EU AI Act Red Teaming Requirements: What You Must Do Before August 2, 2026
The EU AI Act mandates adversarial testing for high-risk AI systems. With the compliance deadline 5 months away and penalties up to €15 million or 3% of turnover, here is exactly what the regulation requires and how to prepare.
RedTeam Partners
CREST-Certified Security Team · 2026-03-13
The EU AI Act (Regulation 2024/1689) is the world's first comprehensive AI regulation, and its most critical compliance deadline is approaching fast. By August 2, 2026, organisations deploying high-risk AI systems must demonstrate compliance with Chapter III requirements — including mandatory adversarial testing. Non-compliance with high-risk obligations carries penalties of up to €15 million or 3% of global annual revenue, whichever is higher (up to €35 million or 7% for prohibited AI practices).
This guide covers exactly what the regulation requires, how to determine if your AI systems fall under the high-risk category, and the specific red teaming methodology that satisfies Article 9 requirements.
EU AI Act Timeline: Key Dates
| Date | Milestone | What It Means |
|---|---|---|
| August 1, 2024 | Act enters into force | Official start of compliance countdown |
| February 2, 2025 | Prohibited AI practices apply | Banned AI systems must cease operation |
| August 2, 2025 | GPAI model rules apply | General-purpose AI (GPT-4, Claude, Gemini) providers must comply |
| August 2, 2026 | High-risk AI obligations apply | All Chapter III requirements enforced — 5 months away |
| August 2, 2027 | Full enforcement | All remaining provisions, including Annex I AI systems |
Is Your AI System "High-Risk"?
The EU AI Act classifies AI systems into four risk categories. High-risk systems (Article 6, Annex III) face the strictest requirements, including mandatory adversarial testing. Your system is likely high-risk if it's used for:
- Employment and recruitment — CV screening, interview evaluation, hiring decisions, performance monitoring
- Credit and financial assessment — Credit scoring, insurance pricing, loan approval, fraud detection
- Critical infrastructure management — Energy grid control, water supply, transport systems, telecommunications
- Education and training — Student assessment, admission decisions, learning path assignment
- Law enforcement — Risk assessment, evidence analysis, crime prediction, border control
- Access to essential services — Healthcare AI, social benefits eligibility, emergency services prioritisation
- Biometric identification — Facial recognition, emotion detection, behavioural categorisation
Additionally, AI systems that are safety components of products already covered by EU harmonised legislation (medical devices, vehicles, machinery, aviation) automatically qualify as high-risk.
Important: Even if your AI system isn't "high-risk," the Act's general obligations (Article 4, transparency and human oversight) apply to all AI systems deployed in the EU, including general-purpose AI tools like Claude Code used for business automation — as we analysed in our AI coding tools attack surface report.
What Article 9 Requires: Risk Management for AI
Article 9 of the EU AI Act establishes a mandatory risk management system that must be maintained throughout the AI system's lifecycle. The key requirements relevant to red teaming are:
Article 9(2)(a) — Identification and Analysis of Known and Foreseeable Risks
You must identify risks "when the high-risk AI system is used in accordance with its intended purpose and under conditions of reasonably foreseeable misuse." This explicitly includes adversarial attacks. Given the well-documented nature of:
- System prompt extraction (89% success rate in our assessments)
- RAG pipeline vulnerabilities (82% of deployments affected)
- Prompt injection (73% of production AI per OWASP)
These attacks are unambiguously "reasonably foreseeable" and must be addressed in your risk management process.
Article 9(2)(b) — Estimation and Evaluation of Risks
Risks must be estimated and evaluated using both quantitative and qualitative methods. A red teaming assessment produces the exact evidence this requirement demands: specific vulnerabilities, severity scores, exploitability ratings, and impact analysis.
Article 9(6) — Testing Procedures
The Act explicitly requires "appropriate testing procedures" at various stages of development and before placing the system on the market. Testing must include:
- Testing against "clearly defined metrics" (CVSS scores, OWASP classifications)
- Testing under "real-world conditions" (production environment assessment)
- Testing for "reasonably foreseeable misuse" (adversarial red teaming)
Article 9(7) — Residual Risk Management
After testing and mitigation, any remaining risks must be documented and communicated to deployers. This means a red teaming report isn't just recommended — it's a legal document that demonstrates compliance.
What "Adversarial Testing" Means Under the EU AI Act
The Act's recitals and supporting documentation from the European AI Office provide clarification on what constitutes adequate adversarial testing:
- Testing must be conducted by independent parties — Internal testing alone is insufficient. The risk management system must include external validation. CREST-certified assessors are specifically recognised for this purpose in UK/EU cybersecurity standards.
- Testing must cover the full attack surface — Not just the AI model, but the entire system: APIs, data pipelines, access controls, deployment infrastructure, and integration points.
- Testing must use current attack methodologies — Static checklists don't satisfy the requirement. Testing must reflect the current threat landscape, including techniques documented in OWASP Top 10 for LLMs, NIST AI RMF, and recent incident reports.
- Results must be documented and actionable — The regulation requires that test results feed back into the risk management system with specific remediation actions.
Our 7-Step Methodology Mapped to EU AI Act Requirements
Our AI Security Configuration Review methodology was specifically designed to satisfy EU AI Act Article 9 requirements:
| Our Step | EU AI Act Requirement | Evidence Produced |
|---|---|---|
| 1. Threat Modelling | Art. 9(2)(a) — Risk identification | Threat register, attack surface map |
| 2. Input Validation Testing | Art. 9(6) — Testing procedures | Prompt injection test results, bypass documentation |
| 3. Output Analysis | Art. 9(6) — Testing procedures | Data leakage assessment, hallucination analysis |
| 4. Access Control Review | Art. 9(2)(b) — Risk evaluation | Authentication/authorisation audit, RBAC/ABAC review |
| 5. Data Pipeline Assessment | Art. 9(2)(a) — Foreseeable misuse | RAG security report, training data analysis |
| 6. Integration Security | Art. 9(6) — Real-world conditions | API security audit, third-party integration review |
| 7. Compliance Mapping | Art. 9(7) — Residual risk | Compliance report with framework mappings |
Each step produces documented evidence that directly satisfies specific regulatory requirements, creating an audit trail that demonstrates compliance to regulators.
Penalties for Non-Compliance
The EU AI Act establishes a three-tier penalty structure (Article 99):
| Violation Type | Maximum Penalty |
|---|---|
| Prohibited AI practices | €35 million or 7% of global annual revenue |
| High-risk AI obligations (including testing) | €15 million or 3% of global annual revenue |
| Providing incorrect information to authorities | €7.5 million or 1% of global annual revenue |
For SMEs and startups, the lower of the two amounts applies. But for enterprises with global revenue above €500 million, the percentage-based calculation dominates — making penalties potentially devastating.
Important precedent: The GDPR established that EU regulators do impose maximum penalties. Meta was fined €1.2 billion in 2023. Amazon received a €746 million fine. The EU AI Act enforcement mechanism mirrors GDPR, and the European AI Office has already signalled aggressive enforcement.
5-Month Compliance Roadmap (March to August 2026)
Month 1 (March): AI System Inventory and Classification
- Catalogue all AI systems in use across the organisation
- Classify each system against Annex III risk categories
- Identify which systems fall under high-risk obligations
- Map existing compliance documentation and gaps
Month 2 (April): Risk Assessment and Testing
- Conduct initial risk assessment for each high-risk system
- Commission independent adversarial testing / AI red teaming assessment
- Document all identified vulnerabilities and risks
Month 3 (May): Remediation and Mitigation
- Implement fixes for critical and high-severity findings
- Deploy additional security controls (monitoring, access controls, input filtering)
- Re-test remediated vulnerabilities
Month 4 (June): Documentation and Evidence
- Complete technical documentation (Article 11)
- Establish human oversight mechanisms (Article 14)
- Document residual risks and mitigation measures (Article 9(7))
- Create compliance dossier for each high-risk system
Month 5 (July): Validation and Go-Live
- Final compliance review against all Chapter III requirements
- Executive sign-off on risk management documentation
- Establish ongoing monitoring and periodic re-assessment schedule
- Prepare for potential regulatory inquiries
The Cost of Waiting
AI red teaming assessments typically take 2-4 weeks for a standard enterprise deployment. Remediation takes another 2-6 weeks depending on severity. Re-testing adds 1-2 weeks. That's a minimum of 5-12 weeks from assessment to compliance — meaning organisations that haven't started are already at risk of missing the deadline.
The AI red teaming market is also experiencing unprecedented demand. According to Market.us, the sector is valued at $1.3 billion in 2025 and growing at 30.5% CAGR. As the August deadline approaches, qualified CREST-certified assessors will be in short supply.
Frequently Asked Questions
Does the EU AI Act apply to UK companies?
If your AI systems are used by or affect EU citizens, yes. The Act has extraterritorial reach similar to GDPR. UK companies serving EU markets must comply.
What if our AI system uses a third-party model (OpenAI, Anthropic, Google)?
The deployer remains responsible for compliance of the overall system. While the model provider must comply with GPAI rules (from August 2025), the deployer must ensure the complete system — including how the model is integrated, what data it accesses, and what decisions it makes — meets high-risk requirements.
Is internal red teaming sufficient?
Article 9 requires risk management to be "proportionate to the level of risk." For high-risk systems, regulators will expect independent external validation. Internal testing can complement but not replace independent assessment.
How often must we conduct adversarial testing?
The Act requires ongoing risk management throughout the system's lifecycle (Article 9(1)). Best practice is to conduct testing at initial deployment, after significant changes, and on a regular cycle (at least annually). We recommend quarterly testing for high-risk systems in dynamic environments.
Next Steps
- Assess your exposure — Download our free 25-point AI security checklist to gauge your current readiness
- Classify your systems — Determine which AI systems are high-risk under Annex III
- Book an assessment — Our AI Security Configuration Review produces the exact evidence Article 9 requires
References
- European Parliament, "Regulation (EU) 2024/1689 — Artificial Intelligence Act," Official Journal of the European Union, 2024
- European AI Office, "Guidelines on Prohibited AI Practices," February 2025
- Market.us, "AI Red Teaming Services Market — Global Forecast to 2035," 2026
- OWASP, "Top 10 for Large Language Model Applications," 2025 Edition
- NIST, "AI Risk Management Framework (AI RMF 1.0)," 2023
- RedTeam Partners Switzerland: EU AI Act Compliance Guide
- Cyber Security Switzerland: EU AI Act Compliance Encyclopedia
Is Your AI Infrastructure Secure?
Book a free 30-minute AI security analysis with our CREST-certified team. We'll show you what an attacker could exploit in your AI systems.
Book Free Analysis