Quick Answer
To comply with the EU AI Act, first establish your role (provider or deployer), then classify each AI system's risk tier, and apply the obligations that match. High-risk systems require conformity assessment, CE marking, documentation, and human oversight. The checklist below turns those duties into concrete, sequenced steps.
Are you a provider or a deployer?
Your obligations depend heavily on your role, and many organisations are both for different systems.
- Provider: You develop an AI system (or have one developed) and place it on the EU market or put it into service under your own name or trademark. Providers of high-risk systems carry the heaviest obligations.
- Deployer: You use an AI system under your own authority in a professional context. Deployers have lighter but real duties, such as ensuring human oversight, using the system per instructions, and monitoring operation.
Can you become a provider without building anything?
Yes. You can be re-classified as a provider if you put your name or trademark on an existing high-risk system, make a substantial modification to it, or change its intended purpose so it becomes high-risk. Fine-tuning or significantly adapting a third-party model can pull you into provider obligations, so document where you sit for every system in your estate.
How to classify your system's risk
Risk classification is the pivot of the whole Act. Work through the tiers in order.
- Is it prohibited? Check Article 5 practices, such as social scoring, manipulative subliminal techniques, and certain biometric uses. If yes, you cannot deploy it in the EU.
- Is it high-risk? Check Annex III use cases (recruitment, credit scoring, education, critical infrastructure, certain law-enforcement and biometric uses) and Annex I, where AI is a safety component of a regulated product such as a medical device.
- Does it have transparency duties? Chatbots and other systems that interact with people, emotion recognition and biometric categorisation, and AI-generated or manipulated content (deepfakes) require disclosure regardless of whether the system is also high-risk.
- Otherwise minimal: No mandatory obligations, though voluntary codes of conduct are encouraged.
Document the classification decision and its reasoning for each system. Regulators and customers will expect to see a defensible rationale, not an assumption.
The step-by-step compliance checklist
Use this checklist to structure your programme. Not every row applies to every system; scope it to your role and risk tier.
| Step | Action | Applies to |
|---|---|---|
| 1 | Build an inventory of every AI system you provide or deploy | All |
| 2 | Assign a role (provider / deployer / importer / distributor) per system | All |
| 3 | Classify each system's risk tier and document the rationale | All |
| 4 | Confirm no prohibited practices are in use | All |
| 5 | Ensure staff AI-literacy measures are in place | All |
| 6 | Implement transparency disclosures (chatbots, deepfakes, emotion recognition) | Limited-risk |
| 7 | Establish a risk-management system across the lifecycle | High-risk |
| 8 | Apply data governance and quality controls to training/validation data | High-risk |
| 9 | Prepare technical documentation and event logging | High-risk |
| 10 | Design human oversight and accuracy/robustness/cybersecurity measures | High-risk |
| 11 | Complete conformity assessment and affix the CE marking | High-risk providers |
| 12 | Register the system in the EU database where required | High-risk providers |
| 13 | Set up post-market monitoring and serious-incident reporting | High-risk providers |
| 14 | For GPAI: documentation, training-data summary, copyright policy | GPAI providers |
Conformity assessment and CE marking for high-risk systems
High-risk AI systems must pass a conformity assessment before they are placed on the market or put into service: this is the procedure that demonstrates the system meets the Act's requirements for high-risk systems. For most Annex III systems it is an internal assessment based on the provider's own controls and documentation; for the biometric systems listed in Annex III, where the provider has not applied harmonised standards or common specifications, and for AI that is a safety component of an Annex I product already subject to third-party assessment, a notified body is involved.
Once conformity is established, the provider draws up an EU declaration of conformity and affixes the CE marking, signalling that the system may circulate freely in the EU single market. Conformity must be maintained over time: a substantial modification triggers a fresh assessment. Applying harmonised standards (being prepared by CEN-CENELEC at the Commission's request) gives a presumption of conformity with the requirements those standards cover, and is the most practical route for most providers.
What documentation and governance do you need?
Plan for a documentation backbone that includes: the technical documentation file, records of the risk-management and data-governance processes, instructions for use, the declaration of conformity, automatically generated logs, and your post-market monitoring plan. On governance, assign clear accountability (often an AI governance lead or committee), integrate AI risk into existing enterprise risk and ISO 27001 controls, and keep an audit trail. Deployers of high-risk systems should retain the logs the system generates (for at least six months, unless other EU or national law requires longer), ensure competent human oversight, use the system in line with the provider's instructions, and inform affected people where required.
Your timeline to compliance
The Act applies in phases, and the deadlines are being revised through the EU's 2026 simplification work, so confirm the current applicable date for each obligation. As a planning reference: prohibitions and AI-literacy duties applied from 2 February 2025; GPAI, governance, and penalty provisions from 2 August 2025; and high-risk obligations are phased in later (originally 2 August 2026 for Annex III use cases and 2 August 2027 for Annex I products, with proposed deferrals under discussion in 2026).
Because high-risk timing remained in flux as of mid-2026, do not anchor your programme to a single fixed future date. Instead, build readiness now and verify the live deadline for your specific systems before committing resources. Early preparation is rarely wasted: the documentation, risk management, and governance you build are durable regardless of exact dates.
How to start
You do not need to solve everything at once. A pragmatic first 90 days:
- Discover: Inventory every AI system in use or in development, including embedded vendor AI and internal tools.
- Triage: Classify role and risk tier, and flag anything potentially prohibited or high-risk for urgent review.
- Gap-assess: Compare current controls against the obligations for each tier and identify the biggest gaps.
- Remediate and govern: Stand up documentation, human oversight, and an accountable governance owner, reusing GDPR and ISO 27001 structures where you can.
Opsio, an ISO 27001-certified cloud and AI partner, helps enterprises run exactly this process, from AI inventory and risk classification through governance and conformity readiness. Explore our AI solutions strategy services, and for the underlying law see our explainer on what the EU AI Act is and how it works.
Frequently asked questions
When does the EU AI Act apply to my business?
It applies in phases. Prohibitions and AI-literacy duties applied from 2 February 2025, and GPAI and governance rules from 2 August 2025. High-risk obligations are phased in later and were being revised in 2026, so confirm the current applicable date for your specific systems rather than assuming a fixed deadline.
Does the EU AI Act apply to my company if we are based outside the EU?
Generally yes if your AI reaches the EU. The Act covers providers placing AI on the EU market wherever they are located, and providers and deployers outside the EU whose system output is used in the EU. Serving EU customers typically brings you into scope.
How is the EU AI Act different from GDPR?
GDPR governs the processing of personal data; the EU AI Act governs AI systems by risk tier and by your role as provider or deployer. They are complementary, and a single AI system that handles personal data must comply with both. Reusing your GDPR governance is an efficient starting point.
What are the penalties for non-compliance?
Fines reach up to €35 million or 7% of total worldwide annual turnover (whichever is higher) for prohibited practices, up to €15 million or 3% for most other breaches, and up to €7.5 million or 1% for supplying incorrect, incomplete or misleading information to authorities. For SMEs and start-ups the cap is the lower of the two amounts in each band rather than the higher.
This article is general information, not legal advice. The EU AI Act and its implementation timeline are evolving; consult qualified legal counsel for your specific situation.
Written by Fredrik, Group COO & CISO
Fredrik is the Group Chief Operating Officer and Chief Information Security Officer at Opsio. He focuses on operational excellence, governance, and information security, working closely with delivery and leadership teams to align technology, risk, and business outcomes in complex IT environments. He leads Opsio's security practice including SOC services, penetration testing, and compliance frameworks.
Editorial standards: This article was written by cloud practitioners and peer-reviewed by our engineering team. We update content quarterly for technical accuracy. Opsio maintains editorial independence.