What EU AI Act Compliance Actually Means for Enterprises
In short
EU AI Act compliance means meeting legally binding obligations that vary by your role (provider or deployer) and your AI system's risk classification. The rules are not uniform — a chatbot and a medical diagnostic tool face completely different requirements.
EU AI Act compliance is an enterprise's adherence to Regulation 2024/1689 — the world's first comprehensive legal framework for artificial intelligence. It classifies AI systems by risk level and mandates proportional obligations for every provider and deployer whose outputs reach the EU market.
The regulation is not a single deadline. It applies in progressive waves, with each phase activating a new layer of obligations.
The Enforcement Timeline You Must Know
The Act entered into force on August 1, 2024. Since then, four enforcement milestones govern when each obligation becomes legally binding.
| Date | Obligation | Who It Affects |
|---|---|---|
| Feb 2, 2025 | Prohibited AI practices banned outright | All providers and deployers |
| Aug 2, 2025 | GPAI model obligations and codes of practice | General-purpose AI model providers |
| Aug 2, 2026 | Full high-risk AI obligations (Annex I and III systems) | Providers and deployers of high-risk AI |
| Aug 2, 2027 | High-risk AI in legacy Annex I systems | Operators of existing regulated-sector systems |
| Ongoing | Notified body conformity assessments | High-risk AI providers seeking EU market access |
The penalty structure scales with severity, according to the GLACIS EU AI Act Compliance Guide (April 2026):
- €35M or 7% of global turnover: Prohibited AI practices (whichever is higher)
- €15M or 3% of global turnover: Other violations of the regulation
- €7.5M or 1.5% of global turnover: Providing incorrect information to authorities
Two enforcement bodies share jurisdiction. The AI Office within DG CNECT handles General-Purpose AI model enforcement centrally. Member-state market surveillance authorities handle high-risk AI at national level, as confirmed by Presenc AI (May 2026).
The EU AI Act applies to any provider or deployer whose AI outputs are used in the EU — including companies headquartered in the US, UK, or Asia. Non-EU companies are not exempt.
Provider vs. Deployer: Who Bears What Obligation
The Act draws a critical distinction between two roles, each carrying different legal burdens.
A provider is any natural or legal person that develops an AI system or general-purpose AI model and places it on the EU market — or puts it into service under their own name or trademark. A deployer is any entity using an AI system under its authority in a professional context.
- Provider obligations (high-risk AI): Technical documentation, conformity assessments, CE marking, post-market monitoring, EU database registration, incident reporting
- Deployer obligations (high-risk AI): Fundamental rights impact assessments, human oversight implementation, use-case logging, staff training, transparency to affected persons
A single enterprise can be both. If you fine-tune a third-party model (e.g. an OpenAI base model) and deploy it internally for HR decisions, you are simultaneously a provider and a deployer — and carry the full burden of both roles.
In our experience across 100+ enterprise AI implementations at Alice Labs, the provider-deployer boundary is the most commonly misunderstood aspect of the regulation. Most enterprises that customize foundation models do not realize they have stepped into the provider role — and with it, the heavier compliance obligations.
Steps 1–2: Inventory Your AI Systems and Classify Risk
In short
Before you can comply, you need a complete inventory of every AI system in use, then map each to one of four risk tiers: unacceptable, high, limited, or minimal. Classification determines every subsequent obligation.
You cannot assess risk or assign compliance obligations without first knowing what AI systems your enterprise uses. An AI inventory is the non-negotiable foundation — and in practice, it routinely uncovers systems that business units deployed without IT or legal awareness.
Building Your AI Inventory: What to Capture
A complete inventory requires surveying every department, not just IT. Many high-risk systems enter enterprises through SaaS procurement — an HR team subscribing to an AI-driven recruitment platform, or a finance team using an automated credit-decisioning tool.
For each AI system, document:
- System name and vendor
- Business purpose and use case
- Data inputs (personal data, biometric data, financial data)
- Decision outputs (advisory, automated, binding)
- Affected populations (employees, customers, EU residents)
- Provider vs. deployer role for your organization
A screened study of 50 European AI companies published on SSRN (Shucrani et al., May 2026) found significant gaps in how enterprises classify their own systems — particularly in HR, finance, and customer-service contexts. Underclassification is a material compliance risk.
The European Commission's AI Act Service Desk offers a free compliance checker at ai-act-service-desk.ec.europa.eu — use it as your starting classification baseline, then validate with legal counsel.
The Four Risk Tiers: What Each Means
Once your inventory is complete, map every system to one of the Act's four tiers. The tier determines the entire compliance pathway.
| Risk Tier | Examples | Core Obligation | Penalty for Breach |
|---|---|---|---|
| Unacceptable | Social scoring by governments, real-time biometric surveillance in public spaces | Prohibited entirely — cannot be deployed | Up to €35M or 7% of global turnover |
| High | Employment AI, credit scoring, biometric identification | Full conformity assessment, documentation, EU database registration | Up to €15M or 3% of global turnover |
| Limited | Chatbots, deepfake generators, emotion-recognition tools | Transparency disclosures only (must identify as AI) | Up to €7.5M or 1.5% of global turnover |
| Minimal | Spam filters, AI in video games, recommendation engines | No mandatory obligations under the Act | N/A |
Annex III: The High-Risk Categories That Catch Enterprises Off-Guard
Annex III defines eight categories of high-risk AI. Many enterprise tools already in common use fall within these categories — often without the deploying organization realizing it.
- Biometric identification: Employee access control, identity verification in customer onboarding, facial recognition in timekeeping systems
- Critical infrastructure: AI managing energy grids, water systems, or transport networks
- Education and vocational training: AI-graded assessments, admissions scoring, learning-performance monitoring
- Employment and HR: CV screening tools, performance monitoring, promotion algorithms, workforce analytics
- Essential private and public services: Credit scoring, insurance risk assessment, social benefit eligibility
- Law enforcement: Predictive policing tools (certain forms also prohibited)
- Migration and border control: Visa risk-scoring, border management AI
- Administration of justice: AI assisting in legal interpretation or dispute resolution
Enterprises in regulated industries — particularly financial services, HR technology, and healthcare — should assume Annex III applies until a formal classification exercise proves otherwise. Uncertainty about classification is not a legal defense under the regulation.
Our enterprise AI strategy framework provides a structured approach to mapping AI systems against regulatory obligations before deployment — a step that, in our experience, saves significant remediation cost later. See also our EU AI Act compliance checklist for 2026 for a practical tool you can use alongside this guide.
Steps 3–4: Meet High-Risk Obligations and Document Everything
In short
High-risk AI systems require six concrete compliance pillars: a quality management system, technical documentation, data governance, human oversight, accuracy and robustness testing, and post-market monitoring. Documentation is not optional — it is the evidentiary record regulators will request.
If your inventory confirms a high-risk system, six parallel workstreams activate simultaneously. Each is a hard requirement under Regulation 2024/1689 — and each must be completed before the system is placed on the EU market or put into service.
The Six High-Risk Compliance Pillars
- 1. Quality management system (QMS): A documented QMS covering design, development, testing, and post-deployment monitoring. Must include roles, responsibilities, and review cadences.
- 2. Technical documentation: Comprehensive pre-deployment documentation covering the system's purpose, architecture, training data, performance metrics, known limitations, and risk mitigations. Updated when the system changes materially.
- 3. Data governance: Training, validation, and testing datasets must meet quality criteria. Bias examination is mandatory. Data lineage must be documented.
- 4. Human oversight mechanisms: Systems must be designed so that human operators can understand, monitor, and intervene. This is not a checkbox — it requires technical implementation (audit logs, override mechanisms, interpretability outputs).
- 5. Accuracy, robustness, and cybersecurity: The system must meet declared performance levels and be resilient to attempts to alter its behavior. Testing against adversarial inputs is expected.
- 6. Post-market monitoring: Providers must proactively collect and analyze real-world performance data after deployment. Serious incidents must be reported to national market surveillance authorities.
Technical Documentation: What Regulators Will Expect
Technical documentation under Annex IV of the Act is the primary evidentiary record for conformity assessments. It must be maintained for 10 years after the system is placed on the market.
The documentation package must include:
- General description of the AI system, its intended purpose, and version history
- Description of the components, algorithms, and model architecture (with sufficient detail for auditor review)
- Training methodology, dataset characteristics, and pre-processing procedures
- Validation and testing procedures — including performance metrics, test sets, and known failure modes
- Risk management documentation per the QMS
- Description of human oversight measures and their technical implementation
- Cybersecurity measures and resilience testing outcomes
From our work implementing AI governance frameworks for enterprises in regulated sectors, the documentation gap is where most organizations are furthest behind. Building documentation retroactively — after a system is already in production — is significantly more costly than integrating it into the development process from the start.
Conformity Assessment: Self-Assessment vs. Notified Body
Most high-risk AI systems in Annex III can be self-assessed by the provider — using internal procedures against harmonized standards. However, systems in specific categories (notably biometric identification used by law enforcement) require a third-party notified body assessment.
- Self-assessment path: Provider conducts internal conformity procedures, issues EU declaration of conformity, affixes CE marking
- Notified body path: Accredited third-party auditor conducts assessment; required for biometric systems in law enforcement and certain other categories
Following assessment, providers must issue an EU declaration of conformity and affix the CE marking. This is a prerequisite for EU market placement — not a post-market formality.
For enterprises evaluating whether to build or buy AI systems with high-risk implications, our build vs. buy AI analysis covers the governance tradeoffs in detail.
Step 5: Register High-Risk AI and Understand GPAI Obligations
In short
High-risk AI systems must be registered in the EU database before deployment. General-Purpose AI models face separate obligations — including transparency, technical documentation, and for systemic-risk models, adversarial testing and incident reporting.
Registration and GPAI compliance are two distinct tracks that run in parallel for many enterprises — particularly those that deploy foundation models alongside purpose-built high-risk systems.
EU Database Registration for High-Risk AI
Providers of high-risk AI systems listed in Annex III must register their systems in the EU database for AI systems (managed by the European Commission) before placing the system on the market. Deployers of certain high-risk systems in public-interest domains also have registration obligations.
Registration requires submitting:
- Provider name, address, and contact details
- System name, version, and intended purpose
- Description of the system's capabilities and limitations
- Member states where the system is or will be deployed
- A link to the instructions for use (for publicly visible entries)
- Declaration of conformity reference number
The database is publicly accessible for most categories — meaning regulators, civil society organizations, and the press can query it. Registration accuracy matters beyond pure legal compliance.
General-Purpose AI: What the GPAI Rules Require
General-Purpose AI models — including large language models like GPT-4 and Gemini — face obligations that have been in force since August 2, 2025. The General-Purpose AI Code of Practice, finalized in mid-2025 and signed by OpenAI, Google, and Microsoft (Presenc AI, May 2026), operationalizes these requirements.
All GPAI model providers must:
- Maintain technical documentation sufficient for downstream providers to comply with their own obligations
- Provide information and documentation to downstream providers integrating the model
- Publish a summary of training data used to develop the model (copyright-compliant)
- Comply with EU copyright law in relation to training data
GPAI models posing systemic risk (those trained with compute exceeding 10²⁵ FLOPs) face additional obligations:
- Adversarial testing (red-teaming) before deployment
- Serious incident reporting to the AI Office
- Cybersecurity protection proportionate to systemic risk
- Energy efficiency reporting
For enterprises that deploy GPAI models via API — for example, building internal tools on top of GPT-4 or Claude — the obligations primarily sit with the model provider. However, enterprises that fine-tune or substantially modify these models step into provider obligations themselves.
Understanding AI governance at the infrastructure level is a prerequisite for GPAI compliance. Our AI governance guide covers the organizational structures that underpin this work.
Ready to accelerate your AI journey?
Book a free 30-minute consultation with our AI strategists.
Book ConsultationStep 6: Build an Internal AI Governance Structure That Scales
In short
Compliance is not a one-time project — it requires a permanent internal governance structure: an AI governance committee, designated compliance roles, a monitoring cadence, and documented escalation procedures. Enterprises that treat this as a project rather than a function will fall out of compliance as regulation evolves.
The EU AI Act is a living framework. The European Commission updates implementing acts, the AI Office issues guidance, and member-state authorities develop national enforcement postures. An enterprise without a standing governance function cannot track and respond to these changes at the speed regulation demands.
Standing AI Governance Committee: Minimum Viable Structure
A functional AI governance committee requires representation from at least four functions: legal/compliance, IT/engineering, business (the AI system owners), and risk management. For enterprises operating in regulated sectors (financial services, healthcare, energy), a data protection officer should also participate.
The committee's standing responsibilities include:
- Quarterly inventory review: Add new systems, reclassify existing systems as use cases evolve, retire decommissioned systems
- Regulatory monitoring: Track AI Office guidance, harmonized standards development (CEN/CENELEC), and member-state enforcement actions
- Incident response: Own the escalation and reporting process for serious incidents involving high-risk AI systems
- Supplier governance: Audit third-party AI vendors against their stated compliance posture; maintain contractual obligations for providers
- Training and awareness: Ensure staff operating high-risk AI systems receive adequate training on human oversight obligations
Fundamental Rights Impact Assessment (FRIA)
Deployers of high-risk AI systems in certain contexts — particularly public authorities and private entities providing public services — must conduct a Fundamental Rights Impact Assessment before deployment. This is distinct from a standard data protection impact assessment (DPIA) under GDPR, though the two should be coordinated.
A FRIA must assess the potential impact of the AI system on:
- The right to non-discrimination and equal treatment
- Privacy and data protection rights
- Access to justice and effective remedy
- Rights of vulnerable groups (children, people with disabilities)
- The right to human dignity
The FRIA must be documented and made available to market surveillance authorities upon request. It is not a one-time exercise — systems that change materially require a revised assessment.
Post-Market Monitoring: The Ongoing Obligation
Providers must establish a post-market monitoring system proportionate to the risk level and market volume of their AI system. This means proactively collecting and analyzing data on system performance in real-world conditions — not waiting for incidents to occur.
- Performance drift detection: Monitor for degradation in accuracy, fairness, or reliability over time
- Serious incident reporting: Report to national market surveillance authorities within 15 days for serious incidents or malfunctions posing risk to health, safety, or fundamental rights
- Log retention: Automatic logging capabilities must be built in; logs retained for at least six months by deployers
In our Alice Labs implementations, we consistently find that enterprises with mature MLOps practices adapt most quickly to post-market monitoring requirements. If your organization is building this capability, our MLOps guide provides the technical foundation. For a broader view of how compliance fits into an enterprise AI strategy, see our enterprise AI strategy framework.
Enforcement Reality: How Authorities Will Act and What Penalties Apply
In short
Enforcement is split between the AI Office (GPAI) and 27 national market surveillance authorities (high-risk AI). Penalties are tiered by violation type, ranging from €7.5M to €35M or 1.5% to 7% of global turnover — with SME-adjusted caps that do not apply to large enterprises.
Understanding the enforcement architecture is not academic — it determines which authority your enterprise will face in a compliance investigation and what procedural rights apply.
The Two-Track Enforcement Architecture
The AI Office, established within the European Commission's DG CNECT, is the central enforcement body for General-Purpose AI model obligations. It has the authority to conduct investigations, request information, and impose penalties directly on GPAI providers — including non-EU companies.
National market surveillance authorities (one per member state) enforce high-risk AI obligations within their jurisdiction. They can investigate providers and deployers, order systems to be withdrawn from the market, and impose financial penalties.
For enterprises operating across multiple EU member states, this creates a multi-authority landscape. A German financial services firm deploying AI-driven credit scoring could face action from BaFin (as the sector regulator), the German market surveillance authority, and in some circumstances the AI Office — simultaneously.
Penalty Structure: The Full Picture
Penalties are set as the higher of a fixed euro amount or a percentage of global annual turnover — meaning large enterprises face higher absolute fines. SME-specific caps apply to small and medium enterprises but not to large corporations.
- Prohibited AI practices (Article 5 violations): Up to €35 million or 7% of global annual turnover
- Non-compliance with other obligations: Up to €15 million or 3% of global annual turnover
- Incorrect, incomplete, or misleading information to authorities: Up to €7.5 million or 1.5% of global annual turnover
These figures are sourced from the GLACIS EU AI Act Compliance Guide (April 2026). Member states may impose additional national penalties in regulated sectors.
The Shadow AI Enforcement Risk
One enforcement risk that enterprises consistently underestimate is shadow AI — AI tools adopted by employees without IT or legal approval. A business unit deploying a third-party AI recruitment tool without a compliance review does not absolve the enterprise of deployer obligations.
Market surveillance authorities can trace AI system use to deployers even when the provider is headquartered outside the EU. If your enterprise lacks an AI usage policy and shadow AI controls, enforcement exposure is higher than your formal inventory suggests.
Our article on shadow AI in enterprises covers the detection and governance approaches in detail. For a structured assessment of your organization's overall AI readiness — including governance maturity — see our AI readiness assessment framework.
Frequently Asked Questions: EU AI Act Compliance
In short
The most common questions enterprises ask about EU AI Act compliance — answered concisely with specific references to the regulation.
When does the EU AI Act apply to high-risk AI systems?
High-risk AI obligations under Annex I and Annex III apply from August 2, 2026. The prohibition on unacceptable-risk AI practices has been in force since February 2, 2025. GPAI model obligations have applied since August 2, 2025.
Does the EU AI Act apply to companies outside the EU?
Yes. The Act applies to any provider or deployer whose AI outputs are used in the EU, regardless of where the company is headquartered. US, UK, and Asian companies serving EU customers are in scope.
What qualifies as high-risk AI under the EU AI Act?
High-risk AI systems are those listed in Annex III of Regulation 2024/1689: biometric identification, critical infrastructure management, education, employment and HR, essential services (credit, insurance), law enforcement, migration, and administration of justice. Many common enterprise tools in HR and finance fall in this category.
What is the difference between a provider and a deployer under the EU AI Act?
A provider develops or places an AI system on the EU market under their own name. A deployer uses an AI system in a professional context. Providers carry heavier obligations (conformity assessment, CE marking, technical documentation). An enterprise that fine-tunes a third-party model becomes a provider, not just a deployer.
What are the obligations for General-Purpose AI (GPAI) models?
All GPAI providers must maintain technical documentation, provide information to downstream providers, publish training data summaries, and comply with EU copyright law. Models with systemic risk (trained with more than 10²⁵ FLOPs) also face adversarial testing, incident reporting, and cybersecurity requirements.
What are the maximum fines under the EU AI Act?
Fines reach €35 million or 7% of global annual turnover for prohibited AI practice violations (whichever is higher). Other violations carry fines up to €15 million or 3% of global turnover. Providing incorrect information to authorities carries fines up to €7.5 million or 1.5% of global turnover (GLACIS, April 2026).
Do all high-risk AI systems need a third-party conformity assessment?
No. Most Annex III high-risk AI systems can be self-assessed by the provider using internal conformity procedures. Third-party notified body assessments are required for specific categories, notably biometric identification systems used by law enforcement.
Are there exemptions for SMEs under the EU AI Act?
SMEs benefit from reduced fine caps and some procedural accommodations, including access to regulatory sandboxes. However, the substantive obligations — risk classification, technical documentation, conformity assessments — apply to SMEs as well as large enterprises. Size affects penalty magnitude, not compliance scope.
About the Authors & Reviewers

Co-Founder, Alice Labs
Co-Founder at Alice Labs. Builds AI automation, agent workflows and integration systems that hold up in real business operations.
- AI automation & agent systems lead
- Workflow design across 100+ deployments
- Specialist in RAG, integrations & APIs

Co-Founder, Alice Labs
Co-Founder at Alice Labs. Author of 7 research reports on AI adoption, governance and labor markets cited across EU, OECD and US benchmarks.
- 8+ years in AI strategy & implementation
- Top-5 AI Speaker, Sweden (Mindley 2025)
- 100+ enterprise AI engagements
Frequently Asked Questions
When does the EU AI Act apply to high-risk AI systems?
High-risk AI obligations under Annex I and Annex III apply from August 2, 2026. The prohibition on unacceptable-risk AI practices has been in force since February 2, 2025. GPAI model obligations have applied since August 2, 2025.
Does the EU AI Act apply to companies outside the EU?
Yes. The Act applies to any provider or deployer whose AI outputs are used in the EU, regardless of headquarters location. US, UK, and Asian companies serving EU customers are fully in scope.
What qualifies as high-risk AI under the EU AI Act?
High-risk AI systems are those listed in Annex III: biometric identification, critical infrastructure, education, employment and HR, essential services, law enforcement, migration, and administration of justice. Many enterprise HR and finance tools fall in this category.
What is the difference between a provider and a deployer?
A provider develops or places an AI system on the EU market under their own name. A deployer uses an AI system professionally. Providers carry heavier obligations. Enterprises that fine-tune third-party models become providers and carry full provider obligations.
What are the obligations for General-Purpose AI (GPAI) models?
All GPAI providers must maintain technical documentation, provide downstream provider information, publish training data summaries, and comply with EU copyright law. Systemic-risk models (above 10²⁵ FLOPs) face additional adversarial testing and incident reporting requirements.
What are the maximum fines under the EU AI Act?
Fines reach €35 million or 7% of global annual turnover for prohibited AI practice violations. Other violations carry up to €15 million or 3%. Providing incorrect information to authorities carries up to €7.5 million or 1.5% of global turnover (GLACIS, April 2026).
Do all high-risk AI systems need a third-party conformity assessment?
No. Most Annex III systems can be self-assessed by the provider. Third-party notified body assessments are required for specific categories, primarily biometric identification systems used by law enforcement.
Are there exemptions for SMEs under the EU AI Act?
SMEs benefit from reduced fine caps and access to regulatory sandboxes. However, the substantive obligations — risk classification, documentation, conformity assessments — apply to SMEs and large enterprises alike. Size affects penalty magnitude, not compliance scope.
EU AI Act Risk Categories: Unacceptable, High & Limited Risk
Next in AI Governance & ComplianceBest AI Governance Consulting Firms 2026: 13 Compared
Further reading
- GLACIS EU AI Act Compliance Guide (April 2026)· glacis.io
- Cleo Labs EU AI Act Compliance Guide 2026· cleolabs.co
Related services
Related reading
EU AI Act Compliance Checklist 2026: 10-Step Guide
Step-by-step EU AI Act compliance checklist for enterprises. Risk classification, Annex IV documentation, FRIA, AI literacy, conformity assessment — before 2 Aug 2026.
dataWhat Is AI Governance? Frameworks & Compliance (2026)
AI governance covers policy, process, and tooling for responsible AI. EU AI Act, NIST AI RMF, ISO 42001, OECD principles compared — with Alice Labs methodology.
listicleEnterprise AI Strategy: 6-Step Framework for 2026
A practical 6-step framework to build an enterprise AI strategy in 2026. Covers readiness, use case prioritization, governance, pilots, scale & ROI — with EU AI Act alignment.
deepdiveWhy Ai Projects Fail
Most AI projects fail before reaching production. Based on RAND, MIT Sloan, and 100+ Alice Labs engagements — the 7 root causes, with concrete fixes for each.
glossaryWhat Is Shadow AI? Risks, Examples & How to Manage It
Shadow AI = unsanctioned AI use bypassing IT and governance. 5 risk categories, Samsung 2023 incident, EU AI Act + GDPR implications, audit methodology.
Sources
- GLACIS EU AI Act Compliance GuideApri“Fine structure: €35M/7% for prohibited practices, €15M/3% for other violations, €7.5M/1.5% for incorrect information”
- Cleo Labs EU AI Act Compliance Guide 20262026“August 2, 2026 deadline for high-risk AI system obligations”
- Presenc AI EU AI Act OverviewMay “AI Office within DG CNECT enforces GPAI centrally; member-state MSAs handle high-risk AI. GPAI Code of Practice signed by OpenAI, Google, Microsoft.”
- Shucrani et al., SSRNMay “Screened study of 50 European AI companies found significant gaps in self-classification, particularly in HR, finance, and customer-service AI”
- Regulation (EU) 2024/1689 (EU AI Act)Augu“Full text of the EU AI Act, including Annex III high-risk categories, Annex IV technical documentation requirements, and penalty structure”
Next scheduled review: