EU-AI-ACT
Getting Started Guide

European Union Artificial Intelligence Act

The world's first comprehensive legal framework for AI, categorizing systems by risk.

Audit Effort6–18 months depending on risk tier
Key FactUnacceptable risk AI is banned; high-risk AI requires strict conformity assessments.

What Is EU AI Act?

The EU AI Act is a landmark, comprehensive legal framework regulating Artificial Intelligence across the European Union. Unlike voluntary frameworks (like the NIST AI RMF), the EU AI Act is binding law, and non-compliance carries massive financial penalties.

The Act takes a strict, risk-based approach, categorizing AI systems into four tiers: Unacceptable Risk (banned entirely, e.g., social scoring), High Risk (subject to strict conformity assessments before market entry), Limited Risk (subject to transparency requirements), and Minimal Risk (largely unregulated).

It also introduces specific rules for General Purpose AI (GPAI) models—like large language models (LLMs)—requiring providers to maintain technical documentation, comply with EU copyright law, and summarize their training data.

Does EU AI Act Apply to Your Organisation?

Understanding typical procurement requirements and compliance thresholds.

AI Providers Selling to the EU

If you develop an AI system or a GPAI model and place it on the EU market, you bear the primary burden of compliance.

Mandatory

Deployers of High-Risk AI

If you are an EU company using a high-risk AI system (e.g., an AI tool to screen resumes), you have strict monitoring and data governance obligations.

Mandatory

Importers and Distributors

Companies bringing third-country AI systems into the EU must verify that the provider has met all compliance requirements.

Mandatory
You probably don't need EU AI Act if:
  • AI systems developed exclusively for military, defense, or national security purposes.
  • AI used purely for scientific research and development, prior to being placed on the market.
  • Providers of free and open-source AI components (unless they are high-risk or prohibited).

Why EU AI Act Matters in 2026

Understanding the current regulatory pressures and market adoption vectors.

The Law is Passed

The EU AI Act entered into force in 2024. Prohibitions on unacceptable risk systems take effect within 6 months, and GPAI rules take effect within 12 months.

Massive Fines

Fines are staggering: up to €35 million or 7% of global turnover for prohibited AI, and €15 million or 3% for high-risk AI violations.

Market Access Gateway

High-risk AI systems cannot legally be sold in the EU without passing a conformity assessment and bearing the CE marking.

The Requirements

The core security controls and evidence parameters audited for EU AI Act.

How Long Does It Take?

A realistic phase-by-phase implementation roadmap for EU AI Act.

1
Weeks 1-4

Classification & Scoping

Analyze your AI products against the Act's definitions to determine your risk tier (Unacceptable, High, Limited, Minimal).

Key Deliverable:AI Risk Classification Report
2
Weeks 5-16

Governance & Documentation Build

For high-risk systems, build the required Quality Management System (QMS), compile technical documentation, and implement logging.

Key Deliverable:QMS Manual, Technical Documentation
3
Weeks 17-24

Conformity Assessment & CE Marking

Complete the conformity assessment (internal or third-party depending on the system), draw up the EU declaration, and affix the CE mark.

Key Deliverable:EU Declaration of Conformity, CE Mark
With Existing Certifications

4-6 months: If you already follow ISO 42001 or NIST AI RMF, your internal governance is strong. You will primarily need to format your documentation to meet the specific legal requirements for the CE marking.

Starting from Scratch

9-18 months: Building a compliant Quality Management System and executing a full conformity assessment for a high-risk AI system from scratch is a massive, highly specialized legal and technical effort.

The Mistakes That Delay Most EU AI Act Programs

Sourced from real compliance audits. Avoid these pitfalls to keep your timeline on track.

Assuming B2B SaaS is low risk

Why it happens:

Many AI startups assume they are low risk. But if your SaaS is used for employment screening, credit scoring, or biometric categorization, it is automatically classified as High-Risk.

How to avoid it:

Carefully review Annex III of the Act. The 'use case' determines the risk, not the underlying technology.

Ignoring 'Deployer' obligations

Why it happens:

Even if you don't build the AI, if you are a European company deploying a high-risk AI tool built by someone else, you have strict legal obligations to monitor its use.

How to avoid it:

Implement an AI vendor risk management program to track which AI tools your employees are using and for what purposes.

Treating it like GDPR

Why it happens:

GDPR is about privacy. The AI Act is fundamentally a product safety law (modeled on the New Legislative Framework). It requires engineering-level conformity, not just legal policies.

How to avoid it:

Compliance must be driven by engineering and product teams, not just the legal department.

Loading Kickstart state...

Related Resources

Articles, guides, and tools to accelerate your compliance program.

Insights & Playbooks

EU AI Act Insights

Read practical security, engineering, and audit management playbooks from the GRC hub.

Visit the GRC Blog
Readiness Tools

EU AI Act Checklist

Assess your baseline control posture against EU AI Act criteria in 10 minutes.

Start Assessment
Decision Engine

Compare Frameworks

Not sure which framework is best for your current situation? Run our intake to see a prioritized recommendation roadmap.

Start Framework Finder

Frequently Asked Questions

Common queries about EU AI Act compliance and certification processes.