← Back to Haakon & Haakon

EU AI Act — Compliance Statement

Haakon & Haakon™ is legal-reasoning software from Fjell Systems AS. Because it offers guidance to people in vulnerable situations (family, housing, immigration), it is treated as a high-risk AI system under Annex III of the EU AI Act (Regulation (EU) 2024/1689). We follow the self-assessment path (Annex VI internal control — no external notified body). This page states, honestly, where we are and are not yet compliant, ahead of the 2 August 2026 high-risk deadline.

Read the Act (EUR-Lex, official) European Commission overview
Self-assessed · Last updated 2026-07-12 · Contact: craig@fjellsystems.com

Where we stand, article by article

Compliant in place today In progress being built toward the deadline Planned scheduled, not started Under legal review awaiting counsel
ObligationWhat it requiresStatusWhere we are
Art. 9 — Risk management A continuous risk-management system across the lifecycle. In progress Two security audits worked off (both kill-chains closed); a formal, documented risk-management process is being structured.
Art. 10 — Data & data governance Relevant, representative data; privacy safeguards. Compliant Redact-first architecture: personal data is removed before any AI processing. All data stored in Norway; redacted text processed in the EU/EEA (Azure Data Zone). PII never leaves the region.
Art. 11 + Annex IV — Technical documentation A structured technical file describing the system. In progress The architecture is documented; formalising it into the Annex IV structure is in progress.
Art. 12 — Record-keeping (logging) Automatic, tamper-evident logging of events over the system's lifetime. Compliant Vör-Log records security-relevant events to a hash-chained, append-only audit trail (tamper-evident); Vör-Report produces the record on demand.
Art. 13 — Transparency & instructions Users can interpret output; instructions for use are provided. In progress Output is structured guidance (not raw model text). Formal instructions-for-use are being written.
Art. 14 — Human oversight Humans can understand, monitor, and override the system. Compliant The system never acts autonomously — every output is a draft the user reviews and confirms. A per-file human approval gate governs cloud processing; an adversarial review layer (Tyr) flags errors; users can correct any output; Vör logs oversight actions.
Art. 15 — Accuracy, robustness & cybersecurity Appropriate accuracy, resilience, and security. In progress Fact-sheet anchoring constrains the model to verified values; security hardening shipped; Vör-Watch detects suspicious access. Formal accuracy metrics are still to be documented.
Art. 16–21 — Provider obligations & quality management A quality-management system and provider duties. In progress Being formalised alongside the technical documentation.
Art. 43 / 47 / 48 — Conformity, declaration & CE marking Self-assessment, a declaration of conformity, and CE marking. Planned Self-assessment path (Annex VI internal control — no notified body required). Target: 2 August 2026.
Art. 49 — EU database registration Registration in the EU high-risk database before deployment. Planned Follows completion of the technical documentation.
GDPR Art. 22 — Automated decision-making A legal basis where a decision is solely automated. Under legal review Under counsel review. Mitigated now: every output is a non-binding draft until a human confirms it — there is no solely-automated decision.

What is not yet in place

In plain terms, the open items are: formalising the technical documentation (Annex IV), completing the conformity assessment + declaration of conformity + CE marking, registering in the EU high-risk database, and confirming with counsel the legal basis under GDPR Article 22. None of these has passed its deadline — they are scheduled work toward 2 August 2026, tracked in our internal assessment.
This is a good-faith self-assessment, not legal advice or a certification. It is reviewed as the system changes. Norway/EEA adoption of the Act may follow the EU dates via the EEA Joint Committee; we track any divergence.