
    EU AI Act Compliance Checklist for 2025

    The EU AI Act (Regulation 2024/1689) is the world's first comprehensive legal framework for artificial intelligence. It entered into force on 1 August 2024 with a staged implementation timeline. This guide breaks down every obligation by role, risk level, and deadline.

    Key Deadlines

    Date | What Applies
    2 Feb 2025 | Prohibited AI practices (Article 5) and AI literacy (Article 4)
    2 Aug 2025 | GPAI model obligations, governance structure, confidentiality rules, penalties framework
    2 Dec 2027 | Full application — all high-risk AI system obligations, conformity assessment, CE marking, registration, deployer duties
    2 Aug 2028 | Article 6(1) obligations — high-risk AI systems that are safety components of products covered by EU harmonisation legislation
    31 Dec 2030 | Legacy AI systems in large-scale EU IT systems (Annex X) must be brought into compliance

    Prohibited AI Practices (Article 5)

    The following AI practices are banned outright, with fines up to EUR 35 million or 7% of global annual turnover:

    • Subliminal manipulation or deceptive techniques causing significant harm
    • Exploitation of vulnerabilities due to age, disability, or social/economic situation
    • Social scoring by public authorities leading to detrimental treatment
    • Real-time remote biometric identification in public spaces for law enforcement (with narrow exceptions)
    • Untargeted scraping of facial images from the internet or CCTV for facial recognition databases
    • Emotion recognition in workplaces and educational institutions (with narrow exceptions)
    • Biometric categorisation to infer race, political opinions, trade union membership, religious beliefs, or sexual orientation
    • Individual predictive policing based solely on profiling

    Provider Obligations (Article 16)

    Providers of high-risk AI systems bear the heaviest compliance burden. Before placing a system on the market or putting it into service, providers must:

    1. Risk management system (Art. 9) — Establish a continuous, iterative process throughout the AI system's entire lifecycle
    2. Data governance (Art. 10) — Ensure training, validation, and testing datasets meet quality criteria with appropriate statistical properties
    3. Technical documentation (Art. 11, Annex IV) — Prepare comprehensive documentation covering all 9 required sections before market placement
    4. Record-keeping (Art. 12) — Build in automatic logging capabilities proportionate to the system's intended purpose
    5. Transparency (Art. 13) — Design the system so deployers can interpret output and use it appropriately
    6. Human oversight (Art. 14) — Implement measures enabling effective human oversight during the system's use
    7. Accuracy, robustness & cybersecurity (Art. 15) — Achieve appropriate levels throughout the lifecycle
    8. Quality management system (Art. 17) — Document policies and procedures ensuring ongoing compliance
    9. Conformity assessment (Art. 43) — Complete the appropriate assessment procedure before market placement
    10. EU Declaration of Conformity (Art. 47) — Draw up and keep updated for each high-risk AI system
    11. CE marking (Art. 48) — Affix visibly, legibly, and indelibly to the system
    12. EU database registration (Art. 49) — Register the system and the provider in the EU database before market placement

    Deployer Obligations (Article 26)

    Organisations that use high-risk AI systems (deployers) have their own set of obligations:

    • Use per instructions — Implement appropriate technical and organisational measures to use the system according to the provider's instructions for use
    • Human oversight — Assign qualified persons with necessary competence, training, authority, and support to oversee the system's operation
    • Input data relevance — Where the deployer controls the input data, ensure it is relevant and sufficiently representative for the intended purpose
    • Monitoring — Monitor the system's operation based on the instructions for use and inform the provider of any risks or serious incidents
    • Log retention — Keep automatically generated logs for at least 6 months
    • Worker notification — Inform workers' representatives and affected workers before deploying a high-risk AI system in the workplace
    • Fundamental rights impact assessment — For certain deployers (public bodies, private entities providing public services), conduct an assessment of the system's impact on fundamental rights before use

    Importer & Distributor Obligations

    Importers (Article 23) must verify that the provider has completed the conformity assessment, prepared technical documentation, affixed CE marking, and appointed an authorised representative. They must not place a non-conforming system on the market.

    Distributors (Article 24) must verify that the CE marking, the EU declaration of conformity, and the instructions for use are present. They must ensure storage and transport conditions don't jeopardise compliance.

    Penalty Structure (Article 99)

    Violation | Maximum Fine
    Prohibited AI practices (Art. 5) | EUR 35M or 7% global turnover
    Provider, deployer, importer, distributor obligations | EUR 15M or 3% global turnover
    Incorrect or misleading information to authorities | EUR 7.5M or 1% global turnover

    For SMEs and start-ups, fines are capped at the lower of the percentage or fixed amount. Mitigating factors include self-reporting, degree of cooperation, and technical measures already implemented.

    Bottom line: The EU AI Act is not optional. If you develop, deploy, import, or distribute AI systems in the EU, you need to map your obligations now. The prohibited practices rules are already in effect, and full high-risk system obligations apply from December 2027 (deferred from August 2026 by the Digital Omnibus).
