COMPLIANCE · EU AI ACT · 5 WEEKS · $125K FIXED
Article 15, 16, and 26 obligations mapped to the Five Surfaces methodology. Insurance-grade deliverable. ISO/IEC 42001 Annex A aligned. Sign-off letter suitable for conformity-assessment bodies, cyber-insurance carriers, and acquirer diligence.
REGULATORY MAPPING
Articles 15, 16, 26
Three obligations the Compliance-Anchored engagement is built to satisfy: each article's requirement, and what Vectorbreak delivers against it.
Article 15 · ACCURACY, ROBUSTNESS, AND CYBERSECURITY
The obligation
High-risk AI systems must be designed and developed to achieve an appropriate level of accuracy, robustness, and cybersecurity, and to perform consistently in those respects throughout their lifecycle. The cybersecurity requirement in Article 15(5) names the attack classes by type: data poisoning, model poisoning, adversarial examples and model evasion, confidentiality attacks, and model flaws. None of these is exercised by a conventional pentest.
What Vectorbreak delivers
Full Five Surfaces battery — 69 risk classes, 139 validated test cases — applied to the system in scope. Surface 1 (jailbreaks, output sanitization), Surface 2 (RAG retrieval poisoning, indirect injection), Surface 3 (tool-call privilege escalation), Surface 4 (model extraction, training-data leakage), Surface 5 (sandbox escape, agent-loop abuse). Each finding gets a severity rating, reproduction steps, and remediation guidance suitable for a conformity dossier.
Article 16 · OBLIGATIONS OF PROVIDERS OF HIGH-RISK AI SYSTEMS
The obligation
Providers must establish a quality-management system, maintain technical documentation, keep the logs the system generates, ensure conformity assessment, register the system in the EU database, affix the CE marking, and report serious incidents. The Annex IV technical documentation must describe the cybersecurity measures put in place, so cybersecurity evidence is one of the artifacts a conformity assessment reviews.
What Vectorbreak delivers
Engagement deliverables slot into the Article 16 documentation set: the findings report becomes the cybersecurity-evidence section of the Annex IV technical documentation; the sign-off letter becomes part of the conformity-assessment artifact; retest validation supports the Article 72 post-market monitoring obligation. Format and structure match what notified bodies have been requesting since the August 2026 deadline went live.
Article 26 · OBLIGATIONS OF DEPLOYERS OF HIGH-RISK AI SYSTEMS
The obligation
Deployers (the organization actually putting the AI system into use, separate from the provider that built it) must use the system in accordance with the instructions, monitor operation, ensure human oversight, keep logs, and inform affected persons. Cybersecurity testing supports the operational-monitoring obligation.
What Vectorbreak delivers
Deployer-side engagements focus on Surfaces 2, 3, and 5 — where the deployer's specific integration creates risk that the provider couldn't have anticipated. RAG corpora the deployer populates (Surface 2), tools and MCP servers the deployer wires in (Surface 3), and runtime sandboxes the deployer operates (Surface 5). The deliverable becomes part of the deployer's documented monitoring posture.
The deliverable
Every Compliance-Anchored engagement ships these eight artifacts. Format and structure match what notified bodies, insurance carriers, and acquirer diligence teams have been requesting since the August 2026 deadline.
- 01 · All five surfaces tested against the system as deployed: the full stack, not just the model weights and not just the application layer.
- 02 · Findings catalog with severity ratings aligned to CVSS-style impact scoring, suitable for inclusion in a conformity-assessment technical file.
- 03 · Explicit Article 15/16/26 mapping: each finding annotated with the clause(s) it provides evidence against.
- 04 · ISO/IEC 42001:2023 Annex A control mapping: the AI management-system controls a notified body or auditor will cross-reference.
- 05 · Insurance-attestation pack: a separately formatted summary for cyber-insurance carriers underwriting the AI deployment. Carrier questionnaires from Beazley, Hiscox, AXA, and Munich Re Group have specific format expectations the pack matches.
- 06 · Sign-off letter on Vectorbreak letterhead, citing engagement scope, dated assessment window, and named auditor (Lance), suitable for inclusion in the CE-marking dossier and acquirer due diligence.
- 07 · Retest engagement included: remediation validation re-runs the same battery against the system after fixes ship. Same auditor, same methodology, same severity scale.
- 08 · Disclosure pipeline: any in-scope findings that land in upstream vendors' products are filed through coordinated-disclosure channels by Vectorbreak, with credit to the deployer where appropriate, so the deployer holds a record that the upstream issue was reported and tracked.
FREQUENTLY ASKED
FAQ
When did the EU AI Act take effect?
The EU AI Act (Regulation (EU) 2024/1689) entered into force on 1 August 2024. Obligations for Annex III high-risk AI systems, including the conformity-assessment requirements this engagement provides evidence for, became applicable on 2 August 2026; systems that are high-risk because they fall under the Annex I product-safety legislation follow on 2 August 2027. The prohibitions on certain AI practices applied earlier, from 2 February 2025. Penalties reach €35 million or 7% of global annual turnover (whichever is higher) for prohibited practices, and €15 million or 3% for breaches of most other obligations, including those on high-risk systems.
What AI systems are classified as high-risk?
Annex III of the regulation enumerates eight high-risk areas: biometrics; critical infrastructure; education and vocational training; employment, worker management and access to self-employment; access to essential private and public services and benefits; law enforcement; migration, asylum and border control; and administration of justice and democratic processes. Many enterprise AI deployments fall under one or more of them, in particular hiring and worker-management tools, credit-scoring and insurance risk-assessment systems, systems that decide access to public benefits, and safety components in critical infrastructure. Article 6(3) carves out Annex III systems that do not materially influence the outcome of the decision, so classification is a scoping question, not a given.
What does Article 15 require for cybersecurity?
Article 15(5) requires high-risk AI systems to be resilient against attempts by unauthorised third parties to alter their use, outputs or performance by exploiting system vulnerabilities. The technical solutions must, where appropriate, include measures to prevent, detect, respond to, resolve and control for data poisoning, model poisoning, adversarial examples and model evasion, confidentiality attacks, and model flaws. Conformity assessment therefore expects evidence that these classes were tested. A generic IT-security pentest does not exercise them; AI-specific methodology is required.
Does the Five Surfaces methodology map to Article 15?
Yes. Each of the 69 risk classes in the Five Surfaces framework maps to one or more Article 15 cybersecurity obligations. The methodology paper includes the explicit map: Surface 1 risk classes 1-13 cover input/output adversarial robustness; Surface 2 (11 classes) covers retrieval poisoning and indirect injection; Surface 3 (20 classes) covers tool-call privilege escalation and code-execution risks; Surface 4 (11 classes) covers model-level extraction and confidentiality attacks; Surface 5 (14 classes) covers runtime escape and operational-security risks.
What's the difference between Article 16 and Article 26 obligations?
Article 16 obligations attach to providers: the organization that develops a high-risk AI system, places it on the market or puts it into service, or substantially modifies it (Article 25). Article 26 obligations attach to deployers: the organization that uses the system under its own authority in a professional capacity. The same system can carry separate provider and deployer obligations. Vectorbreak engagements can be scoped to either or both; the deliverable structure shifts based on which obligations the client is under.
How long is the engagement?
Five weeks. Week 1 — scope confirmation, regulatory mapping, and threat-model baseline. Weeks 2-3 — full Five Surfaces battery against the system. Week 4 — findings catalog, Article 15/16/26 annotation, ISO/IEC 42001 control mapping. Week 5 — insurance-attestation pack, sign-off letter, deliverable QA. Retest engagement scheduled separately after remediation.
How much does it cost?
Fixed-fee at $125,000 (Compliance-Anchored tier). Includes the full 5-week engagement, all deliverables, the retest engagement, and 12 months of follow-up email support on the deliverable artifacts. Payment is 60% on signature, 30% at week-5 delivery, 10% on retest sign-off. No hourly creep. If the engagement runs long, that's covered by the fixed fee.
What if I'm a deployer outside the EU?
The EU AI Act applies extraterritorially: under Article 2(1)(c), a provider or deployer established outside the EU is in scope where the output produced by the system is used in the EU. US-based companies running AI agents that serve EU users have Article 26 obligations. The Compliance-Anchored engagement supports extraterritorial deployers: the deliverable references the applicable provisions, and the regulatory-exposure assessment is part of the scoping conversation.
Scope a Compliance-Anchored engagement.
August 2026 deadline is past. If you’re mid-conformity assessment or your notified body has flagged the cybersecurity section, the engagement closes the gap on a fixed timeline.