EU AI Act compliance means meeting the obligations of Regulation (EU) 2024/1689 for AI systems placed on the EU market or affecting EU persons. It is achieved by inventorying AI systems, classifying each by risk tier, remediating gaps in documentation, data governance and human oversight, then operating ongoing monitoring and conformity controls.
| Risk tier | What it means | Core obligation |
|---|---|---|
| Unacceptable risk | Practices banned under Article 5, such as social scoring and most real-time biometric identification in public spaces | Prohibited: the system cannot be placed on the market or used |
| High risk | Systems under Article 6 and Annex III, including AI in employment, credit, education and critical infrastructure | Conformity assessment, technical documentation, risk management, human oversight and registration |
| Limited risk | Systems that interact with people, such as chatbots and AI-generated content | Transparency: disclose AI use and label synthetic or deepfake content |
| Minimal risk | Most other AI, such as spam filters and recommendation features | No mandatory obligations; voluntary codes of conduct encouraged |
| General-purpose AI (GPAI) | Foundation and general-purpose models, with stricter rules for systemic-risk models | Technical documentation, training-data transparency, copyright policy and, for systemic risk, model evaluation and incident reporting |
EU AI Act risk tiers and the core obligation each one triggers
1. Build a complete register of AI systems and general-purpose models in use or in development, including shadow AI and vendor-supplied models, with owner, purpose and data sources recorded for each.
2. Assess each system against Article 5 prohibitions, Article 6 and Annex III high-risk criteria, GPAI rules and transparency triggers, assigning a defensible risk tier and the obligations it carries.
3. Close gaps by producing technical documentation, data governance, risk management, human oversight and logging, and by retiring or redesigning prohibited or non-conforming uses.
4. Embed post-market monitoring, incident reporting, change control and periodic re-classification so compliance is maintained as systems, vendors and the regulation continue to evolve.
Maximum fine: EUR 35M or 7% of global annual turnover (Article 99, Regulation (EU) 2024/1689)

“Most organisations underestimate the inventory problem: you cannot classify or defend what you have not found, and shadow AI is where the high-risk surprises hide. Readiness starts with a complete, owned register, not a legal memo.”
EU AI Act compliance means meeting Regulation (EU) 2024/1689, the European Union's risk-based AI law that entered into force on 1 August 2024. Organisations must inventory their AI systems, classify each by risk tier (unacceptable, high, limited, minimal or general-purpose AI), and apply the documentation, human oversight and monitoring each tier requires. Prohibited practices have applied since 2 February 2025, and most high-risk obligations apply from 2 August 2026. Non-compliance carries fines of up to EUR 35M or 7% of global annual turnover. The Act has extraterritorial reach over non-EU providers.
- Unacceptable risk. Banned outright: social scoring, manipulative systems, untargeted facial-recognition scraping, most real-time public biometric ID.
- High risk. The heavy regime: risk management, data governance, documentation, human oversight, conformity assessment and EU registration before launch.
- Limited risk. Transparency obligations: tell users they are dealing with AI, and label AI-generated or manipulated content.
- Minimal risk. No specific obligations, but a defensible classification record and an inventory entry are still good governance.
The plan we have run with European mid-sized corporates between EUR 500m and EUR 4bn in revenue. It is opinionated and skips three things we have seen waste budget elsewhere.
1. Build the real inventory of every AI system in use, in development or being procured. Most institutions overestimate completeness by 30 to 50 percent.
2. Classify each system against Article 6 with the business head in the room, because only they can describe the system's actual decisional autonomy.
3. Remediate the top high-risk systems in parallel with the long-tail inventory, producing documentation, monitoring and conformity artefacts as part of the work.
4. Stand up the operating model: the AI risk committee, quarterly attestation, audit-pack template and reviewer rota, so the work does not decay within two quarters.
The full week-by-week plan we use with clients, with the inventory template and the three budget traps to avoid. We will send it and follow up only if you want a conversation.
Yes, and we have run compressed nine-week variants where senior sponsorship and budget were already secured. The plan is sequenced so the highest-exposure systems are remediated first, which means your worst risk is closed early even if the long tail runs on.
We run the classification with your legal and business teams and document the rationale to a standard that withstands review, but a formal legal opinion is issued by your counsel. Our work makes that opinion fast and cheap to obtain because the evidence is already assembled.
We build one internal control catalogue and map it to the EU AI Act, the NIST AI RMF and ISO 42001 at once, so an enterprise operating in both the US and the EU runs a single governance function rather than three. The AI Act is the binding overlay on top of that backbone.
A classified inventory, remediated high-risk systems, an operating model your team runs, and an audit pack ready for a notified body. The aim is that an external reviewer finds a complete, governed estate rather than a gap list.