Compliance

EU AI Act Compliance: How to Prepare Your Business

Work out if the Act applies to you, classify your AI systems, and act before the deadlines.

Author
Dr. Kilian Schmidt
Date
Updated on
11.7.2026
EU AI Act Compliance: How to Prepare Your Business

EU AI Act compliance is now a live obligation, not a future one. The Act entered into force on 1 August 2024, the ban on unacceptable-risk systems has applied since February 2025, and the rules for high-risk systems arrive in August 2026. This guide is the practical companion to our explainer on what the EU AI Act is: it walks through whether you are in scope, how to classify your AI systems, what each risk level requires, and the steps to be ready in time.

Read the specifics against your own situation. The framework is settled, but how a given system is classified depends on how you build and use it, so treat the risk examples below as a starting point for your own assessment.

Does the EU AI Act apply to you?

Almost certainly, if you build, sell, or use AI systems that reach people in the EU. Like the GDPR, the Act applies beyond EU borders: a company based anywhere is in scope when its AI system is placed on the EU market or its output affects people in the EU. Your obligations depend on your role in the AI value chain:

  • Providers develop an AI system or general-purpose AI model, or have one developed to put on the market under their name. Providers carry the heaviest obligations.
  • Deployers use an AI system in the course of their business. Most companies embedding third-party AI fall here, with lighter but real duties.
  • Importers and distributors bring an AI system from outside the EU to the EU market, and must check the provider has met its obligations.

One system can put you in more than one role. If you fine-tune or rebrand a model and market it as your own, you can become a provider even if you did not build the base model, which materially raises what you owe.

Classify your AI system: the four risk levels

The Act is risk-based, so your first real task is to place each AI system into one of four levels, because that determines everything else. The table below summarises the levels and what each one requires. For the full background on how the tiers were designed, see the EU AI Act framework overview.

Risk level Examples What you must do
UnacceptableSocial scoring, untargeted scraping of facial images, certain biometric categorisationProhibited. These systems cannot be placed on the market or used.
HighAI used in hiring, credit scoring, critical infrastructure, medical devices, education, border controlConformity assessment, risk management, data governance, technical documentation, human oversight, and registration before going to market.
LimitedChatbots, emotion recognition, generative AI contentTransparency. Tell people they are interacting with AI, and label AI-generated content.
MinimalSpam filters, AI in video games, inventory toolsNo mandatory obligations. Voluntary codes of conduct are encouraged.

Most business AI lands in the minimal or limited tiers, where the burden is light. The work concentrates on high-risk systems, so the classification step is worth doing carefully. A structured way to assess your AI systems keeps this defensible rather than a guess.

What high-risk providers must do

If you provide a high-risk system, you must demonstrate conformity before it reaches the market, then keep it compliant in use. The core obligations run in sequence:

  1. Risk management system. Establish and maintain a continuous process to identify and mitigate risks across the system's lifecycle.
  2. Data governance. Show that training, validation and testing data are relevant, representative and appropriately managed.
  3. Technical documentation and logging. Produce the documentation that proves conformity, and enable automatic record-keeping of the system's operation.
  4. Human oversight and transparency. Design the system so people can understand and, where needed, override it.
  5. Conformity assessment and registration. Complete the assessment (internal or third-party depending on the system), affix the CE marking, and register the system in the EU database.

Deployers of high-risk systems have their own duties, including human oversight and monitoring in use, so the obligation does not end with the provider. Building an AI management system aligned to ISO 42001 gives you a repeatable structure for all of this rather than a one-off scramble.

EU AI Act compliance deadlines

The Act applies in stages, and several are already live. Map each of your systems to the date that governs it so nothing slips.

Contact our team for a free, personalized demo.

The Founder's Guide about NIS2: Prepare your company Now before

Protect your startup: Discover how NIS2 can impact your business and what you need to consider now. Read the free white paper now!

The Founder's Guide about NIS2: Prepare your company Now before

Protect your startup: Discover how NIS2 can impact your business and what you need to consider now. Read the free white paper now!

EU AI Act Compliance: How to Prepare Your Business
Ready, your compliance to put on autopilot?
Dr. Kilian Schmidt

Dr. Kilian Schmidt

CEO & Co-Founder, Kertos GmbH

Dr. Kilian Schmidt developed a strong interest in legal processes early on. After studying law, he began his career as Senior Legal Counsel and Data Protection Officer at the Home24 Group. After working at Freshfields Bruckhaus Deringer, he moved to TIER Mobility, where, as General Counsel, he was significantly involved in expanding the legal and public policy department - and grew the company from one to 65 cities and from 50 to 800 employees. Motivated by limited technological advances in the legal sector and inspired by his consulting work at Gorillas Technologies, he co-founded Kertos to develop the next generation of European data protection technology.

About Kertos

Kertos is the modern backbone of the data protection and compliance activities of scaling companies. We enable our customers to implement integrated data protection and information security processes in accordance with GDPR, ISO 27001, TISAX®, SOC2 and many other standards quickly and cheaply through automation.

Ready to simplify GDPR compliance?

CTA Image

📅 Schedule Your 5min Compliance Check

Please enter your business email to continue. We require a company email address to ensure we can best serve your organization.

📞 5min Compliance Check