EU AI ACT COMPLIANCE STATEMENT
Cognitiva Systems Inc. - Intelligence Platform
Regulation (EU) 2024/1689 - Artificial Intelligence Act
Published: 15 April 2026
Version: 1.0
EXECUTIVE SUMMARY
This document describes Cognitiva Systems Inc.'s ("Cognitiva") compliance approach to the EU Artificial Intelligence Act (Regulation EU 2024/1689, "AI Act").
Key Findings:
| AI System | Risk Classification | Compliance Status |
|---|---|---|
| Creator Matching Algorithm | Limited Risk | ✅ Compliant - Transparency obligations met |
| Payment Risk Detection | Limited Risk | ✅ Compliant - Transparency obligations met |
| Campaign Success Prediction | Minimal Risk | ✅ Compliant - No specific obligations |
| Compliance Monitoring | Limited Risk | ✅ Compliant - Transparency obligations met |
No High-Risk Systems: Cognitiva does not deploy AI systems classified as high-risk under Annex III of the AI Act.
Prohibited Practices: Cognitiva does not engage in prohibited AI practices under Article 5.
1. SCOPE AND APPLICABILITY
1.1 Geographic Scope
The AI Act applies to Cognitiva because:
✓ Article 2(1)(a): We place AI systems on the EU market
✓ Article 2(1)(b): We are a provider of AI systems with users located in the EU
✓ Article 2(1)(f): Our AI systems' outputs are used in the EU
Cognitiva's EU Presence:
- Customers in EU Member States: Yes
- EU office or subsidiary: None (US-incorporated entity serving EU customers remotely)
- EU Representative: Not currently required; under review as EU customer base grows
1.2 AI Systems in Scope
Cognitiva provides the following AI systems under the Intelligence Platform:
1. Creator Matching Algorithm
- Purpose: Match influencers/creators to campaign requirements
- Technology: Machine learning (supervised learning, ensemble methods)
- Output: Match scores (0-100), confidence intervals, ranking
- Decision Type: Recommendation system
2. Payment Risk Detection
- Purpose: Identify early warning signs of payment disputes
- Technology: ML classification (logistic regression, random forest)
- Output: Risk scores (0-100), risk factors, red flags
- Decision Type: Risk assessment
3. Campaign Success Prediction
- Purpose: Predict campaign outcome probability
- Technology: ML regression and classification
- Output: Success probability, key success factors
- Decision Type: Predictive analytics
4. Compliance Monitoring
- Purpose: Scan content for brand guideline and regulatory violations
- Technology: NLP, rule-based systems, ML classification
- Output: Compliance scores, detected violations, recommendations
- Decision Type: Automated content analysis
1.3 Out of Scope
Not AI Systems under AI Act:
- Campaign workflow automation (rule-based, no ML)
- Data anonymization procedures (deterministic algorithms, not AI)
- Platform analytics dashboards (aggregation, not AI decision-making)
2. RISK CLASSIFICATION
2.1 Classification Methodology
Per Article 6, we assess each AI system against:
- Annex III (High-Risk Use Cases)
- Article 5 (Prohibited Practices)
- Article 50 (Transparency Obligations)
2.2 High-Risk Assessment (Annex III)
Annex III Categories Reviewed:
| Annex III Category | Cognitiva System | Assessment | Result |
|---|---|---|---|
| 1. Biometric identification | None | N/A | ✅ Not High-Risk |
| 2. Critical infrastructure | None | N/A | ✅ Not High-Risk |
| 3. Education/vocational training | None | N/A | ✅ Not High-Risk |
| 4. Employment, workers, self-employment | Creator matching | Does not determine access to employment | ✅ Not High-Risk |
| 5. Essential services | None | N/A | ✅ Not High-Risk |
| 6. Law enforcement | None | N/A | ✅ Not High-Risk |
| 7. Migration, asylum, border control | None | N/A | ✅ Not High-Risk |
| 8. Justice and democratic processes | None | N/A | ✅ Not High-Risk |
Employment Category Analysis (Annex III, Section 4):
Annex III(4) includes AI systems used for:
- Recruitment or selection of persons (4(a))
- Decisions on promotion/termination (4(b))
- Task allocation (4(c))
- Monitoring/evaluating persons in work relationships (4(d))
Cognitiva's Creator Matching System:
- ❌ NOT for recruitment/employment: Matches creators to campaigns (commercial projects), not employment relationships
- ❌ NOT employer-worker relationship: Creators are independent contractors, not employees
- ❌ NOT access to self-employment: Does not determine who can be self-employed
- ✅ Commercial matching only: Analogous to marketplace algorithms
Conclusion: Creator Matching does not fall under Annex III(4).
2.3 Prohibited Practices Assessment (Article 5)
Article 5 Prohibitions Reviewed:
| Article 5 Prohibition | Cognitiva Practice | Compliance |
|---|---|---|
| 5(1)(a) - Subliminal manipulation | No subliminal techniques used | ✅ Compliant |
| 5(1)(b) - Exploitation of vulnerabilities | No targeting of vulnerable persons | ✅ Compliant |
| 5(1)(c) - Social scoring | No social scoring systems | ✅ Compliant |
| 5(1)(d) - Risk assessment based on profiling | No predictive policing or criminal risk profiling | ✅ Compliant |
| 5(1)(e) - Real-time remote biometric | No biometric identification | ✅ Compliant |
| 5(1)(f) - Emotion recognition (workplace/education) | No emotion recognition | ✅ Compliant |
| 5(1)(g) - Biometric categorization (sensitive characteristics) | No biometric categorization | ✅ Compliant |
| 5(1)(h) - Scraping for facial recognition databases | No facial recognition databases | ✅ Compliant |
Conclusion: Cognitiva does not engage in prohibited AI practices.
2.4 Final Risk Classification
All Cognitiva AI Systems: Limited Risk (Article 50)
Rationale:
- Not high-risk per Annex III analysis
- Not prohibited per Article 5 analysis
- Systems interact with natural persons (users receive recommendations)
- Transparency obligations apply under Article 50
Article 50 - Transparency Obligations:
- Inform users AI system is being used
- Provide clear, intelligible information about system capabilities and limitations
- Enable users to understand and engage with AI system appropriately
3. TRANSPARENCY OBLIGATIONS (ARTICLE 50)
3.1 User-Facing Disclosures
Where Disclosed:
- API Documentation: docs.cognitiva.systems/api/ai-transparency
- Platform UI: "AI-Powered" badges on relevant features
- Terms of Service: Section 10.2 (AI Disclaimers)
- Help Articles: "How AI Works" section
Information Provided:
✓ That AI is being used: Clear labeling of AI-powered features
✓ Capabilities: What the AI system can and cannot do
✓ Limitations: Accuracy ranges, potential for error
✓ Basis for AI outputs: High-level explanation of decision factors
✓ How to interpret outputs: Guidance on using scores responsibly
3.2 Specific Disclosures by System
Creator Matching:
🤖 AI-Powered Matching
This feature uses artificial intelligence to analyze campaign requirements
and creator profiles to suggest potential matches.
What it does:
- Analyzes historical campaign performance
- Considers audience demographics and engagement
- Evaluates creator reliability and communication quality
- Generates match scores (0-100) with confidence intervals
Limitations:
- Predictions are not guarantees of campaign success
- Human review recommended for final selection
- Scores may not capture all relevant factors
- Algorithm continuously improves; scores may evolve
Your role: Use AI scores as one input among many in your decision-making.
Payment Risk Detection:
⚠️ AI-Powered Risk Detection
This system uses machine learning to identify early warning signs
of potential payment disputes.
What it does:
- Monitors communication patterns
- Tracks milestone completion rates
- Analyzes historical behavior
- Flags potential issues before they escalate
Limitations:
- Not all disputes can be predicted
- False positives may occur (flagged issues that don't escalate)
- False negatives possible (missed risks)
- 85% detection rate based on historical data
Your role: Investigate flagged items and take preventive action.
Don't ignore genuine business concerns even if not flagged.
Campaign Success Prediction:
📊 AI-Powered Success Prediction
This feature predicts the likelihood of campaign success based on
campaign structure and historical data.
What it does:
- Analyzes campaign brief quality
- Assesses creator-campaign fit
- Evaluates timeline and budget feasibility
- Provides success probability and key factors
Limitations:
- 75% accuracy based on historical data
- Cannot predict external factors (market shifts, viral trends)
- Past performance doesn't guarantee future results
- Predictions more accurate for standard campaigns
Your role: Use predictions to optimize campaigns, not to decide
whether to proceed. Apply your expertise and judgment.
Compliance Monitoring:
✅ AI-Powered Compliance Monitoring
This system automatically scans content for brand guideline
and regulatory compliance issues.
What it does:
- Checks content against brand guidelines
- Identifies potential regulatory violations
- Flags sensitive content
- Suggests corrections
Limitations:
- 95% rule detection rate (some violations may be missed)
- Context may affect interpretation
- Human review required for final approval
- Cannot guarantee 100% compliance
Your role: Review all flagged content. Final compliance
responsibility remains with you.
3.3 Compliance Measures
Implementation:
- ✅ Disclosure language integrated into UI (December 2024)
- ✅ API documentation updated with AI transparency section (January 2025)
- ✅ Help center articles published (January 2025)
- ✅ Terms of Service updated with AI disclaimers (February 2025)
Accessibility:
- Available in English (primary)
- Translations: Arabic (in progress for MENA markets)
- Plain language (readability: Grade 8-10 level)
- Visual aids (icons, diagrams) supplement text
User Acknowledgment:
- First-time users shown AI transparency notice
- "Learn More" links to detailed documentation
- FAQ section addresses common questions
- No barrier to access (informational, not consent gate)
4. TECHNICAL DOCUMENTATION
4.1 System Descriptions
Per Article 11 / Annex IV (adapted for limited-risk systems)
System 1: Creator Matching Algorithm
Intended Purpose: Assist agencies in identifying suitable creators for campaigns by providing match scores based on historical performance, audience fit, and reliability indicators.
Technology:
- Supervised machine learning
- Ensemble methods (Random Forest, Gradient Boosting)
- Feature engineering from structured campaign data
- Model training on 400M+ historical campaign events
Inputs:
- Campaign requirements (industry, goals, audience, budget, timeline)
- Creator profiles (audience size, demographics, engagement rates, past performance)
- Historical campaign outcome data
Outputs:
- Match score (0-100)
- Confidence interval (±X points)
- Ranked list of creators
- Key matching factors explanation
Performance Metrics:
- Precision: 90% (top recommendations have 90% positive outcome rate)
- Recall: 75% (system identifies 75% of optimal matches)
- F1 Score: 0.82
- Validation method: Holdout test set (20% of data)
Limitations:
- Performance varies by campaign type (higher accuracy for standard campaigns)
- Novel campaign types have lower prediction accuracy
- Cannot predict external factors (market trends, competitive actions)
- Dependent on data quality and completeness
Training Data:
- Source: Proprietary dataset from CognitivaOS platform
- Size: 400M+ campaign events from 50k+ campaigns
- Timeframe: 2020-present
- Geographic coverage: Global (100+ countries)
- Anonymization: Applied per GDPR standards
- Bias mitigation: Demographic balance analysis, fairness metrics monitoring
Model Updates:
- Frequency: Monthly retraining
- Versioning: Semantic versioning (v2.3.1 current)
- A/B testing: New models tested before deployment
- Rollback: Available if performance degrades
System 2: Payment Risk Detection
Intended Purpose: Identify early warning signs of potential payment disputes by analyzing communication patterns, milestone completion, and historical behavior.
Technology:
- Binary classification (dispute risk: yes/no)
- Logistic regression and Random Forest ensemble
- Feature extraction from communication metadata
- Time-series analysis of milestone completion
Inputs:
- Communication frequency and sentiment
- Milestone completion rates
- Approval delays
- Historical payment behavior
- Campaign complexity indicators
Outputs:
- Risk score (0-100, where >70 = high risk)
- Identified risk factors (e.g., "communication frequency declined 50%")
- Recommended actions
Performance Metrics:
- Detection rate (sensitivity): 85% (identifies 85% of actual disputes early)
- False positive rate: 15% (15% of flags don't result in disputes)
- Precision: 70% (70% of flagged items become disputes)
- Lead time: Average 7 days advance warning
Limitations:
- Cannot predict all disputes (15% missed)
- False alarms create unnecessary concern
- Dependent on communication occurring through platform
- Less accurate for first-time users (cold start problem)
Training Data:
- Source: Historical campaigns with known outcomes
- Positive examples: 5,000+ disputes
- Negative examples: 45,000+ successful campaigns (10:1 ratio)
- Rebalancing: SMOTE applied to balance training set
- Feature selection: 47 features selected from 200+ candidates
Model Updates:
- Frequency: Monthly retraining
- Performance monitoring: Daily dashboard tracking false positive/negative rates
- Drift detection: Automatic alerts if accuracy drops >5%
System 3: Campaign Success Prediction
Intended Purpose: Predict likelihood of campaign achieving stated goals to help agencies optimize campaign structure before execution.
Technology:
- Regression (predict success score 0-100)
- Gradient Boosting Machines
- Feature importance analysis
- Counterfactual explanation generation
Inputs:
- Campaign brief (quality, clarity, goal specificity)
- Budget vs. industry benchmarks
- Timeline vs. deliverable complexity
- Creator-brand fit indicators
- Historical performance of similar campaigns
Outputs:
- Success probability (0-100)
- Confidence interval
- Key success factors (positive contributors)
- Risk factors (negative contributors)
- Recommendations for improvement
Performance Metrics:
- R² score: 0.68 (explains 68% of variance)
- Mean Absolute Error: 12 points
- Accuracy (binary classification >50 = success): 75%
- Calibration: Predicted probabilities match actual outcomes
Limitations:
- Cannot predict external shocks (market collapse, platform policy changes)
- Less accurate for novel campaign types
- Past patterns may not predict future in changing markets
- Lower accuracy for very high budgets (data scarcity)
Training Data:
- Source: 50,000+ completed campaigns with outcome data
- Outcome definition: Campaign goals achieved (yes/no) + engagement metrics
- Temporal validation: Models trained on data up to time T, tested on data after T
- Data freshness: Rolling 3-year window (older data aged out)
System 4: Compliance Monitoring
Intended Purpose: Automatically scan campaign content for potential brand guideline violations and regulatory compliance issues.
Technology:
- Natural Language Processing (NLP)
- Rule-based systems (brand guidelines encoded as rules)
- ML classification (trained on violation examples)
- Multi-language support (30+ languages)
Inputs:
- Campaign content (text, images, video metadata)
- Brand guidelines (encoded rules)
- Regulatory requirements (advertising standards, disclosure rules)
- Historical violation patterns
Outputs:
- Compliance score (0-100)
- Detected violations (list with severity)
- Suggested corrections
- Regulatory references
Performance Metrics:
- Rule detection rate: 95% (detects 95% of known rule violations)
- False positive rate: 10% (10% of flagged content is actually compliant)
- Precision: 90%
- Human review rate: 15% (flagged items requiring human review)
Limitations:
- Context-dependent interpretation (sarcasm, cultural nuances)
- May flag acceptable content (conservative approach)
- Cannot guarantee 100% compliance
- Evolving regulations require manual rule updates
Training Data:
- Violation examples: 10,000+ labeled instances
- Compliant examples: 100,000+ labeled instances
- Source: Manual review of historical campaigns
- Labeling: Dual-labeler with adjudication for disagreements
- Regular updates: New violation types added monthly
4.2 Accuracy and Performance
System-Wide Performance Monitoring:
All AI systems monitored through:
- Real-time accuracy tracking dashboards
- Weekly performance reports to engineering team
- Monthly performance reviews with stakeholders
- Quarterly model retraining and validation
- Annual comprehensive audit
Performance Degradation Alerts:
- Automatic alerts if accuracy drops >5% from baseline
- Investigation triggered within 24 hours
- Rollback to previous version if issue not resolved within 3 days
User Feedback Loop:
- Users can report inaccurate predictions
- Feedback incorporated into retraining data
- Acknowledgment to user within 48 hours
- Trend analysis of feedback monthly
5. DATA GOVERNANCE
5.1 Training Data
Data Sources:
- Proprietary: 95% (CognitivaOS platform user data, anonymized)
- Licensed: 5% (third-party benchmarking data)
- Public: 0% (no web scraping or public data harvesting)
Data Quality:
- Completeness: >95% (missing data imputation applied)
- Accuracy: Validated against known outcomes
- Consistency: Standardized data pipeline
- Timeliness: Rolling 3-year window
Bias Mitigation:
Identified Risks:
- Geographic bias (US/EU over-represented in early data)
- Campaign type bias (B2C over-represented vs. B2B)
- Creator size bias (mid-tier creators over-represented)
Mitigation Strategies:
- Data rebalancing (stratified sampling)
- Fairness metrics monitoring (demographic parity, equal opportunity)
- Regular bias audits (quarterly)
- Adversarial debiasing techniques
- User feedback on perceived bias
Current Bias Metrics:
| Demographic Group | Representation in Data | Model Performance Parity |
|---|---|---|
| US vs. Non-US | 60/40 | 95% parity |
| Large vs. Small Creators | 30/70 | 92% parity |
| B2C vs. B2B Campaigns | 80/20 | 88% parity |
Action Items:
- Increase B2B campaign data collection
- Targeted outreach for underrepresented geographies
5.2 Privacy and Security
Data Protection Measures:
- Anonymization: GDPR-compliant irreversible anonymization
- Encryption: AES-256 at rest, TLS 1.3 in transit
- Access control: Role-based access, least privilege
- Audit logging: All data access logged and monitored
Compliance:
- GDPR: Article 5 (lawfulness, fairness, transparency)
- GDPR: Article 25 (data protection by design and by default)
- GDPR: Article 35 (DPIA conducted)
- AI Act: Article 10 (data and data governance)
Data Retention:
- Training data: Indefinite (anonymized, no personal data)
- Model inputs (API requests): 30 days (troubleshooting)
- Model outputs: 90 days (performance monitoring)
6. HUMAN OVERSIGHT
6.1 Human-in-the-Loop
AI Outputs are Recommendations, Not Autonomous Decisions:
All AI systems designed with human oversight:
| System | AI Role | Human Role | Override Ability |
|---|---|---|---|
| Creator Matching | Recommends matches | Selects final creator | ✅ Full override |
| Payment Risk | Flags risks | Investigates and acts | ✅ Full override |
| Success Prediction | Provides probability | Decides whether to proceed | ✅ Full override |
| Compliance | Flags violations | Final compliance approval | ✅ Full override |
No Fully Automated Decision-Making:
- Per Article 14 (not applicable to limited-risk, but voluntarily adopted)
- Humans always in the loop for consequential decisions
- Users retain full decision-making authority
- AI never automatically executes actions (hiring, payments, content publication)
6.2 User Training and Guidance
Educating Users on Responsible AI Use:
✓ Onboarding tutorial: "How to Use AI Features Responsibly"
✓ Help center: "Best Practices for AI-Assisted Decision-Making"
✓ Warning messages: "AI recommendations should inform, not replace, your judgment"
✓ Case studies: Examples of good and bad AI reliance
Key Messages:
- AI is a tool, not a replacement for expertise
- Always investigate flagged items and high-scoring matches
- Consider AI output alongside other information
- Don't ignore your professional judgment because AI says otherwise
- Report inaccuracies to help improve the system
7. ACCURACY, ROBUSTNESS, CYBERSECURITY
7.1 Accuracy Requirements
Article 15 - Accuracy (Applicable to High-Risk, Adopted Voluntarily):
Performance Baselines:
- Creator Matching: 90% precision target
- Payment Risk: 85% detection rate target
- Success Prediction: 75% accuracy target
- Compliance: 95% rule detection target
Testing and Validation:
- Holdout test sets (20% of data never used in training)
- Cross-validation (5-fold)
- Temporal validation (train on past, test on future)
- A/B testing in production (new models tested against baseline)
Continuous Monitoring:
- Daily accuracy metrics dashboard
- Weekly trend analysis
- Monthly stakeholder review
- Quarterly comprehensive audit
Remediation Triggers:
-
5% drop in accuracy: Investigation required
-
10% drop: Immediate rollback to previous version
- Bias detected: Retraining with mitigation
7.2 Robustness
Article 15 - Robustness:
Adversarial Testing:
- Adversarial examples generated (edge cases, unusual inputs)
- Models tested against adversarial attacks
- Robustness to input perturbations measured
- Results: Models show >90% robustness to minor perturbations
Input Validation:
- Schema validation (API inputs checked for correct format)
- Range checks (values within expected ranges)
- Anomaly detection (flag unusual input patterns)
- Graceful degradation (sensible defaults if inputs incomplete)
Error Handling:
- Model fails "safe" (returns low-confidence score rather than wrong answer)
- Users notified if input quality insufficient
- Logging of all errors for investigation
Model Degradation Detection:
- Performance drift monitoring
- Concept drift detection (is underlying data distribution changing?)
- Retraining triggered when drift detected
7.3 Cybersecurity
Article 15 - Cybersecurity:
Threat Model:
- Model extraction attacks (attacker queries model to reverse-engineer)
- Data poisoning (attacker injects malicious training data)
- Adversarial examples (inputs designed to fool model)
- Model inversion (attacker reconstructs training data from model)
Mitigations:
- API rate limiting (prevents large-scale model extraction)
- Input sanitization (prevents injection attacks)
- Training data access controls (prevents poisoning)
- Differential privacy (protects against inversion)
- Regular security audits
Security Measures:
- API authentication required (no anonymous access)
- Encryption of model artifacts
- Secure model deployment pipeline
- Intrusion detection for unusual query patterns
Incident Response:
- Security incidents handled per Cognitiva Security Incident Response Plan
- Model compromise: Immediate takedown and investigation
- Data breach: Notification per GDPR Article 33/34
8. RECORD-KEEPING
8.1 Logs and Documentation
Article 12 - Record-Keeping (Applicable to High-Risk, Adopted Voluntarily):
Automatically Logged:
- All API requests (timestamp, user, input parameters, model version used)
- Model outputs (scores, recommendations)
- Model training events (dataset version, hyperparameters, performance)
- Model deployment events (version, rollout %, rollback events)
- Performance metrics (accuracy, bias metrics, error rates)
Retention:
- API logs: 90 days
- Training logs: Indefinite (for model provenance)
- Performance logs: Indefinite (for trend analysis)
Purpose:
- Debugging and troubleshooting
- Performance monitoring and improvement
- Accountability and auditability
- Compliance demonstration
Access Control:
- Logs access restricted to authorized personnel
- All log access audited
- Logs encrypted at rest
8.2 Technical Documentation Maintenance
Living Documentation:
- Model cards: Updated with each model version
- API documentation: Updated within 5 days of API changes
- Performance reports: Generated monthly
- Bias audits: Conducted quarterly
Version Control:
- All documentation versioned in Git
- Change history preserved
- Reviewers and approvers documented
9. INSTRUCTIONS FOR USE
9.1 User Documentation
Provided to All Users:
API Documentation:
- Endpoint descriptions
- Input/output schemas
- Example requests and responses
- Error codes and meanings
- Rate limits and quotas
User Guides:
- "Getting Started with AI Features"
- "Interpreting AI Scores"
- "Best Practices for AI-Assisted Decision-Making"
- "Troubleshooting AI Recommendations"
Technical Specifications:
- Model architectures (high-level)
- Feature importance (what factors matter most)
- Performance metrics and limitations
- Update frequency and versioning
9.2 Intended Use
Clearly Stated Intended Use:
✅ DO Use AI For:
- Narrowing down large sets of options
- Identifying potential risks to investigate
- Getting quick initial assessments
- Informing your decision-making process
- Benchmarking against historical patterns
❌ DO NOT Use AI For:
- Making final decisions without human review
- Sole basis for consequential actions
- Situations where you lack domain expertise to evaluate recommendations
- High-stakes decisions without additional validation
- Replacing legal, compliance, or professional advice
Out-of-Scope Use Cases:
- Employment decisions (hiring, firing, promotion)
- Creditworthiness assessment
- Insurance eligibility
- Medical diagnosis or treatment recommendations
- Legal judgments
Misuse Monitoring:
- User behavior analyzed for misuse patterns
- Warnings issued if misuse detected
- Terms of Service violations may result in suspension
10. CONFORMITY ASSESSMENT
10.1 Internal Assessment Process
Self-Assessment Procedure:
Given limited-risk classification, no third-party conformity assessment required. However, Cognitiva voluntarily conducts:
Quarterly Internal Audits:
- Review risk classification (any changes in use cases?)
- Verify transparency disclosures remain accurate
- Test accuracy metrics against baselines
- Review bias metrics
- Audit documentation completeness
Annual Comprehensive Review:
- External expert review (AI ethics consultant)
- User survey on AI transparency effectiveness
- Stakeholder interviews (users, ethics board)
- Lessons learned and improvement plan
- Board presentation on AI governance
Next Review: 15 April 2026
10.2 Continuous Compliance
Monitoring EU AI Act Developments:
- Legal team monitors EU regulatory updates
- Participation in industry working groups
- Engagement with European AI Office
- Attendance at regulatory conferences
Adaptation Plan:
- If AI Act interpretation changes: Reassess risk classification within 30 days
- If new obligations arise: Compliance plan within 90 days
- If reclassified to high-risk: Initiate conformity assessment process
11. POST-MARKET MONITORING
11.1 Ongoing Monitoring System
Article 72 - Post-Market Monitoring (High-Risk Requirement, Voluntarily Adopted):
Monitoring Activities:
Performance Monitoring:
- Daily: Accuracy metrics, error rates
- Weekly: Performance trends, anomaly detection
- Monthly: Comprehensive performance report
- Quarterly: Bias audit, fairness metrics
User Feedback:
- In-app feedback mechanism ("Was this recommendation helpful?")
- Support tickets analyzed for AI-related issues
- User surveys (quarterly)
- Focus groups (semi-annually)
Incident Tracking:
- All AI-related incidents logged
- Severity classification (low/medium/high)
- Root cause analysis for high-severity incidents
- Corrective actions tracked to completion
Regulatory Monitoring:
- EU AI Act guidance and opinions
- Supervisory authority decisions
- Industry best practices
- Academic research on AI safety
11.2 Serious Incident Reporting
Article 73 - Serious Incident Reporting (High-Risk Requirement, Proactive Adoption):
Definition of Serious Incident:
- Major accuracy failure (>20% drop)
- Systematic bias causing harm
- Security breach exposing model or data
- Widespread service disruption (>24 hours)
- Violation of fundamental rights
Reporting Process:
- Incident detection → Assessment within 24 hours → Report to authorities (if required) within 15 days
- Internal reporting: All serious incidents reported to Board
- User notification: If users affected, notification per Privacy Policy
Historical Incidents:
- No serious incidents to date
12. CORRECTIVE ACTIONS
12.1 Non-Conformity Response
If Non-Conformity Identified:
Process:
- Immediate assessment of severity
- Risk mitigation (may include temporary system shutdown)
- Root cause analysis
- Corrective action plan
- Implementation and verification
- Documentation and reporting
Recent Corrective Actions: No non-conformities identified to date.
12.2 Continuous Improvement
Improvement Initiatives:
- Model retraining: Monthly
- Feature engineering: Ongoing
- User experience improvements: Based on feedback
- Documentation updates: Continuous
- Security enhancements: Quarterly security reviews
2024-2025 Roadmap:
- Enhanced explainability (SHAP values for all predictions)
- Improved bias mitigation (fairness-aware ML algorithms)
- Multi-language support expansion (50+ languages)
- Adversarial robustness improvements
- Real-time performance dashboards for users
13. FUNDAMENTAL RIGHTS IMPACT ASSESSMENT
13.1 Fundamental Rights Considered
Article 27 - Fundamental Rights Impact Assessment (High-Risk Requirement, Voluntarily Conducted):
Rights Potentially Affected:
| Fundamental Right | Potential Impact | Mitigation |
|---|---|---|
| Non-discrimination (CFR Art. 21) | Algorithm bias could discriminate | Bias audits, fairness metrics, rebalancing |
| Privacy (CFR Art. 7, 8) | Training data includes personal data | Anonymization, GDPR compliance, DPIAs |
| Freedom to conduct business (CFR Art. 16) | Inaccurate recommendations affect business | Human oversight, accuracy monitoring, disclaimers |
| Consumer protection (CFR Art. 38) | Users may over-rely on AI | Transparency disclosures, education, limitations stated |
Assessment:
- No significant negative impact on fundamental rights identified
- Mitigation measures proportionate and effective
- Human oversight prevents AI from making consequential decisions alone
13.2 Vulnerable Groups
Special Consideration:
Cognitiva's AI systems do not target or disproportionately affect:
- Children
- Persons with disabilities
- Persons subject to social or economic vulnerability
- Marginalized communities
Safeguards:
- Terms of Service require 18+ users
- No special category data processing
- Bias mitigation addresses potential disparate impact
- Opt-out available for all AI features
14. TRANSPARENCY WITH AUTHORITIES
14.1 Market Surveillance Cooperation
Article 77 - Cooperation with Authorities:
Commitment: Cognitiva will fully cooperate with EU market surveillance authorities, including:
- Providing documentation upon request
- Responding to inquiries within reasonable timeframes
- Granting access to systems for assessment (subject to confidentiality safeguards)
- Taking corrective action if non-compliance identified
- Notifying authorities of serious incidents (if applicable)
Designated Contact:
Head of Legal & Compliance
Email: compliance@cognitiva.systems
Phone: +1 302-217-6601
14.2 Public Transparency
Publicly Available Information:
Published at https://cognitiva.systems/legal/ai-act-compliance:
- This compliance statement
- High-level system descriptions
- Risk classifications and justifications
- Transparency disclosures to users
- Performance metrics (aggregated)
- Contact information for inquiries
Not Published (Confidential):
- Detailed model architectures (trade secrets)
- Training data details (competitive advantage, privacy)
- Security-sensitive information (vulnerability details)
15. PROVIDER OBLIGATIONS SUMMARY
15.1 Obligations Applicable to Cognitiva
As Provider of Limited-Risk AI Systems:
| Obligation | Article | Status |
|---|---|---|
| Inform users AI is being used | Art. 50(1) | ✅ Compliant |
| Provide clear information about capabilities and limitations | Art. 50(2) | ✅ Compliant |
| Design systems to be interpretable | Art. 50(3) | ✅ Compliant |
| Maintain technical documentation | Art. 11, 53 | ✅ Compliant |
| Implement quality management system | Art. 17 | ✅ Compliant (voluntarily) |
| Monitor performance post-market | Art. 72 | ✅ Compliant (voluntarily) |
| Report serious incidents | Art. 73 | ✅ Prepared (voluntarily) |
| Cooperate with authorities | Art. 77 | ✅ Committed |
Not Applicable (High-Risk Only):
- Conformity assessment by notified body
- CE marking
- EU declaration of conformity
- Registration in EU database
15.2 Ongoing Compliance Program
Governance Structure:
AI Governance Committee:
- Meets quarterly
- Members: Legal, Engineering, Product, Ethics
- Reviews: Compliance status, incidents, performance, roadmap
Responsible Persons:
- Chief Technology Officer: Overall AI system responsibility
- VP Engineering: Technical compliance
- General Counsel: Legal compliance
- Chief Product Officer: User experience and transparency
Budget:
- Annual AI compliance budget: Allocated as part of overall legal & engineering compliance spend
- Allocated to: Audits, training, documentation, monitoring tools
16. CONCLUSION AND NEXT STEPS
16.1 Compliance Summary
Current Status: COMPLIANT
✅ All AI systems properly classified (Limited Risk)
✅ No prohibited practices engaged
✅ Transparency obligations met
✅ Technical documentation maintained
✅ Human oversight implemented
✅ Post-market monitoring active
16.2 Future Actions
2025 Priorities:
Q2 2025:
- Implement enhanced explainability (SHAP values)
- Expand bias audits to monthly frequency
- Conduct external AI ethics review
Q3 2025:
- Launch user education campaign on responsible AI use
- Implement real-time performance dashboards
- Publish first annual AI transparency report
Q4 2025:
- Engage with European AI Office
- Participate in industry AI Act working groups
- Prepare for any new guidance or requirements
2026:
- Reassess risk classifications (AI Act may evolve)
- Consider voluntary conformity assessment by third party
- Explore AI Act certification schemes (if developed)
16.3 Commitment Statement
Cognitiva Systems Inc. commits to:
✓ Maintaining full compliance with EU AI Act
✓ Transparent and ethical AI development
✓ Prioritizing fundamental rights and safety
✓ Continuous improvement of AI systems
✓ Cooperation with regulators and stakeholders
✓ Leading industry best practices
Signed:
On behalf of the Board of Directors
Cognitiva Systems Inc.
Date: 15 April 2026
17. CONTACT INFORMATION
AI Act Compliance Inquiries:
Phone: +1 302-217-6601
Email: ai-compliance@cognitiva.systems
EU Representative (if applicable):
Not currently appointed; contact compliance@cognitiva.systems for EU regulatory inquiries
For Market Surveillance Authorities:
compliance@cognitiva.systems
END OF EU AI ACT COMPLIANCE STATEMENT
Version: 1.0
Published: 15 April 2026
Next Review: April 2027
APPENDIX A: GLOSSARY
AI System: Machine-based system designed to operate with varying levels of autonomy and that may exhibit adaptiveness after deployment, and that, for explicit or implicit objectives, infers how to generate outputs such as predictions, content, recommendations, or decisions that can influence physical or virtual environments.
Provider: Natural or legal person, public authority, agency, or other body that develops an AI system or that has an AI system developed and places it on the market or puts it into service under its own name or trademark.
User: Natural or legal person, public authority, agency, or other body using an AI system under its authority.
High-Risk AI System: AI system listed in Annex III or required to undergo conformity assessment as product safety component.
Limited Risk AI System: AI system that interacts with natural persons and triggers transparency obligations under Article 50.
Minimal Risk AI System: AI system with minimal or no risk to rights and safety (no specific obligations beyond general product safety).
General-Purpose AI Model (GPAI): AI model trained on large amounts of data designed for broad applicability and adaptable to many tasks.
APPENDIX B: REFERENCED STANDARDS
Harmonized Standards (When Developed):
- EN [TO BE ASSIGNED] - AI Risk Management
- EN [TO BE ASSIGNED] - AI Transparency and Explainability
- EN [TO BE ASSIGNED] - AI Data Governance
Current Standards Used:
- ISO/IEC 23894:2023 - AI Risk Management
- ISO/IEC 42001:2023 - AI Management System
- ISO/IEC 24028:2020 - AI Trustworthiness
- ISO/IEC TR 24027:2021 - AI Bias
- NIST AI Risk Management Framework
APPENDIX C: CHANGE LOG
| Version | Date | Changes | Approved By |
|---|---|---|---|
| 1.0 | 15 April 2026 | Initial publication | Board of Directors |