Appearance
How to Comply with the EU AI Act
The EU AI Act is binding regulation. This guide turns it into an ordered path from role classification through post-market monitoring.
Typical timeline: 9–12 months for a high-risk AI system; longer if you are also the provider of a general-purpose AI model.
Key dates
Obligations phase in from 2 February 2025 (original Article 5 prohibitions, AI literacy). The later Omnibus-affected milestones take effect once the adopted Digital Omnibus on AI is in force: 2 December 2026 (new Article 5(1)(ba)/(bb) prohibitions and legacy Article 50(2) synthetic-content marking), 2 December 2027 (most high-risk obligations under Annex III / Article 6(2)), and 2 August 2028 (Annex I / Article 6(1) product high-risk). Target readiness for each obligation before its applicable date.
Digital Omnibus on AI
The Digital Omnibus on AI was adopted in June 2026 (European Parliament 16 June; Council 29 June) but is not yet in force; it enters into force on the third day after Official Journal publication. On entry into force, the adopted text sets most Annex III / Article 6(2) high-risk obligations to apply from 2 December 2027 and Annex I / Article 6(1) high-risk obligations from 2 August 2028, and adds proportionality measures for SMEs and small mid-caps. The dates in this guide reflect those amendments; full detail is on the EU AI Act landing page.
Before you start
- Identify the legal entity that will bear EU AI Act obligations.
- Confirm whether any AI system falls under the prohibited practices list (Article 5). If an intended or actual use falls within Article 5, do not place it on the market, put it into service, or use it once the relevant prohibition applies, unless redesigned so the prohibited practice no longer occurs.
- Line up legal counsel for conformity and CE-marking decisions.
Step 1 — Identify your role under the EU AI Act
Output: role register per AI system (provider / deployer / importer / distributor / authorized representative / product manufacturer).
Roles are per AI system, not per organization. The same company may be a provider for one system and a deployer for another. Relevant definitions live in Article 3.
Providers carry the heaviest obligations. Deployers have lighter but still substantive duties (Article 26). Importers and distributors have product-chain duties.
Step 2 — Inventory and classify AI systems
Output: AI system inventory, risk tier per system, GPAI classification where applicable.
For each system, determine:
- Risk tier — prohibited (Article 5), high-risk (Article 6(1) + Annex I product legislation or Article 6(2) + Annex III, subject to Article 6(3) where available), limited-risk with transparency duties (Article 50), or minimal-risk.
- GPAI — is it a general-purpose AI model, and does it meet systemic-risk thresholds (Article 51)?
- Product-safety intersection — for Annex I products, check whether the AI is the product or a safety component, whether the Article 6(1) conditions are met, and whether Section A or Section B sectoral rules apply.
In Modulos: classify each AI system in its project and attach the EU AI Act framework.
Step 3 — Build the high-risk requirements stack
Output: documented implementation of the applicable Articles 8–15 requirements per high-risk AI system (directly or through Annex I sectoral rules).
| Article | Requirement | Typical artifact |
|---|---|---|
| 9 | Risk management system | risk register with treatment and residual risk |
| 10 | Data and data governance | data lineage, training/validation/test datasets with quality criteria |
| 11 + Annex IV | Technical documentation | single document that covers the whole system |
| 12 | Record-keeping | automatic logs with retention |
| 13 | Transparency and user info | instructions for use, model card |
| 14 | Human oversight | oversight policy, gating for autonomous actions |
| 15 | Accuracy, robustness, cybersecurity | performance metrics, stress and adversarial testing |
In Modulos: represent each article as a requirement, implement controls, and attach evidence that travels into the technical documentation.
Step 4 — Stand up the provider quality management system (QMS)
Output: documented QMS under Article 17.
If you are a provider of a high-risk AI system to which Article 17 applies, you must operate a QMS covering:
- design control, verification and validation procedures
- examination, test, and validation procedures before, during, and after development
- procedures for data management, including data acquisition and analysis
- procedures for risk management (Article 9) and post-market monitoring (Article 72)
- communication procedures with national competent authorities and notified bodies
An ISO/IEC 42001 AIMS is one of the most efficient ways to produce this QMS evidence.
Step 5 — Complete the conformity assessment and CE marking
Output: conformity assessment records, EU declaration of conformity, CE marking, and EU database registration where Article 49 requires it.
- Run the applicable conformity assessment: Article 43 for Annex III and Section A Annex I systems, and the relevant sectoral legislation for Section B Annex I systems. Most Annex III systems use internal control; Annex III point 1 may require notified-body assessment where harmonised standards or common specifications are not fully applied.
- Produce the EU declaration of conformity (Article 47).
- Affix the CE marking (Article 48).
- Where Article 49 requires EU database registration, complete it before placing on the market or putting into service; once in force, the adopted Omnibus will simplify Annex VIII Section B by deleting points 7 and 9 but will not remove registration.
Step 6 — Deploy with human oversight, transparency, and logging
Output: oversight configuration, user-facing transparency artifacts, log retention.
At deployment:
- operate the human oversight measures you designed (Article 14)
- provide Article 13 instructions and information to deployers, and meet Article 50 transparency duties for users or exposed natural persons where required — including applicable synthetic-content, deepfake, and biometric/emotion-recognition notices
- maintain automatic logs for the required retention period (Article 12 + Article 19)
Step 7 — Operate post-market monitoring and serious-incident reporting
Output: post-market monitoring plan, incident reports filed as required.
- Post-market monitoring (Article 72) — collect, document, and analyse performance data throughout the AI system's lifetime; feed findings back into the risk management system (Article 9).
- Serious-incident reporting (Article 73) — report serious incidents without undue delay to the relevant market surveillance authority within the applicable severity-based timeframes; on entry into force of the Digital Omnibus, reporting for systems within new Article 75(1) will go to the AI Office.
- Substantial modifications — if the AI system changes materially, re-run the applicable conformity steps.
In Modulos: wire post-market monitoring into Runtime Inspection and use the audit trail for incident records.
Related pages
EU AI Act guide
The full guide — prohibited, high-risk, limited-risk, GPAI
High-risk AI systems
Classification and obligations for Annex III and Annex I systems
Conformity assessment and CE marking
Procedures, notified bodies, CE marking, EU database
EU AI Act vs GDPR
How the two regulations interact for AI systems processing personal data
Disclaimer
This page is for general informational purposes and does not constitute legal advice. The EU AI Act's exact obligations depend on the AI system's role, risk tier, and applicable sectoral law. Consult qualified legal counsel.