Question 1

Does the EU AI Act apply to US companies?

Accepted Answer

Yes, it can. The EU AI Act has extraterritorial reach: it applies to providers and deployers established outside the EU when the output of their AI system is used inside the EU, or when the system is placed on the EU market. A US company offering an AI hiring or credit-scoring tool to EU users can therefore fall in scope even with no EU office.

Question 2

Is ISO/IEC 42001 mandatory?

Accepted Answer

No. ISO/IEC 42001:2023 is a voluntary international standard for an AI management system (AIMS). It is not law, but certifying against it is one of the strongest ways to demonstrate the organisational governance the EU AI Act, customers and regulators increasingly expect.

Question 3

What is a FRIA?

Accepted Answer

A FRIA is a Fundamental Rights Impact Assessment required by Article 27 of the EU AI Act. Certain deployers of high-risk AI systems — notably public bodies and providers of essential public and private services — must assess, before first use, how the system could affect people's fundamental rights, the categories of persons affected, and the mitigation and human-oversight measures in place.

Question 4

Do I need an AI policy for ChatGPT at work?

Accepted Answer

Strongly recommended. A generative-AI acceptable-use policy defines approved tools, prohibits pasting confidential, personal or regulated data into public chatbots, requires human review of outputs, and sets disclosure rules. It is also a practical first step toward the EU AI Act's AI-literacy obligation, which applies from February 2025.

Question 5

What are the key EU AI Act deadlines?

Accepted Answer

Prohibited practices and AI-literacy duties applied from 2 February 2025; governance and obligations for general-purpose AI (GPAI) models applied from 2 August 2025; and most high-risk system obligations apply from 2 August 2026, with high-risk AI embedded in regulated products following in August 2027.

Question 6

What is the difference between the EU AI Act and NIST AI RMF?

Accepted Answer

The EU AI Act is binding law with penalties and a risk-tier classification (unacceptable, high, limited, minimal). The NIST AI Risk Management Framework is a voluntary US framework structured around four functions — Govern, Map, Measure and Manage — that helps any organisation manage AI risk but imposes no legal obligation.

Question 7

How do I classify whether my AI system is high-risk?

Accepted Answer

Under the EU AI Act a system is high-risk if it is a safety component of a regulated product, or if it is listed in Annex III (for example biometric identification, critical infrastructure, education, employment, access to essential services, law enforcement, migration and justice). Start by inventorying every AI use case, then test each against the prohibited list and Annex III.

Question 8

Can one programme cover the EU AI Act, ISO 42001 and NIST AI RMF together?

Accepted Answer

Yes, and it is the efficient approach. Use ISO/IEC 42001 as the management-system backbone, NIST AI RMF to structure day-to-day risk activities, and map both to the specific legal obligations of the EU AI Act. A single AI inventory, risk register and oversight process can satisfy all three.

🛡️ AI Governance: the practical guide

What “AI governance” means — and why now

The four pillars you need to know

The EU AI Act timeline at a glance

EU AI Act vs ISO/IEC 42001 vs NIST AI RMF

An 8-step AI governance roadmap

Which AMAADOR tool for which step

AI governance FAQ