AI Governance & ComplianceHow-ToFreshLast reviewed: · 45d ago

    EU AI Act Compliance Guide: Step-by-Step for Enterprises

    TL;DR

    Quick Answer
    Cited by AI
    EU AI Act compliance requires 6 steps: inventory AI systems, classify risk, apply tier obligations, document, register, and audit. Fines reach €35M or 7% of turnover.

    The EU AI Act (Regulation 2024/1689) applies progressively through 2027 — with fines up to €35 million or 7% of global turnover. Here is how enterprises get compliant.

    EU AI Act compliance refers to an enterprise's adherence to Regulation 2024/1689, which classifies AI systems by risk level — unacceptable, high, limited, and minimal — and mandates proportional obligations for providers and deployers placing AI outputs in the EU market.

    Eric Lundberg - Author at Alice Labs
    Written by
    Linus Ingemarsson - Reviewer at Alice Labs
    Reviewed by
    Published
    18 min read
    €35M

    Maximum fine for prohibited AI practices (or 7% of global turnover)

    GLACIS EU AI Act Compliance Guide, April 2026

    Aug 2, 2026

    Deadline for high-risk AI system obligations

    Cleo Labs EU AI Act Compliance Guide 2026

    50+

    Enterprise AI implementations by Alice Labs since 2023

    Alice Labs internal

    What you'll learn

    • How to classify your AI systems under the EU AI Act's four risk tiers
    • Which compliance obligations apply to providers versus deployers
    • The exact documentation, registration, and audit requirements for high-risk AI
    • Key enforcement deadlines and which rules are already in force in 2026
    • How to build an internal governance structure that scales with regulation
    • What penalties apply and how market surveillance authorities enforce them

    Key Takeaways

    • The EU AI Act entered into force on August 1, 2024, with prohibited practices banned from February 2, 2025 and high-risk AI obligations applying from August 2, 2026
    • Fines for prohibited AI practices reach €35 million or 7% of global annual turnover, whichever is higher (GLACIS, April 2026)
    • The AI Office, established within DG CNECT, centrally enforces General-Purpose AI rules; member-state market surveillance authorities handle high-risk AI (Presenc AI, May 2026)
    • Any provider or deployer whose AI outputs are used in the EU falls under scope, regardless of where the company is headquartered
    • The General-Purpose AI Code of Practice was finalized in mid-2025 and signed by OpenAI, Google, and Microsoft (Presenc AI, May 2026)
    • High-risk AI systems must complete technical documentation, conformity assessments, and EU database registration before market placement
    01 / 07Chapter

    What EU AI Act Compliance Actually Means for Enterprises

    In short

    EU AI Act compliance means meeting legally binding obligations that vary by your role (provider or deployer) and your AI system's risk classification. The rules are not uniform — a chatbot and a medical diagnostic tool face completely different requirements.

    EU AI Act compliance is an enterprise's adherence to Regulation 2024/1689 — the world's first comprehensive legal framework for artificial intelligence. It classifies AI systems by risk level and mandates proportional obligations for every provider and deployer whose outputs reach the EU market.

    The regulation is not a single deadline. It applies in progressive waves, with each phase activating a new layer of obligations.

    The Enforcement Timeline You Must Know

    The Act entered into force on August 1, 2024. Since then, four enforcement milestones govern when each obligation becomes legally binding.

    Date Obligation Who It Affects
    Feb 2, 2025 Prohibited AI practices banned outright All providers and deployers
    Aug 2, 2025 GPAI model obligations and codes of practice General-purpose AI model providers
    Aug 2, 2026 Full high-risk AI obligations (Annex I and III systems) Providers and deployers of high-risk AI
    Aug 2, 2027 High-risk AI in legacy Annex I systems Operators of existing regulated-sector systems
    Ongoing Notified body conformity assessments High-risk AI providers seeking EU market access

    The penalty structure scales with severity, according to the GLACIS EU AI Act Compliance Guide (April 2026):

    • €35M or 7% of global turnover: Prohibited AI practices (whichever is higher)
    • €15M or 3% of global turnover: Other violations of the regulation
    • €7.5M or 1.5% of global turnover: Providing incorrect information to authorities

    Two enforcement bodies share jurisdiction. The AI Office within DG CNECT handles General-Purpose AI model enforcement centrally. Member-state market surveillance authorities handle high-risk AI at national level, as confirmed by Presenc AI (May 2026).

    Territorial Scope Is Broad

    The EU AI Act applies to any provider or deployer whose AI outputs are used in the EU — including companies headquartered in the US, UK, or Asia. Non-EU companies are not exempt.

    Provider vs. Deployer: Who Bears What Obligation

    The Act draws a critical distinction between two roles, each carrying different legal burdens.

    A provider is any natural or legal person that develops an AI system or general-purpose AI model and places it on the EU market — or puts it into service under their own name or trademark. A deployer is any entity using an AI system under its authority in a professional context.

    • Provider obligations (high-risk AI): Technical documentation, conformity assessments, CE marking, post-market monitoring, EU database registration, incident reporting
    • Deployer obligations (high-risk AI): Fundamental rights impact assessments, human oversight implementation, use-case logging, staff training, transparency to affected persons

    A single enterprise can be both. If you fine-tune a third-party model (e.g. an OpenAI base model) and deploy it internally for HR decisions, you are simultaneously a provider and a deployer — and carry the full burden of both roles.

    In our experience across 100+ enterprise AI implementations at Alice Labs, the provider-deployer boundary is the most commonly misunderstood aspect of the regulation. Most enterprises that customize foundation models do not realize they have stepped into the provider role — and with it, the heavier compliance obligations.

    02 / 07Chapter

    Steps 1–2: Inventory Your AI Systems and Classify Risk

    In short

    Before you can comply, you need a complete inventory of every AI system in use, then map each to one of four risk tiers: unacceptable, high, limited, or minimal. Classification determines every subsequent obligation.

    You cannot assess risk or assign compliance obligations without first knowing what AI systems your enterprise uses. An AI inventory is the non-negotiable foundation — and in practice, it routinely uncovers systems that business units deployed without IT or legal awareness.

    Building Your AI Inventory: What to Capture

    A complete inventory requires surveying every department, not just IT. Many high-risk systems enter enterprises through SaaS procurement — an HR team subscribing to an AI-driven recruitment platform, or a finance team using an automated credit-decisioning tool.

    For each AI system, document:

    • System name and vendor
    • Business purpose and use case
    • Data inputs (personal data, biometric data, financial data)
    • Decision outputs (advisory, automated, binding)
    • Affected populations (employees, customers, EU residents)
    • Provider vs. deployer role for your organization

    A screened study of 50 European AI companies published on SSRN (Shucrani et al., May 2026) found significant gaps in how enterprises classify their own systems — particularly in HR, finance, and customer-service contexts. Underclassification is a material compliance risk.

    Use the Official Compliance Checker

    The European Commission's AI Act Service Desk offers a free compliance checker at ai-act-service-desk.ec.europa.eu — use it as your starting classification baseline, then validate with legal counsel.

    The Four Risk Tiers: What Each Means

    Once your inventory is complete, map every system to one of the Act's four tiers. The tier determines the entire compliance pathway.

    Risk Tier Examples Core Obligation Penalty for Breach
    Unacceptable Social scoring by governments, real-time biometric surveillance in public spaces Prohibited entirely — cannot be deployed Up to €35M or 7% of global turnover
    High Employment AI, credit scoring, biometric identification Full conformity assessment, documentation, EU database registration Up to €15M or 3% of global turnover
    Limited Chatbots, deepfake generators, emotion-recognition tools Transparency disclosures only (must identify as AI) Up to €7.5M or 1.5% of global turnover
    Minimal Spam filters, AI in video games, recommendation engines No mandatory obligations under the Act N/A

    Annex III: The High-Risk Categories That Catch Enterprises Off-Guard

    Annex III defines eight categories of high-risk AI. Many enterprise tools already in common use fall within these categories — often without the deploying organization realizing it.

    • Biometric identification: Employee access control, identity verification in customer onboarding, facial recognition in timekeeping systems
    • Critical infrastructure: AI managing energy grids, water systems, or transport networks
    • Education and vocational training: AI-graded assessments, admissions scoring, learning-performance monitoring
    • Employment and HR: CV screening tools, performance monitoring, promotion algorithms, workforce analytics
    • Essential private and public services: Credit scoring, insurance risk assessment, social benefit eligibility
    • Law enforcement: Predictive policing tools (certain forms also prohibited)
    • Migration and border control: Visa risk-scoring, border management AI
    • Administration of justice: AI assisting in legal interpretation or dispute resolution

    Enterprises in regulated industries — particularly financial services, HR technology, and healthcare — should assume Annex III applies until a formal classification exercise proves otherwise. Uncertainty about classification is not a legal defense under the regulation.

    Our enterprise AI strategy framework provides a structured approach to mapping AI systems against regulatory obligations before deployment — a step that, in our experience, saves significant remediation cost later. See also our EU AI Act compliance checklist for 2026 for a practical tool you can use alongside this guide.

    03 / 07Chapter

    Steps 3–4: Meet High-Risk Obligations and Document Everything

    In short

    High-risk AI systems require six concrete compliance pillars: a quality management system, technical documentation, data governance, human oversight, accuracy and robustness testing, and post-market monitoring. Documentation is not optional — it is the evidentiary record regulators will request.

    If your inventory confirms a high-risk system, six parallel workstreams activate simultaneously. Each is a hard requirement under Regulation 2024/1689 — and each must be completed before the system is placed on the EU market or put into service.

    The Six High-Risk Compliance Pillars

    • 1. Quality management system (QMS): A documented QMS covering design, development, testing, and post-deployment monitoring. Must include roles, responsibilities, and review cadences.
    • 2. Technical documentation: Comprehensive pre-deployment documentation covering the system's purpose, architecture, training data, performance metrics, known limitations, and risk mitigations. Updated when the system changes materially.
    • 3. Data governance: Training, validation, and testing datasets must meet quality criteria. Bias examination is mandatory. Data lineage must be documented.
    • 4. Human oversight mechanisms: Systems must be designed so that human operators can understand, monitor, and intervene. This is not a checkbox — it requires technical implementation (audit logs, override mechanisms, interpretability outputs).
    • 5. Accuracy, robustness, and cybersecurity: The system must meet declared performance levels and be resilient to attempts to alter its behavior. Testing against adversarial inputs is expected.
    • 6. Post-market monitoring: Providers must proactively collect and analyze real-world performance data after deployment. Serious incidents must be reported to national market surveillance authorities.

    Technical Documentation: What Regulators Will Expect

    Technical documentation under Annex IV of the Act is the primary evidentiary record for conformity assessments. It must be maintained for 10 years after the system is placed on the market.

    The documentation package must include:

    • General description of the AI system, its intended purpose, and version history
    • Description of the components, algorithms, and model architecture (with sufficient detail for auditor review)
    • Training methodology, dataset characteristics, and pre-processing procedures
    • Validation and testing procedures — including performance metrics, test sets, and known failure modes
    • Risk management documentation per the QMS
    • Description of human oversight measures and their technical implementation
    • Cybersecurity measures and resilience testing outcomes

    From our work implementing AI governance frameworks for enterprises in regulated sectors, the documentation gap is where most organizations are furthest behind. Building documentation retroactively — after a system is already in production — is significantly more costly than integrating it into the development process from the start.

    Conformity Assessment: Self-Assessment vs. Notified Body

    Most high-risk AI systems in Annex III can be self-assessed by the provider — using internal procedures against harmonized standards. However, systems in specific categories (notably biometric identification used by law enforcement) require a third-party notified body assessment.

    • Self-assessment path: Provider conducts internal conformity procedures, issues EU declaration of conformity, affixes CE marking
    • Notified body path: Accredited third-party auditor conducts assessment; required for biometric systems in law enforcement and certain other categories

    Following assessment, providers must issue an EU declaration of conformity and affix the CE marking. This is a prerequisite for EU market placement — not a post-market formality.

    For enterprises evaluating whether to build or buy AI systems with high-risk implications, our build vs. buy AI analysis covers the governance tradeoffs in detail.

    04 / 07Chapter

    Step 5: Register High-Risk AI and Understand GPAI Obligations

    In short

    High-risk AI systems must be registered in the EU database before deployment. General-Purpose AI models face separate obligations — including transparency, technical documentation, and for systemic-risk models, adversarial testing and incident reporting.

    Registration and GPAI compliance are two distinct tracks that run in parallel for many enterprises — particularly those that deploy foundation models alongside purpose-built high-risk systems.

    EU Database Registration for High-Risk AI

    Providers of high-risk AI systems listed in Annex III must register their systems in the EU database for AI systems (managed by the European Commission) before placing the system on the market. Deployers of certain high-risk systems in public-interest domains also have registration obligations.

    Registration requires submitting:

    • Provider name, address, and contact details
    • System name, version, and intended purpose
    • Description of the system's capabilities and limitations
    • Member states where the system is or will be deployed
    • A link to the instructions for use (for publicly visible entries)
    • Declaration of conformity reference number

    The database is publicly accessible for most categories — meaning regulators, civil society organizations, and the press can query it. Registration accuracy matters beyond pure legal compliance.

    General-Purpose AI: What the GPAI Rules Require

    General-Purpose AI models — including large language models like GPT-4 and Gemini — face obligations that have been in force since August 2, 2025. The General-Purpose AI Code of Practice, finalized in mid-2025 and signed by OpenAI, Google, and Microsoft (Presenc AI, May 2026), operationalizes these requirements.

    All GPAI model providers must:

    • Maintain technical documentation sufficient for downstream providers to comply with their own obligations
    • Provide information and documentation to downstream providers integrating the model
    • Publish a summary of training data used to develop the model (copyright-compliant)
    • Comply with EU copyright law in relation to training data

    GPAI models posing systemic risk (those trained with compute exceeding 10²⁵ FLOPs) face additional obligations:

    • Adversarial testing (red-teaming) before deployment
    • Serious incident reporting to the AI Office
    • Cybersecurity protection proportionate to systemic risk
    • Energy efficiency reporting

    For enterprises that deploy GPAI models via API — for example, building internal tools on top of GPT-4 or Claude — the obligations primarily sit with the model provider. However, enterprises that fine-tune or substantially modify these models step into provider obligations themselves.

    Understanding AI governance at the infrastructure level is a prerequisite for GPAI compliance. Our AI governance guide covers the organizational structures that underpin this work.

    Ready to accelerate your AI journey?

    Book a free 30-minute consultation with our AI strategists.

    Book Consultation
    05 / 07Chapter

    Step 6: Build an Internal AI Governance Structure That Scales

    In short

    Compliance is not a one-time project — it requires a permanent internal governance structure: an AI governance committee, designated compliance roles, a monitoring cadence, and documented escalation procedures. Enterprises that treat this as a project rather than a function will fall out of compliance as regulation evolves.

    The EU AI Act is a living framework. The European Commission updates implementing acts, the AI Office issues guidance, and member-state authorities develop national enforcement postures. An enterprise without a standing governance function cannot track and respond to these changes at the speed regulation demands.

    Standing AI Governance Committee: Minimum Viable Structure

    A functional AI governance committee requires representation from at least four functions: legal/compliance, IT/engineering, business (the AI system owners), and risk management. For enterprises operating in regulated sectors (financial services, healthcare, energy), a data protection officer should also participate.

    The committee's standing responsibilities include:

    • Quarterly inventory review: Add new systems, reclassify existing systems as use cases evolve, retire decommissioned systems
    • Regulatory monitoring: Track AI Office guidance, harmonized standards development (CEN/CENELEC), and member-state enforcement actions
    • Incident response: Own the escalation and reporting process for serious incidents involving high-risk AI systems
    • Supplier governance: Audit third-party AI vendors against their stated compliance posture; maintain contractual obligations for providers
    • Training and awareness: Ensure staff operating high-risk AI systems receive adequate training on human oversight obligations

    Fundamental Rights Impact Assessment (FRIA)

    Deployers of high-risk AI systems in certain contexts — particularly public authorities and private entities providing public services — must conduct a Fundamental Rights Impact Assessment before deployment. This is distinct from a standard data protection impact assessment (DPIA) under GDPR, though the two should be coordinated.

    A FRIA must assess the potential impact of the AI system on:

    • The right to non-discrimination and equal treatment
    • Privacy and data protection rights
    • Access to justice and effective remedy
    • Rights of vulnerable groups (children, people with disabilities)
    • The right to human dignity

    The FRIA must be documented and made available to market surveillance authorities upon request. It is not a one-time exercise — systems that change materially require a revised assessment.

    Post-Market Monitoring: The Ongoing Obligation

    Providers must establish a post-market monitoring system proportionate to the risk level and market volume of their AI system. This means proactively collecting and analyzing data on system performance in real-world conditions — not waiting for incidents to occur.

    • Performance drift detection: Monitor for degradation in accuracy, fairness, or reliability over time
    • Serious incident reporting: Report to national market surveillance authorities within 15 days for serious incidents or malfunctions posing risk to health, safety, or fundamental rights
    • Log retention: Automatic logging capabilities must be built in; logs retained for at least six months by deployers

    In our Alice Labs implementations, we consistently find that enterprises with mature MLOps practices adapt most quickly to post-market monitoring requirements. If your organization is building this capability, our MLOps guide provides the technical foundation. For a broader view of how compliance fits into an enterprise AI strategy, see our enterprise AI strategy framework.

    06 / 07Chapter

    Enforcement Reality: How Authorities Will Act and What Penalties Apply

    In short

    Enforcement is split between the AI Office (GPAI) and 27 national market surveillance authorities (high-risk AI). Penalties are tiered by violation type, ranging from €7.5M to €35M or 1.5% to 7% of global turnover — with SME-adjusted caps that do not apply to large enterprises.

    Understanding the enforcement architecture is not academic — it determines which authority your enterprise will face in a compliance investigation and what procedural rights apply.

    The Two-Track Enforcement Architecture

    The AI Office, established within the European Commission's DG CNECT, is the central enforcement body for General-Purpose AI model obligations. It has the authority to conduct investigations, request information, and impose penalties directly on GPAI providers — including non-EU companies.

    National market surveillance authorities (one per member state) enforce high-risk AI obligations within their jurisdiction. They can investigate providers and deployers, order systems to be withdrawn from the market, and impose financial penalties.

    For enterprises operating across multiple EU member states, this creates a multi-authority landscape. A German financial services firm deploying AI-driven credit scoring could face action from BaFin (as the sector regulator), the German market surveillance authority, and in some circumstances the AI Office — simultaneously.

    Penalty Structure: The Full Picture

    Penalties are set as the higher of a fixed euro amount or a percentage of global annual turnover — meaning large enterprises face higher absolute fines. SME-specific caps apply to small and medium enterprises but not to large corporations.

    • Prohibited AI practices (Article 5 violations): Up to €35 million or 7% of global annual turnover
    • Non-compliance with other obligations: Up to €15 million or 3% of global annual turnover
    • Incorrect, incomplete, or misleading information to authorities: Up to €7.5 million or 1.5% of global annual turnover

    These figures are sourced from the GLACIS EU AI Act Compliance Guide (April 2026). Member states may impose additional national penalties in regulated sectors.

    The Shadow AI Enforcement Risk

    One enforcement risk that enterprises consistently underestimate is shadow AI — AI tools adopted by employees without IT or legal approval. A business unit deploying a third-party AI recruitment tool without a compliance review does not absolve the enterprise of deployer obligations.

    Market surveillance authorities can trace AI system use to deployers even when the provider is headquartered outside the EU. If your enterprise lacks an AI usage policy and shadow AI controls, enforcement exposure is higher than your formal inventory suggests.

    Our article on shadow AI in enterprises covers the detection and governance approaches in detail. For a structured assessment of your organization's overall AI readiness — including governance maturity — see our AI readiness assessment framework.

    07 / 07Chapter

    Frequently Asked Questions: EU AI Act Compliance

    In short

    The most common questions enterprises ask about EU AI Act compliance — answered concisely with specific references to the regulation.

    When does the EU AI Act apply to high-risk AI systems?

    High-risk AI obligations under Annex I and Annex III apply from August 2, 2026. The prohibition on unacceptable-risk AI practices has been in force since February 2, 2025. GPAI model obligations have applied since August 2, 2025.

    Does the EU AI Act apply to companies outside the EU?

    Yes. The Act applies to any provider or deployer whose AI outputs are used in the EU, regardless of where the company is headquartered. US, UK, and Asian companies serving EU customers are in scope.

    What qualifies as high-risk AI under the EU AI Act?

    High-risk AI systems are those listed in Annex III of Regulation 2024/1689: biometric identification, critical infrastructure management, education, employment and HR, essential services (credit, insurance), law enforcement, migration, and administration of justice. Many common enterprise tools in HR and finance fall in this category.

    What is the difference between a provider and a deployer under the EU AI Act?

    A provider develops or places an AI system on the EU market under their own name. A deployer uses an AI system in a professional context. Providers carry heavier obligations (conformity assessment, CE marking, technical documentation). An enterprise that fine-tunes a third-party model becomes a provider, not just a deployer.

    What are the obligations for General-Purpose AI (GPAI) models?

    All GPAI providers must maintain technical documentation, provide information to downstream providers, publish training data summaries, and comply with EU copyright law. Models with systemic risk (trained with more than 10²⁵ FLOPs) also face adversarial testing, incident reporting, and cybersecurity requirements.

    What are the maximum fines under the EU AI Act?

    Fines reach €35 million or 7% of global annual turnover for prohibited AI practice violations (whichever is higher). Other violations carry fines up to €15 million or 3% of global turnover. Providing incorrect information to authorities carries fines up to €7.5 million or 1.5% of global turnover (GLACIS, April 2026).

    Do all high-risk AI systems need a third-party conformity assessment?

    No. Most Annex III high-risk AI systems can be self-assessed by the provider using internal conformity procedures. Third-party notified body assessments are required for specific categories, notably biometric identification systems used by law enforcement.

    Are there exemptions for SMEs under the EU AI Act?

    SMEs benefit from reduced fine caps and some procedural accommodations, including access to regulatory sandboxes. However, the substantive obligations — risk classification, technical documentation, conformity assessments — apply to SMEs as well as large enterprises. Size affects penalty magnitude, not compliance scope.

    About the Authors & Reviewers

    Published
    Written by
    Eric Lundberg - Co-Founder, Alice Labs at Alice Labs
    Eric Lundberg

    Co-Founder, Alice Labs

    Co-Founder at Alice Labs. Builds AI automation, agent workflows and integration systems that hold up in real business operations.

    • AI automation & agent systems lead
    • Workflow design across 100+ deployments
    • Specialist in RAG, integrations & APIs
    Reviewed by
    Linus Ingemarsson - Co-Founder, Alice Labs at Alice Labs
    Linus Ingemarsson

    Co-Founder, Alice Labs

    Co-Founder at Alice Labs. Author of 7 research reports on AI adoption, governance and labor markets cited across EU, OECD and US benchmarks.

    • 8+ years in AI strategy & implementation
    • Top-5 AI Speaker, Sweden (Mindley 2025)
    • 100+ enterprise AI engagements
    Published
    Reviewed for technical accuracy, methodology and source integrity.·All claims trace to public sources cited in-line.

    Frequently Asked Questions

    When does the EU AI Act apply to high-risk AI systems?

    High-risk AI obligations under Annex I and Annex III apply from August 2, 2026. The prohibition on unacceptable-risk AI practices has been in force since February 2, 2025. GPAI model obligations have applied since August 2, 2025.

    Does the EU AI Act apply to companies outside the EU?

    Yes. The Act applies to any provider or deployer whose AI outputs are used in the EU, regardless of headquarters location. US, UK, and Asian companies serving EU customers are fully in scope.

    What qualifies as high-risk AI under the EU AI Act?

    High-risk AI systems are those listed in Annex III: biometric identification, critical infrastructure, education, employment and HR, essential services, law enforcement, migration, and administration of justice. Many enterprise HR and finance tools fall in this category.

    What is the difference between a provider and a deployer?

    A provider develops or places an AI system on the EU market under their own name. A deployer uses an AI system professionally. Providers carry heavier obligations. Enterprises that fine-tune third-party models become providers and carry full provider obligations.

    What are the obligations for General-Purpose AI (GPAI) models?

    All GPAI providers must maintain technical documentation, provide downstream provider information, publish training data summaries, and comply with EU copyright law. Systemic-risk models (above 10²⁵ FLOPs) face additional adversarial testing and incident reporting requirements.

    What are the maximum fines under the EU AI Act?

    Fines reach €35 million or 7% of global annual turnover for prohibited AI practice violations. Other violations carry up to €15 million or 3%. Providing incorrect information to authorities carries up to €7.5 million or 1.5% of global turnover (GLACIS, April 2026).

    Do all high-risk AI systems need a third-party conformity assessment?

    No. Most Annex III systems can be self-assessed by the provider. Third-party notified body assessments are required for specific categories, primarily biometric identification systems used by law enforcement.

    Are there exemptions for SMEs under the EU AI Act?

    SMEs benefit from reduced fine caps and access to regulatory sandboxes. However, the substantive obligations — risk classification, documentation, conformity assessments — apply to SMEs and large enterprises alike. Size affects penalty magnitude, not compliance scope.

    Previous in AI Governance & Compliance

    EU AI Act Risk Categories: Unacceptable, High & Limited Risk

    Next in AI Governance & Compliance

    Best AI Governance Consulting Firms 2026: 13 Compared

    Further reading

    Related services

    Related reading

    comparison

    EU AI Act Compliance Checklist 2026: 10-Step Guide

    Step-by-step EU AI Act compliance checklist for enterprises. Risk classification, Annex IV documentation, FRIA, AI literacy, conformity assessment — before 2 Aug 2026.

    data

    What Is AI Governance? Frameworks & Compliance (2026)

    AI governance covers policy, process, and tooling for responsible AI. EU AI Act, NIST AI RMF, ISO 42001, OECD principles compared — with Alice Labs methodology.

    listicle

    Enterprise AI Strategy: 6-Step Framework for 2026

    A practical 6-step framework to build an enterprise AI strategy in 2026. Covers readiness, use case prioritization, governance, pilots, scale & ROI — with EU AI Act alignment.

    deepdive

    Why Ai Projects Fail

    Most AI projects fail before reaching production. Based on RAND, MIT Sloan, and 100+ Alice Labs engagements — the 7 root causes, with concrete fixes for each.

    glossary

    What Is Shadow AI? Risks, Examples & How to Manage It

    Shadow AI = unsanctioned AI use bypassing IT and governance. 5 risk categories, Samsung 2023 incident, EU AI Act + GDPR implications, audit methodology.

    Sources

    1. GLACIS EU AI Act Compliance GuideApri“Fine structure: €35M/7% for prohibited practices, €15M/3% for other violations, €7.5M/1.5% for incorrect information”
    2. Cleo Labs EU AI Act Compliance Guide 20262026“August 2, 2026 deadline for high-risk AI system obligations”
    3. Presenc AI EU AI Act OverviewMay “AI Office within DG CNECT enforces GPAI centrally; member-state MSAs handle high-risk AI. GPAI Code of Practice signed by OpenAI, Google, Microsoft.”
    4. Shucrani et al., SSRNMay “Screened study of 50 European AI companies found significant gaps in self-classification, particularly in HR, finance, and customer-service AI”
    5. Regulation (EU) 2024/1689 (EU AI Act)Augu“Full text of the EU AI Act, including Annex III high-risk categories, Annex IV technical documentation requirements, and penalty structure”

    Next scheduled review:

    Ready to accelerate your AI journey?

    Book a free 30-minute consultation with our AI strategists.

    Book Consultation
    Share

    Get in Touch!

    The lab usually responds within 24 hours.

    Need help with AI?Get in touch