Preparing for AI Regulation (Version A — EU AI Act Compliance)

Preparing for AI Regulation (Version A — EU AI Act Compliance): what European businesses need to do now to meet the EU AI Act requirements and turn compliance into a competitive advantage.

ARTIFICIAL INTELLIGENCE

Video Guru

6/27/2026 · 6 min read


classification inventory. Without a complete register of every AI system in your organization, what it does, what data it uses, and which tier it occupies, you cannot build downstream compliance processes. I have written before about how systematic approaches to compliance reduce long-term risk, and the AI Act is no exception.

The Implementation Timeline: What Takes Effect When

The AI Act activates in phases. Multiple phases are already in force, and the August 2026 deadline captures most businesses.

February 2, 2025: Prohibited AI practices became enforceable and AI literacy obligations took effect.

August 2, 2025: General-purpose AI model rules activated for new models, and the EU AI Office became operational.

August 2, 2026: High-risk AI system obligations under Annex III take full effect, transparency duties activate, and enforcement powers come online. This is the critical date for most organizations.

August 2, 2027: High-risk obligations extend to AI systems embedded within regulated products under Annex I, including medical devices and machinery.

I have seen leadership teams treat August 2026 as distant, only to discover that conformity assessments take months. The organizations that are serious about compliance build operational systems early, not at the deadline.

Obligations by Risk Tier: What You Actually Need to Do

For high-risk systems, you need a documented risk management system, data governance, technical documentation per Annex IV, automatic logging, human oversight with trained individuals who can intervene, and demonstrated accuracy, robustness, and cybersecurity. Before market entry, complete a conformity assessment, draw up a declaration of conformity, affix the CE marking, and register in the EU database. After deployment, maintain post-market monitoring and report serious incidents without delay. You also need a quality management system, typically around ISO 42001.

For deployers of high-risk systems, obligations include using systems per provider instructions, assigning trained human oversight, monitoring performance, retaining logs, and conducting fundamental rights impact assessments in sensitive use cases.

For limited-risk systems, you must disclose AI interaction to users, label synthetic content, and inform individuals when emotion recognition or biometric categorization is deployed.

The S•I•C•T framework is directly relevant. The Structure component (governance architecture, roles, decision rights) makes or breaks your compliance posture. Most organizations I work with have strong individual contributors but lack structural scaffolding for AI governance. There is no single owner for AI risk classification. There is no committee with authority to halt deployment when gaps appear. Building this governance structure is not bureaucracy. It is the operational foundation that makes AI Act preparation repeatable. At Roth AI Consulting, I help organizations design exactly these frameworks, tailored to their existing operating models.

Documentation Requirements: The Paper Trail That Saves You

The AI Act is documentation-heavy in a way that surprises technology leaders. Regulators want evidence, and the burden of producing it sits entirely with you.

For high-risk systems, technical documentation must cover the system's intended purpose, design architecture, training methodologies, data sources, risk management measures, conformity assessment details, performance metrics, known limitations, and deployer guidance. This is not a one-time document. It must be maintained throughout the system's lifecycle.

You also need logs of system operation, quality management system documentation, and post-market monitoring records. Organizations with strong GDPR programs have a foundation. Data protection impact assessments and privacy-by-design documentation provide a starting point. But the AI Act adds AI-specific requirements beyond GDPR. The organizations that integrate AI governance into existing compliance frameworks find the transition far more manageable.

Penalties: The Cost of Getting It Wrong

The AI Act's penalty structure is designed to command attention.

Maximum fine by violation type:

Prohibited AI practices: €35 million or 7% of global annual turnover

High-risk obligation violations: €15 million or 3% of global annual turnover

Information and registration failures: €7.5 million or 1% of global annual turnover


Beyond fines, authorities can impose daily penalty payments, order product recalls, and mandate market withdrawal. The forthcoming AI Liability Directive adds civil liability exposure. This is where governance Structure becomes a financial risk management tool. Boards that understand these penalties and allocate resources are making rational decisions. Boards that assume lax enforcement are taking a bet history suggests they will lose.

Building Your AI Act Roadmap: A Practical Starting Point

If you are a CEO and you have not started formal AI Act preparation, here is where to begin.

Step one: build a complete AI inventory. Identify every AI system in your organization: internal tools, vendor solutions, generative AI used by employees, and automated workflows. For each, document what it does, who owns it, and which risk tier it likely occupies.

Step two: classify rigorously. Work through the four-tier framework. Check prohibited applications first, then Annex III for high-risk, then transparency triggers for limited risk. Document your reasoning. This record is your first line of defense in any regulatory inquiry.

Step three: assign ownership. Designate a senior leader accountable for AI compliance. Establish a cross-functional governance committee with authority to review deployments and halt non-compliant systems. The complex systems thinking that applies to enterprise decisions applies here. AI governance requires alignment across legal, technology, and risk management.

Step four: close gaps for high-risk systems. Begin conformity assessments now. Start technical documentation. Design human oversight workflows. Evaluate data governance. Register systems when the EU database launches. Map this against the August 2026 deadline with realistic timelines.

Step five: integrate with existing programs. Extend your GDPR program rather than duplicating it. Many AI Act requirements overlap with data protection obligations. The organizations that build AI governance as a layer on top of existing compliance achieve it faster and at lower cost.

Step six: train your people. Article 4 requires AI literacy for staff working with AI systems. Literate teams spot risks earlier and treat AI governance as a shared responsibility. The organizations that invest in foundational service infrastructure capture trust premiums in the market.

The S•I•C•T framework captures what makes this sustainable. Structure (governance architecture, roles, decision rights) enables Information flow (documentation, logs, risk assessments) that creates Cohesion (alignment across teams) and supports Transformation (adapting as regulation evolves). Get Structure wrong, and everything collapses.

Conclusion

The EU AI Act is the most comprehensive AI regulation enacted anywhere, and its extraterritorial reach means few organizations can ignore it. The biggest risk is not malicious non-compliance. It is unpreparedness, the slow accumulation of undetected gaps that becomes a crisis when enforcement arrives.

What separates organizations that navigate this successfully from those that struggle is governance Structure. The leaders who act now, while there is still time to build properly, will look back on this as one of the smartest investments they made. For CEOs facing AI regulation, the message is clear: start now, build structure first, and treat compliance as capability-building.

Frequently Asked Questions

What is the EU AI Act and when does it take effect?

The EU AI Act (Regulation 2024/1689) is the world's first comprehensive binding AI regulation. It entered into force on August 1, 2024, with provisions phasing in through 2027. Prohibited practices have been enforceable since February 2, 2025. High-risk system obligations take effect on August 2, 2026. The regulation applies to any organization whose AI systems affect individuals in the EU.

Does the EU AI Act apply to my company if we are not based in Europe?

Yes. The AI Act has extraterritorial scope similar to GDPR. If your AI system is used in the EU or affects EU residents, you are subject to the regulation regardless of your company's location.

How do I know if my AI system is high-risk?

A system is high-risk if it is a safety component in a product regulated under EU product safety law, or a standalone application in Annex III: biometrics, critical infrastructure, education, employment, credit scoring, law enforcement, migration, or justice. If your AI influences important decisions in these domains, assume high-risk classification.

What documentation do I need for high-risk AI systems?

You need technical documentation covering system purpose, architecture, training methods, data sources, risk management, conformity assessment, performance metrics, and limitations. You also need operational logs, a quality management system, post-market monitoring records, and an EU declaration of conformity. Documentation must be maintained throughout the system's lifecycle.

What are the penalties for non-compliance?

Prohibited practices carry fines up to €35 million or 7% of global annual turnover. High-risk obligation violations carry up to €15 million or 3% of turnover. Information and registration failures carry up to €7.5 million or 1% of turnover. Authorities can also impose daily penalties, order recalls, and mandate market withdrawal. The AI Liability Directive will add civil liability exposure.

How does the AI Act relate to GDPR?

The AI Act regulates AI systems based on risk to safety and fundamental rights. GDPR regulates personal data processing. If your AI processes personal data, you must comply with both. Many requirements overlap: accountability, documentation, transparency, and risk assessment. Organizations with mature privacy programs have a head start, but the AI Act adds AI-specific obligations beyond data protection.

What is a conformity assessment and when do I need one?

A conformity assessment demonstrates that your high-risk AI system meets requirements in Articles 8 through 15. It may be a self-assessment or third-party evaluation, depending on system type. You must complete it before market entry, then draw up a declaration of conformity, affix the CE marking, and register in the EU database.

What should my first steps be?

Build an inventory of all AI systems and classify each against the four risk tiers. Cease use of prohibited systems. For high-risk systems, begin technical documentation and plan conformity assessments. Assign senior ownership for AI governance. Establish a cross-functional committee with halt authority. Integrate with existing compliance programs, especially GDPR. Train staff on AI Act requirements.

How long does preparation typically take?

For organizations with multiple high-risk systems, full preparation takes 9 to 18 months from inventory to completed conformity assessments. Starting in early 2026 for an August 2026 deadline is tight. Starting earlier provides the buffer for sustainable compliance.

Is compliance just a cost, or can it create value?

While compliance requires investment, strong AI governance becomes a competitive advantage. Enterprise customers increasingly require AI governance transparency in procurement. Investors view it as a signal of quality. The capabilities built for compliance improve AI system quality beyond regulatory minimums. Companies that approach this as capability-building capture value that exceeds compliance cost.

