What is an EU AI Act gap analysis?
Most EU AI Act compliance tools tell you whether your AI system is high-risk. That's the starting point — not the finish line. A gap analysis goes further: it identifies which specific technical requirements you don't yet meet, maps each gap to the relevant article in the regulation, and tells you what to do about it.
Classification vs gap analysis
| Classification | Gap analysis |
|---|---|
| Is my system in scope? | What do I need to build? |
| What risk tier? | Which articles apply to me? |
| Am I a Provider/Deployer? | What’s missing right now? |
| Yes/No output | Prioritised remediation list |
| Starting point | Actionable output |
What an EU AI Act gap report covers
Technical pillars (high-risk systems)
For high-risk AI systems under Annex III, a gap report checks nine technical pillars defined in Articles 9–17: risk management system, data governance, technical documentation, logging and record-keeping, transparency and instructions for use, human oversight, accuracy and robustness, conformity assessment, and post-market monitoring. Each pillar maps to a specific article in Regulation EU 2024/1689.
GPAI and foundation models
For general-purpose AI models and foundation models, a gap report covers the seven obligation areas under Articles 53–55: technical documentation, copyright compliance, training data transparency, systemic risk classification, adversarial testing, incident reporting, and cybersecurity measures. These obligations have been in force since August 2025.
Role-aware obligations
A Provider — an organisation that develops or places an AI system on the market — has different obligations from a Deployer — an organisation that uses a third-party AI system. A meaningful gap analysis treats these separately. It also checks whether a Deployer has become a Provider under Article 25 by rebranding or modifying a system — a step most tools miss.
What AI Act Gap produces
- •Role-aware questionnaire: Provider vs Deployer, with Article 25 reclassification check
- •Gap report: each missing pillar mapped to its EU AI Act article with a recommended remediation action
- •Priority flags: Critical (before August 2026) / Important / Nice-to-have
- •Downloadable PDF: share with your legal team, board, or auditor
- •Covers high-risk (Annex III) and GPAI/foundation models
- •Verified against the final published regulation text (Regulation EU 2024/1689, OJ L, 12.7.2024)
This tool is for informational purposes only and does not constitute legal advice. Consult qualified legal counsel for formal compliance determinations.