In brief

What is the EU AI Act and what must an organisation do before 2 August 2026?

The EU AI Act (Regulation 2024/1689) is the world's first horizontal regulation of artificial intelligence. It sorts AI systems into four risk levels — unacceptable (banned), high, limited and minimal — and imposes growing obligations as the risk rises. Prohibited practices and the AI-literacy obligation have applied since 2 February 2025; general-purpose AI model obligations since 2 August 2025; the requirements for high-risk systems (Annex III) and transparency (Article 50) become applicable on 2 August 2026. Fines reach €35M or 7% of worldwide turnover. Before August 2026, an organisation must: inventory its AI systems, determine each one's risk class, document high-risk systems, assign responsibilities and train its teams.

Definition

EU AI Act (Regulation 2024/1689) — The European Union regulation on artificial intelligence, adopted in 2024, governing the placing on the market and use of AI systems through a risk-based approach. It applies to both providers and deployers, including outside the EU where a system's output is used within the Union.

2 Feb 2025
Prohibited practices + AI literacy
2 Aug 2025
General-purpose AI models (GPAI)
2 Aug 2026
High-risk systems + transparency
€35M / 7%
Maximum fine (worldwide turnover)

Are you in scope?

If your organisation designs, integrates or uses an AI system whose output is used in the European Union, you fall within the regulation — whether it is a model built in-house, an off-the-shelf copilot, or an AI feature buried inside business software. Being a 'deployer' is enough to trigger obligations. The first step is always an inventory: you cannot comply with what you have not recorded.

The four risk levels

  • Unacceptable risk — prohibited practices (social scoring, manipulation, mass biometric identification). Banned since February 2025.
  • High risk — AI in recruitment, credit, education, critical infrastructure, justice (Annex III). Documentation, risk management, human oversight and registration are mandatory.
  • Limited risk — chatbots, generated content, deepfakes. Transparency obligation: users must know they are interacting with AI (Article 50).
  • Minimal risk — the vast majority of uses (spam filters, recommendations). No binding obligations; good practice encouraged.

Our approach

We start from your context and engineering good practices to make the AI Act concrete, rather than a report that gathers dust. Every system is placed, obligations are clarified with an owner and a deadline, and the documentation to prepare is identified. For strictly legal matters, we work with a specialist. We handle the AI Act alongside the GDPR: the two regimes overlap heavily.

What you get

  • Help with the inventory of AI systems (built, integrated, purchased)
  • Help classifying systems by risk level
  • Points of attention and documentation to prepare (Annex IV)
  • Human-oversight and risk-management recommendations
  • Clarification of provider / deployer roles
  • Team awareness (AI literacy)
  • A preparation roadmap towards the 2 August 2026 deadline
FAQ

Frequently asked

Answers to the most common questions — timelines, sectors, compliance, hosting, methodology.

When does the AI Act actually bite?

In stages. Prohibited practices and the AI-literacy obligation have applied since 2 February 2025. General-purpose AI model obligations since 2 August 2025. High-risk system and transparency requirements become applicable on 2 August 2026. Extended deadlines run to 2027–2030 for certain systems embedded in regulated products.

We don't "build" AI, we just bought a copilot. Are we in scope?

Yes. The regulation also covers 'deployers' — organisations that use an AI system. Your obligations are lighter than a provider's, but they exist: informing individuals, human oversight, respecting usage conditions, and AI literacy for your teams.

How long does getting compliant take?

Inventory and classification take 2 to 4 weeks. Documenting and remediating a high-risk system takes 6 to 12 weeks depending on complexity. We prioritise by regulatory risk and exposure so the critical work is done before the deadline.

Do you handle the AI Act and GDPR together?

Yes, always. The two regimes share most of their documentation (impact assessments, registers, legal bases). Handling them together avoids producing the same deliverables twice and keeps AI compliance and data protection consistent.

Ready to unlock
your data?

Let’s discuss your transformation challenges. An initial conversation, no commitment, to frame your need and see how to move forward.