Regulatory & compliance · 2 min read

The EU AI Act and Online Proctoring: A 2025 Compliance Guide

A practical guide to the EU AI Act (Regulation 2024/1689) for education and certification teams using (or evaluating) online proctoring.

Online proctoring that monitors candidates and detects prohibited behavior can fall into the EU AI Act's "high-risk" category: Annex III, point 3 (education and vocational training) explicitly lists AI systems intended to monitor and detect prohibited behaviour of students during tests. Whether a given deployment is caught depends on what the system does and how it is used. If your institution runs exams in the EU (or serves EU learners), you should plan now: the obligations for Annex III high-risk systems, including those in education, apply from August 2, 2026.

This guide explains what matters operationally, what evidence you’ll be asked for, and how a privacy-first, on-device architecture can reduce risk without sacrificing integrity.

What “high-risk” means in practice

High-risk systems come with requirements around:

  • Risk management: identify foreseeable harms, define mitigations, keep evidence updated
  • Data governance: ensure training/validation data is appropriate and documented (where applicable)
  • Technical documentation: architecture, intended purpose, limitations, performance claims
  • Logging: event logs sufficient to reconstruct and audit decisions
  • Transparency: clear information to users and affected persons
  • Human oversight: humans must be able to interpret and override; no “black-box auto-fail”
  • Accuracy & robustness: defined performance metrics and monitoring

The compliance “paper trail” you should prepare

Even if you outsource parts of proctoring (the vendor is typically the "provider" under the Act and your institution the "deployer"), you will likely need:

  • A clear intended use statement (what you detect, what you don’t detect)
  • A decision policy: how signals translate into “review” vs “no action”
  • An audit process: escalation, appeals, and evidence retention
  • A change-management process (updates, model changes, configuration)

Why privacy-first architectures lower legal exposure

Many legacy systems centralize raw video, audio and biometric data in the cloud. That creates:

  • A broader attack surface
  • A larger breach blast radius
  • Greater data protection obligations (and reputational risk)

By processing signals locally (in-browser) and sending only minimal, tamper-evident event logs (categorical signals with timestamps, not frames or face templates), you can often meet integrity needs while materially reducing the volume and sensitivity of data handled.

Next step

If you’re evaluating vendors, ask for a compliance pack that includes:

  • Logging schema (what is logged, for how long, and why)
  • Human review workflow (who reviews, how candidates appeal)
  • DPIA support materials
  • Documented limitations (false positive and false negative rates, and the conditions under which they were measured)