The EU AI Act (Regulation (EU) 2024/1689) is changing the way European organisations deploy AI on sensitive documents. For lawyers, notaries, company doctors, compliance teams and government bodies, the question is no longer whether AI fits into the working process, but under what conditions. The regulation distinguishes AI systems by risk and imposes concrete obligations on the heaviest category — high-risk AI. This article runs through the core of those rules and then draws the connection to what this means in practice for document-driven AI workflows.
When is an AI system high-risk?
Article 6 of the regulation contains the classification rules for high-risk AI systems. It sets out when a system falls into that category, based amongst other things on the areas of application in Annex III. At the same time, Article 6 provides exceptions: systems that perform only a limited procedural task or that work purely in a preparatory and supporting role do not automatically fall under the full high-risk regime.
In practice this means a nuanced picture. An AI agent that autonomously takes or prepares decisions in a sensitive domain — think of decision-making that directly affects people — is more likely to end up in the high-risk category. A tool that merely summarises, highlights or makes a suggestion that a professional then assesses themselves may, depending on the context, remain lower-risk. Where exactly the line lies depends on the concrete application; Article 6 is the starting point of that analysis, not the end point.
Obligations for providers and deployers
Article 16 describes the obligations for providers of high-risk AI systems. These include, amongst others, a quality management system, technical documentation, logging, a conformity assessment, corrective measures and the ability to demonstrate compliance to competent authorities. The High-level summary of the AI Act summarises the associated technical requirements: risk management, data governance, transparency, human oversight, accuracy, robustness and cybersecurity. The common thread is that high-risk AI must be explainable, traceable and verifiable — not an opaque black box.
At least as important for organisations that buy AI rather than build it: Article 26 imposes obligations on deployers. They must assign competent human oversight, monitor operation, ensure representative input data, keep logs for at least six months, and suspend use and inform the authorities in the event of a serious incident. There is also a duty to inform employees when high-risk AI is deployed in the workplace.
This division shifts attention from suppliers to the organisations themselves. Banks, law firms, hospitals and public institutions that use document-processing AI carry their own responsibilities for logging, oversight and incident response.
The timeline: 2027 and 2028
The regulation has a phased introduction. According to the European Commission's Guidelines for providers and deployers of AI high-risk systems, the rules for certain high-risk areas will apply from 2 December 2027, and those for systems integrated into certain regulated products from 2 August 2028. Those dates may seem far off, but setting up governance, logging and verification within existing working processes takes time. The years leading up to 2027–2028 are therefore the period in which organisations must make their approach concrete.
What this means for working with confidential documents
The common denominator in Article 16, Article 26 and the high-level summary is that AI use must be demonstrable and traceable. For professionals who work with confidential information, two things are added: the content of documents is itself sensitive, and the result of an AI answer must remain verifiable.
On these two points, Vera is designed as a verification layer — not a chatbot and not its own language model. The Semantic Privacy Shield anonymises documents on EU infrastructure before the content is presented to the selected AI models; only anonymised content leaves that pre-processing. This aligns with the principle of data governance and data protection that is central to the regulation, without this being a claim about full GDPR processor compliance or full European sovereignty.
For the verifiability of outcomes, Vera has AI answers verified across multiple models and makes those verification steps visible. This does not eliminate AI errors and guarantees no correctness or truth; it does reduce the risk that errors go unnoticed, because a professional can see where answers diverge or where substantiation is lacking. The evidence trail also makes clear which steps have been completed — relevant against the background of the logging and oversight obligations of Article 26.
Finally, a user can view and edit documents via Vera Office in Collabora Online within the same secure environment. Vera Office does not autonomously edit documents; the professional retains control. This fits the requirement of human oversight: the final judgement always remains with the human.
Looking ahead
The EU AI Act's high-risk rules make explainability, logging and human oversight not extras, but building blocks of any serious AI workflow on sensitive documents. Whether a specific application qualifies as high-risk requires a case-by-case analysis along the lines of Article 6. Those who are already working with tooling that supports anonymisation, verification and traceability are in any case better placed as 2027–2028 approaches. The responsibility — and the judgement — remain with the organisation and the professional themselves.