EU AI Act Compliance: Avoid €35M Fines Before August 2026

The EU AI Act (Regulation 2024/1689) is the world's first comprehensive legal framework governing artificial intelligence systems, applicable to any company that develops, places on the market, or uses AI within the European Union, regardless of where the company is established. It establishes a four-tier risk classification — prohibited, high-risk, limited-risk, and minimal-risk — with fines reaching EUR 35 million or 7% of global annual turnover for the most serious violations. Prohibitions on unacceptable AI practices took effect in February 2025, while full obligations for high-risk AI systems under Annex III apply from August 2026.

Our regulatory technology team combines legal expertise in the EU AI Act with practical experience in information systems, data governance, and European digital regulation.

The Compliance Window Is Already Open

The AI Act is not a future regulation. Its first obligations — the prohibitions on unacceptable AI practices — became enforceable in August 2025. Companies using AI in recruitment, credit scoring, customer interaction, or any process affecting individuals in the EU are already subject to enforcement. The August 2026 deadline for high-risk AI system obligations appears distant, but conformity assessments, technical documentation, and risk management systems require months of preparatory work. Companies that begin in 2026 will not finish in time.

The Inventory Problem

The starting point is always the inventory. Most organisations lack a complete picture of all the AI systems they use: HR tools with automated screening algorithms, marketing platforms with behavioural segmentation, customer scoring systems, service chatbots, predictive analytics tools. Each must be classified within the Regulation’s taxonomy to determine which obligations apply. Misclassification — particularly underestimating the risk level — is the most common error and the one that creates the greatest enforcement exposure. A system that processes CV data to rank candidates is almost certainly high-risk under Annex III, regardless of how the vendor markets it.

High-Risk System Obligations in Practice

For systems classified as high-risk, the obligations are substantial. The provider must maintain detailed technical documentation, implement a risk management system, ensure training data quality, guarantee system transparency and interpretability, design effective human oversight mechanisms, and register the system in the EU database before commercialisation. We coordinate this process with data protection obligations under the GDPR, which overlap significantly when AI systems process personal data and require coordinated impact assessments.

The Contract Layer

The AI Act restructures contractual relationships across the AI supply chain. Agreements with AI system providers must be reviewed to ensure that Regulation obligations are correctly allocated between provider and deployer, that access rights to the technical documentation required for compliance are in place, and that contracts address serious incident scenarios requiring authority notification. This contractual review is an integral component of our compliance service.

Building Compliance as a Competitive Asset

AI governance is the necessary internal complement to regulatory compliance. Organisations that manage their AI systems well do not merely avoid fines: they build trust assets with customers, partners, and regulators that generate real competitive advantage in a market where algorithmic opacity is increasingly unacceptable to institutional buyers, insurers, and counterparties conducting due diligence.