Classification first
Each system placed in the regulatory map before any compliance spend — most businesses discover their real obligations are narrower, and different, than feared.
AI regulatory readiness from Aun & Co.: obligations under the EU AI Act, privacy frameworks and sectoral rules mapped to your systems before enforcement asks first.
AI regulation is no longer hypothetical: the EU AI Act is phasing in with risk-tiered obligations that reach non-European businesses whose systems touch the EU market, privacy frameworks in Israel and abroad already govern the data layer, and sector regulators are adding expectations of their own. Readiness work is the translation exercise — which of your systems fall where, which obligations attach on what timeline, and what documentation, transparency and oversight the rules require you to be able to show.
The firm inventories the AI systems in and around your business, then classifies each against the regimes that plausibly reach it — the EU AI Act where European market contact exists, privacy law wherever personal data flows, sector rules where your industry adds them. Obligations are translated from regulation-speak into artefacts and behaviours: the records to keep, the notices to give, the oversight to install. The plan sequences the work against the actual enforcement calendar, so effort lands where deadlines do.
Each system placed in the regulatory map before any compliance spend — most businesses discover their real obligations are narrower, and different, than feared.
Rules translated into the concrete records, notices and oversight steps your team must produce — compliance you can show, not just claim.
Work phased against actual application dates and enforcement priorities, spending readiness effort where the deadlines genuinely are.
A typical engagement: an Israeli company with EU-facing services commissions a readiness review. Classification places one system in a regulated tier and clears the rest; the plan produces its transparency documentation and oversight mechanism ahead of the applicable phase-in date, and the questionnaire answers write themselves.
Described in abbreviated, anonymised form to preserve client confidentiality.
It can — the Act reaches providers and deployers outside the EU where their systems are placed on the EU market or their outputs are used there. For Israeli businesses with European customers or users, applicability analysis is the mandatory first step, not a formality.
It depends on the tier: prohibited practices are banned outright, high-risk systems carry documentation, oversight, and quality obligations, and lighter transparency duties attach to certain interactive and generative uses. Most systems fall outside the heavy tiers — which is exactly why classification precedes compliance spend.
An inventory and classification of the systems in use, an applicability map across the regimes that reach you, a gap assessment, and a phased plan tied to the enforcement calendar. First classification results typically arrive within weeks; the artefact-building follows by priority.