Getting Started with AI Compliance: A Beginner's Guide
New to EU AI Act compliance? This step-by-step beginner's guide walks you through the first 90 days: from inventory to risk classification to documentation.
The EU AI Act (Regulation 2024/1689) is already in force, and the most significant compliance deadlines are approaching fast. If you are new to AI compliance, the regulation can feel overwhelming — it is long, technically complex, and cross-references dozens of other pieces of EU legislation.
This guide cuts through that complexity with a practical 90-day roadmap. It covers what triggers your obligations, how to build an AI inventory, how to classify your systems by risk, and what to do differently depending on that classification.
What Triggers Your AI Act Obligations
Your obligations under the AI Act depend on your role. The regulation distinguishes between providers — organisations that develop and place AI systems on the market — and deployers — organisations that use AI systems in their own operations.
If you develop AI systems and place them on the EU market, or develop them and put them into service for your own internal use, you are a provider. If you use AI tools bought from a vendor, integrated via API, or embedded in SaaS products you have purchased, you are likely a deployer. The distinction matters because providers bear the primary documentation and conformity assessment obligations, while deployers have a different set of obligations centred on use within the intended purpose, human oversight, log retention, and fundamental rights impact assessments for certain high-risk deployments. One caveat to keep in mind: under Article 25, a deployer of a high-risk system becomes its provider if it puts its own name or trademark on the system, substantially modifies it, or changes its intended purpose in a way that makes it high-risk. Fine-tuning or re-purposing a vendor model can therefore move you onto the provider path.
Most SMEs and enterprises that are not AI product companies will be deployers. This guide focuses primarily on the deployer path, while noting where provider obligations differ.
Two obligations already apply to everyone: the AI literacy requirement under Article 4 (in force since February 2025) and the prohibition on specific AI practices under Article 5 (also in force since February 2025). You cannot defer these while you figure out the rest.
Step 1: Build an AI Inventory (Weeks 1-2)
You cannot classify what you have not found. Start by building a complete inventory of every AI system your organisation uses — both systems you have built and third-party tools that incorporate AI.
For each system, document:
- Name and vendor — what the system is called and who provides it
- Purpose — what the system is used for, and which business function uses it
- Data inputs — what personal data, if any, the system processes
- Decision influence — does the system's output influence decisions about individuals?
- Users — which employees or business units rely on the output
- Deployment context — is this customer-facing, internal, or both?
Common categories to audit: HR and recruiting tools (applicant tracking, CV screening, performance systems), customer-facing tools (chatbots, recommendation engines, content personalisation), financial tools (credit decisioning, fraud detection, pricing models), security tools (network monitoring, access control), and any internal productivity tools with AI features.
This inventory will serve as your permanent AI register — a living document that must be updated whenever a new AI tool is adopted or an existing one changes significantly.
Step 2: Classify Risk (Weeks 3-4)
With your inventory in hand, apply the AI Act's four-tier risk framework to each system.
First, check Article 5, the prohibited practices list. Eight categories of AI practice are banned outright in the EU: subliminal or manipulative techniques that materially distort behaviour; exploitation of vulnerabilities due to age, disability or social or economic situation; social scoring that leads to detrimental or disproportionate treatment (the final text is not limited to public authorities); predicting the risk of a person committing a criminal offence based solely on profiling or personality traits; untargeted scraping of facial images from the internet or CCTV to build recognition databases; emotion recognition in workplaces and educational institutions (except for medical or safety reasons); biometric categorisation to infer sensitive attributes such as race, political opinions or sexual orientation; and real-time remote biometric identification in publicly accessible spaces for law enforcement purposes (subject to narrow exceptions). If any system in your inventory resembles these categories, seek legal advice immediately.
Second, check Annex III, the high-risk list. Eight areas are covered: biometrics, critical infrastructure, education and vocational training, employment and worker management, access to essential private and public services (credit scoring, life and health insurance pricing, public benefits, emergency services), law enforcement, migration and border control, and administration of justice and democratic processes. For each system in your inventory, ask: does its intended use match one of the specific use cases listed under these areas, AND does it make or materially influence decisions about natural persons? If yes, treat it as high-risk and subject to the full compliance regime by 2 August 2026. Two caveats. Article 6(3) exempts a system that only performs a narrow procedural task, improves the result of a previously completed human activity, detects deviations from prior decision patterns without replacing human assessment, or carries out a preparatory task; the exemption never applies to systems that profile natural persons, and the provider must document the assessment before placing the system on the market (Article 6(4)). Separately, an AI system that is a safety component of a product covered by the Annex I harmonisation legislation (machinery, medical devices, vehicles and similar) is high-risk under Article 6(1), with a later deadline of 2 August 2027.
Third, check Article 50, the transparency obligations, which also apply from 2 August 2026. Even systems that are not high-risk carry disclosure duties: providers must ensure that people interacting with a chatbot are told they are dealing with AI, and that synthetic audio, image, video or text output is marked in a machine-readable format; deployers must inform people exposed to an emotion recognition or biometric categorisation system, and must disclose when content is a deepfake.
Everything else is minimal risk — no specific obligations beyond Article 4 AI literacy.
Step 3: Start Documentation (Weeks 5-8)
For any high-risk AI system in your inventory, begin the compliance documentation process. The core documentation requirements under Articles 9–15 are:
- Risk management system (Article 9): a documented, ongoing process for identifying, evaluating, and mitigating risks
- Data governance (Article 10): documentation of training data quality, representativeness, and bias assessment (primarily for providers)
- Technical documentation (Article 11): comprehensive Annex IV documentation of the system's design, performance, and limitations
- Record-keeping (Article 12): automatic logging of events over the system's lifetime so that its operation can be traced and monitored; deployers must keep the logs under their control for at least six months (Article 26(6))
- Transparency to deployers (Article 13): instructions for use covering intended purpose, performance, limitations and the human oversight measures
- Human oversight (Article 14): documented oversight mechanisms and the ability for humans to understand, override or stop the system
- Accuracy, robustness and cybersecurity (Article 15): appropriate levels of accuracy and resilience against errors, plus protection against attempts by unauthorised third parties to alter use, outputs or performance, including data poisoning, model poisoning, adversarial examples and model evasion
For deployers using third-party high-risk AI systems, the provider should supply the technical documentation and instructions for use. Your obligation under Article 26 is to check those documents exist and are adequate, operate the system within its intended purpose, assign human oversight to people with the competence and authority to intervene, ensure that input data you control is relevant and sufficiently representative, monitor the system's operation and report risks or serious incidents to the provider and the market surveillance authority, retain the logs for at least six months, and, where the system is used at work, inform workers' representatives and affected workers before putting it into use.
Step 4: Ongoing AI Literacy (Continuous)
Article 4 requires all providers and deployers to ensure their personnel have sufficient AI literacy. This is not a one-time training event — it is an ongoing obligation. Build a programme that covers: what AI systems your organisation uses, how each system works at a level appropriate to the employee's role, known limitations and failure modes, how to escalate concerns, and updates when new systems are adopted.
Keep records. Article 4 does not carry a dedicated fine in Article 99, but national competent authorities may ask for evidence of how you meet it, and a documented training programme with role-based content and attendance records is the minimum you should be able to produce.
What Free Resources Are Available
The European Commission and ENISA have both published guidance documents to support compliance. The European AI Office (operating within the Commission) maintains the AI Act implementation portal at the European Commission digital strategy site. ENISA has published AI risk assessment methodology. The EDPB has issued guidance on the intersection of GDPR and AI. National competent authorities in larger member states (Germany's BSI, France's CNIL, the Netherlands' Autoriteit Persoonsgegevens) have also published sector-specific AI guidance.
Common Beginner Mistakes
The most common early-stage mistakes are: not completing the inventory before classifying (leading to missed systems); treating "our vendor is compliant" as sufficient without verifying documentation exists; postponing Article 4 AI literacy because it feels less urgent than the 2026 deadline; and treating risk classification as a one-time exercise rather than a process that needs revisiting when systems or use cases change. A classification done correctly in week 4 will still need to be re-evaluated when a new AI tool is adopted or an existing one is deployed in a new context.
Last updated: May 2026. For informational purposes only — not legal advice.
Frequently Asked Questions
We use AI features embedded in software we bought — do we have any obligations?
Yes. Deployers of high-risk AI systems have obligations under Article 26, even when using a third-party system. These include: using the system only within its intended purpose as specified by the provider; ensuring adequate human oversight is in place; monitoring operation and keeping the logs for at least six months; registering the system in the EU database before use if you are a public authority or act on its behalf (Article 49(3)); and conducting a fundamental rights impact assessment under Article 27 if you are a body governed by public law, a private operator providing public services, or a deployer of credit scoring or life and health insurance pricing systems. You also inherit the AI literacy obligation under Article 4 regardless of whether the AI is built in-house or bought from a vendor.
How do we handle AI features built into products like Microsoft 365 or Google Workspace?
These are general-purpose tools where AI features have been embedded by a provider subject to its own EU AI Act obligations. For most productivity AI features (writing suggestions, email summarisation, meeting transcription), the risk level is minimal or limited, and your obligations are primarily around Article 4 literacy and checking that you are not using the tools in ways that constitute prohibited practices. Where these tools are used to generate outputs that influence decisions about individuals — performance assessments, HR decisions — you should evaluate whether the specific use case creates a high-risk deployment that triggers Article 26 deployer obligations.
What is the penalty for not complying with the August 2026 high-risk deadline?
Non-compliance with the obligations on providers, deployers, importers and distributors of high-risk AI systems, or with the Article 50 transparency obligations, carries administrative fines of up to €15 million or 3% of worldwide annual turnover, whichever is higher, under Article 99(4). Deploying a prohibited AI practice under Article 5 carries fines of up to €35 million or 7% of worldwide annual turnover under Article 99(3), and supplying incorrect or misleading information to authorities up to €7.5 million or 1% under Article 99(5). For SMEs and start-ups the lower of the two amounts applies (Article 99(6)). National competent authorities have been designated across EU member states and are building enforcement capacity. The European AI Office has a direct role in overseeing general-purpose AI model providers and can coordinate enforcement action.
Sources
- EUR-Lex, Regulation (EU) 2024/1689 (EU AI Act), full text including Annex III and Article 26: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32024R1689
- European AI Office, AI Act implementation guidance: https://digital-strategy.ec.europa.eu/en/policies/european-ai-office
- ENISA, AI risk assessment methodology: https://www.enisa.europa.eu/topics/artificial-intelligence
- European Data Protection Board, Statement on AI and GDPR interaction: https://edpb.europa.eu/our-work-tools/our-documents/other-guidance/statement-processing-personal-data-context-ai-models_en
EuroComply Editorial Team
EU regulatory compliance specialists covering the AI Act, GDPR, NIS2, and related legislation. Content reviewed against official EU regulation texts and enforcement guidance.