Skip to main content
Operayde
Talk to usGet a quote
Regulatory brief · European UnionAI Act (Regulation 2024/1689)phasedUpdated 15 Apr 2026

EU AI Act — how Operayde maps to the obligations

A plain-English read on how the Operayde appliance model satisfies the AI Act's documentation, logging, and human-oversight obligations for high-risk deployments — written for procurement and compliance teams.

Effective: phased from 2 Feb 2025

The headline

The EU AI Act phases in from 2 February 2025, with the bulk of high-risk system obligations landing on 2 August 2026 (Article 113). Operayde is neither a provider under Article 16 (we do not train or place a general purpose model on the market), nor a deployer under Article 26 (we do not use an AI system in the course of our own professional activity) — we are a distributor of AI infrastructure. Our customers are the deployers.

That matters because it means the obligations the Act imposes fall on the customer's side of the DPA, and the appliance exists specifically to make those obligations cheap to satisfy.

Mapping the obligations

Article 12 — automatic recording of events ("logs"). The appliance persists every prompt, every model response, every gateway decision (allow / rate-limit / refuse) and every administrator action into a signed audit chain. The chain is hash-linked, signed with an Ed25519 key that never leaves the appliance, and exportable monthly as a cryptographically verifiable bundle.

Article 13 — transparency and provision of information. Model cards, datasheet, evaluation summaries and known limitations for every model the appliance ships with are available at /docs/appliance/model-cards and as a signed manifest on the appliance itself. The portal exposes the currently-active model version on every tenant dashboard.

Article 14 — human oversight. Every destructive or billing-impacting operation in the operator portal (policy publish, invoice void, fleet quarantine) is gated by a step-up authentication — operators re-prove their MFA every 5 minutes of sensitive work. The OPA policy bundle is cosign-signed so no one can silently re-deploy a permissive policy.

Article 15 — accuracy, robustness, cybersecurity. The appliance boots from a measured, Secure-Boot-verified image. Workloads run in mTLS-only pods; the only ingress is an Apache2 reverse proxy hardened against direct LLM provider traffic. Penetration testing reports are available under NDA.

What we cannot do for you

The Act's obligations on deployer-side risk management (Article 26), fundamental-rights impact assessment and end-user disclosure are yours to hold. The appliance gives you the evidence you need to discharge them — it does not discharge them for you.

Our regulatory team is happy to walk through any specific sub-clause on a call. Email compliance@operayde.com with your use case.