Risk classification that lives in a spreadsheet is not compliance. It is a label without traceability, without version control, and without a connection to the obligations that follow from it.
EAB stores risk classification server-side — derived from documented evaluation signals, version-controlled, and directly linked to the obligation set it generates.
Risk classification determines which obligations apply, which evidence is required, and which approval path must be followed. It cannot be an informal label — it must be a governed result.
Classification is derived from structured evaluation signals — system purpose, deployment context, affected persons, sector, and applicability of Annex III criteria. Each signal is documented and linked to the classification result.
The classification is stored server-side as part of the system governance record — not in a spreadsheet, not in a document, not in an email thread. It cannot be changed without creating a new version in the audit trail.
The obligation set — which articles apply, which evidence is required, which approval path is mandatory — is generated directly from the classification. Change the classification and the obligation set updates. The connection is structural.
Every classification change is version-controlled — who changed it, when, and based on which updated evaluation signals. The classification history is part of the governance record. There is no silent overwriting.
When a system changes in ways that affect its risk level — new purpose, expanded scope, changed deployment context — re-classification is triggered. The re-classification event and its obligation impact are documented.
The complete classification record — evaluation signals, result, version history, and obligation linkage — is exportable as a structured artefact. Regulators see how the classification was derived, not just what it is.
When classification is stored server-side and version-controlled, it cannot be quietly changed without a governance event. The classification reflects the system — at every point in time.
AI Screening collects structured evaluation signals — system purpose, deployment context, sector, affected persons, and Annex III applicability. Each signal is documented as part of the screening record, not entered informally.
The risk classification is derived from the documented signals and stored server-side. The obligation set is generated from the classification automatically. The link between classification and obligations is structural — not manual.
The supervisor reviews the classification result and evaluation signals before approval. The approved classification is sealed — it becomes the baseline for all subsequent governance events. Changes after approval create a new version.
Material system changes are assessed for re-classification impact. When re-classification is required, the process repeats with updated signals. The classification history shows every version — when it changed, why, and what the new obligation set became.
Risk classification is the root of compliance governance. EAB makes it a governed system result — derived, stored, version-controlled, and obligation-linked.
EU-hosted · Anchored to CELEX 32024R1689