
EU AI Act and SOC 2: what overlaps before August 2, 2026

By Editorial team

EU AI Act Chapter III–V obligations apply August 2, 2026. SOC 2 CC4 and CC7 map most directly to Article 12 logging requirements; CC2 maps to Article 50 transparency. Here is the practical overlap and what SOC 2 does not cover.

The EU AI Act and SOC 2 overlap on logging, monitoring, and transparency — but they do not substitute for each other. EU AI Act Chapter III (high-risk AI requirements) and Chapter IV (Article 50 transparency obligations) apply from August 2, 2026. SOC 2 Trust Services Criteria CC4 (Monitoring Activities) and CC7 (System Operations) cover the closest equivalent controls. The gap matters because EU AI Act penalties under Article 99 reach €35 million or 7% of global turnover — orders of magnitude larger than the commercial risk of a failed SOC 2.

EU AI Act Article 12 — record-keeping (verbatim)

From Regulation (EU) 2024/1689, Article 12 paragraph 1: 'High-risk AI systems shall technically allow for the automatic recording of events (logs) over the lifetime of the system.' Paragraph 2 requires logging to enable identification of risk situations (Article 79), facilitation of post-market monitoring (Article 72), and monitoring of operation (Article 26(5)).

Paragraph 3 specifies the minimum logging contents for biometric high-risk AI systems under Annex III point 1(a): recording of the period of each use (start and end timestamps), the reference database against which input data has been checked, the input data that produced a match, and the identification of the natural persons involved in result verification.
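As an added illustration (not code from the article or from any regulator), the following Python sketch turns the Article 12(3) minimum contents into a structured JSON-lines record and a checker that scans existing log lines for records missing any of those contents. The field names, the sample watchlist name and the sample records are constructed for this example; the Regulation names the contents but prescribes no schema.

```python
"""Added example (not from the article): an Article 12(3)-style use
record for a biometric high-risk AI system, plus a checker that reports
records missing any mandatory content."""
import json
from dataclasses import dataclass, asdict
from datetime import datetime
from typing import Dict, List, Optional

# Contents named in Article 12(3) for Annex III point 1(a) systems.
# The field names are this example's own choice (assumption).
REQUIRED_FIELDS = (
    "use_start",        # period of each use: start timestamp
    "use_end",          # period of each use: end timestamp
    "reference_db",     # reference database the input was checked against
    "match_input_ref",  # input data for which the search led to a match
    "verifier_ids",     # natural persons who verified the result
)


@dataclass
class UseRecord:
    use_start: str
    use_end: str
    reference_db: str
    match_input_ref: Optional[str]   # None when the search produced no match
    verifier_ids: List[str]

    def to_line(self) -> str:
        """Serialise as one JSON line for an append-only log."""
        return json.dumps(asdict(self), sort_keys=True)


def _is_tz_aware_iso(ts) -> bool:
    """True for an ISO 8601 timestamp that carries a timezone offset."""
    try:
        return datetime.fromisoformat(ts).tzinfo is not None
    except (TypeError, ValueError):
        return False


def check_record(raw: dict) -> List[str]:
    """Return the problems found in one record; empty list means complete."""
    problems = [f"missing field: {f}" for f in REQUIRED_FIELDS if f not in raw]
    if problems:
        return problems
    if not (_is_tz_aware_iso(raw["use_start"]) and _is_tz_aware_iso(raw["use_end"])):
        problems.append("timestamps must be ISO 8601 with timezone")
    elif datetime.fromisoformat(raw["use_end"]) < datetime.fromisoformat(raw["use_start"]):
        problems.append("use_end precedes use_start")
    if not raw["reference_db"]:
        problems.append("reference_db is empty")
    if raw["match_input_ref"] is not None and not raw["verifier_ids"]:
        problems.append("match recorded but no human verifier identified")
    return problems


def audit_log_lines(lines) -> Dict[int, List[str]]:
    """Map 1-based line number to its problems, for lines that have any."""
    findings: Dict[int, List[str]] = {}
    for n, line in enumerate(lines, start=1):
        try:
            raw = json.loads(line)
        except json.JSONDecodeError:
            findings[n] = ["not valid JSON"]
            continue
        probs = check_record(raw)
        if probs:
            findings[n] = probs
    return findings


# Constructed sample log: a complete record, one missing the reference
# database, and one that records a match without a human verifier.
SAMPLE_LINES = [
    UseRecord("2026-08-03T09:00:00+00:00", "2026-08-03T09:00:04+00:00",
              "watchlist-v12", "frame-000431", ["officer-17"]).to_line(),
    json.dumps({"use_start": "2026-08-03T09:01:00+00:00",
                "use_end": "2026-08-03T09:01:02+00:00",
                "match_input_ref": None, "verifier_ids": []}),
    UseRecord("2026-08-03T09:02:00+00:00", "2026-08-03T09:02:03+00:00",
              "watchlist-v12", "frame-000502", []).to_line(),
]

if __name__ == "__main__":
    for n, probs in audit_log_lines(SAMPLE_LINES).items():
        print(f"line {n}: {'; '.join(probs)}")
```

Running the checker over a real log before an audit is the cheap way to find records that would fail the Article 12(3) minimum; the schema itself should be agreed with whoever performs the Article 43 conformity assessment, since the Regulation fixes the contents but not the format.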

How SOC 2 Trust Services Criteria map to Article 12

Article 50 — transparency obligations

Article 50 paragraph 1 requires that AI systems intended to interact directly with natural persons be designed so users know they are interacting with AI — unless that is obvious to a reasonably well-informed person. Paragraph 2 requires providers of AI systems generating synthetic audio, image, video, or text content to mark outputs as artificially generated in a machine-readable format. Paragraph 4 requires deployers of deepfake-generating systems to disclose that the content has been artificially generated.

SOC 2 mapping: Article 50's transparency obligations map most closely to CC2 (Communication and Information), specifically CC2.3 (communication with external parties). SOC 2 does not have a specific requirement for AI-generated content labeling — that is an EU AI Act-specific obligation.

The eight high-risk AI categories (Annex III)

If your AI system falls into any of these eight Annex III categories, Article 12 logging applies from August 2, 2026:

  1. Biometrics (as permitted under Union or national law).
  2. Critical infrastructure (digital infrastructure, road traffic, water, gas, heating, electricity safety components).
  3. Education and vocational training (admission decisions, monitoring during tests).
  4. Employment, workers' management, and access to self-employment (hiring, performance management, allocation of tasks).
  5. Access to essential private and public services and benefits (credit scoring, insurance underwriting, emergency services prioritization).
  6. Law enforcement (as permitted).
  7. Migration, asylum, and border control management (as permitted).
  8. Administration of justice and democratic processes.

Penalty tiers under Article 99

What SOC 2 does not cover

What to do before August 2, 2026

  1. Determine whether you have a high-risk AI system under Annex III. If you operate in education, employment, essential services, biometrics, or critical infrastructure, you likely do.
  2. If high-risk: implement Article 12 logging now. Logging design takes 4–8 weeks for non-trivial systems; do not start in July 2026.
  3. If you provide AI to EU users (any risk level): implement Article 50 transparency disclosures by August 2, 2026. This applies to chatbots, deepfake-capable systems, and content-generating AI.
  4. Map your SOC 2 controls (if you have one) to the EU AI Act requirements. Use the mapping above as a starting point. Document the gaps separately.
  5. Engage a notified body if your system requires Article 43 conformity assessment (Annex I-listed systems and certain Annex III systems with third-party assessment requirements).

The bigger picture

SOC 2 was designed for service organization controls reporting under SSAE 18. It was never intended to cover AI-specific risks like training data lineage, model drift, prompt injection, or hallucination. Practitioners in 2026 are extending SOC 2 with AI overlays (see our separate guide on AI controls in SOC 2 audits), but the formal AICPA standard remains the 2017 Trust Services Criteria. For EU AI Act compliance, treat SOC 2 as one input among several — not as the answer.