendor to provide periodic updates on performance metrics, bias testing, and incident reports. Build these monitoring requirements into your contract and your internal compliance calendar.

Coordinate with Legal and Compliance Teams.

Do not let procurement teams evaluate AI vendors in isolation. Legal, compliance, privacy, and risk management teams must be involved from the beginning. The EU AI Act and GDPR have specific requirements that procurement professionals may not recognize. A cross-functional evaluation team ensures that all relevant risks are identified and addressed.

Document Everything.

Maintain a complete record of your due diligence process: the questionnaire, the vendor's responses, the documentation provided, the evaluation criteria, the meeting notes, and the final decision rationale. This documentation is your evidence of good faith and reasonable care if a regulator later questions your procurement decision.

Related Resources

Vendor AI Due Diligence

EU AI Act

EU AI Act Compliance Audit

System inventory, risk classification, and compliance roadmap.

Bias, privacy, and fairness evaluation across multiple frameworks.

EU Authorised Representative

Article 22 mandate for non-EU providers, with our partner SecureFound (Spain).

## Page: /eu-ai-act-article-2-us-companies.html

### Title: EU AI Act Article 2: US Companies in Scope | Lexara

### Meta Description: EU AI Act Article 2 extraterritorial scope: how it applies to US companies whose AI output reaches the EU. Broader than GDPR, follows the output not the address.

### Canonical: https://lexaraadvisory.com/eu-ai-act-article-2-us-companies.html


### Content:

Extraterritorial Scope · Updated 8 May 2026

EU AI Act Article 2 — Does It Apply to US Companies?


Written for US compliance officers, legal teams, and business leaders navigating the extraterritorial reach of the EU AI Act.

The scope trigger follows the output, not your address

Article 2(1) of the EU AI Act (Regulation 2024/1689) establishes three categories of non-EU entities that fall within its scope. The critical principle: jurisdiction follows where the AI system's output is used, not where the system is built, hosted, or where the company is headquartered.

The three triggers for US companies are: first, providers placing AI systems on the EU market, which covers any US company selling an AI product to EU customers; second, providers whose AI system outputs are used within the EU, capturing US companies whose AI makes decisions affecting EU residents even if the sale happens outside Europe; and third, importers and distributors handling AI systems in the EU market.

Why this is broader than GDPR

Under GDPR, extraterritorial application required that a company either offer goods or services to EU individuals or monitor their behavior. The EU AI Act requires neither targeting nor monitoring. If your AI output reaches an EU individual — a job applicant screened by your algorithm, a customer scored by your credit model, a student assessed by your platform — you are in scope. There is no intent test, no targeting requirement, and no data processing connection needed.

Industry analysis confirmed in August 2025 that this extraterritorial reach is broader than that of GDPR. Most US compliance teams initially modeled the AI Act as the narrower obligation. That assumption needs to be revisited.

Practical scenarios for US organizations

SaaS with global customers.

A US company develops a recommendation engine used by thousands of customers worldwide. The moment one EU-based customer starts using that engine for high-risk purposes, the provider is in scope — potentially without knowing it.

Financial services.

A credit scoring system hosted in Virginia that scores EU counterparties is in scope. The question is where the output is used, not where the system sits.

HR technology.

A US hiring platform that screens applications from EU job candidates triggers both EU AI Act Annex III (Area 4: employment) and potentially NYC LL144 if candidates reside in New York City.

Higher education.

A New York university using AI-powered proctoring or adaptive learning tools for EU exchange students or joint-degree programs is deploying high-risk AI under Annex III (Area 3: education).

What is already enforceable

The EU AI Act's obligations are phased in over time, but two categories are already active. Prohibited AI practices under Article 5 have been enforceable since 2 February 2025. These include real-time biometric identification in public spaces, emotion recognition in workplaces and schools, social scoring, manipulative AI, and untargeted scraping of facial images. The AI literacy obligation under Article 4, requiring providers and deployers to ensure their staff has sufficient AI literacy, has also been in force since 2 February 2025. GPAI model obligations under Chapter V became applicable on 2 August 2025.

Note on the high-risk timeline — Digital Omnibus on AI (7 May 2026)

The high-risk obligations under Annex III are currently scheduled to take effect on 2 August 2026 under the Act as in force. On 7 May 2026, Council and Parliament negotiators reached a provisional political agreement on the Digital Omnibus on AI proposing to defer this deadline to 2 December 2027 (Annex III stand-alone) and 2 August 2028 (Annex I embedded). Until the Omnibus is formally adopted and published in the Official Journal, the original 2 August 2026 deadline remains legally binding.

A separate new obligation taking effect on 2 December 2026 under the proposed regime concerns Article 50 transparency for synthetic content and a new Article 5 prohibition on AI-generated CSAM and nudifier applications. The scope question discussed on this page applies regardless of which deadline ultimately governs the high-risk regime — if your AI output reaches the EU, you are in scope under either timeline.

The authorized representative requirement

Non-EU providers of high-risk AI systems and GPAI models must appoint an authorized representative within the EU before placing their systems on the market. Without an authorized representative, you cannot legally offer your AI product in Europe. This is a distinct role from GDPR representatives and requires specific AI Act expertise.

Read more about the EU authorized representative requirement and how Lexara coordinates mandates through our partner SecureFound (Spain).

What US companies should do now

First, map your AI output flows to identify any EU nexus. Second, classify each in-scope system against the risk framework. Third, assess whether any of your current AI practices fall under the already-enforceable prohibited categories. Fourth, begin AI literacy training for staff who operate or use AI systems — this obligation is already active, regardless of any Omnibus deferral. Fifth, for high-risk systems, begin the conformity assessment process even under the proposed extended timeline: a typical compliance program requires 4 to 6 months from initiation to a Declaration of Conformity, and registration in the EU database (Article 71) cannot occur until that process is complete.

The organizations that begin compliance now have the advantage of time under either regime. Those that wait face compressed timelines, higher costs, and enforcement risk: the AI Office and national market surveillance authorities obtain full enforcement powers on 2 August 2026 regardless of the Omnibus, and the prohibited practices and Article 4 obligations are already enforceable today.


## Page: /eu-ai-act-fines-us-companies.html

### Title: EU AI Act Fines for US Companies | Lexara Advisory

### Meta Description: EU AI Act fines and penalties for US companies: up to EUR 35M or 7% of global turnover. See full analysis.

### Canonical: https://lexaraadvisory.com/blog/eu-ai-act-penalties-non-compliance.html


### Content:

This page has moved.


EU AI Act Fines for US Companies

## Page: /eu-ai-act-new-york-higher-education.html

### Title: EU AI Act for NY Higher Education | Lexara Advisory

### Meta Description: How the EU AI Act affects NY universities with EU partnerships. Proctoring, admissions AI, and adaptive learning classification under Annex III.

### Canonical: https://lexaraadvisory.com/eu-ai-act-new-york-higher-education.html


### Content:

Higher Education · Annex III · Updated 8 May 2026

EU AI Act for New York Higher Education Institutions


How the EU AI Act affects New York universities with European partnerships, exchange programs, and cross-border research collaborations.

Education AI is high-risk under the EU AI Act

Annex III (Area 3) of the EU AI Act classifies several categories of educational AI as high-risk: systems that determine access or admission to educational institutions, systems that evaluate learning outcomes, systems that assess appropriate education levels for individuals, and systems that monitor or detect prohibited student behavior during tests. This classification applies regardless of the institution's location when the AI system's output reaches EU individuals.

How New York institutions are affected

The Rockefeller Institute of Government's November 2025 policy brief identified four common activities that trigger EU AI Act obligations for New York higher education institutions. First, enrolling EU nationals in distance or hybrid programs that rely on AI-powered adaptive learning or assessment platforms. Second, operating EU-based study-abroad centers that use home-campus chatbots, learning analytics, or proctoring software. Third, licensing educational technology tools to European partner campuses. Fourth, running US-hosted AI systems whose outputs are viewed or applied inside the EU for research collaboration.

Remote proctoring: a concrete example

AI-powered remote proctoring platforms that use face detection, gaze tracking, or behavior analysis during examinations are classified as high-risk under Annex III (Area 3d: monitoring prohibited behavior during tests). The University of Amsterdam proctoring case in 2020-2021 demonstrated how these systems intersect with privacy and discrimination concerns. Under the EU AI Act, such platforms must now meet full conformity assessment requirements including risk management, data governance, human oversight, and transparency obligations.

If a New York institution co-administers online examinations with a European partner using a US-hosted proctoring system, both the institution (as deployer) and the proctoring vendor (as provider) face EU AI Act obligations.

Emotion recognition prohibition (already enforceable)

Article 5 of the EU AI Act prohibits emotion recognition systems in educational settings. This means AI tools that analyze student facial expressions, voice patterns, or biometric indicators to infer engagement, stress, or emotional states during learning sessions are banned.

This prohibition has been enforceable since 2 February 2025 and is not affected by the Digital Omnibus.

Penalties for prohibited practices reach up to €35M or 7% of global annual turnover, with no transition period available.

Conformity timeline — Digital Omnibus on AI (7 May 2026)

Under the EU AI Act as currently in force, conformity assessments for high-risk education AI must be completed by 2 August 2026. On 7 May 2026, Council and Parliament negotiators reached a provisional political agreement on the Digital Omnibus on AI proposing to defer this deadline to 2 December 2027 for Annex III stand-alone systems. Until the Omnibus is formally adopted and published in the Official Journal, the original 2 August 2026 deadline remains legally binding.

Two obligations remain unaffected: the Article 5 prohibition on emotion recognition in educational settings (enforceable since February 2025) and the Article 4 AI literacy obligation for faculty and staff who deploy AI systems (also already in force). Universities cannot defer compliance with these requirements regardless of the Omnibus outcome.

EU authorised representative for non-EU education vendors

If your institution licenses or distributes US-built AI tools to European partner campuses, the vendor (or the institution itself, if it acts as a provider) must appoint an EU authorised representative under Article 22 before placing the system on the EU market.

Read more about the EU authorised representative requirement and how Lexara coordinates mandates through our partner SecureFound (Spain).

What institutions should do

Conduct an inventory of all AI systems used in programs that involve EU students or partners. Classify each system against Annex III Area 3 criteria. Verify that no prohibited practices (emotion recognition in educational settings, social scoring) are in use — this is the most urgent step because these prohibitions are already enforceable and not affected by the Digital Omnibus. Begin AI literacy training for faculty and staff who deploy AI systems, as Article 4 is also already in force. For confirmed high-risk systems, begin conformity assessment processes: a typical compliance program requires 4 to 6 months from initiation to a Declaration of Conformity, well within either the August 2026 or December 2027 timelines if started now.


## Page: /gdpr-article-22-eu-ai-act-double-compliance.html

### Title: GDPR Article 22 and EU AI Act Double Compliance | Lexara

### Meta Description: When AI makes decisions about EU individuals, GDPR Article 22 and the EU AI Act apply simultaneously. How to build a unified compliance architecture.

### Canonical: https://lexaraadvisory.com/gdpr-article-22-eu-ai-act-double-compliance.html


### Content:

GDPR · Double Compliance · Updated 8 May 2026

GDPR Article 22 + EU AI Act — Double Compliance for Automated Decisions


Understanding the double compliance burden when your AI makes automated decisions about EU individuals.

Two frameworks, one decision

When an AI system makes or substantially influences decisions about EU individuals, two regulatory frameworks apply simultaneously. GDPR Article 22 provides individuals with the right not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects. The EU AI Act adds model-specific obligations on top: risk management, technical documentation, human oversight, and conformity assessments for high-risk systems.

These are not alternative compliance paths. They are cumulative. Meeting one does not exempt you from the other.

What GDPR Article 22 requires

Article 22 establishes a default prohibition on purely automated decision-making with legal or significant effects, with three exceptions: explicit consent, contractual necessity, or authorization by EU or Member State law. When automated decisions are made under these exceptions, organizations must implement suitable safeguards including the right to obtain human intervention, express a point of view, and contest the decision. The data subject must be informed about the existence of automated decision-making, the logic involved, and the significance and envisaged consequences.

What the EU AI Act adds

Beyond GDPR's data protection requirements, the EU AI Act imposes system-level obligations: a continuous risk management system throughout the lifecycle (Article 9), data governance ensuring training data quality and representativeness (Article 10), technical documentation detailed enough for authorities to assess compliance (Article 11), automatic logging of events for traceability (Article 12), transparency sufficient for deployers to understand and supervise the system (Article 13), human oversight enabling effective supervision and intervention (Article 14), and documentation retention for 10 years (Article 18). These are architectural requirements, not just procedural ones.

Where they intersect for US companies

A US fintech company using AI to assess EU loan applicants must satisfy GDPR Article 22 (right to human intervention, transparency about logic, ability to contest), GDPR Articles 13-14 (privacy notices about automated processing), and EU AI Act Annex III Area 5 (full high-risk compliance for credit scoring AI). The practical impact: you need both a GDPR-compliant data protection framework AND an EU AI Act-compliant risk management and conformity system.

Building unified compliance

The efficient approach is to treat GDPR as the data protection layer and the EU AI Act as the system governance layer. GDPR protects the rights of individuals whose data is processed. The AI Act governs how the system processes that data. A unified Data Protection Impact Assessment (DPIA) under GDPR and Fundamental Rights Impact Assessment (FRIA) under EU AI Act Article 27 can address both frameworks with one analytical exercise.

Note — Digital Omnibus on AI (7 May 2026)

On 7 May 2026, Council and Parliament negotiators reached a provisional political agreement on the Digital Omnibus on AI proposing to defer the EU AI Act high-risk deadline from 2 August 2026 to 2 December 2027 (Annex III stand-alone) and 2 August 2028 (Annex I embedded). Until the Omnibus is formally adopted and published in the Official Journal, the original 2 August 2026 deadline remains legally binding.

The double compliance question discussed on this page is not affected by the Omnibus. GDPR Article 22 has been in force since 2018 and is unaffected. The EU AI Act applies in parallel under either timeline. The Omnibus changes only when the high-risk system component of the EU AI Act takes effect — not whether GDPR and the AI Act apply together when AI makes automated decisions about EU individuals.


## Page: /index.html

### Title: EU AI Act & AI Governance Advisory NYC | Lexara Advisory

### Meta Description: AI governance consulting for US organizations navigating EU AI Act, NIST AI RMF, ISO 42001, GDPR, and NYC Local Law 144. NYC-based, European legal formation.

### Canonical: https://lexaraadvisory.com/

Govern AI systems before regulators, customers, or boards do.

Fines up to €35M. Applies to any organization whose AI affects EU individuals. EU AI Act consulting for US companies by Constantin Razvan Gospodin, European-barred attorney (ICATF nº 5961), advising from New York.


European legal expertise · NYC-based advisory · NIST AI RMF · ISO/IEC 42001 · EU AI Act focus

Compliance Architecture

EU AI Act (in force): Art. 2 · Annex III · Art. 22 · Art. 4 AI literacy
GDPR (active): Article 22 · DPIA · Automated decisions
NIST AI RMF (aligned): Govern · Map · Measure · Manage
ISO/IEC 42001 (mapped): AI management system standard
NYC Local Law 144 (active): AEDT bias audits · Employment AI
Annex III deadline: Dec 2027

Governance: AI operating model
Frameworks: NIST AI RMF + ISO 42001
Regulation: EU AI Act + GDPR
Risk: Classification and evidence
Authority: European legal background
Market: NYC and cross-border

Governance Ecosystem

Regulatory readiness becomes more durable when it is built on a governance system, not a one-off legal checklist.

Operating Model: Roles, accountability, lifecycle controls, evidence ownership, escalation paths, and board-ready oversight.
Framework (NIST AI RMF): Govern, Map, Measure, and Manage as practical control language for AI risk decisions.
Management System (ISO/IEC 42001): A structured AI management-system lens for policies, objectives, controls, monitoring, and improvement.
Regulation (EU AI Act): Scope, risk classification, technical documentation, conformity planning, and EU market access.

Regulatory Exposure Snapshot

See the overlapping obligations before they fragment.

Governance Controls (NIST AI RMF + ISO/IEC 42001): Use risk management and AI management-system controls to create repeatable governance evidence.
Regulatory Duties (EU AI Act + GDPR + AI): Connect high-risk AI obligations, automated decision-making, transparency, human oversight, and data protection.
Market Access (EU Representative + Cross-Border AI): Coordinate non-EU provider exposure, Article 22 representation, documentation, and authority interface planning.

Each engagement starts with governance maturity and system exposure, then maps obligations to practical controls.

Governance: Build roles, policies, intake, risk review, monitoring, and board-ready evidence across AI use cases.
Frameworks (NIST AI RMF + ISO 42001 Alignment): Translate risk and management-system principles into lightweight controls, records, and workflows.
EU AI Act: Classify systems, identify Annex III exposure, map Article 2 scope, and prepare a documentation roadmap.
Automated Decision Governance: Align AI governance with Article 22, DPIA/FRIA, transparency, human review, and rights handling.
AI Literacy (Article 4 Literacy Program): Create role-based training, evidence records, and practical literacy expectations for providers and deployers.
EU Market Access (EU Representative Coordination): Plan Article 22 mandate strategy and EU-side coordination for non-EU high-risk AI providers.

Industries We Serve

Sector-specific AI governance for high-impact systems. Different AI use cases create different governance records, risk classifications, and buyer expectations.

Financial Services: Credit, underwriting, fraud, and customer risk models (NIST AI RMF · EU AI Act · GDPR Article 22)
HR Technology: Hiring, screening, promotion, and workforce AI tools (Annex III · AI Literacy)
SaaS: AI features embedded in platforms used across borders (ISO/IEC 42001 · EU scope)
Higher Education: Admissions, proctoring, adaptive learning, and EU partnerships (Annex III · Risk controls)
Healthcare: Clinical support, diagnostic tools, and regulated AI workflows (Monitoring · Documentation)
Enterprise AI: Internal copilots, decision support, procurement, and vendor AI (AI inventory · Governance policy)

Methodology

Identify. Classify. Document. Govern. Monitor. A practical command flow for moving from AI uncertainty to defensible governance evidence.

Identify: Inventory AI systems, vendors, users, decisions, data flows, and EU touchpoints.
Classify: Map risk under NIST AI RMF, ISO/IEC 42001 controls, EU AI Act, GDPR, and sector rules.
Document: Create technical, policy, literacy, DPIA/FRIA, and governance evidence records.
Govern: Assign accountability, approvals, escalation, oversight, and board reporting.
Monitor: Maintain post-deployment controls, model change review, incident signals, and updates.

Founder Authority

European legal background, New York business context.

Practical Example

A fintech using AI for credit and onboarding needs more than one regulation mapped. The governance path starts with system inventory and NIST/ISO-style controls, then classifies EU AI Act exposure, GDPR Article 22 implications, EU Representative needs, and ongoing monitoring evidence. Governance first · EU AI Act second · Evidence throughout.

The existing /blog/ URL becomes a structured Resource Center for articles, guides, checklists, templates, and regulatory intelligence.

Framework Intelligence (NIST AI RMF + ISO 42001): NIST AI RMF vs EU AI Act. Use voluntary AI risk management to support mandatory legal and governance obligations.
AI Literacy (EU AI Act): Article 4 AI Literacy. Role-based literacy and evidence records for providers and deployers.
EU Market Access (EU Representative): EU Representative Coordination. Article 22 mandate planning for non-EU high-risk AI providers.

Strategic Insights

Reviewed guidance for legal, compliance, and AI teams.

Scope (EU AI Act Article 2): When US-built AI systems fall within EU scope.
Double compliance: Automated decisions can trigger more than one regime.
Timeline (EU AI Act dates): Map obligations to governance workstreams.
Employment AI overlap: Detailed guidance on preparing for LL144 bias audits and understanding AEDT classification. Understanding the disclosure obligations and what must be published under LL144.
EU AI Act vs NYC Local Law 144: Compare the EU AI Act's high-risk AI obligations with NYC LL144's employment AI requirements.
HR AI Compliance: Comprehensive compliance support for AI used in hiring, screening, and promotion decisions.

## Page: /nist-ai-rmf-vs-eu-ai-act.html

### Title: NIST AI RMF vs EU AI Act: Unified Framework | Lexara

### Meta Description: NIST AI RMF and EU AI Act: where they align, where they diverge, and how to build a unified compliance framework covering both voluntary and mandatory obligations.

### Canonical: https://lexaraadvisory.com/nist-ai-rmf-vs-eu-ai-act.html

Frameworks · NIST + EU AI Act · Updated 8 May 2026

NIST AI RMF vs EU AI Act — Building a Unified Compliance Framework


Mapping where NIST AI RMF and EU AI Act align, where they diverge, and how to build a framework that satisfies both.

Voluntary vs. mandatory: the fundamental difference

The NIST AI Risk Management Framework (AI 100-1) is a voluntary, consensus-based framework designed to help organizations manage AI risks. The EU AI Act (Regulation 2024/1689) is a binding legal instrument with mandatory requirements and financial penalties. Understanding where they align and where they diverge is essential for US organizations that need to comply with the EU AI Act while leveraging existing NIST-based governance programs.

Where they align

NIST Govern ↔ EU AI Act governance.

NIST's Govern function establishes organizational AI risk management policies, roles, and accountability structures. The EU AI Act requires quality management systems (Article 17), AI literacy (Article 4), and organizational governance. Companies with mature NIST Govern implementations have a strong foundation for EU AI Act governance requirements.

NIST Map ↔ EU AI Act risk classification.

NIST Map identifies and contextualizes AI risks. The EU AI Act's risk classification process (Article 6, Annex III) serves a similar function but with binding categories and specific consequences. NIST Map exercises can directly inform EU AI Act classification analysis.

NIST Measure ↔ EU AI Act conformity.

NIST Measure assesses and tracks AI risks using metrics and testing. The EU AI Act requires accuracy, robustness, and cybersecurity standards (Article 15), bias testing through data governance (Article 10), and conformity assessments (Article 43). NIST measurement practices can contribute to conformity evidence.

NIST Manage ↔ EU AI Act post-market monitoring.

NIST Manage implements risk mitigation strategies. The EU AI Act's post-market monitoring (Article 72), incident reporting (Article 73), and corrective action requirements (Article 20) align conceptually with NIST Manage objectives.

Critical gaps NIST does not cover

Conformity assessment procedures.

NIST has no equivalent to the EU AI Act's formal conformity assessment process, which requires either self-assessment or third-party certification depending on the system type.

EU database registration (Article 71).

No NIST parallel exists for mandatory public registration of AI systems in a government database.

EU authorised representative (Article 22).

Non-EU providers of high-risk AI must appoint an EU authorised representative before placing systems on the market. NIST has no equivalent.

Read more about the EU authorised representative requirement

Declaration of Conformity and CE marking.

The EU AI Act requires a formal Declaration of Conformity for high-risk systems and, where applicable, CE marking. These are EU product safety concepts with no US equivalent.

Specific documentation formats.

Articles 11-12 prescribe detailed technical documentation requirements and automatic event logging. NIST recommends documentation but does not mandate specific formats or retention periods (the EU AI Act requires 10 years).

Mandatory penalties.

NIST non-compliance has no legal consequence. EU AI Act non-compliance carries fines up to €35 million or 7% of global turnover.

Note — Digital Omnibus on AI (7 May 2026)

On 7 May 2026, Council and Parliament negotiators reached a provisional political agreement on the Digital Omnibus on AI proposing to defer the EU AI Act high-risk deadline from 2 August 2026 to 2 December 2027 (Annex III stand-alone) and 2 August 2028 (Annex I embedded). Until the Omnibus is formally adopted and published in the Official Journal, the original 2 August 2026 deadline remains legally binding.

The structural comparison between NIST AI RMF and the EU AI Act on this page is unaffected by the Omnibus. The deferral changes only when high-risk obligations take effect, not which framework imposes them or how they differ from NIST's voluntary structure. Article 5 prohibitions and Article 4 AI literacy remain enforceable since 2 February 2025.

Building a bridged framework

Organizations already implementing NIST AI RMF can extend their existing program to cover EU AI Act requirements by adding the missing elements: formal risk classification against Annex III, conformity assessment procedures, EU database registration, EU authorised representative appointment, specific documentation formats, and penalty-aware governance structures. This approach leverages existing investment while closing compliance gaps.


Frequently Asked Questions

What should I ask an AI vendor before procurement?

Before procuring an AI tool, ask the vendor about risk classification under the EU AI Act, data processing terms under GDPR, training data sources and quality, model performance metrics, bias testing results, human oversight capabilities, and incident reporting procedures. Request documentation for all claims and verify them independently where possible.

Does the EU AI Act apply to AI vendors?

Yes. The EU AI Act imposes obligations on providers of AI systems, including those that develop or place AI systems on the EU market. Providers of high-risk AI systems must comply with conformity assessment, technical documentation, risk management, and registration requirements. Even if a vendor is not based in the EU, its obligations apply when the system affects EU individuals.

What GDPR terms should an AI contract include?

AI contracts should include data processing agreements that specify the roles of controller and processor, the purposes and duration of processing, the types of data and categories of data subjects, the obligations and rights of the controller, and the subprocessor governance structure. For AI systems that make automated decisions, the contract should also address Article 22 requirements and human review mechanisms.

How do I verify an AI vendor's risk classification?

Request a written risk classification from the vendor based on the EU AI Act Annex III categories. For employment AI, credit scoring, or biometric systems, high-risk classification is likely. Ask the vendor to explain its classification rationale and to provide documentation supporting its assessment. If the vendor claims the system is not high-risk, request a detailed written justification (including any reliance on the Article 6(3) exceptions) and evaluate it with your legal counsel; the vendor's self-classification does not discharge your own deployer obligations if the claim turns out to be wrong.

Why do I need a cross-border compliance approach?

Without a unified strategy, organizations duplicate compliance efforts across EU AI Act, GDPR, LL144, and NIST. This wastes resources and creates gaps where obligations are unique to one framework. A cross-border approach identifies overlaps where a single control can satisfy multiple frameworks, and isolates the unique requirements of each regime for targeted action.

Does the NIST AI RMF satisfy EU AI Act requirements?

Partially. NIST provides a strong voluntary foundation. However, the EU AI Act is mandatory with fines up to €35M. Key gaps include conformity assessments, EU database registration, Declaration of Conformity, EU authorised representative appointment, specific documentation formats required by Articles 11-12, and post-market monitoring plans under Article 72.

Does the Digital Omnibus change the cross-border picture?

Not materially. The Omnibus, provisionally agreed on 7 May 2026, proposes to defer the EU AI Act high-risk deadlines but does not change the Act's substantive requirements, scope, or the parallel obligations under GDPR, LL144, NIST AI RMF, or state legislation. For organizations with cross-border exposure, the unified-controls strategy continues to apply, with sequencing adjusted to the new timeline if and when the Omnibus is formally adopted.

Which US states have AI legislation I should track?

Colorado's AI Act is the most comprehensive state-level framework. NYC LL144 covers employment AI specifically. Illinois has the AI Video Interview Act. Several states including California, New Jersey, Massachusetts, and Connecticut have bills in progress. Lexara monitors these developments as part of our ongoing advisory services.

What does an EU AI Act compliance audit include?

A complete audit includes AI system inventory, Article 2 scope assessment for EU nexus, risk classification under Article 6 and Annex III, gap analysis against high-risk requirements (Articles 8-17), conformity assessment roadmap, and documentation templates for technical files, risk management, and human oversight.

How long does the audit take?

A Rapid Exposure Assessment covering up to 5 AI systems takes approximately one week, including a 90-minute stakeholder session and a written report. Comprehensive audits for larger portfolios typically require 3-6 weeks depending on the number and complexity of systems.

Do I need a compliance audit if I am only a deployer?

Yes. Deployers face their own set of obligations under the EU AI Act: following provider instructions, implementing human oversight, monitoring system performance, reporting incidents, and in some cases completing Fundamental Rights Impact Assessments (Article 27). An audit identifies which deployer obligations apply to your specific situation.

What is the EU AI Act?

The EU AI Act (Regulation (EU) 2024/1689) is a European Union regulation establishing a risk-based framework for AI systems. It categorizes AI into prohibited, high-risk, limited-risk, and minimal-risk tiers, with corresponding obligations for providers and deployers.

Does the EU AI Act apply to US companies?

Yes, under Article 2, the EU AI Act applies to any organization that places an AI system on the EU market or puts it into service within the EU, regardless of where the company is headquartered. A US company whose AI system is used by European employees, customers, or partners may fall within scope. Physical presence in the EU is not required.

What is a high-risk AI system under the EU AI Act?

Article 6 and Annex III define high-risk AI systems. These include AI used in employment, education, essential services, law enforcement, migration, and biometric identification. AI systems used in HR, credit scoring, or certain biometric applications are considered high-risk by default and subject to the strictest compliance requirements.

When does the EU AI Act apply to my organization?

The EU AI Act entered into force on 1 August 2024. The Article 5 prohibitions and the Article 4 AI literacy obligation have applied since 2 February 2025. The Digital Omnibus provisional agreement of 7 May 2026 proposes to defer the high-risk deadlines, but that deferral is not law until the Omnibus is adopted and published in the Official Journal. The specific timeline for your organization depends on your AI systems' risk classification and the final adopted text. Consult current official EU sources for the latest adopted deadlines.

What are the fines for violating the EU AI Act?

Under Article 99, fines for prohibited AI practices can reach up to EUR 35 million or 7% of global annual turnover. Violations of high-risk AI obligations carry fines up to EUR 15 million or 3% of global turnover. These fines apply to global revenue, not only EU revenue. Exact amounts depend on the nature and severity of the violation.

## Page: /eu-representation.html

### Title: EU Authorised Representative | Article 22 | Lexara Advisory

### Meta Description: Non-EU providers of high-risk AI systems must appoint an EU Authorised Representative under Article 22. Lexara Advisory coordinates appointment through SecureFound.

### Canonical: https://lexaraadvisory.com/eu-representation.html

Article 22 EU AI Act · Authorised Representative

Your AI system reaches the EU. An EU representative is now mandatory.

Article 22 of Regulation (EU) 2024/1689 requires every non-EU provider of high-risk AI systems to appoint, by written mandate, an Authorised Representative established in the European Union, before placing the system on the market. Lexara Advisory in New York coordinates the appointment with our strategic partner SecureFound, established in Spain.

EU Representative Trust Flow

From non-EU provider to EU authority contact point. The appointment pathway is a trust chain: non-EU organization, EU representative, EU market access, and authority-facing coordination.

Non-EU Organization: Provider outside the Union with high-risk AI or GPAI exposure.
EU Representative: Written mandate through the EU-side representative function.
EU Market Access: Representative details, documentation access, and market-facing readiness.
Authority Contact Point: Coordination path for competent authorities and AI Office requests.

A statutory obligation. Not a compliance preference.

Operating an AI system in the European market from outside the Union without an Authorised Representative is a direct breach of Regulation (EU) 2024/1689. Article 22 governs non-EU providers of high-risk AI systems, including those listed under Annex III. Article 54 applies in parallel to non-EU providers of general-purpose AI models. Both regimes can apply concurrently to the same organization. Enforcement is staged, real, and underway.

Who is affected: Non-EU providers placing AI on the EU market. Providers established in the United States, United Kingdom, Canada, Israel, Singapore, Japan, Australia, and any third country, when their AI systems or GPAI models are placed on the EU market or their output is used in the Union.

What is at stake: Up to €35M / 7% of worldwide turnover. Administrative fines up to €35 million or 7% of total worldwide annual turnover for prohibited practices; up to €15 million or 3% for breaches of Articles 22 and 54 obligations. Plus market access restrictions, withdrawal orders from national authorities, and reputational exposure.

When it applies: Phased timeline through 2028. Article 54 GPAI obligations: in force since 2 August 2025. Article 22 high-risk AI systems: under the Digital Omnibus provisional agreement of 7 May 2026, the application date is 2 December 2027 for stand-alone Annex III systems and 2 August 2028 for Annex I embedded systems. AI Office full enforcement powers: 2 August 2026.

Article 22 or Article 54?

The eligibility test. The AI Act draws a clean line between the two regimes. The table below sets out the distinction. If you are unsure where your system falls, the eligibility review is free and runs in 48 hours.

| | Article 22 | Article 54 |
|---|---|---|
| Scope | High-risk AI systems | General-purpose AI models |
| Examples | Biometrics · Credit scoring · HR & recruitment · Critical infrastructure · Migration · Justice | |
| Reports to | National market surveillance authorities | EU AI Office |
| Open-source exception | No | Yes (unless systemic risk) |
| In force | Phased through 2027–2028 | Since 2 August 2025 |

If all four are true, you must appoint an Authorised Representative:

1. The provider is established outside the European Union.
2. The AI system is high-risk under Annex III, OR the model is a GPAI model.
3. The system or its output reaches the EU market.
4. No legal entity established in an EU Member State acts as provider.

What the mandate covers

The Authorised Representative is not a forwarding service. It is a regulatory role with statutory duties under Articles 22 and 54. Once appointed by written mandate, the representative assumes the operational obligations on behalf of the non-EU provider.

01 Mandate execution. Formal acceptance of the written mandate as your sole Authorised Representative within the European Union, registered correctly across the instructions for use, the EU Declaration of Conformity, and your registration in the EU database under Article 49.

02 Documentation custody. Secure custody of your technical documentation, EU Declaration of Conformity, conformity certificates, and post-market monitoring records for the full statutory period of 10 years. EU data residency. GDPR-compliant infrastructure.

03 Regulatory liaison. Single point of contact for AESIA, the EU AI Office, and any national market surveillance authority. Inbound communications received, triaged, contextualised, and answered with the standards of professional regulatory practice.

04 Authority cooperation. Active cooperation in any investigation, audit, or risk-mitigation procedure. The information and cooperation duties the mandate assigns to the representative under Article 22(3) handled with the procedural rigour the regulation requires.

05 Registration support. Assistance in completing and maintaining the obligations under Article 49 of the AI Act, including the EU database submission and verification of the correctness of the information delivered to authorities.

06 Independent professional judgement. The Act requires the Authorised Representative to terminate the mandate where the provider acts contrary to its obligations. That independence is what makes the representation credible to authorities, and protective for you.

How we deliver this. One partnership, two jurisdictions.

SecureFound, an AI governance consultancy established in Spain, the jurisdiction of AESIA, one of the EU's most active national AI supervisory authorities. SecureFound is led by bar-admitted attorneys with decades of professional formation in European law. They assume the Authorised Representative mandate; Lexara coordinates the engagement on the US side and aligns the work with your broader EU AI Act, GDPR, and US compliance posture.

Strategic partner SecureFound: EU Authorised Representative · EU presence under Articles 22 and 54 · Regulatory liaison (AESIA, EU AI Office) · Documentation custody, 10 years · Bar-admitted leadership in Spain.
Lexara Advisory: EU AI Act gap audit and risk classification · GDPR alignment · NYC Local Law 144 and US state frameworks · Coordination of the EU representative appointment.

How the engagement works

Each appointment runs through a predictable four-step process. Lexara Advisory leads the eligibility review and the coordination on the US side; SecureFound executes the mandate and delivers the ongoing representation in the EU.

Step 1 Eligibility review. We confirm whether your AI system or model triggers Article 22 or 54, classify it under Annex III where applicable, and map your EU market entry timeline. Free · 48 hours.

Step 2 Mandate drafting.

Step 3 Mandate execution. Formal signature. Your representative details are immediately ready for inclusion in your instructions for use, EU Declaration of Conformity, and EU database registration under Article 49.

Step 4 Ongoing representation. Documentation custody, regulatory liaison, post-market monitoring cooperation, and authority interaction for the lifecycle of the mandate. Lexara coordinates the broader EU AI Act and GDPR alignment.

Need to appoint an EU Authorised Representative?

Free 48-hour eligibility review. We confirm whether Article 22 or 54 applies to your AI system, classify it under Annex III, and outline next steps for the appointment with SecureFound.

Lexara Advisory is an AI governance consultancy. Not legal advice under U.S. law. The Authorised Representative mandate under Articles 22 and 54 of Regulation (EU) 2024/1689 is executed by SecureFound S.L. (NIF B-56538416) under a separate written engagement. Lexara Advisory coordinates the engagement and aligns it with the client's broader compliance posture. SecureFound is not a law firm and does not provide legal advice. Both firms operate under European professional standards.

## Page: /faq.html

### Title: EU AI Act FAQ for US Companies | Lexara Advisory

### Meta Description: Answers to the most common questions about EU AI Act compliance for US-based companies. Fines, scope, high-risk AI, authorised representatives, and how to comply.

### Canonical: https://lexaraadvisory.com/faq

Knowledge Base

EU AI Act FAQ for US Companies

Answers to the most common questions about EU AI Act compliance for US-based organizations. Updated June 2026 to reflect the Digital Omnibus provisional agreement of 7 May 2026.

Understanding Your Exposure

Does the EU AI Act apply to US companies?

Yes. The EU AI Act applies to any organization that places an AI system on the EU market or puts it into service within the EU, regardless of where the company is incorporated. A US company whose AI system is used by European employees, customers, or partners falls within scope.

My company uses AI for hiring. Does the EU AI Act apply?

Very likely yes. AI systems used in recruitment, CV screening, interview scheduling, or candidate scoring are explicitly listed in Annex III of the EU AI Act as high-risk AI systems. If those systems affect EU-based applicants or employees, compliance obligations apply even if your company has no office in Europe.

What happens if my AI system affects European employees?

If your AI system makes or informs decisions about EU-based workers, it is likely classified as high-risk under Annex III. This triggers mandatory obligations including a conformity assessment, transparency measures, human oversight requirements, and registration in the EU AI Act database before deployment.

Do I need to register my AI system in Europe?

High-risk AI systems under Annex III must be registered in the EU database managed by the European Commission before they are placed on the market or put into service. Registration is a provider obligation: a US provider without an EU establishment must appoint an EU Authorised Representative, which handles the registration on its behalf. If you only deploy a vendor's system, confirm in the contract that the vendor has completed this registration rather than assuming it.

Understanding the Risk

What is a high-risk AI system under the EU AI Act?

Annex III of the EU AI Act lists eight categories of high-risk AI, including systems used in critical infrastructure, education, employment, essential services, law enforcement, migration, and administration of justice. AI used in HR, credit scoring, biometric identification, or public benefit allocation is considered high-risk by default and subject to the strictest compliance requirements.

What fines can a US company receive for violating the EU AI Act?

Fines for prohibited AI practices can reach EUR 35 million or 7% of global annual turnover (Article 99). Violations of high-risk AI obligations carry fines up to EUR 15 million or 3% of global turnover. Providing incorrect information to authorities can result in fines up to EUR 7.5 million or 1.5% of turnover. These fines are calculated on global turnover, not just EU revenue.

What is an EU Authorised Representative for the AI Act?

An EU Authorised Representative is a legal entity or natural person established in the EU that a non-EU provider designates in writing to act on their behalf regarding EU AI Act obligations. The representative handles registration, maintains technical documentation, and serves as the point of contact for EU authorities. SecureFound S.L. (Tenerife, Spain) provides this service for US companies through Lexara Advisory.

Does the EU AI Act apply if I have no office in Europe?

Yes. Physical presence in the EU is not required. The Act applies based on where the AI system is used or who it affects, not where the provider is located. A US company deploying AI that affects EU residents, workers, or users must comply and must appoint an EU Authorised Representative if it has no EU establishment.

Finding Solutions

How do I comply with the EU AI Act as a US company?

Compliance starts with a gap assessment to determine which of your AI systems fall within scope and at what risk level. For high-risk systems, this leads to a conformity assessment, technical documentation, a risk management system, data governance measures, and EU registration. Lexara Advisory provides structured compliance programs tailored to US organizations with European AI exposure.

What is an EU AI Act compliance audit?

A compliance audit evaluates your AI systems against EU AI Act requirements. It covers risk classification, documentation gaps, data governance practices, human oversight mechanisms, transparency obligations, and registration requirements. Lexara Advisory's audit produces a detailed gap report with prioritized remediation steps.

How much does an EU AI Act compliance audit cost?

Pricing depends on the number of AI systems in scope, their risk classification, and the complexity of your data environment. Contact Lexara Advisory for a scoping call and fixed-fee proposal.

Who can help with EU AI Act compliance in New York?

Evaluating Providers

What is included in an AI Act compliance gap assessment?

A gap assessment covers: (1) inventory and classification of all AI systems in scope; (2) risk level determination against Annex III and Annex II criteria; (3) review of existing documentation, data governance, and human oversight practices; (4) identification of compliance gaps against applicable obligations; and (5) a prioritized remediation roadmap with timelines.

Does an EU AI Act consultant need to be a lawyer?

No. EU AI Act compliance is primarily a governance, technical, and risk management discipline. Legal advice on specific regulatory disputes or enforcement proceedings requires a licensed attorney. Lexara Advisory operates as a consulting firm and handles governance frameworks, documentation, and compliance programs. We are not a US law firm and do not provide legal representation.

Ready to assess your EU AI Act exposure?

Start free assessment

## Page: /gdpr-ai.html

GDPR Compliance for AI Systems

GDPR and AI: Double compliance, single governance system. Align automated decision-making, data protection, and AI governance under one operating model.

GDPR Article 22 and Automated Decision-Making

Article 22 of the GDPR grants individuals the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects or significantly affects them. When AI systems are involved in such decisions, organizations must assess whether Article 22 applies and what safeguards are required. The analysis depends on the specific system architecture: does the AI make the final decision, or does it merely inform a human decision? Does the system use profiling that evaluates personal aspects of an individual? The answers determine which obligations apply under the GDPR and how they interact with the EU AI Act.

DPIA Requirements for AI Systems

A Data Protection Impact Assessment (DPIA) is required when AI processing is likely to result in a high risk to the rights and freedoms of natural persons. National supervisory authorities may publish lists of processing activities that require a DPIA. AI systems typically fall within these lists when they involve systematic and extensive profiling, automated decision-making, or large-scale processing of sensitive data.

Data Governance for AI Training and Inference

GDPR data protection principles apply throughout the AI lifecycle, from training data collection to inference and output. Organizations must ensure that personal data used to train or operate AI systems is processed lawfully, fairly, and transparently. Key governance considerations include: purpose limitation for data collected for one purpose and repurposed for model training; data minimization in selecting features and training datasets; accuracy of data used to make decisions about individuals; and retention and deletion policies for data that feeds AI systems. The difficulty of explaining how individual data points influence model outputs creates additional governance complexity.

Transparency and Explainability Obligations

Articles 13 and 14 of the GDPR require organizations to provide individuals with meaningful information about the logic involved in automated decision-making, as well as the significance and envisaged consequences. For AI systems, this means explaining what factors the system considers, how the system processes them, and what impact the decision may have. Explainability requirements interact with the EU AI Act's transparency obligations for high-risk AI systems. Organizations should coordinate their GDPR and AI Act transparency documentation so that privacy notices and technical documentation remain consistent and do not contradict each other.

Rights of Data Subjects in AI Contexts

Data subjects have the right to access, rectification, erasure, data portability, and restriction of processing. In AI contexts, these rights can be difficult to operationalize. How does an individual exercise the right to erasure when their data has been used to train a model? How does data portability apply to AI-generated profiles?

Overlap with the EU AI Act

The GDPR and EU AI Act are separate legal instruments that operate in parallel. The GDPR protects personal data and privacy rights; the EU AI Act regulates AI systems based on risk levels. An AI system may be subject to both frameworks simultaneously. For example, an AI system used for HR screening that processes personal data of EU residents may require both a GDPR DPIA and an EU AI Act Fundamental Rights Impact Assessment (FRIA). The human oversight requirements in both frameworks should be mapped to avoid conflicting or redundant processes. Lexara Advisory provides gap analysis that identifies these overlaps and helps organizations build integrated compliance evidence.

Does GDPR Article 22 apply to AI systems?

Article 22 of the GDPR grants individuals the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects or significantly affects them. AI systems that make or substantially contribute to such decisions may trigger Article 22 obligations. The analysis depends on the specific system, its role in the decision, and the nature of the impact on individuals.

When is a DPIA required for an AI system?

Under GDPR, a Data Protection Impact Assessment (DPIA) is required when processing is likely to result in a high risk to the rights and freedoms of natural persons. AI systems that involve systematic and extensive profiling, automated decision-making, or large-scale processing of sensitive data typically require a DPIA. National supervisory authorities may publish lists of processing activities that require a DPIA.

How does GDPR overlap with the EU AI Act?

The GDPR and the EU AI Act operate in parallel but address different risks. The GDPR protects personal data and privacy rights, including through Article 22 on automated decisions and DPIA requirements. The EU AI Act regulates AI systems based on risk levels, with specific obligations for high-risk AI. An AI system may be subject to both frameworks simultaneously, creating what Lexara calls double compliance obligations.

What transparency obligations apply to AI under GDPR?

Articles 13 and 14 of the GDPR require controllers to inform individuals about the existence of automated decision-making, including profiling, and provide meaningful information about the logic involved, as well as the significance and envisaged consequences of such processing. For AI systems, this means explaining the role of the AI in a decision, the factors considered, and the potential impact on the individual.

What rights do data subjects have in relation to AI decisions?

Under GDPR Article 22, data subjects have the right not to be subject to solely automated decisions with legal or significant effects, unless specific conditions apply. They also have the right to obtain human intervention, to express their point of view, and to contest the decision. These rights apply in addition to standard data subject rights such as access, rectification, erasure, and data portability.

Does the EU AI Act classify HR AI as high-risk?

Yes. AI systems used in employment contexts—including recruitment, candidate screening, promotion decisions, and performance monitoring—are listed in Annex III of the EU AI Act as high-risk. This classification applies when the system affects EU-based employees or applicants, regardless of where the employer is headquartered.

What does NYC Local Law 144 require for employment AI?

NYC Local Law 144 requires employers using automated employment decision tools (AEDTs) to conduct annual bias audits, publish summary results, and provide candidates with advance notice of automated screening. Lexara advises on LL144 readiness as part of a broader HR AI governance framework.

How does GDPR Article 22 apply to AI hiring tools?

GDPR Article 22 grants individuals the right not to be subject to solely automated decisions with legal or significant effects. In HR contexts, this means candidates and employees may have rights to human review, contest decisions, and receive meaningful information about the logic involved.

What is the EU AI Act Article 4 AI literacy requirement for HR?

Article 4 of the EU AI Act requires providers and deployers to ensure a sufficient level of AI literacy among staff. For HR teams, this means understanding how AI tools operate, their limitations, and the legal obligations that apply to their use. Lexara designs role-based literacy programs with defensible evidence records.

What documentation should HR teams maintain for AI tools?

HR teams should maintain system inventories, risk classification records, vendor due diligence files, bias audit results, training completion records, and evidence of human oversight. These records support both internal governance and external regulatory scrutiny.

Questions executives ask before committing

Why lead with AI Governance instead of only EU AI Act compliance?

Because the strongest compliance evidence comes from a repeatable governance operating model. EU AI Act readiness is more durable when AI inventory, risk classification, documentation, accountability, and monitoring already exist.

Where do NIST AI RMF and ISO/IEC 42001 fit?

They provide practical governance and management-system structures. Lexara uses them as visible frameworks for risk controls, records, monitoring, and accountability, while mapping legal obligations such as the EU AI Act and GDPR + AI.

Does Lexara provide legal advice?

No. Lexara Advisory LLC provides AI governance consulting and is not a law firm. The founder's European legal background supports regulatory analysis and governance design, but Lexara does not practice US law.

Next Step

Build an AI governance roadmap before exposure compounds. Start with the existing free assessment to triage governance maturity, EU AI Act scope, GDPR + AI overlap, AI literacy, EU Representative exposure, and legacy LL144 signals.

EU AI Act Compliance for US Companies

Answers to what our clients ask most.

Does the EU AI Act apply to US companies?

Yes. The EU AI Act applies to any organization that places an AI system on the EU market or puts it into service within the EU, regardless of where the company is incorporated. A US company whose AI system is used by European employees, customers, or partners falls within scope.

My company uses AI for hiring. Does the EU AI Act apply?

Very likely yes. AI systems used in recruitment, CV screening, interview scheduling, or candidate scoring are explicitly listed in Annex III as high-risk. If those systems affect EU-based applicants or employees, compliance obligations apply even if your company has no office in Europe.

What is a high-risk AI system under the EU AI Act?

Annex III lists eight categories of high-risk AI including systems used in employment, education, essential services, law enforcement, and migration. AI used in HR, credit scoring, or biometric identification is considered high-risk by default and subject to the strictest compliance requirements.

What fines can a US company receive for violating the EU AI Act?

Fines for prohibited AI practices can reach EUR 35 million or 7% of global annual turnover (Article 99). Violations of high-risk AI obligations carry fines up to EUR 15 million or 3% of global turnover. These fines apply to global revenue, not just EU revenue.

How do I comply with the EU AI Act as a US company?

Compliance starts with a gap assessment to determine which AI systems fall within scope and at what risk level. For high-risk systems, this leads to a conformity assessment, technical documentation, a risk management system, data governance measures, and EU registration. Lexara Advisory provides structured compliance programs for US organizations.

Does the EU AI Act apply if I have no office in Europe?

Yes. Physical presence in the EU is not required. The Act applies based on where the AI system is used or who it affects. A US company deploying AI that affects EU residents must comply and must appoint an EU Authorised Representative if it has no EU establishment.

## Page: /ll144-aedt-bias-audit.html

NYC LL144 AEDT Bias Audit Readiness

NYC Local Law 144 advisory for employers using AI in hiring. Readiness support, documentation review, and audit workflow advisory — not guaranteed compliance or official certification.

What Is NYC Local Law 144?

NYC Local Law 144 of 2021 is a municipal law that requires employers and employment agencies using automated employment decision tools (AEDTs) in New York City to conduct annual independent bias audits, provide notice to candidates and employees, and publish summary results. The law became enforceable on July 5, 2023. It is a municipal law, not a federal or state law, and applies within the City of New York. The law reflects a growing trend toward regulating AI in employment contexts. Its requirements are specific to New York City and may interact with other obligations, including federal anti-discrimination laws, state privacy laws, and the EU AI Act for organizations that also operate in Europe. Lexara Advisory provides readiness support for organizations navigating these overlapping requirements.

What Is an AEDT (Automated Employment Decision Tool)?

An AEDT is a computational process derived from machine learning, statistical modeling, data analytics, or artificial intelligence that produces a prediction, score, classification, or recommendation used to substantially assist or replace discretionary decision-making in employment decisions. This definition includes tools used for hiring, promotion, termination, and other employment actions. Whether a particular tool qualifies as an AEDT depends on the specific tool, its role in the decision process, and the context of its use. A tool that merely ranks candidates may be treated differently from one that makes final hiring recommendations. Determining whether a tool meets the statutory definition requires individualized analysis of its functionality, inputs, outputs, and decision role.

When LL144 May Apply

Organizations with remote hiring practices, multi-state operations, or vendor-provided tools should examine whether their tools trigger LL144 requirements. The applicability analysis must consider the specific tool, the employment decisions it supports, and the geographic scope of its use. Lexara Advisory provides classification support to help organizations assess whether LL144 may apply to their specific tools and circumstances.

Candidate and Employee Notice Requirements

Notice must be provided at least 10 business days before the AEDT is used, and candidates must have the opportunity to request an alternative process or accommodation. The exact content and timing of notice depends on the specific tool and the employment process. Lexara Advisory reviews notice practices and documentation to help organizations understand what notice obligations may apply to their specific circumstances.

Independent Bias Audit Requirements

The exact requirements for a bias audit depend on the specific tool and the data available. LL144 does not prescribe a single methodology, and the adequacy of any audit methodology depends on the specific circumstances of the tool being audited. Organizations must also consider that demographic data may not always be available, and the law recognizes certain limitations in data collection. Lexara Advisory provides audit workflow advisory to help organizations understand the audit requirements that may apply to their tools.

Public Summary Requirements

The summary must be made available for at least six months after the latest distribution date of the AEDT. Organizations must ensure that published summaries are accurate and consistent with the audit results. The specific disclosure requirements and the format of the summary depend on the specific tool and the audit findings. Lexara Advisory provides documentation review to help organizations understand what public summary obligations may apply to their specific circumstances.

Selection Rate and Scoring Rate Concepts

A selection rate measures the proportion of candidates from a demographic group who pass a screening or assessment stage and advance to the next stage. A scoring rate measures the proportion of candidates from a demographic group who receive a score above a threshold that advances them in the process. These rates are used to evaluate whether a tool produces different outcomes across demographic groups. The specific rates that are relevant depend on how the tool is used in the employment process. Some tools produce pass/fail outcomes, while others produce continuous scores. The audit methodology must be appropriate for the type of output the tool produces. Lexara Advisory provides classification support to help organizations understand which rate concepts apply to their specific tools.

Impact Ratio Concept

An impact ratio compares the selection or scoring rate of one demographic group to that of the highest-performing group. For example, if the selection rate for female candidates is 40% and the selection rate for male candidates is 50%, the impact ratio for female candidates would be 0.80 (40/50). Impact ratios are used to assess whether a tool produces disparate outcomes across groups. The interpretation of impact ratios depends on the specific context, the size of the candidate pool, and the statistical significance of the difference. An impact ratio below a certain threshold may suggest disparate impact, but the threshold is not fixed in the law and depends on the specific circumstances. Lexara Advisory provides audit workflow advisory to help organizations understand how impact ratio analysis may apply to their specific tools.

Demographic Data Limitations

The availability and quality of demographic data can affect the feasibility and accuracy of a bias audit. Organizations should assess what data they have, what data they can lawfully collect, and what methods are appropriate for their specific circumstances. Lexara Advisory provides documentation review to help organizations understand the data limitations that may affect their audit readiness.

Vendor Documentation Needs

Organizations that use third-party AEDTs often rely on vendors for documentation about the tool's design, training data, performance, and bias testing. LL144 places obligations on the employer or employment agency, not the vendor, so organizations must ensure that they have sufficient documentation to support their compliance efforts. Vendor documentation may include information about the tool's purpose, the data used to train it, the features it evaluates, the outputs it produces, and any internal bias testing the vendor has conducted. The adequacy of vendor documentation depends on the specific tool and the organization's compliance obligations. Lexara Advisory provides documentation review to help organizations assess whether their vendor documentation is sufficient for their specific circumstances.
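The selection rate, scoring rate and impact ratio concepts described above, worked through in code. This is an added example written for this page, not Lexara Advisory's audit method or a tool the page describes; the candidate records are constructed to reproduce the 40% vs 50% illustration, and the minimum-group-size rule and the handling of candidates without demographic data are assumptions about how an auditor might treat the small-pool and missing-data caveats the text raises.

```python
"""Selection rates, scoring rates and impact ratios for an AEDT bias audit,
computed as the page describes: each group's rate is divided by the rate of
the highest-rated group. Added worked example, not Lexara Advisory's method;
all candidate records below are constructed."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

UNDISCLOSED = "undisclosed"  # candidates who provided no demographic data


@dataclass
class Candidate:
    group: Optional[str]  # demographic category, or None if not disclosed
    score: float          # the tool's output for a continuous-score tool
    advanced: bool        # whether the candidate passed a tool-gated stage


def _group_of(c: Candidate) -> str:
    return c.group if c.group is not None else UNDISCLOSED


def _rates(candidates, predicate):
    """Per-group proportion of candidates satisfying predicate, plus group sizes."""
    seen = defaultdict(int)
    hits = defaultdict(int)
    for c in candidates:
        g = _group_of(c)
        seen[g] += 1
        hits[g] += 1 if predicate(c) else 0
    return {g: hits[g] / seen[g] for g in seen}, dict(seen)


def selection_rates(candidates):
    """Pass/fail tools: share of each group that advanced to the next stage."""
    return _rates(candidates, lambda c: c.advanced)


def scoring_rates(candidates, threshold):
    """Continuous-score tools: share of each group scoring at or above threshold."""
    return _rates(candidates, lambda c: c.score >= threshold)


def impact_ratios(rates, counts, min_group_size=1):
    """Each disclosed group's rate divided by the highest rate among disclosed
    groups with at least min_group_size candidates (assumed rule). Smaller
    groups get None instead of a ratio a handful of candidates would make
    meaningless, and they do not set the benchmark rate. Undisclosed
    candidates never enter the comparison; their count is returned separately."""
    eligible = {g: r for g, r in rates.items()
                if g != UNDISCLOSED and counts[g] >= min_group_size}
    top = max(eligible.values(), default=0.0)
    ratios = {}
    for g, r in rates.items():
        if g == UNDISCLOSED:
            continue
        if g not in eligible or top == 0:
            ratios[g] = None
        else:
            ratios[g] = round(r / top, 4)
    return ratios, counts.get(UNDISCLOSED, 0)


def audit_report(candidates, threshold, min_group_size=1):
    """Run both rate analyses and return impact ratios for each."""
    sel, counts = selection_rates(candidates)
    sco, _ = scoring_rates(candidates, threshold)
    sel_ratios, undisclosed = impact_ratios(sel, counts, min_group_size)
    sco_ratios, _ = impact_ratios(sco, counts, min_group_size)
    return {"selection": sel_ratios, "scoring": sco_ratios,
            "undisclosed_candidates": undisclosed, "group_sizes": counts}


def sample_candidates():
    """Constructed data: 4 of 10 female and 5 of 10 male candidates advance
    (the page's 40% vs 50% case), plus one very small group and two
    candidates without demographic data."""
    f_scores = [82, 75, 71, 66, 58, 54, 49, 45, 40, 33]
    m_scores = [90, 84, 77, 73, 69, 61, 55, 50, 44, 38]
    cands = [Candidate("female", s, i < 4) for i, s in enumerate(f_scores)]
    cands += [Candidate("male", s, i < 5) for i, s in enumerate(m_scores)]
    cands += [Candidate("nonbinary", 91, True)]
    cands += [Candidate(None, 80, True), Candidate(None, 42, False)]
    return cands


if __name__ == "__main__":
    report = audit_report(sample_candidates(), threshold=70, min_group_size=5)
    for key, value in report.items():
        print(f"{key}: {value}")
```

With `min_group_size=5` the single-candidate group is reported as None rather than becoming the 100% benchmark that would drag every other group's ratio down; with `min_group_size=1` it does set the benchmark, which is the small-pool distortion the text warns about.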
Audit Readiness Workflow

What is NYC Local Law 144?

NYC Local Law 144 of 2021 is a municipal law that requires employers and employment agencies using automated employment decision tools (AEDTs) in New York City to conduct annual independent bias audits, provide notice to candidates and employees, and publish summary results. The law became enforceable on July 5, 2023. It is a municipal law, not a federal or state law, and applies within the City of New York.

What is an AEDT (Automated Employment Decision Tool)?

An AEDT is a computational process derived from machine learning, statistical modeling, data analytics, or artificial intelligence that produces a prediction, score, classification, or recommendation used to substantially assist or replace discretionary decision-making in employment decisions. The definition depends on the specific tool, its role in the decision process, and the context of its use. Determining whether a particular tool qualifies as an AEDT requires careful analysis of the tool's functionality and its role in employment decisions.

What is a bias audit under LL144?

Under LL144, a bias audit is an impartial evaluation by an independent auditor that assesses whether an AEDT has a disparate impact on candidates or employees based on sex, race, or ethnicity. The audit must examine the tool's selection or scoring rates across demographic groups. The exact requirements for a bias audit depend on the specific tool and the data available. LL144 does not prescribe a single methodology, and the adequacy of any audit methodology depends on the specific circumstances of the tool being audited.

What should AI buyers verify before signing a vendor contract?

Buyers should verify the vendor's risk classification documentation, conformity assessment evidence, technical documentation availability, update and patching protocols, data processing terms, transparency materials, and human oversight capabilities. These items should be reflected in contract terms and service-level agreements.

How do EU AI Act provider obligations affect AI buyers?

Under the EU AI Act, providers bear primary responsibility for conformity assessments, technical documentation, and CE marking for high-risk AI systems. Deployers (buyers) must verify that providers have fulfilled these obligations, follow provider instructions, implement human oversight, and monitor performance. Lexara helps buyers build verification checklists.

What GDPR considerations apply to AI vendor contracts?

AI vendor contracts should address data processing roles (controller/processor), lawful basis for processing, data minimization, retention limits, subprocessor governance, security measures, breach notification, audit rights, and cross-border transfer safeguards. These provisions are especially critical for HR AI, financial AI, and health AI systems.

How should buyers monitor AI vendors after deployment?

Ongoing monitoring should include periodic review of vendor updates, model change notifications, incident reports, performance drift, bias audit results, and compliance with evolving regulatory requirements. Contracts should specify the vendor's obligation to notify buyers of material changes that affect risk classification or compliance.

What documentation should buyers request from AI vendors?

Buyers should request technical documentation, risk management system records, data governance descriptions, transparency information, human oversight instructions, and conformity assessment evidence. For high-risk AI under the EU AI Act, this documentation is essential for the deployer's own compliance obligations.

## Page: /contact.html

Take our free AI Regulatory Readiness Assessment to evaluate your exposure level and next steps.

Start the Free Assessment


Lexara Advisory LLC provides AI governance consulting and is not a law firm. This article reflects our understanding of applicable regulations as of the date of publication. It does not constitute legal advice. Organizations should consult qualified legal counsel for advice specific to their circumstances.