← All Demos
EU AI Act Lab · Instrument II · Conformity

The Paper Trail

An EU AI Act provider simulation · robert@barcik.training
Take this with a grain of salt. This is an educational simulation, not legal advice, and I can't be held liable for decisions based on it — consult your legal representative before making real compliance decisions. The scenario is fictional; the articles, deadlines and traps are real, grounded in Regulation (EU) 2024/1689 and the agreed 2026 Digital Omnibus (dates pending Official Journal publication as of 12 July 2026 — verify on EUR-Lex).

In The Navigator you classified an AI system. This is what happens next. You run engineering at a company whose product just landed in the high-risk tier — and for the next eighteen months, every decision you make either builds your paper trail or burns it. Five acts, scored, with the real article behind every answer.

Briefing Act 1 · Runway Act 2 · Evidence Act 3 · The Route Act 4 · The Call Act 5 · Incident Debrief
Briefing — Tallinn, July 2026
You are the Head of Engineering at Skilline OÜ, an Estonian HR-tech company of 40 people. Your product, SkillRank, plugs into applicant-tracking systems and scores, ranks and filters candidates for mid-size employers across the EU.
"Legal finished the classification memo," says Marta, your CEO. "Annex III point 4(a) — recruitment and selection. It profiles natural persons, so no Article 6(3) escape. SkillRank is high-risk. The obligations bite on 2 December 2027. You own getting us there."
Eighteen months sounds like a long time. Your notified-body-adjacent friends tell you it isn't. Every act in this simulation is a moment where providers really win or lose their conformity story — and the score at the end tells you what kind of paper trail you built.
Your starting position

• SkillRank is already on the market — you're not launching, you're retrofitting compliance.
• The model is built in-house on candidate data from customers; a hosted LLM writes candidate summaries.
• You have: a data science team of six, one overworked compliance officer (Priit), and a CEO who reads the fines table before breakfast.
• What you don't have yet: a QMS, technical documentation, a post-market monitoring plan, or any idea what "conformity assessment" means for a company your size.

Act 1 — The runway
Monday morning, planning meeting. Marta wants a compliance timeline on one slide. Priit has been reading LinkedIn thought-leadership all weekend and arrives with three plans. The date on the wall says 2 December 2027 — the post-Omnibus application date for Annex III high-risk systems.

Decision 1 — Which plan do you commit to?

Harmonised standards for the AI Act are still being drafted; the Art 6(5) classification guidelines are still a draft; the Omnibus itself is awaiting Official Journal publication.
Wait for the harmonised standards to be published, then implement against them — no point building twice.
Start now: stand up the QMS and risk-management skeleton, build documentation as you go, adopt standards when they land.
Pause everything until the Omnibus is in the Official Journal — the dates aren't even law yet.

Decision 2 — Marta asks: "What happens between now and Dec 2027? Are we unregulated?"

"Correct — high-risk obligations don't apply yet, so legally nothing constrains SkillRank until then."
"No. Prohibitions and AI literacy have applied since Feb 2025, Art 50 transparency hits our LLM-written candidate summaries from 2 Aug 2026, and GDPR never went away. Only the high-risk layer waits until Dec 2027."
"Everything AI Act moved to 2027 with the Omnibus — that was the whole point of the delay."
Act 2 — The evidence pack
Three months in. You're assembling the technical documentation — the Annex IV file that has to exist before SkillRank's compliance deadline, and the artifact an authority will ask for first Art 11. Your team dumped everything they have into a shared folder. Not all of it counts as evidence.
Select the artifacts that belong in your Annex IV / Chapter III Section 2 evidence pack (pick exactly 5)
Living risk register with mitigations & test results
Risks identified per release, mitigation owner, residual-risk sign-off.
Dataset documentation: provenance, representativeness, bias checks
Where training data came from, who's under-represented, what you did about it.
The LLM vendor's public model card, printed to PDF
"The upstream provider says it's safe" — surely their homework covers ours.
Automatic event logging design + retention config
What gets logged per ranking decision, where it lives, how long it's kept.
Declared accuracy metrics + robustness test suite results
The numbers you're prepared to state in the instructions for use, and the tests behind them.
The investor deck saying "SkillRank is 94% accurate"
Marketing already made the claim — reusing it saves time.
Human-oversight design: what recruiters see, can override, and are warned about
Interface measures that make oversight possible in practice, not just in policy.
A signed purchase order for ISO/IEC 42001 certification services
"We bought the management-system standard, so we're compliant."

Decision — The bias test needs sensitive data

Your data scientists say they can't measure whether SkillRank disadvantages candidates by ethnicity without processing special-category data. Priit turns pale and cites GDPR.
Skip the ethnicity analysis — processing special-category data is too risky; test only what's already in the dataset.
Use the AI Act's own legal basis: special-category data may be processed for bias detection and correction, under strict safeguards — document the necessity and the safeguards.
Quietly infer ethnicity from names and postcodes — it's not "really" special-category data if you derived it yourself.
Act 3 — The route
Month nine. The documentation is taking shape. Now the question that decides your budget: who assesses SkillRank's conformity? Priit got three consultancy quotes; the most expensive one assumes a notified body and bills accordingly. Marta wants to know if you really need one.

Decision 1 — Which conformity route applies to SkillRank (Annex III point 4, employment)?

A notified body must audit us — it's high-risk, and high-risk means third-party assessment.
Internal control: we run the conformity assessment ourselves against the requirements, then declare conformity and CE-mark.
Neither — conformity assessment is only for physical products; software just needs the documentation.

Decision 2 — What's the correct order of the final four steps?

The launch checklist has four items: EU declaration of conformity, CE marking, EU-database registration, and the conformity assessment itself.
Conformity assessment → declaration of conformity → CE marking → registration in the EU database — all before the system is on the market in its high-risk-regulated form.
CE-mark now for the sales deck, run the assessment in parallel, register within 12 months of the deadline.
Sign the declaration of conformity first — it's a statement of intent — then do the assessment to back it up.

Decision 3 — Priit asks how long the paperwork has to live

Five years — same as most commercial records.
Ten years after SkillRank is placed on the market — technical documentation, QMS records, the declaration, all of it.
Indefinitely — EU law never lets you delete anything.
Act 4 — The customer call
Month fourteen. Nordvik Retail, your biggest customer, books a call. Their procurement lead has discovered the AI Act and has opinions. Their legal counsel joins. So does Marta, which means you can't improvise.
"Two things," says Nordvik's counsel. "First: what do we get from you so our obligations as deployer are manageable? Second: we'd like to white-label SkillRank as 'Nordvik TalentEngine' — our brand, your engine. Fine, yes?"

Decision 1 — What is YOUR side of the deployer's compliance story?

"Deployer obligations are Nordvik's problem — we sell the tool, they figure out how to use it."
"You get instructions for use that make oversight possible: what SkillRank can and can't do, its declared accuracy, the oversight measures, what to monitor. Your Art 26 duties are built on our Art 13 transparency."
"We'll contractually indemnify you against AI Act fines — that transfers the obligations to us."

Decision 2 — The white-label request

"Sure — it's just branding. The engine doesn't change, so the compliance story doesn't either."
"Careful. If you put your name on a high-risk system, YOU become its provider under the Act — the full provider obligation set moves to Nordvik. Let's talk about what that means before anyone signs."
"Absolutely not — the AI Act prohibits white-labeling high-risk AI systems."

Decision 3 — Nordvik's counsel asks: "Do we owe anyone a fundamental-rights impact assessment?"

Nordvik Retail is a private retailer using SkillRank to hire shop staff.
"Yes — every deployer of every high-risk system must do a FRIA before first use."
"For a private retailer hiring staff — generally no. The FRIA duty targets public bodies, private providers of public services, and deployers of credit-scoring and life/health-insurance systems. But your worker-information and oversight duties under Art 26 stand regardless."
"No — FRIAs were deleted by the Digital Omnibus."
Act 5 — The incident
Three months after your conformity milestone. Your post-market monitoring dashboard — the one Art 72 made you build and you're now glad exists — flags a pattern: at one customer, SkillRank has been systematically down-ranking candidates who list a career gap for parental leave. A recruiter noticed too, and posted about it. The post is getting traction. Marta is calling.
Day 0
The clock in this act is real: reporting windows under the AI Act are counted in days, and "we were still investigating" is not a pause button. Your choices advance the clock.

Decision 1 — First move, Day 0

Get PR to respond to the post first — contain the narrative, then investigate quietly.
Trigger the incident procedure from your QMS: preserve the logs, reproduce the behaviour, assess whether this is a "serious incident" under the Act, and start corrective-action planning in parallel.
Hotfix the model tonight and retrain — if the behaviour is gone, there's nothing to report.

Decision 2 — Day 4: the investigation confirms it

The pattern is real, reproducible, and traces to a feature introduced two releases ago. Systematic disadvantage in access to employment is on the table — this reads as an infringement of fundamental-rights protections, which the Act treats as a serious incident. Legal wants "another two weeks to be sure."
Give legal their two weeks — you can't report what you haven't fully characterised.
Report to the market surveillance authority now: the causal link is established, and the reporting window (15 days at most, shorter for the gravest categories) started counting when you established it — completeness can follow in the investigation report.
Inform the affected customer and fix it — authority reporting is only for deaths and physical harm.

Decision 3 — Day 9: corrective action

The fix is validated. Deployment is ready. What's the complete corrective-action move?
Ship the fix to all customers. Done — the non-conformity no longer exists.
Ship the fix, inform every affected deployer (and your distributor) with instructions, update the risk register and technical documentation, record it all in the QMS, and cooperate with the authority's follow-up.
Recall SkillRank from the market entirely — any serious incident legally requires full withdrawal.
Case file closed · The Paper Trail

Your conformity record

Decision-by-decision debrief
What this simulation compressed

Real conformity work is slower and lumpier than five acts: standing up a QMS takes months, notified-body queues (where they apply) run long, and the standards landscape is still settling. Three honest simplifications:

• We compressed role nuances — importer and distributor duties (Art 23–24) never entered the story.

• The serious-incident definition and windows have more structure than one decision can carry (Art 3(49), Art 73) — the lesson that survives compression: establish the causal link, then the clock is already running.

• Registration mechanics (Art 49, Annex VIII) got one checklist line; in reality the EU database has its own workflow.

Where this comes from. The Paper Trail dramatizes the provider chapters of Regulation (EU) 2024/1689 — Articles 8–22, 43–49 and 72–73 — the way I teach them: as an engineering discipline where the deliverable is evidence, not vibes. Classify your own system first with The Navigator. For trainings on engineering AI Act compliance: barcik.training · Official sources: the Act on EUR-Lex, the EC AI Act Service Desk.