
The EU AI Act Takes Effect in August — Here's Your Compliance Checklist

By LowerPlane Team
April 3, 2026
14 min read

EU AI Act — Full Application August 2, 2026

TL;DR: Quick Takeaways

  • The EU AI Act becomes fully applicable on August 2, 2026. If you deploy or develop AI systems touching EU users, compliance is no longer optional — enforcement risk is live.
  • Prohibited AI practices — including social scoring and real-time biometric surveillance in public — have been banned since February 2025. Continued use carries penalties of up to €35M or 7% of global turnover.
  • High-risk AI systems must complete conformity assessments, maintain technical documentation, register in the EU AI database, and implement human oversight before August deployment.
  • The AI Act intersects significantly with GDPR — AI systems that process personal data must satisfy both regulatory frameworks simultaneously.
  • LowerPlane's AI governance controls map EU AI Act obligations to your existing compliance program, reducing duplicated effort by up to 60% for companies already pursuing ISO 27001, SOC 2, or GDPR.

August 2, 2026 is the date that will define AI governance for the next decade. On that day, the EU Artificial Intelligence Act — the world's first comprehensive binding legal framework for artificial intelligence — becomes fully applicable across all 27 EU member states. For any company that develops, deploys, imports, or distributes AI systems touching EU users, compliance is no longer aspirational. It is a legal obligation backed by the largest penalty regime in the history of technology regulation.

The Act has been phasing in since it entered into force in August 2024. Prohibited practices were banned starting February 2025. General Purpose AI (GPAI) model obligations took effect August 2025. But August 2, 2026 represents the full application date — when obligations for high-risk AI systems, transparency requirements for limited-risk systems, and the complete enforcement apparatus become operational simultaneously.

With less than four months remaining before full application, many organizations — particularly US-based companies with EU market exposure — are only now beginning to assess their AI portfolios against the Act's requirements. This checklist breaks down every major obligation by risk category, gives you the documentation requirements and deadlines you need, explains the penalty structure, and provides a practical compliance roadmap you can start executing today.

Understanding the EU AI Act's Four-Tier Risk Classification

The EU AI Act organizes all AI systems into four risk categories: unacceptable risk, high risk, limited risk, and minimal risk. Your compliance obligations — and the penalties for non-compliance — depend entirely on which category your AI systems fall into. The first step in any EU AI Act compliance program is an honest inventory of every AI system you develop or deploy, followed by a systematic classification exercise.

Classification is not always straightforward. The Act defines AI systems broadly as any machine-based system that, for a given set of objectives, generates outputs such as predictions, recommendations, decisions, or content that influences real or virtual environments. This definition is intentionally wide and captures many systems that companies do not traditionally label as "AI," including rule-based recommendation engines, automated scoring models, and workflow automation tools that influence consequential decisions.

Risk Level | Definition | Compliance Obligations | Maximum Penalty
Unacceptable Risk | AI that poses a clear threat to safety, fundamental rights, or democratic values | Banned — no deployment permitted | €35M or 7% of global turnover
High Risk | AI in critical sectors or used for consequential decisions affecting individuals | Conformity assessment, technical documentation, human oversight, registration | €15M or 3% of global turnover
Limited Risk | AI with specific transparency risks (chatbots, deepfakes, emotion recognition) | Transparency disclosure obligations only | €7.5M or 1.5% of global turnover
Minimal Risk | All other AI systems — spam filters, AI in video games, basic automation | Voluntary codes of conduct encouraged | No mandatory obligations

The vast majority of AI systems most companies use fall into the minimal or limited risk categories. However, any AI system embedded in HR processes, credit decisions, educational assessments, critical infrastructure management, or law enforcement applications is likely classified as high risk — and the compliance burden for high-risk systems is substantial. Do not assume your AI systems are low-risk without conducting a formal classification review against Annexes I and III of the Act.

Prohibited AI Practices: What Has Been Banned Since February 2025

Article 5 of the EU AI Act establishes an absolute prohibition on certain AI applications deemed incompatible with fundamental rights and EU values. These prohibitions have been in force since February 2, 2025 — eighteen months before full Act application. If your organization continues to deploy any of the following systems after that date, you are already operating in violation and face the Act's highest penalty tier of €35 million or 7% of global annual turnover, whichever is greater.

Social Scoring by Public Authorities

AI systems that evaluate or classify individuals or groups based on social behavior or personal characteristics over time, leading to detrimental or unfavorable treatment in unrelated social contexts. This prohibition targets government social credit systems but extends to private-sector analogues — for example, insurance or lending systems that use unrelated behavioral signals to score creditworthiness in ways that disadvantage protected characteristics.

Exploitation of Vulnerabilities

AI that exploits vulnerabilities of specific groups — including age, disability, or socioeconomic situation — to manipulate behavior in ways that cause physical, psychological, or financial harm. This prohibition has significant implications for personalized marketing systems, particularly those targeting children or economically vulnerable populations with manipulative pricing or content nudges.

Subliminal Manipulation

AI techniques that operate below conscious awareness to distort behavior in ways that cause harm to individuals or groups. The prohibition covers dark-pattern AI systems — recommendation engines, feed algorithms, and persuasive technology architectures deliberately designed to override rational decision-making without the user's awareness.

Real-Time Remote Biometric Identification in Public Spaces

The use of AI for live biometric identification of individuals in publicly accessible spaces by law enforcement is banned with narrow exceptions for specific serious crimes and under judicial authorization. For private-sector organizations, real-time facial recognition and emotion recognition systems in public or semi-public spaces — retail environments, stadiums, transportation hubs — require careful legal review. Retroactive biometric identification systems (processing recorded footage) face a separate, less absolute restriction under high-risk provisions.

Emotion Inference in Workplace and Education

AI systems that infer emotions of individuals in workplaces and educational institutions are prohibited with limited exceptions for medical and safety reasons. This prohibition directly impacts employee monitoring platforms that use facial analysis to infer sentiment, engagement, or stress levels, as well as educational technology platforms that attempt to infer student attention or emotional state through camera analysis.

Biometric Categorization by Sensitive Attributes

AI systems that categorize individuals based on biometric data to infer or deduce their race, political opinions, trade union membership, religious or philosophical beliefs, sex life, or sexual orientation are prohibited. Systems used for profiling based on protected characteristics — even indirectly through biometric proxies — fall squarely within this prohibition.

Action Required If You May Be Affected

If your organization deployed any of the above capabilities before February 2025, you should have already discontinued them. If you are uncertain whether a system falls within a prohibition, seek legal counsel specializing in EU AI regulation and conduct a documented risk assessment. Voluntary disclosure to national market surveillance authorities before an investigation begins is treated as a significant mitigating factor in penalty calculations under Article 99.

High-Risk AI: The Eight Categories That Carry the Heaviest Obligations

Annex III of the EU AI Act identifies eight specific application areas where AI systems are classified as high-risk by default. Any AI system deployed in these categories — regardless of its technical sophistication — must satisfy the full set of Article 9 through Article 15 requirements before August 2, 2026. The compliance timeline for high-risk systems is extensive: conformity assessments, technical documentation, quality management systems, and human oversight mechanisms cannot be implemented overnight.

1. Biometric Identification and Categorization

Remote biometric identification systems, biometric verification for access control, and categorization of individuals by personal attributes. Post-August, any biometric system must meet high-risk requirements unless used exclusively for direct security authentication with no logging of identification data.

2. Critical Infrastructure Management

AI used in safety components for critical digital infrastructure, road traffic, water supply, gas, heating, and electricity. Utilities and infrastructure operators using AI for predictive maintenance, anomaly detection, or automated control systems in regulated infrastructure must classify those systems as high-risk.

3. Education and Vocational Training

AI that determines access to or admission to educational institutions, evaluates learning outcomes, assesses performance in exams, or infers emotional states of students. EdTech platforms using AI for grading, admissions screening, or personalized learning pathway assignment are high-risk by default.

4. Employment, Worker Management, and Access to Self-Employment

AI for recruitment and applicant filtering, CV screening, performance monitoring, task allocation, and employment termination decisions. This is the highest-impact category for enterprise software vendors — virtually every AI-assisted HR platform serving EU employees is affected.

5. Access to Essential Private and Public Services

AI for creditworthiness assessment, insurance risk and pricing, emergency service dispatch, and public benefit eligibility. FinTech companies, insurers, and government service providers using AI to make or influence access decisions face high-risk classification across their core product lines.

6. Law Enforcement

AI used by law enforcement for individual risk assessment, polygraph-like tools, evidence reliability evaluation, crime prediction, profiling, and crime analysis. Private-sector vendors supplying AI to law enforcement agencies must ensure their systems meet high-risk requirements regardless of the vendor's own risk profile.

7. Migration, Asylum, and Border Control

AI for risk assessment of migration applicants, document authenticity verification, examination of visa and asylum applications, and border control monitoring. Organizations supplying technology to EU immigration authorities or operating in border management contexts must treat their AI systems as high-risk.

8. Administration of Justice and Democratic Processes

AI assisting courts in researching, interpreting facts, or applying law, and AI used to influence electoral outcomes or voter behavior. LegalTech platforms offering AI-assisted judicial decision support tools in EU jurisdictions must treat those systems as high-risk regardless of the level of human oversight claimed.

One critical nuance: Article 6(3) provides a self-assessment mechanism allowing providers of Annex III systems to conclude their AI is not high-risk if it does not pose significant risk to health, safety, or fundamental rights. This exception is narrow and requires documented justification. The European AI Office is expected to issue guidance on the exception's scope. Until that guidance is published, treat any system falling within an Annex III category as high-risk by default.

Mandatory Requirements for High-Risk AI Systems

If your organization is a provider (developer) or deployer of high-risk AI systems, Articles 9 through 15 impose a comprehensive set of obligations. These are not light-touch disclosure requirements — they require documented processes, technical controls, and ongoing governance mechanisms that must be operational before your AI system is placed on the EU market or put into service.

Article 9: Risk Management System

You must establish, implement, document, and maintain a risk management system covering the entire lifecycle of the AI system. The system must identify and analyze known and reasonably foreseeable risks, estimate and evaluate risks arising from intended use and foreseeable misuse, adopt appropriate risk mitigation measures, and test residual risk acceptability. Risk management is a continuous process — not a one-time assessment — and must be updated as new risks emerge post-deployment.

Documentation Required:

  • Risk management plan describing methodology and scope
  • Risk register identifying all identified risks with likelihood and impact assessments
  • Mitigation measures implemented for each identified risk
  • Post-market monitoring plan describing how new risks will be detected and addressed

Article 10: Data and Data Governance

Training, validation, and testing datasets must be subject to appropriate data governance practices addressing data collection processes, data preparation, examination for possible biases, and data gaps. The Act does not mandate specific technical standards for bias testing, but the data governance requirement imposes a structured obligation to examine datasets for the biases most likely to affect your system's risk classification. For systems affecting protected characteristics under EU law — gender, race, age, disability — bias examination is expected to be extensive.

Documentation Required:

  • Data governance policy covering training, validation, and testing data
  • Data collection and labeling process documentation
  • Bias examination results and any bias mitigation measures applied
  • Dataset characteristics summary (size, sources, features, known limitations)

Article 11: Technical Documentation

Providers must prepare technical documentation before placing a high-risk AI system on the market. Annex IV prescribes the content in detail: general system description, elements and development process documentation, performance metrics and monitoring approach, testing and validation documentation, instructions for use, and post-market monitoring plan. Technical documentation must be maintained and updated throughout the system's lifetime and made available to national authorities on request within 30 days.

Documentation Required:

  • General system description including intended purpose, version history, and deployment context
  • Architecture diagram and component description
  • Training methodology including algorithms, datasets, and validation approach
  • Performance metrics, accuracy benchmarks, and known limitations
  • Instructions for use covering intended deployers and technical requirements

Article 12: Record-Keeping and Logging

High-risk AI systems must be capable of automatic logging of events relevant to identifying risks and enabling post-market monitoring. Logs must capture the period of each use, the input data, and any significant events or anomalies. For high-risk systems where results are used for consequential decisions about individuals — lending decisions, employment screening, medical diagnosis assistance — audit logs must be retained for periods sufficient to enable regulatory review. The Act specifies a minimum of six months for many categories, with longer retention for law enforcement applications.
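As an added illustration of the Article 12 elements listed above, the following Python sketch is example code written for this guide, not code from the article's author or from LowerPlane's product. It keeps one record per use of a hypothetical CV-screening model: the period of use, a reference to and digest of the input rather than the raw personal data, the output, and any significant events (an anomaly, a human override). Records are hash-chained so that later edits or deletions are detectable, and a retention check flags which records have passed the six-month minimum. The system name, field names, the 183-day retention constant, and the sample records are all assumptions.

```python
import hashlib
import json
from datetime import datetime, timedelta, timezone

# Assumption: the six-month minimum the text cites, approximated as 183 days.
RETENTION_MIN_DAYS = 183


def _digest(obj) -> str:
    """SHA-256 over canonical JSON so equal content always yields the same digest."""
    canon = json.dumps(obj, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canon.encode()).hexdigest()


class AIAuditLog:
    """Append-only, hash-chained audit log. Every record commits to the hash of
    the record before it, so editing or removing an earlier record breaks
    verify_chain()."""

    def __init__(self):
        self.records = []
        self._prev_hash = "0" * 64  # genesis value for the first record

    def record_use(self, system_id, model_version, started, ended,
                   input_ref, input_payload, output, events=()):
        """Log one use: period, input reference + digest, output, events.
        The raw input stays in its own system of record; the digest lets a
        reviewer confirm later that the stored input is the one that was scored."""
        if ended < started:
            raise ValueError("use period ends before it starts")
        body = {
            "seq": len(self.records),
            "system_id": system_id,
            "model_version": model_version,
            "period": {"start": started.isoformat(), "end": ended.isoformat()},
            "input_ref": input_ref,
            "input_digest": _digest(input_payload),
            "output": output,
            "events": list(events),
            "prev_hash": self._prev_hash,
        }
        body["record_hash"] = _digest(body)  # hash over everything above
        self.records.append(body)
        self._prev_hash = body["record_hash"]
        return body["record_hash"]

    def verify_chain(self) -> bool:
        """Recompute every record hash and check each prev_hash link."""
        prev = "0" * 64
        for rec in self.records:
            if rec["prev_hash"] != prev:
                return False
            unsigned = {k: v for k, v in rec.items() if k != "record_hash"}
            if _digest(unsigned) != rec["record_hash"]:
                return False
            prev = rec["record_hash"]
        return True

    def deletable(self, now_iso, legal_hold=frozenset()):
        """Sequence numbers whose retention minimum has passed (measured from the
        end of the use period) and that are not under a legal hold."""
        cutoff = datetime.fromisoformat(now_iso) - timedelta(days=RETENTION_MIN_DAYS)
        return [r["seq"] for r in self.records
                if datetime.fromisoformat(r["period"]["end"]) <= cutoff
                and r["seq"] not in legal_hold]

    def events_of_type(self, kind):
        """Sequence numbers of records carrying at least one event of this type."""
        return [r["seq"] for r in self.records
                if any(e["type"] == kind for e in r["events"])]


def build_sample_log():
    """Constructed sample: two uses of a hypothetical CV-screening model."""
    log = AIAuditLog()
    t0 = datetime(2026, 1, 10, 9, 0, tzinfo=timezone.utc)
    log.record_use("cv-screen-v2", "2.3.1", t0, t0 + timedelta(seconds=4),
                   "application-0001",
                   {"years_experience": 6, "skills": ["python", "sql"]},
                   {"score": 0.81, "recommendation": "interview"})
    t1 = datetime(2026, 7, 1, 14, 30, tzinfo=timezone.utc)
    log.record_use("cv-screen-v2", "2.3.1", t1, t1 + timedelta(seconds=5),
                   "application-0002",
                   {"years_experience": 1, "skills": []},
                   {"score": 0.12, "recommendation": "reject"},
                   events=[{"type": "human_override",
                            "detail": "reviewer advanced candidate to interview"}])
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print("chain intact:", log.verify_chain())
    print("overrides:", log.events_of_type("human_override"))
    print("deletable on 2026-08-02:", log.deletable("2026-08-02T00:00:00+00:00"))
```

Two design choices matter here. Storing a digest and a reference instead of the input itself keeps the log from becoming a second copy of personal data with its own GDPR exposure, while still binding each decision to exactly the input that produced it. The hash chain is what makes the log credible to a market surveillance authority reviewing a decision months later: a record that was quietly corrected after the fact no longer verifies.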

Article 13: Transparency and Provision of Information to Deployers

High-risk AI systems must be sufficiently transparent that deployers can understand the system's output and use it appropriately. Providers must supply deployers with instructions for use covering the system's characteristics, limitations, known biases, performance in relation to specific groups, and the need for human oversight. Instructions must be understandable by deployers without specialist AI expertise — plain language documentation covering what the system does, what it cannot do reliably, and when human review is required.

Article 14: Human Oversight

High-risk AI systems must be designed and developed with effective human oversight capabilities. This means building in technical measures that allow natural persons overseeing the system to understand the system's capabilities and limitations, interpret outputs, detect anomalies and malfunctions, intervene and stop the system in real time, and avoid over-reliance on the system's outputs. Human oversight is not satisfied by a nominal review process — the system must be designed so that meaningful human intervention is practically feasible, not just formally required.

Article 15: Accuracy, Robustness, and Cybersecurity

High-risk AI systems must achieve appropriate levels of accuracy, robustness, and cybersecurity. Accuracy levels must be declared in technical documentation. The system must be resilient to errors, faults, inconsistencies, and adversarial inputs. For AI systems processing personal data, cybersecurity requirements overlap with GDPR Article 32 technical security obligations — creating an opportunity to address both regulatory frameworks simultaneously through a coordinated security controls implementation program.

Conformity Assessment and EU AI Database Registration

Before placing a high-risk AI system on the EU market, providers must conduct a conformity assessment demonstrating the system satisfies all applicable requirements. The conformity assessment process depends on the system type. Most high-risk AI systems — those not covered by existing EU product safety legislation — can use the internal conformity assessment route (Annex VI), allowing providers to self-assess against the Act's requirements and declare conformity. High-risk AI systems that are safety components of products already covered by EU harmonization legislation (medical devices, machinery, vehicles) require a third-party notified body assessment.

Conformity Assessment Steps for Most High-Risk AI Systems

  1. Complete all Article 9–15 technical documentation requirements and quality management system implementation.
  2. Conduct internal conformity assessment against all applicable requirements using the Annex VI procedure, documenting evidence of compliance for each requirement.
  3. Draft and sign the EU Declaration of Conformity (Annex V) for the specific AI system, including the provider's identity, system description, applicable requirements, and a statement that the system is in conformity with the Act.
  4. Affix the CE marking to the AI system or its documentation where applicable (required for AI systems that are safety components of CE-marked products).
  5. Register the AI system in the EU AI Database maintained by the European AI Office before placing the system on the market. Public authorities using high-risk AI must also register. The database is publicly accessible — registration creates a transparency record that both regulators and civil society can access.
  6. Retain all conformity assessment documentation for ten years after the AI system has been placed on the market and make it available to national market surveillance authorities within 30 days of request.

Start Your EU AI Act Compliance Program Today

LowerPlane's AI governance controls map EU AI Act obligations to your existing ISO 27001, SOC 2, and GDPR compliance program. With August 2, 2026 approaching, companies that start now have time to complete high-risk AI assessments, documentation, and registrations before enforcement begins.

Transparency Requirements for Limited-Risk AI Systems

Limited-risk AI systems — primarily those where deception or manipulation of the user is the main concern — face targeted transparency obligations under Articles 50 and 52. Unlike high-risk requirements, transparency obligations are not gated behind a conformity assessment. They apply immediately upon deployment and require specific disclosures to users interacting with the system.

Chatbots and Conversational AI

Any AI system designed to interact with humans in natural language — chatbots, virtual assistants, customer service AI — must inform users at the beginning of the interaction that they are communicating with an AI, unless this is obvious from context. The disclosure must be clear and prominent — a single-line mention buried in terms of service does not satisfy the requirement. This obligation applies to the deployer, not the provider, making this a compliance obligation for any business using a third-party chatbot product.

Deepfakes and AI-Generated Content

AI systems that generate or manipulate image, audio, or video content that could falsely appear authentic must label their outputs as AI-generated. This applies to synthetic media — deepfake videos, AI-generated images, voice cloning — used for purposes other than artistic, satirical, or clearly fictional content. The label requirement extends to deployers distributing AI-generated content in advertising, news, or informational contexts. For content intended for public dissemination, machine-readable watermarking is expected to become standard under forthcoming implementing acts.

Emotion Recognition and Biometric Categorization

AI systems that infer emotions — even those not prohibited under the unacceptable risk category — must inform individuals when they are subject to emotion recognition. Similarly, AI systems categorizing individuals using biometric data must disclose this to the people being analyzed. These disclosures are required regardless of whether the emotion or biometric inference triggers any consequential decision — the transparency obligation stands independently.

The EU AI Act and GDPR: Managing the Regulatory Intersection

Most AI systems that process personal data of EU residents simultaneously engage both the EU AI Act and the General Data Protection Regulation. These two frameworks were designed to be complementary, but managing their overlapping obligations requires deliberate coordination to avoid compliance gaps and to maximize the efficiency of shared documentation.

The intersection is particularly dense for high-risk AI systems. A recruitment AI screening EU job applicants must satisfy AI Act requirements for risk management, data governance, human oversight, and technical documentation, while simultaneously satisfying GDPR requirements for lawful basis of processing, data subject rights, Data Protection Impact Assessment, and automated decision-making restrictions under Article 22. The compliance work overlaps substantially — and an integrated approach that addresses both frameworks together is significantly more efficient than treating them as parallel independent tracks.

Obligation Area | EU AI Act Requirement | GDPR Parallel
Impact Assessment | Article 9 Risk Management System | Article 35 DPIA requirement
Data Quality | Article 10 Data Governance | Article 5(1)(d) Accuracy principle
Technical Documentation | Article 11 Technical Documentation | Article 30 Records of Processing
Audit Trails | Article 12 Logging Requirements | Article 5(2) Accountability; Article 22 automated decision logging
Human Review | Article 14 Human Oversight | Article 22(3) Right to human review of automated decisions
Security Controls | Article 15 Cybersecurity | Article 32 Technical security measures
Transparency to Users | Article 50 Transparency obligations | Articles 13/14 Privacy notices; Article 22(2)(b) Automated decision disclosure

Companies that have already built robust GDPR compliance programs have a meaningful head start on EU AI Act compliance. A DPIA conducted for a high-risk AI system under GDPR can be extended to satisfy the Article 9 risk management documentation requirements. Records of processing under Article 30 overlap significantly with Article 11 technical documentation. LowerPlane's cross-framework control mapping surfaces these overlaps automatically, allowing compliance teams to satisfy both frameworks from a single evidence artifact rather than maintaining duplicate documentation.

Penalty Structure: What Non-Compliance Actually Costs

The EU AI Act's penalty regime is among the most severe in the history of technology regulation — exceeding even GDPR's maximum penalties for the most serious violations. Understanding the penalty structure is essential for prioritizing your compliance investments. The Act establishes three penalty tiers based on violation type, with amounts calculated as whichever is higher between the absolute cap and the percentage of global annual turnover.


Tier 1: Prohibited Practice Violations

Maximum penalty: €35 million or 7% of global annual turnover, whichever is higher.

Applies to: Any violation of Article 5 prohibited practices — social scoring, subliminal manipulation, exploitation of vulnerabilities, unauthorized real-time biometric identification, emotion inference in workplaces and educational institutions, and biometric categorization by sensitive attributes. For a company with €500M in global revenue, the maximum exposure is €35 million. For a company with €1 billion in revenue, the maximum is €70 million.


Tier 2: High-Risk AI Obligation Violations

Maximum penalty: €15 million or 3% of global annual turnover, whichever is higher.

Applies to: Violations of Articles 9–15 obligations for high-risk systems — inadequate risk management, non-compliant data governance, missing technical documentation, absent logging, insufficient human oversight, and cybersecurity failures. This tier also covers GPAI model provider violations and deployer non-compliance with their Article 26 obligations.


Tier 3: Information and Documentation Violations

Maximum penalty: €7.5 million or 1.5% of global annual turnover, whichever is higher.

Applies to: Providing incorrect, incomplete, or misleading information to notified bodies or national authorities. A provider who supplies false documentation during a conformity assessment or market surveillance investigation faces this additional penalty on top of any underlying violation penalty.

Penalty Calculation Factors

National market surveillance authorities have discretion in determining penalty amounts within the statutory maximums. Key factors that influence the final amount include:

Aggravating Factors:

  • Duration and severity of the violation
  • Scale and number of individuals affected
  • Intentional or negligent nature of the infringement
  • Prior violations or warnings ignored
  • Failure to cooperate with authorities

Mitigating Factors:

  • Self-reporting before investigation
  • Prompt corrective action taken
  • Cooperation with investigation
  • Evidence of good faith compliance efforts
  • SME status (reduced penalties for SMEs)

Your Step-by-Step EU AI Act Compliance Checklist

With August 2, 2026 less than four months away, the following checklist provides a structured path to compliance. The timeline is aggressive but achievable for companies that begin immediately. Organizations that wait until July will not have sufficient time to complete high-risk AI documentation and conformity assessment processes.

Phase 1: AI Inventory and Classification (Weeks 1–2)

Phase 2: Prohibited Practice Remediation (Weeks 2–3)

Phase 3: High-Risk AI Compliance Program (Weeks 3–10)

Phase 4: Conformity Assessment and Registration (Weeks 10–14)

Phase 5: Transparency, Training, and Governance (Weeks 12–16)

How LowerPlane Supports EU AI Act Compliance

LowerPlane was built for exactly this kind of regulatory complexity: multiple overlapping frameworks, extensive documentation requirements, and ongoing governance obligations that cannot be managed in spreadsheets. Our AI governance controls address EU AI Act obligations directly while leveraging evidence from your existing compliance program to minimize duplicated effort.

AI System Inventory and Classification

LowerPlane's AI inventory module provides a structured registry for every AI system in your organization. Classification workflows guide teams through the Annex I and Annex III criteria with documented decision trees. Classification results are stored with supporting evidence and can be exported for regulatory submissions or internal audit purposes.

Risk Management Documentation

Our risk management workflows satisfy Article 9 requirements while integrating with your existing GDPR DPIA process. For AI systems that process personal data, a single assessment workflow generates documentation satisfying both AI Act risk management requirements and GDPR DPIA obligations — eliminating the most common source of duplicated compliance effort for AI-enabled products.

Technical Documentation Templates

LowerPlane provides Annex IV-aligned technical documentation templates pre-structured to capture all required elements. Teams complete documentation through a guided workflow rather than starting from a blank document. Documentation is linked to the AI system registry and flagged for review when systems undergo material changes, ensuring ongoing accuracy without manual tracking.

Cross-Framework Control Mapping

LowerPlane's 400+ control library maps EU AI Act obligations to GDPR, ISO 27001, and SOC 2 controls with 80–90% overlap identification. Evidence collected for ISO 27001 Annex A controls automatically satisfies relevant Article 15 cybersecurity requirements. Companies already pursuing ISO 27001 or SOC 2 can achieve EU AI Act compliance 40–60% faster by leveraging existing evidence artifacts.

Key Takeaways

  1. The EU AI Act becomes fully applicable August 2, 2026 — with less than four months remaining, organizations with high-risk AI systems must begin compliance programs immediately to complete documentation and registration before the deadline.

  2. Prohibited AI practices have been illegal since February 2025. If your organization continues to operate social scoring systems, subliminal manipulation AI, unauthorized biometric identification, or emotion inference in workplaces, enforcement risk is active today — not in August.

  3. High-risk AI classification is broader than most companies assume. Any AI system embedded in HR, credit, insurance, education, healthcare, or infrastructure management is likely high-risk by default — triggering extensive documentation, conformity assessment, and registration requirements.

  4. The EU AI Act and GDPR are complementary frameworks with extensive overlap. Companies with mature GDPR programs have a significant compliance head start — a coordinated approach satisfying both frameworks simultaneously is dramatically more efficient than treating them as separate compliance tracks.

  5. Penalty exposure under the EU AI Act exceeds GDPR — up to €35 million or 7% of global turnover for prohibited practice violations. The Act's enforcement infrastructure is designed for systematic rather than selective enforcement. The risk of non-compliance is not theoretical.

  6. AI governance is not a one-time compliance project. The Act requires ongoing risk management, post-market monitoring, and documentation updates throughout the AI system lifecycle. Build AI governance into your operational compliance program, not your project backlog.

Frequently Asked Questions

Does the EU AI Act apply to my US company if we only have EU customers, not EU employees?
Yes. The EU AI Act applies based on where the AI system is deployed and who it affects — not where the provider or deployer is established. Article 2 establishes extraterritorial scope: the Act applies to providers placing AI systems on the EU market, deployers using AI systems that affect individuals in the EU, and importers and distributors of AI systems. If your AI product is used by EU businesses to affect EU residents — or if EU residents directly interact with your AI system — you are within scope regardless of your company's physical location.
Are there reduced obligations for SMEs and startups?
The EU AI Act includes several SME-specific provisions. Micro and small enterprises (under 50 employees and under €10M turnover) benefit from reduced administrative obligations and simplified conformity assessment procedures. Member states are required to provide dedicated support channels and regulatory sandboxes where SMEs can develop and test high-risk AI systems with regulatory guidance before full compliance obligations apply. Penalties for SMEs are calculated at the lower percentage tier. However, the substantive safety and transparency obligations remain — SMEs cannot deploy prohibited AI or unassessed high-risk AI; they simply have lighter documentation and process requirements to satisfy those obligations.
We use third-party AI tools in our products — are we a provider or deployer under the Act?
It depends on how you integrate and deploy the AI capability. If you simply use an AI platform's API within its intended purpose and present outputs to end users without substantial modification, you are generally a deployer with deployer-level obligations under Article 26. If you fine-tune a foundation model, add a substantial layer of your own AI system architecture, or present the AI capability under your own name in a way that EU users reasonably understand as your AI product, you may be reclassified as a provider — with the full provider obligation set including technical documentation and conformity assessment. The European AI Office is developing guidance on the provider-versus-deployer boundary.
What is a General Purpose AI (GPAI) model and what are the compliance requirements?
General Purpose AI (GPAI) models are AI models trained on large amounts of data capable of performing a wide range of tasks, as defined in Article 3(63). Their obligation set under Chapter V (Articles 53–56) has been in force since August 2025. All GPAI model providers must prepare and maintain technical documentation, publish a summary of training data content, and establish a copyright compliance policy. GPAI models posing systemic risk (generally those trained with over 10^25 FLOPs) face additional obligations: model evaluation and adversarial testing, incident reporting to the European AI Office, cybersecurity protection measures, and energy efficiency reporting. Companies that train and release their own AI models for use by third parties should assess whether they meet the GPAI threshold.
Can we conduct the conformity assessment internally, or do we need a third party?
For most high-risk AI systems under Annex III — those not covered by existing EU product safety legislation — internal conformity assessment using the Annex VI procedure is permitted. You document compliance with each applicable requirement, sign the Declaration of Conformity, and register in the EU AI database without requiring a notified body. Third-party notified body assessment is mandatory only for high-risk AI systems that are safety components of products already subject to EU harmonization legislation (such as medical devices under the MDR, or machinery under the Machinery Regulation). If your AI system enhances an existing CE-marked product, your existing product compliance process likely already involves a notified body, which will need to be engaged for the AI-specific assessment.
Which national authority will enforce the EU AI Act against our company?
Each EU member state designates a national market surveillance authority (MSA) responsible for AI Act enforcement within that country. For companies established in the EU, the relevant authority is generally the MSA of the member state where the company is established. For non-EU companies, the relevant authority is typically the MSA of the member state where the company's EU representative is located, or where the company first places the AI system on the EU market. The European AI Office has direct supervisory authority over GPAI model providers and coordinates cross-border enforcement for non-EU providers. For US companies, the Irish, Dutch, or Luxembourg MSAs are likely to be primary enforcement contacts, mirroring the GDPR enforcement pattern.
How does the EU AI Act interact with GDPR for AI systems that process personal data?
The EU AI Act and GDPR are designed to be complementary. For AI systems processing personal data, both frameworks apply simultaneously and you must satisfy both sets of obligations. The good news is that the frameworks have substantial overlaps: the AI Act's Article 9 risk management requirements parallel GDPR's Article 35 DPIA, Article 10 data governance parallels GDPR's accuracy and data minimization principles, and Article 14 human oversight parallels GDPR's Article 22 human review rights for automated decisions. An integrated compliance approach addressing both frameworks from a single documentation and evidence collection exercise is far more efficient than managing them separately. LowerPlane's cross-framework mapping automates this overlap identification.
