Regulation & Compliance · 11 min read · PTR Group Team

EU AI Act compliance for companies: Checklist 2026/2027

The EU AI Act is now in force. Companies deploying AI tools today — from ChatGPT to internal agents to HR scoring — need to know by August 2026 which risk category they fall into. Here is the checklist that walks you through it step by step.


Regulation (EU) 2024/1689 of the European Parliament and Council — generally known as the AI Act — entered into force on 1 August 2024. It is not a draft. It is not a plan for the future. It is binding European law that applies directly to every company in the EU that develops, deploys, or uses AI systems. Yet most mid-market companies still do not know about their obligations — or postpone them on the grounds that “it has not started applying yet.”

It has. The first sanctions for prohibited AI systems became possible from 2 August 2025. Obligations for general-purpose AI models (GPAI) enter into force on 2 August 2026. The full scope of rules for high-risk AI systems will be enforceable from 2 August 2027. You have a window to prepare — but it is not unlimited.

This article is not legal commentary. It is an operational guide: what the AI Act says in practice, how to classify your AI tools, and what to do concretely in 2026 to be ready. If you want a deeper technical audit of your AI systems, see our AI Readiness Audit.

What the AI Act actually regulates

The AI Act applies to companies in two main roles: providers (those who develop or place AI systems on the market) and deployers (those who use AI systems in their processes). For most mid-market companies the relevant role is deployer — that is, companies that deploy off-the-shelf AI tools from external vendors (Microsoft Copilot, ChatGPT Enterprise, AI modules in ERP, HR screening tools, and so on).

The key thing to understand: the regulation does not ban AI. It regulates the level of risk and assigns proportionate obligations to it. The higher the risk, the greater the compliance burden. Most everyday business tools fall into the categories with minimal or limited requirements. Problems arise when a company does not know which category its AI system is in.

Four risk categories: where your company sits

1. Unacceptable risk — prohibited systems

These AI systems are completely banned in the EU from 2 August 2025. Examples include real-time biometric identification of people in public spaces, social scoring systems (rating people based on their behaviour), manipulative AI using subliminal techniques, or systems predicting criminal behaviour based on demographic profiles. For most companies the likelihood of deploying such systems is low — but if you have any biometric or behavioural scoring tool, verify its classification as a priority.

2. High risk — strict obligations

High-risk AI systems are subject to extensive requirements: documentation, conformity assessment, registration in an EU database, human oversight, and risk management. This category includes AI systems used in areas such as education (student performance evaluation), employment (HR screening, candidate evaluation, and employee performance), access to essential services (credit scoring, insurance), critical infrastructure, and other sensitive areas. If you use AI to make decisions about employees — for example automated CV screening — you are likely the deployer of a high-risk system.

3. Limited risk — transparency

Systems such as chatbots, deepfake generators, or AI assistants in customer service fall into this category. The main obligation is transparency: the user must know that they are communicating with AI. This requirement is relatively simple to meet — a clear label in the interface or welcome message suffices.

4. Minimal risk — no special obligations

Most everyday productivity AI tools — spam filters, recommendation systems in e-commerce, AI for text editing, automated translation — belong here. The law imposes no special obligations on them, although voluntary codes of conduct are recommended. Good news: if your company uses AI primarily for internal productivity purposes, you are most likely in this category.

2 August 2026: the date GPAI model obligations come into force

GPAI models: what it means for you

From 2 August 2026, rules for general-purpose AI models (GPAI) come into force — that is, large language models like GPT-4, Claude, or Gemini. The obligations apply primarily to the providers of these models (OpenAI, Anthropic, Google), not to companies that merely use them through APIs. For you as a deployer, this means one thing above all: make sure that your GPAI vendor has its own documentation and model card in compliance with the AI Act. This requirement should be part of your vendor due diligence.

National regulators have not yet published concrete guidance for deployers. Detailed implementing guidelines are expected in the second half of 2026, when the European Commission finalises supporting codes of conduct and harmonised standards. Until then, the text of Regulation 2024/1689 applies directly.

Compliant AI deployment

  • Inventory of AI systems before deployment
  • Risk classification per Annex III of the AI Act
  • Vendor contract contains AI Act clauses
  • Employees are trained on how the AI tool works
  • Human oversight documented at decision points
  • Internal point of contact for AI compliance

Risky AI deployment

  • AI tools deployed without formal approval
  • Unknown risk category of the system
  • Vendor contract lacks AI Act requirements
  • Employees do not know the tool's limits
  • Automated decisions without oversight records
  • No assigned responsibility for compliance

Checklist: 7 steps for SMEs in 2026

AI Act compliance does not have to be a crushing project. For most mid-market companies it can be handled in phases over a few months. Here is the operational plan.

  1. AI systems inventory

    Map every AI tool your company uses — including SaaS products with AI features you may not have consciously chosen (e.g., AI in CRM, automatic support ticket triage, sentiment analysis tools). Create a list: tool name, vendor, purpose of use, who in the organisation uses it, and which decisions it affects. Without this list, you cannot even start.

  2. Risk classification of each system

    For every tool on the list, determine the risk category under the AI Act. The key question is: does this system affect decisions about people in areas listed in Annex III (employment, education, access to services, safety)? If yes, it is likely a high-risk system. If the system only generates content or processes internal data without affecting decisions about individuals, you are most likely in the minimal-risk category.

  3. Vendor due diligence

    For each identified AI system, request the vendor's AI Act documentation: the model card (technical documentation), information on training and testing, and, for high-risk systems, the declaration of conformity. Add AI Act clauses to contracts — including the vendor's obligation to inform you of system changes that may alter its risk classification. When selecting new AI tools (e.g., through AI implementation), bake these criteria directly into the selection process.

  4. Documentation and records

    For high-risk AI systems, keeping records is a legal obligation. Document: which system is used, for which purposes, who is responsible for its oversight, and the escalation procedure for suspected error or bias. Even for lower-risk systems, internal documentation is sensible — it protects you in a potential audit or customer complaint.

  5. Staff training

    The AI Act explicitly requires deployers to ensure AI literacy — basic literacy and competence — among employees working with AI systems (Art. 4). Installing the system is not enough. The team must understand what the tool does, what it does not do, and when human judgement needs to step in. Plan basic training for every user group — especially those who use AI to make decisions about other people.

  6. Internal governance

    Decide who in the organisation is responsible for AI compliance. For most SMEs this will not be a standalone position but an added responsibility of an existing manager (e.g., COO, IT manager, lawyer). Create a simple approval policy for new AI tools: who has to sign off on a new AI system before it goes live? Even one extra email step can prevent the deployment of an unqualified tool.

  7. Monitoring and review

    The AI Act is not a one-off task. Systems change, new versions alter model behaviour, vendors update terms. Set up an annual review cycle: re-check the inventory, verify whether any system's classification has changed, and review contractual terms with key AI vendors. Also track the evolution of secondary legislation — harmonised standards and codes of conduct that the Commission issues continuously.

Compliance as opportunity, not burden

AI systems inventory and classification have a side effect most companies overlook: they force you to find out what you are actually using and why. Many organisations discover they are paying for AI tools nobody actively uses, or that duplicate systems do the same thing without coordination. If you are interested in extracting operational value from this inventory too, see our article on reducing operating costs with AI.

Companies that approach AI Act compliance systematically gain an internal AI registry, clear ownership of technology risks, and a better basis for vendor negotiations. These are advantages that have value even without regulatory pressure.

The goal is not to fill a folder with documents. The goal is to know what your systems do — and to have evidence of it when someone asks.

Do you need an AI Act audit?

We help you map the AI systems in your company, classify them under the AI Act, and set up compliance processes. Without unnecessary bureaucracy.

Free consultation