The EU AI Act is no longer a proposal: it is law (Regulation (EU) 2024/1689). It is the first comprehensive AI regulation and establishes a risk-based framework that classifies AI systems and imposes obligations accordingly. It applies to any company that places an AI system on the EU market, deploys one in the EU, or uses its output in the EU, regardless of where the company is headquartered.
This guide cuts through the legal complexity and focuses on what CTOs and technology leaders need to implement.
Timeline
| Date | What happens |
|---|---|
| 1 August 2024 | AI Act entered into force |
| 2 February 2025 | Prohibited practices (Article 5) and the AI literacy duty (Article 4) apply |
| 2 August 2025 | GPAI (general-purpose AI) model obligations, governance and penalty provisions apply |
| 2 August 2026 | Most remaining obligations apply, including those for Annex III high-risk systems |
| 2 August 2027 | Obligations for Annex I high-risk systems (AI embedded in products covered by existing EU product legislation) apply |
The critical deadline for most companies is 2 August 2026, when the Annex III high-risk obligations apply; if you deploy high-risk AI systems, your compliance infrastructure must be in place by then. The prohibitions and the AI literacy duty have applied since 2 February 2025, so the "banned" audit is not something to schedule for later.
The Risk Classification System
The AI Act classifies AI systems into four risk levels, each with different obligations.
Unacceptable Risk (Banned)
These AI practices are prohibited entirely:
- Social scoring, by public or private actors, that leads to detrimental treatment unrelated to the context in which the data was collected or disproportionate to the behaviour
- Real-time remote biometric identification in publicly accessible spaces for law enforcement purposes (with narrow, judicially authorised exceptions)
- Subliminal, manipulative or deceptive techniques that distort behaviour and cause or are likely to cause significant harm
- Exploitation of vulnerabilities due to age, disability, or a specific social or economic situation
- Emotion recognition in workplaces and educational institutions (except for medical or safety reasons)
- Untargeted scraping of facial images from the internet or CCTV to build facial recognition databases
- Biometric categorisation that infers race, political opinions, trade union membership, religion, sex life or sexual orientation
- Predicting the risk that a person will commit a criminal offence based solely on profiling or personality traits
Action required: Audit your AI systems now; these prohibitions have applied since 2 February 2025. If any system falls into these categories, shut it down.
High Risk (Heavy Regulation)
AI systems in these Annex III domains are classified as high-risk:
- Employment: Recruitment and candidate screening, performance evaluation, promotion and termination decisions, task allocation
- Education: Admissions, assessment, proctoring and student monitoring
- Credit and insurance: Creditworthiness evaluation, risk assessment and pricing for life and health insurance
- Essential services: Public benefits eligibility, emergency call triage and dispatch
- Law enforcement: Individual risk assessment, evidence reliability assessment, profiling
- Migration: Visa and asylum processing, border control
- Critical infrastructure: Safety components for energy, transport, water and digital infrastructure
- Administration of justice and democratic processes: Assisting judicial decisions, influencing election outcomes
- Biometrics: Remote biometric identification (other than identity verification), biometric categorisation by sensitive attributes, emotion recognition
One caveat (Article 6(3)): an Annex III system is not high-risk if it only performs a narrow procedural task, improves the result of a completed human activity, detects decision patterns without replacing human assessment, or merely prepares a human assessment, and it does not profile natural persons. A provider relying on this carve-out must document the assessment before placing the system on the market.
Obligations for high-risk systems (these fall mainly on the provider; deployers carry separate duties under Article 26, such as using the system according to its instructions, assigning trained people to human oversight, and keeping the logs under their control):
- Risk management system (continuous, not one-time)
- Data governance (training data quality, representativeness, bias testing)
- Technical documentation (detailed, kept up-to-date)
- Record-keeping (automatic logging of system operation)
- Transparency (information to deployers about capabilities and limitations)
- Human oversight (ability for humans to understand, monitor, and override)
- Accuracy, robustness, and cybersecurity (tested and maintained; Article 15 explicitly names data poisoning, model poisoning, adversarial examples or model evasion, and confidentiality attacks as threats the system must be resilient against)
- Conformity assessment (internal control for most Annex III systems; a notified body for biometric systems unless harmonised standards are fully applied, and for Annex I products under their own sectoral regimes)
- EU database registration (the provider registers an Annex III system before placing it on the market; public-sector deployers also register their use)
Limited Risk (Transparency Only)
AI systems that interact with people or generate content have transparency obligations under Article 50:
- Chatbots: Must inform users they're interacting with AI, unless this is obvious to a reasonably well-informed person
- Deepfakes/synthetic media: Providers must mark synthetic audio, image, video and text output in a machine-readable format; deployers must disclose that a deepfake is artificially generated or manipulated
- Emotion recognition and biometric categorisation: Must inform the people exposed to the system
These duties stack with the other tiers rather than replacing them: an emotion recognition system that is not banned is also high-risk under Annex III, and still carries this transparency duty.
Minimal Risk (No Obligations)
Most AI systems, such as spam filters, recommendation engines, search and business automation, have no specific obligations under the AI Act; voluntary codes of conduct are encouraged. The one cross-cutting duty is AI literacy (Article 4): since 2 February 2025, providers and deployers of any AI system must ensure that the staff operating it have an adequate level of AI literacy.
Technical Implementation Requirements
For High-Risk Systems
1. Risk Management System
What it means: A continuous process of identifying, analysing, and mitigating risks throughout the AI system's lifecycle.
Implementation:
- Create a risk register for each high-risk AI system
- Define risk assessment criteria (likelihood × impact)
- Conduct risk assessment before deployment and at regular intervals
- Document mitigations for identified risks
- Review and update after any significant change to the system
2. Data Governance
What it means: Ensuring training, validation, and test data is relevant, representative, and as free from bias as possible.
Implementation:
- Document data sources, collection methods, and preprocessing
- Assess data for completeness and representativeness across relevant demographics
- Conduct bias testing on training data
- Implement data quality monitoring for ongoing data feeds
- Maintain data lineage documentation
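The two list items that most often lack a concrete starting point are the representativeness check and the bias test. The script below is an added example, not code from the article or from any regulator: it takes a constructed set of (protected attribute, training label) rows for a hiring screen, computes the positive-label rate per group, flags groups whose rate falls below 80% of the best-treated group, and separately flags groups too small for the estimate to mean anything. The 0.8 ratio is the US EEOC "four-fifths" rule of thumb, the 30-row minimum is an arbitrary floor, and the data is invented; the AI Act prescribes none of these values, only that the examination happens and is documented. The same function applies unchanged to model outputs in place of training labels.

```python
"""Group-level representativeness and bias check over a constructed
training set. Added example, not from the article; thresholds and
data are assumptions, see the comments."""
from collections import Counter

# Constructed sample: (protected attribute value, label) pairs for a
# hiring screen. 1 = advanced to interview, 0 = rejected.
SAMPLE = (
    [("A", 1)] * 70 + [("A", 0)] * 30   # group A: 70% positive rate
    + [("B", 1)] * 40 + [("B", 0)] * 60  # group B: 40% positive rate
    + [("C", 1)] * 6 + [("C", 0)] * 4    # group C: only 10 rows
)


def selection_rates(rows):
    """Positive-label rate and row count per group: {group: (rate, n)}."""
    pos, n = Counter(), Counter()
    for group, label in rows:
        n[group] += 1
        pos[group] += label
    return {g: (pos[g] / n[g], n[g]) for g in n}


def disparate_impact(rates):
    """Each group's rate as a fraction of the best-treated group's rate."""
    best = max(rate for rate, _ in rates.values())
    return {g: rate / best for g, (rate, _) in rates.items()}


def bias_report(rows, ratio_threshold=0.8, min_group_size=30):
    """Return rates, ratios and a list of human-readable findings.

    ratio_threshold=0.8 mirrors the EEOC four-fifths heuristic and
    min_group_size=30 is an assumed floor; both are policy choices the
    risk management process should set and record, not legal constants.
    """
    rates = selection_rates(rows)
    ratios = disparate_impact(rates)
    findings = []
    for g, (rate, n) in sorted(rates.items()):
        if n < min_group_size:
            # Too few rows: the rate estimate is noise, report that first.
            findings.append(
                f"{g}: only {n} rows, below minimum {min_group_size}; "
                f"rate estimate unreliable"
            )
        elif ratios[g] < ratio_threshold:
            findings.append(
                f"{g}: selection rate {rate:.2f} is {ratios[g]:.2f} of the "
                f"best group (threshold {ratio_threshold})"
            )
    return {"rates": rates, "ratios": ratios, "findings": findings}


if __name__ == "__main__":
    for line in bias_report(SAMPLE)["findings"]:
        print(line)
```

On the constructed data group B is flagged for disparate impact (its rate is 0.57 of group A's) and group C is flagged as under-represented rather than biased, which is the distinction the representativeness item in the list is asking you to make. Record the thresholds you settle on in the risk register, and re-run the report whenever the training data changes.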
3. Technical Documentation
What it means: Comprehensive documentation that enables authorities to assess compliance.
Required content:
- System description (purpose, intended use, design specifications)
- Development process (data, training, testing methodology)
- Monitoring and performance metrics
- Risk management documentation
- Instructions for deployers
- Changes and updates log
4. Automatic Logging
What it means: AI systems must automatically log events relevant to identifying risks and monitoring operation.
Implementation:
- Log the events needed to reconstruct and audit each decision: a reference to or hash of the input, the output, the model version and the operator involved (a deterministic, statistically representative sample for high-volume systems). Copying raw inputs wholesale collides with GDPR data minimisation, so hash or reference personal data rather than duplicating it
- Log confidence scores and decision rationale
- Log system performance metrics
- Retain logs for a period appropriate to the system's purpose and at least six months (Articles 19 and 26(6)), or longer where other EU or national law requires it
- Ensure logs are tamper-evident (append-only storage with a hash chain or signatures, with the chain head anchored outside the system that writes the log)
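The tamper-evidence and sampling points are easy to state and easy to get wrong, so here is an added example (not code from the article or from any regulator) of a decision log that does both. Each record commits to the previous record's hash, inputs are stored only as a SHA-256 digest, and high-volume sampling is decided by hashing the request ID so the sample cannot be steered after the fact. The record fields, the model version string and the `demo()` data are assumptions chosen for illustration.

```python
"""Hash-chained, input-hashing decision log for a high-risk AI system.
Added example, not from the article; field names, sampling rule and the
demo data are assumptions."""
import hashlib
import json
import time

GENESIS = "0" * 64


def _h(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _canon(obj) -> bytes:
    """Canonical JSON so the same record always hashes the same way."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


class DecisionLog:
    """Append-only log where each record commits to the previous one."""

    def __init__(self, model_version: str, sample_every: int = 1):
        self.model_version = model_version
        self.sample_every = sample_every  # 1 = log every decision
        self.records = []
        self.prev_hash = GENESIS

    def _selected(self, request_id: str) -> bool:
        """Deterministic sampling: a given request is always in or out,
        so nobody can choose after the fact which decisions are kept."""
        if self.sample_every == 1:
            return True
        bucket = int(_h(request_id.encode())[:8], 16)
        return bucket % self.sample_every == 0

    def record(self, request_id, input_payload, output, confidence, ts=None):
        """Append a record; returns it, or None if sampled out."""
        if not self._selected(request_id):
            return None
        rec = {
            "seq": len(self.records),
            "ts": time.time() if ts is None else ts,
            "request_id": request_id,
            "model_version": self.model_version,
            # Digest only: proves what was processed without copying
            # the personal data itself into the log.
            "input_sha256": _h(_canon(input_payload)),
            "output": output,
            "confidence": confidence,
            "prev_hash": self.prev_hash,
        }
        rec["hash"] = _h(_canon(rec))
        self.records.append(rec)
        self.prev_hash = rec["hash"]
        return rec


def verify_chain(records):
    """Return (ok, index_of_first_bad_record); (True, None) if intact.
    Catches edited fields, deleted or reordered entries, and truncation
    from the front; truncation from the end needs the head hash stored
    somewhere the log writer cannot reach."""
    prev = GENESIS
    for i, rec in enumerate(records):
        if rec["prev_hash"] != prev or rec["seq"] != i:
            return False, i
        body = {k: v for k, v in rec.items() if k != "hash"}
        if _h(_canon(body)) != rec["hash"]:
            return False, i
        prev = rec["hash"]
    return True, None


def demo():
    """Constructed credit-scoring decisions, then a silent 'correction'."""
    log = DecisionLog("credit-scorer-2.3.1")
    log.record("r1", {"income": 52000, "age": 41}, "approve", 0.91, ts=1.0)
    log.record("r2", {"income": 18000, "age": 23}, "deny", 0.77, ts=2.0)
    ok_before, _ = verify_chain(log.records)
    tampered = json.loads(json.dumps(log.records))  # deep copy
    tampered[1]["output"] = "approve"  # someone rewrites a rejection
    ok_after, bad = verify_chain(tampered)
    return ok_before, ok_after, bad


if __name__ == "__main__":
    print(demo())  # (True, False, 1)
```

The chain proves integrity only relative to its head: an attacker who can rewrite every record can re-chain them, so periodically export the current head hash to a place the log writer cannot modify (a signed timestamp, WORM storage, or a separate audit account). A shorter retention policy than six months, or deleting a regulator's requested window, will show up as a broken chain, which is the point.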
5. Human Oversight
What it means: Systems must be designed to allow effective human oversight.
Implementation:
- Ability for human operators to understand the system's capabilities and limitations, and to correctly interpret its output
- Awareness of automation bias, the tendency to over-rely on the system's output, particularly where it informs decisions about people (Article 14(4)(b))
- Tools to monitor system operation in real time
- Ability to decide not to use the system, or to disregard, override or reverse its output
- "Stop button": ability to interrupt or halt system operation in a safe state
- Alert mechanisms for anomalous behaviour
Penalties
| Violation | Maximum fine (Article 99) |
|---|---|
| Prohibited practices (Article 5) | €35M or 7% of worldwide annual turnover |
| Other operator obligations, including high-risk and transparency duties | €15M or 3% of worldwide annual turnover |
| Supplying incorrect, incomplete or misleading information to authorities | €7.5M or 1% of worldwide annual turnover |
For most companies the applicable cap is whichever of the two amounts is higher; for SMEs and start-ups it is whichever is lower. Fines for providers of GPAI models (up to €15M or 3%) are imposed directly by the Commission under Article 101.
Practical Compliance Checklist
Immediate (Now)
- Inventory all AI systems deployed or in development
- Classify each system by risk level
- Verify no systems fall into the "banned" category
- Identify high-risk systems that need compliance by August 2026
- Assign a compliance owner for each high-risk system
Short-Term (Next 3 Months)
- Create risk management system for high-risk AI
- Document data governance practices
- Implement automatic logging for high-risk systems
- Conduct initial bias assessment
- Begin technical documentation
Medium-Term (3-6 Months)
- Implement human oversight mechanisms
- Conduct accuracy and robustness testing
- Complete conformity assessment
- Register high-risk systems in EU database
- Train staff on compliance obligations
Ongoing
- Continuous risk monitoring
- Regular bias audits
- Documentation updates after system changes
- Annual compliance review
- Monitor regulatory guidance updates
How It Affects Your AI Roadmap
The AI Act doesn't stop AI innovation — but it changes how you prioritise and build. Specifically:
- Build governance infrastructure first. Before deploying new high-risk AI systems, ensure logging, monitoring, and documentation capabilities are in place.
- Bias testing becomes mandatory. Budget time and resources for fairness testing in every high-risk AI project.
- Human oversight by design. Architect AI systems with human override capabilities from the start, not as an afterthought.
- Documentation is a deliverable. Technical documentation is no longer optional — it's a compliance requirement with legal consequences.
The EU AI Act is the most significant AI regulation globally, and it will influence AI governance standards worldwide. Getting ahead of compliance now saves costly retroactive work later. If you need help assessing your AI compliance posture, let's talk.