EU AI Act Compliance for Canadian Defence Suppliers

EU AI Act compliance — bundled with Level 2

The EU AI Act establishes the first comprehensive regulatory framework for artificial intelligence systems. Enforcement began in phases throughout 2025, and by 2026 it applies to any AI system placed on the EU market — including systems built by Canadian defence suppliers that interact with European counterparts, logistics chains, or NATO partners.

Solymus bundles EU AI Act evidence capture with CPCSC Level 2 at no additional cost. The same cryptographic receipt that proves an ITSP.10.171 control is implemented also proves an EU AI Act obligation is met.

What the EU AI Act requires

Risk classification — every AI system must be classified as prohibited, high-risk, limited-risk, or minimal-risk
Data governance — training data must be relevant, representative, error-free, and complete
Technical documentation — design specifications, architecture, and capabilities must be documented and available to authorities
Record-keeping — automatic logging of events throughout the AI system's lifecycle
Transparency — users must be informed when they are interacting with an AI system
Human oversight — high-risk AI systems must be designed for effective human supervision
Accuracy, robustness, cybersecurity — AI systems must meet appropriate levels of accuracy and resilience
Conformity assessment — high-risk systems require third-party conformity assessment before deployment

How Solymus captures EU AI Act evidence

Every AI telemetry event ingested by Solymus is cryptographically signed and chained into the same Merkle ledger as CPCSC evidence. State-diff compression isolates only modified model parameters, making hardware-rooted logging practical even on resource-constrained edge devices.

Article 12 — Logging

Automatic event logging with KMS-signed receipts. Every inference, every model update, every human override — cryptographically sealed.

Article 13 — Transparency

Signed disclosure events prove when users were informed they interact with an AI system. Tamper-evident audit trail for regulators.

Article 14 — Human Oversight

Human intervention events captured as first-class telemetry. Override decisions, escalations, and shutdown events all chained into the ledger.

Article 15 — Accuracy

Performance metrics captured as signed telemetry. Model version, evaluation dataset hash, accuracy metrics — all reproducible from the receipt.

Article 17 — QMS

Quality management system evidence: change management receipts, testing records, incident logs. Full lifecycle documentation.

Article 61 — Post-market

Continuous monitoring receipts prove ongoing conformity. Incident reporting supported via webhook integration with supervisory authorities.

Penalties for non-compliance

The EU AI Act establishes tiered penalties: up to €35 million or 7% of global annual turnover for prohibited AI use, up to €15 million or 3% for breaches of other obligations, and up to €7.5 million or 1% for supplying incorrect information to authorities. Canadian suppliers with EU market exposure face the same penalty framework as EU-based vendors.

Who needs EU AI Act evidence

Canadian defence suppliers that: (1) place AI systems on the EU market, (2) export AI-enabled products to EU customers, (3) participate in NATO AI procurement, (4) supply AI-driven logistics or planning systems to allied forces, or (5) operate AI systems whose outputs are used in the EU.

EU AI Act evidence — bundled with CPCSC Level 2