
Regulation (EU) 2024/1689 on Artificial Intelligence (AI Act): How OpenKBS Ensures Compliance for Enterprises

Regulation (EU) 2024/1689 of the European Parliament and of the Council (AI Act) is the world's first legislative act regulating artificial intelligence systems. The Regulation entered into force on 1 August 2024 and applies in a phased manner, with full application from 2 August 2026.

As an EU regulation, the AI Act applies directly in all Member States of the European Union, without the need for national transposition.

The obligation for AI literacy under Art. 4 of the Regulation has been in force since 2 February 2025. Organisations that use AI systems are already required to ensure a sufficient level of AI literacy among their staff.

Built-in compliance audit in OpenKBS Studio

OpenKBS Studio includes a built-in AI Act Compliance Skill that automatically audits the project and generates a structured compliance report. The skill analyzes which AI models are used, classifies them by risk category according to Annex III, verifies the presence of human oversight mechanisms, traceability and transparency measures, and produces a documented report ready for submission to regulatory authorities or internal audit. The process is initiated with a single instruction to the AI agent and requires no additional configuration.


Phased Application

| Date | What comes into force |
| --- | --- |
| 1 August 2024 | The Regulation enters into force |
| 2 February 2025 | Prohibited AI practices (Art. 5) and AI literacy obligation (Art. 4) |
| 2 August 2025 | Rules for general-purpose AI models (GPAI) |
| 2 August 2026 | Full application: high-risk AI systems, conformity assessment, penalties |
| 2 August 2027 | High-risk systems under Annex I (product-embedded high-risk AI: medical devices, machinery, toys) |

AI Literacy Obligation (Art. 4)

Art. 4 of Regulation (EU) 2024/1689 requires providers and deployers of AI systems to take measures ensuring a sufficient level of AI literacy of their staff and of the persons handling AI systems on their behalf.

Who Is Affected

The obligation covers:

  • employees who use AI tools in their daily work;
  • managers who make decisions based on AI outputs;
  • teams responsible for selecting vendors and technologies;
  • contractors and outsourced personnel who operate AI systems on behalf of the organisation;
  • governing bodies with supervisory functions over AI systems.

What Is Required

The Regulation does not prescribe a specific format, duration, or training programme. The standard is adequacy relative to the role, taking into account technical knowledge, experience, education, and the context of use of the AI system.

Generic training that does not address the specific AI systems used in the organisation is considered insufficient. Training must cover:

  • the capabilities and limitations of the specific AI systems;
  • the risks associated with their use;
  • critical evaluation of AI outputs;
  • ethical considerations, including bias and fairness;
  • incident reporting procedures.

How to Demonstrate Compliance

Organisations must maintain:

  • an AI Acceptable Use Policy;
  • an AI literacy policy (training structure, responsibilities, update cycle);
  • records of training conducted with dates, participants, and content;
  • assessment results demonstrating understanding (not just attendance);
  • a log of programme updates.

Penalties

The AI Act does not establish a direct EU-level fine for non-compliance with the obligations under Art. 4. The three penalty tiers of Art. 99 apply to other violations: up to EUR 35 million or 7% of global annual turnover for prohibited practices (Art. 5), up to EUR 15 million or 3% for deployer obligations (Art. 26), up to EUR 7.5 million or 1% for supplying false information. Member States may set their own penalties for Art. 4 violations.


Prohibited AI Practices (Art. 5)

Since 2 February 2025, eight categories of AI practices have been prohibited:

  1. Manipulative AI techniques causing harm;
  2. Exploitation of vulnerabilities (age, disability, socio-economic situation);
  3. Social scoring;
  4. Prediction of individual risk of committing criminal offences;
  5. Untargeted scraping of facial images from the internet or CCTV;
  6. Emotion recognition in the workplace and in education;
  7. Biometric categorisation based on protected characteristics;
  8. Real-time biometric identification in public spaces (with limited exceptions for law enforcement).

Point 6 is directly applicable to any organisation using AI in human resource management.


High-Risk AI Systems (Annex III)

Annex III of the Regulation defines eight areas in which AI systems are classified as high-risk:

| Area | Examples |
| --- | --- |
| Biometrics | Remote biometric identification, emotion recognition |
| Critical infrastructure | Management of energy grids, transport, water supply |
| Education | Admission, grading, group assignment |
| Employment and worker management | Candidate selection, CV screening, performance evaluation, promotion or dismissal decisions |
| Access to essential services | Credit scoring, insurance, social assistance |
| Law enforcement | Evidence evaluation, predictive policing |
| Migration and border control | Visa application assessment, border surveillance |
| Administration of justice | Legal analysis, predictive tools for judicial decisions |

Obligations for Deployers of High-Risk Systems (Art. 26)

Organisations deploying high-risk AI systems are required to:

  • use the systems in accordance with the provider's instructions;
  • ensure human oversight by competent persons;
  • guarantee that input data are appropriate and representative;
  • monitor the operation of the system and report serious incidents;
  • retain automatically generated logs for at least 6 months;
  • inform worker representatives and affected workers before deployment;
  • for systems in the employment domain — inform candidates that AI is involved in the selection process.

How OpenKBS Addresses AI Act Requirements

Traceability of AI Operations (Art. 12, Art. 26)

OpenKBS operates the entire AI infrastructure of its enterprise clients on the platform, including a unified AI proxy for access to multiple AI models (OpenAI, Anthropic, Google).

Every call to an AI model passes through the proxy, which records:

  • which AI model was used and which version;
  • the timestamp of the request;
  • the number of input and output tokens;
  • the project identifier.

This data is stored in the client's infrastructure and is available for audit. It addresses the traceability requirements for outputs (Art. 12) and the log retention obligations (Art. 26(6)).

Human Oversight by Design (Art. 14, Art. 26)

The architecture of OpenKBS is designed so that AI outputs are not executed automatically without human intervention. For enterprise clients:

  • AI systems operate within a managed environment with controlled access;
  • for critical decisions (HR, finance, operations), an approval workflow is applied — AI generates a recommendation, an authorised person confirms or rejects it;
  • every new version of the solution undergoes a structured security review process before deployment to production.

Transparency and AI Content Marking (Art. 50)

OpenKBS provides enterprise clients with tools for marking AI-generated content:

  • origin metadata — every AI response can carry information about the model, version, and generation date;
  • AI Disclosure component — ready for integration into client applications, informing end users that they are interacting with AI or that the content was generated by AI.

AI Literacy (Art. 4)

OpenKBS provides enterprise clients with documentation and consulting on:

  • the capabilities and limitations of AI models available through the platform;
  • the risks across different usage categories;
  • best practices for critically evaluating AI outputs;
  • incident reporting procedures.

This documentation can serve as the foundation for the organisation's internal AI literacy programme.

Compliance Report (Art. 11, Art. 26)

OpenKBS provides enterprise clients with a specialized skill for automated AI Act compliance report generation. The skill is installed in OpenKBS Studio with one click from the Skills section and is activated through an instruction to the AI agent (e.g., "generate AI Act compliance report"). The agent collects data from AI proxy logs, analyzes the project code, and generates a structured report containing:

AI Systems Inventory:

  • complete list of AI models used in the project (e.g. Claude Sonnet 4.6, GPT-4.1, Gemini 2.5 Flash);
  • model versions and providers;
  • number of calls per model for a selected period;
  • total consumption of input and output tokens.

Risk Classification:

  • automatic assessment of risk category according to Annex III (high-risk, limited, minimal);
  • identification of areas falling within the scope of high-risk systems (employment, finance, education);
  • recommendations for additional measures for high-risk AI.

Compliance Measures Status:

  • presence of the AI Act Compliance Skill in the project;
  • status of human oversight mechanisms (approval workflow);
  • presence and completeness of traceability logs;
  • status of the AI Disclosure component;
  • presence of an AI Acceptable Use Policy and an AI literacy policy.

Generated Artefact: The report is generated as a structured document (PDF/JSON), ready to be submitted to regulatory authorities, internal audit committees, or archived as a compliance artefact. Periodic generation (e.g. quarterly) ensures a documented history of AI usage in the organisation.


Prohibited Practices and AI Act Compliance Skill

OpenKBS integrates a specialised compliance skill into enterprise projects — a set of rules that the AI agent loads automatically. These rules include:

Prohibited Operations:

  • emotion recognition in the context of employment or education;
  • social scoring of natural persons;
  • biometric categorisation based on protected characteristics;
  • manipulative techniques exploiting vulnerabilities.

Mandatory Procedures:

  • logging every AI decision with input data, output data, model, and timestamp;
  • for decisions in the areas of employment, finance, and education — pausing and requiring confirmation from an authorised person;
  • adding AI origin metadata to generated content;
  • generating a risk assessment when introducing new AI functionalities.

AI Supply Chain Consolidation

An organisation using AI models from multiple providers (OpenAI, Anthropic, Google) must manage compliance for each separately — different terms of use, different data policies, different transparency levels.

OpenKBS consolidates access to multiple AI models through a unified proxy, operated in the platform's EU infrastructure. The client interacts with one provider (OpenKBS), which manages the integration with AI vendors.

This reduces:

  • the number of providers subject to separate assessment;
  • the complexity of managing different data policies;
  • the administrative burden of documenting the AI supply chain.

Infrastructure Security

The AI Act does not operate in isolation — organisations falling within the scope of Directive (EU) 2022/2555 (NIS2) must ensure compliance with both acts simultaneously. OpenKBS addresses both frameworks through:

  • Dedicated AWS account for each enterprise client — complete isolation and transferability;
  • EU Data Residency — data is hosted in AWS region eu-central-1 (Frankfurt, Germany);
  • Serverless architecture — reduced attack surface, automatic security updates;
  • Encryption — TLS 1.2+ in transit, AES-256 at rest;
  • Audit trail — tracking of all administrative actions.

A detailed description of NIS2 coverage is available in the publication on Directive (EU) 2022/2555.


Summary: Coverage of Key Requirements

| AI Act Requirement | How OpenKBS Addresses It |
| --- | --- |
| AI literacy (Art. 4) | Documentation, consulting, and materials for the AI literacy programme |
| Prohibited practices (Art. 5) | AI Act Compliance Skill with built-in prohibitions |
| Traceability (Art. 12) | AI proxy logs: model, version, timestamp, project |
| Human oversight (Art. 14, 26) | Approval workflow for high-risk decisions |
| Transparency (Art. 50) | AI Disclosure component and origin metadata |
| Logging (Art. 26(6)) | Automatic log storage in client infrastructure |
| Technical documentation (Art. 11) | Automated compliance report per project |
| Worker information (Art. 26(7)) | Consulting on notification procedures |
| Supply chain management | Consolidated AI proxy — one provider instead of many |
| NIS2 + AI Act together | Unified infrastructure covering both acts |

Next Step

If your organisation uses AI systems and needs to ensure compliance with Regulation (EU) 2024/1689, contact us for a consultation on:

  • assessment of current AI usage against the requirements of the Regulation;
  • classification of AI systems by risk categories;
  • implementation of the AI Act Compliance Skill in the managed environment;
  • generation of a compliance report for regulatory authorities or internal audit;
  • AI literacy programme for staff.

The described AI Act compliance services — compliance skill, AI usage audit, human oversight workflow, and compliance report — are part of the OpenKBS Enterprise plan.

This publication is for informational purposes only and does not constitute legal advice. For specific questions about the application of Regulation (EU) 2024/1689, please consult a qualified legal adviser.
