Skip to main content
      The EU AI Act marks a pivotal shift in the regulatory landscape, aiming to ensure that AI systems deployed within the EU are safe, transparent, and aligned with fundamental rights. It is a risk-based regulatory framework that classifies AI systems into four categories: unacceptable risk, high risk, limited risk, and minimal risk. Compliance is not merely a legal obligation – but a strategic imperative that affects trust, brand reputation, and long-term competitiveness. 
       

      Key implications include mandatory conformity assessments for high-risk AI systems, transparency obligations for AI systems interacting with humans, robust data governance and documentation requirements, and human oversight together with accountability mechanisms. KPMG’s Trusted AI Framework is designed to align with these requirements, offering a structured approach to governance, risk management, and ethical deployment.

      10 key pillars of the Trusted AI Framework

      These principles are operationalized through KPMG’s Trusted AI Council, which oversees policy development, risk assessments, and regulatory alignment.

      Author


      Alexander Zagnetko
      Manager
      Process Organization and Improvement

      Contact us for more information

      Evaluating AI Systems Under the EU AI Act

      When assessing risks, it’s important to evaluate how a tool or technology is used, considering its data sources, decision-making processes, and potential societal impact. Key steps include:

      • AI Maturity Assessment: Evaluate readiness across governance, data, technology, and culture.
      • Use Case Prioritization: Identify high-risk applications and assess their regulatory exposure.
      • Gap Analysis: Compare current practices against EU AI Act requirements.
      • Control Effectiveness Review: Assess safeguards, monitoring mechanisms, and escalation protocols.

      When selecting the right AI solutions, organizations should strive to balance business value, technical feasibility, and regulatory compliance. It is therefore important to consider several questions: Does the solution support the organization’s goals? Are the data sources legal, ethical, and of high quality? Is the technical environment secure and scalable? Are external vendors compliant with AI governance standards?

      When using artificial intelligence, several additional aspects need to be considered. If AI significantly affects people’s access to services, employment, credit, education, or healthcare, it represents a high risk and requires stricter controls. Similarly, if it can generate content, mimic humans, or create so-called deepfakes, transparency measures must be implemented, including clear labelling, verifiability, and content moderation. For autonomous AI agents interacting with systems or data, safeguards should be established - limiting access, using isolated environments, relying only on approved tools, and ensuring continuous monitoring.

      Regulatory compliance cannot be treated as a mere afterthought; it must be fully integrated into the entire AI development lifecycle - from automated comparison of internal policies with regulatory requirements, through thorough documentation and traceability of data and decisions, to ongoing monitoring with real-time alerts and regular training on risks and regulatory expectations.

      Finally, artificial intelligence introduces new cybersecurity risks. Organizations are therefore advised to protect the access points and interfaces through which AI communicates with customers, maintain control over the data and the environment in which the system operates, and carefully assess the reliability of their vendors and partners.

      Frequently Asked Questions

      • Q: We’re integrating a third party LLM via API - do GPAI obligations hit us, or just the model provider?

        A: Article 53 targets model providers (documentation, copyright policy, training‑data summary). But integrators (you) still shoulder system‑level duties, especially where the AI system is high‑risk (risk management, oversight, logs, CE‑marking if applicable). Require providers’ docs and build your own controls. 

      • Q: How do copyright and training data affect us if we’re only deploying?

        A: You must ensure your upstream model provider has a copyright policy and respects TDM opt‑outs; your contracts should make this auditable. If you fine‑tune or retrain, you inherit those obligations. 

      • Q: What makes a model “systemic risk,” and why do we care?

        A: A compute‑threshold creates a presumption (e.g., 10²⁵ FLOPs), and the Commission can designate models based on market impact. Systemic‑risk models face stronger obligations (evals, risk mitigation, incident reporting, cybersecurity). If you rely on such models, vendor selection and monitoring must reflect this. 

      • Q: Will harmonised standards be ready before our 2026 high risk deadlines?

        A: The Commission and JRC expect delays; you should plan on using the GPAI Code, ISO/IEC 42001, and NIST AI RMF as interim scaffolding while mapping controls to emerging CEN‑CENELEC outputs. 

      • Q: How does this all relate to GDPR and the Data Act?

        A: The EDPB is clarifying GDPR expectations for AI (lawfulness, fairness, transparency, accuracy), and the Data Act (applying from Sept 12, 2025) reshapes data access, portability, and cloud switching - especially relevant for model training and enterprise AI stacks. Align your AI and privacy governance to avoid duplicate audits. 

      The EU’s AI rulebook is no longer a concept - it’s becoming a compliance regime with teeth, plus a growing toolbox. The companies that win here won’t just “check the box” - they’ll operationalise trust: predictable launches, better regulator relationships, and faster enterprise sales. For European‑scale growth - or global brands selling into Europe - that’s the moat worth building.

      KPMG’s approach to EU AI Act compliance is grounded in trust, transparency, and transformation. By leveraging its Trusted AI Framework and sector-specific expertise, KPMG empowers organizations to not only meet regulatory requirements but also unlock the full potential of AI responsibly.

      Stay informed with our newsletters

      Do not miss anything important. Choose topics you are interested in and receive regular news via email.

       

      Subscribe
      modrofialove plasticke tvary

      Contact us

      Should you wish more information on how we can help your business or to arrange a meeting for personal presentation of our services, please contact us.

      Alexander Zagnetko
      Alexander Zagnetko

      Manager, Process Organization and Improvement

      KPMG in Slovakia

      Strategic insights for business leaders
      Read more

      Book a free consultation

      Submit your enquiry and connect with KPMG professionals.

      Book a free consultation Stay informed with our newsletters
      NEW JERSEY - MARCH 20: Empty Sky Memorial with sunshine on March 20, 2014 in New Jersey. It is the official New Jersey September 11 memorial to the victims of the September 11 attacks.

      Related content

      A practical overview of obligations, risks, and recommendations for businesses in the era of regulated AI
      Read more

      The AIMA Framework Helps Identify Gaps and Build a Corporate AI Strategy.
      Read more

      Artificial intelligence that can think and act independently is no longer just a vision of the future — it’s becoming a competitive advantage
      Read more

      Make the most of new technologies while avoiding potential risks
      Read more