Article by Article. What Fuze does, and what stays on you.

Art. 12

Automatic event recording

Fuze covers

What the Act says

High-risk systems must technically allow for the automatic recording of events over the lifetime of the system. Logs must enable traceability and post-market monitoring. Deployers must keep them for at least six months.

What Fuze does

Every prompt, tool call, return value, and guard event captured as structured JSONL on the hot path. Hash-chained and HMAC-signed for tamper detection. Six-month minimum retention, configurable up to seven years.

Art. 14

Human oversight

Fuze covers

What the Act says

Operators must be able to monitor a high-risk system, intervene, override, and stop it. Natural persons must have the competence, training, authority, and support to perform that oversight effectively.

What Fuze does

`ctx.requestOversight()` suspends a run on a durable adapter; the reviewer's signature binds the human decision into the hash chain. Pending-oversight queue and kill-switch live in Fuze Control.

Art. 26

Deployer obligations

Fuze covers

What the Act says

Deployers must use the system per the provider's instructions, assign competent natural persons for oversight, monitor operation, maintain the logs they generate, and report serious incidents.

What Fuze does

Fuze Control aggregates evidence per agent and per run. Posture views, retention controls, an admin audit log of privileged dashboard actions. Article 73 report drafts compile from the same stream.

Art. 27

Fundamental rights impact assessment

Fuze covers

What the Act says

Before deploying certain Annex III high-risk systems, deployers (notably public bodies) must perform a fundamental-rights impact assessment, kept up to date.

What Fuze does

`@fuze-ai/agent-fria` compiles a FRIA draft from the evidence stream's span attributes. The output is a structured document ready for review and submission.

Art. 73

Serious incident reporting

Fuze covers

What the Act says

Deployers must notify the relevant national market-surveillance authority within 72 hours of becoming aware of a serious incident involving the high-risk system.

What Fuze does

`@fuze-ai/agent-incident` drafts a regulator-ready Article 73 report from the same stream — timeline, affected runs, human decisions already attached.

Art. 19

Log retention

Partial today

What the Act says

Operators must keep the automatically generated logs for an appropriate period — at least six months for high-risk systems, longer where sector law requires it.

What Fuze does

Append-only event store with configurable retention. HMAC-SHA256 hash chain is in the Python SDK; TypeScript parity is on the near-term roadmap.

Annex IV

Technical documentation

Partial today

What the Act says

The technical file describing the system — purpose, architecture, training data, risk management, monitoring plan, performance metrics. Required before placing the system on the market.

What Fuze does

`@fuze-ai/agent-annex-iv` maps evidence span attributes to Annex IV sections and ISO 42001 controls. The structural skeleton compiles; human review required for prose sections.

Art. 9

Risk management system

On the roadmap

What the Act says

A continuous, documented process across the lifecycle: identify reasonably foreseeable risks, evaluate them, adopt mitigation, monitor outcomes, iterate.

What Fuze does

On the roadmap: tooling for residual-risk logs and control-registry tracking. The runtime data is already there; the document UI isn’t.

Art. 13

Transparency to deployers

On the roadmap

What the Act says

Providers must give deployers the information needed to interpret and use the system correctly: intended purpose, performance characteristics, known limitations, oversight measures.

What Fuze does

On the roadmap: capability cards and a known-limitation registry exported with each run.

Art. 15

Accuracy and robustness

On the roadmap

What the Act says

Demonstrated performance levels under realistic conditions, resilience to error and attack, cybersecurity measures proportionate to the risk.

What Fuze does

On the roadmap: eval-suite integration and jailbreak-attempt logging on the hot path.

Art. 72

Post-market monitoring

On the roadmap

What the Act says

Systematic collection and analysis of operational data after deployment to identify risks, drift, and the need for corrective action.

What Fuze does

On the roadmap: drift alerts and performance-regression diffs per deployment. The data is in the stream today; the analysis surface ships next.

Art. 10

Data and data governance

On you

What the Act says

Training, validation, and test data sets used by high-risk systems must meet quality criteria: relevance, representativeness, bias testing, lineage.

What Fuze does

Outside Fuze’s runtime scope. Your data team owns provenance, representativeness testing, and bias evaluation.

Art. 14(4)

Training the humans in the oversight role

On you

What the Act says

The natural persons assigned to oversee the system must have sufficient competence, training, and authority.

What Fuze does

Hiring, training, and access governance are entirely on you. Fuze Control surfaces the activity those people supervise.

Art. 15(5)

Cybersecurity

On you

What the Act says

Cybersecurity measures proportionate to the risk: identity, secrets, network, supply-chain controls.

What Fuze does

Largely outside Fuze’s runtime scope; references ISO 27001 / SOC 2 controls. Fuze Control’s admin audit log + DPA + sub-processor list are inputs to your own security posture.