Skip to content

How to Comply with the EU AI Act

The EU AI Act is binding regulation. This guide turns it into an ordered path from role classification through post-market monitoring.

Typical timeline: 9–12 months for a high-risk AI system; longer if you are also the provider of a general-purpose AI model.

Key dates

Obligations phase in from 2 February 2025 (original Article 5 prohibitions, AI literacy). The later Omnibus-affected milestones take effect once the adopted Digital Omnibus on AI is in force: 2 December 2026 (new Article 5(1)(ba)/(bb) prohibitions and legacy Article 50(2) synthetic-content marking), 2 December 2027 (most high-risk obligations under Annex III / Article 6(2)), and 2 August 2028 (Annex I / Article 6(1) product high-risk). Target readiness for each obligation before its applicable date.

Digital Omnibus on AI

The Digital Omnibus on AI was adopted in June 2026 (European Parliament 16 June; Council 29 June) but is not yet in force; it enters into force on the third day after Official Journal publication. On entry into force, the adopted text sets most Annex III / Article 6(2) high-risk obligations to apply from 2 December 2027 and Annex I / Article 6(1) high-risk obligations from 2 August 2028, and adds proportionality measures for SMEs and small mid-caps. The dates in this guide reflect those amendments; full detail is on the EU AI Act landing page.

Before you start

  • Identify the legal entity that will bear EU AI Act obligations.
  • Confirm whether any AI system falls under the prohibited practices list (Article 5). If an intended or actual use falls within Article 5, do not place it on the market, put it into service, or use it once the relevant prohibition applies, unless redesigned so the prohibited practice no longer occurs.
  • Line up legal counsel for conformity and CE-marking decisions.

Step 1 — Identify your role under the EU AI Act

Output: role register per AI system (provider / deployer / importer / distributor / authorized representative / product manufacturer).

Roles are per AI system, not per organization. The same company may be a provider for one system and a deployer for another. Relevant definitions live in Article 3.

Providers carry the heaviest obligations. Deployers have lighter but still substantive duties (Article 26). Importers and distributors have product-chain duties.

Step 2 — Inventory and classify AI systems

Output: AI system inventory, risk tier per system, GPAI classification where applicable.

For each system, determine:

  • Risk tier — prohibited (Article 5), high-risk (Article 6(1) + Annex I product legislation or Article 6(2) + Annex III, subject to Article 6(3) where available), limited-risk with transparency duties (Article 50), or minimal-risk.
  • GPAI — is it a general-purpose AI model, and does it meet systemic-risk thresholds (Article 51)?
  • Product-safety intersection — for Annex I products, check whether the AI is the product or a safety component, whether the Article 6(1) conditions are met, and whether Section A or Section B sectoral rules apply.

In Modulos: classify each AI system in its project and attach the EU AI Act framework.

Step 3 — Build the high-risk requirements stack

Output: documented implementation of the applicable Articles 8–15 requirements per high-risk AI system (directly or through Annex I sectoral rules).

ArticleRequirementTypical artifact
9Risk management systemrisk register with treatment and residual risk
10Data and data governancedata lineage, training/validation/test datasets with quality criteria
11 + Annex IVTechnical documentationsingle document that covers the whole system
12Record-keepingautomatic logs with retention
13Transparency and user infoinstructions for use, model card
14Human oversightoversight policy, gating for autonomous actions
15Accuracy, robustness, cybersecurityperformance metrics, stress and adversarial testing

In Modulos: represent each article as a requirement, implement controls, and attach evidence that travels into the technical documentation.

Step 4 — Stand up the provider quality management system (QMS)

Output: documented QMS under Article 17.

If you are a provider of a high-risk AI system to which Article 17 applies, you must operate a QMS covering:

  • design control, verification and validation procedures
  • examination, test, and validation procedures before, during, and after development
  • procedures for data management, including data acquisition and analysis
  • procedures for risk management (Article 9) and post-market monitoring (Article 72)
  • communication procedures with national competent authorities and notified bodies

An ISO/IEC 42001 AIMS is one of the most efficient ways to produce this QMS evidence.

Step 5 — Complete the conformity assessment and CE marking

Output: conformity assessment records, EU declaration of conformity, CE marking, and EU database registration where Article 49 requires it.

  • Run the applicable conformity assessment: Article 43 for Annex III and Section A Annex I systems, and the relevant sectoral legislation for Section B Annex I systems. Most Annex III systems use internal control; Annex III point 1 may require notified-body assessment where harmonised standards or common specifications are not fully applied.
  • Produce the EU declaration of conformity (Article 47).
  • Affix the CE marking (Article 48).
  • Where Article 49 requires EU database registration, complete it before placing on the market or putting into service; once in force, the adopted Omnibus will simplify Annex VIII Section B by deleting points 7 and 9 but will not remove registration.

Step 6 — Deploy with human oversight, transparency, and logging

Output: oversight configuration, user-facing transparency artifacts, log retention.

At deployment:

  • operate the human oversight measures you designed (Article 14)
  • provide Article 13 instructions and information to deployers, and meet Article 50 transparency duties for users or exposed natural persons where required — including applicable synthetic-content, deepfake, and biometric/emotion-recognition notices
  • maintain automatic logs for the required retention period (Article 12 + Article 19)

Step 7 — Operate post-market monitoring and serious-incident reporting

Output: post-market monitoring plan, incident reports filed as required.

  • Post-market monitoring (Article 72) — collect, document, and analyse performance data throughout the AI system's lifetime; feed findings back into the risk management system (Article 9).
  • Serious-incident reporting (Article 73) — report serious incidents without undue delay to the relevant market surveillance authority within the applicable severity-based timeframes; on entry into force of the Digital Omnibus, reporting for systems within new Article 75(1) will go to the AI Office.
  • Substantial modifications — if the AI system changes materially, re-run the applicable conformity steps.

In Modulos: wire post-market monitoring into Runtime Inspection and use the audit trail for incident records.

Disclaimer

This page is for general informational purposes and does not constitute legal advice. The EU AI Act's exact obligations depend on the AI system's role, risk tier, and applicable sectoral law. Consult qualified legal counsel.