EU AI Act compliance is now a live obligation, not a future one. The Act entered into force on 1 August 2024, the ban on unacceptable-risk systems has applied since February 2025, and the rules for high-risk systems arrive in August 2026. This guide is the practical companion to our explainer on what the EU AI Act is: it walks through whether you are in scope, how to classify your AI systems, what each risk level requires, and the steps to be ready in time.
Read the specifics against your own situation. The framework is settled, but how a given system is classified depends on how you build and use it, so treat the risk examples below as a starting point for your own assessment.
Does the EU AI Act apply to you?
Almost certainly, if you build, sell, or use AI systems that reach people in the EU. Like the GDPR, the Act applies beyond EU borders: a company based anywhere is in scope when its AI system is placed on the EU market or its output affects people in the EU. Your obligations depend on your role in the AI value chain:
- Providers develop an AI system or general-purpose AI model, or have one developed to put on the market under their name. Providers carry the heaviest obligations.
- Deployers use an AI system in the course of their business. Most companies embedding third-party AI fall here, with lighter but real duties.
- Importers and distributors bring an AI system from outside the EU to the EU market, and must check the provider has met its obligations.
One system can put you in more than one role. If you fine-tune or rebrand a model and market it as your own, you can become a provider even if you did not build the base model, which materially raises what you owe.
Classify your AI system: the four risk levels
The Act is risk-based, so your first real task is to place each AI system into one of four levels, because that determines everything else. The table below summarises the levels and what each one requires. For the full background on how the tiers were designed, see the EU AI Act framework overview.
Most business AI lands in the minimal or limited tiers, where the burden is light. The work concentrates on high-risk systems, so the classification step is worth doing carefully. A structured way to assess your AI systems keeps this defensible rather than a guess.
What high-risk providers must do
If you provide a high-risk system, you must demonstrate conformity before it reaches the market, then keep it compliant in use. The core obligations run in sequence:
- Risk management system. Establish and maintain a continuous process to identify and mitigate risks across the system's lifecycle.
- Data governance. Show that training, validation and testing data are relevant, representative and appropriately managed.
- Technical documentation and logging. Produce the documentation that proves conformity, and enable automatic record-keeping of the system's operation.
- Human oversight and transparency. Design the system so people can understand and, where needed, override it.
- Conformity assessment and registration. Complete the assessment (internal or third-party depending on the system), affix the CE marking, and register the system in the EU database.
Deployers of high-risk systems have their own duties, including human oversight and monitoring in use, so the obligation does not end with the provider. Building an AI management system aligned to ISO 42001 gives you a repeatable structure for all of this rather than a one-off scramble.
EU AI Act compliance deadlines
The Act applies in stages, and several are already live. Map each of your systems to the date that governs it so nothing slips.
Contact our team for a free, personalized demo.







