Haakon & Haakon™ is legal-reasoning software from Fjell Systems AS. Because it offers guidance to people in vulnerable situations (family, housing, immigration), it is treated as a high-risk AI system under Annex III of the EU AI Act (Regulation (EU) 2024/1689). We follow the self-assessment path (Annex VI internal control — no external notified body). This page states, honestly, where we are and are not yet compliant, ahead of the 2 August 2026 high-risk deadline.
| Obligation | What it requires | Status | Where we are |
|---|---|---|---|
| Art. 9 — Risk management | A continuous risk-management system across the lifecycle. | In progress | Two security audits worked off (both kill-chains closed); a formal, documented risk-management process is being structured. |
| Art. 10 — Data & data governance | Relevant, representative data; privacy safeguards. | Compliant | Redact-first architecture: personal data is removed before any AI processing. All data stored in Norway; redacted text processed in the EU/EEA (Azure Data Zone). PII never leaves the region. |
| Art. 11 + Annex IV — Technical documentation | A structured technical file describing the system. | In progress | The architecture is documented; formalising it into the Annex IV structure is in progress. |
| Art. 12 — Record-keeping (logging) | Automatic, tamper-evident logging of events over the system's lifetime. | Compliant | Vör-Log records security-relevant events to a hash-chained, append-only audit trail (tamper-evident); Vör-Report produces the record on demand. |
| Art. 13 — Transparency & instructions | Users can interpret output; instructions for use are provided. | In progress | Output is structured guidance (not raw model text). Formal instructions-for-use are being written. |
| Art. 14 — Human oversight | Humans can understand, monitor, and override the system. | Compliant | The system never acts autonomously — every output is a draft the user reviews and confirms. A per-file human approval gate governs cloud processing; an adversarial review layer (Tyr) flags errors; users can correct any output; Vör logs oversight actions. |
| Art. 15 — Accuracy, robustness & cybersecurity | Appropriate accuracy, resilience, and security. | In progress | Fact-sheet anchoring constrains the model to verified values; security hardening shipped; Vör-Watch detects suspicious access. Formal accuracy metrics are still to be documented. |
| Art. 16–21 — Provider obligations & quality management | A quality-management system and provider duties. | In progress | Being formalised alongside the technical documentation. |
| Art. 43 / 47 / 48 — Conformity, declaration & CE marking | Self-assessment, a declaration of conformity, and CE marking. | Planned | Self-assessment path (Annex VI internal control — no notified body required). Target: 2 August 2026. |
| Art. 49 — EU database registration | Registration in the EU high-risk database before deployment. | Planned | Follows completion of the technical documentation. |
| GDPR Art. 22 — Automated decision-making | A legal basis where a decision is solely automated. | Under legal review | Under counsel review. Mitigated now: every output is a non-binding draft until a human confirms it — there is no solely-automated decision. |