EU AI Act Compliance Guide: 2026 Business Checklist


Data Freshness Patch — June 29, 2026. This article was rechecked against official AI Act implementation material and the latest US state/federal AI policy developments available on the review date.
- The European Commission’s AI Act page confirms the risk-based model, prohibited-practice rules from February 2025, transparency rules in August 2026, and GPAI rules from August 2025.
- The Commission’s AI Omnibus implementation timeline states that certain stand-alone high-risk AI rules apply from December 2027, while product-integrated high-risk AI rules apply from August 2028.
- The Commission extended the targeted consultation on draft high-risk classification guidelines to 23 July 2026, with final guidelines expected by the end of 2026.
Editorial note: Treat this as a compliance research article, not legal advice. Before publication or client use, verify any date-sensitive requirement against official EU, Colorado, or federal sources.
EU AI Act Compliance Guide: What Businesses Must Do in 2026
Estimated reading time: 24 minutes. Content depth: mixed — built for business, legal, compliance, product, and technical teams.
Who Should Read This?
AI Governance Leads
Use this to convert the AI Act into an inventory, classification, and control program.
Compliance Officers
Use it to identify evidence, deadlines, audit owners, and policy gaps before regulators ask.
CTOs and Product Managers
Use it to understand which product decisions create high-risk, transparency, or GPAI obligations.
CISOs and Security Teams
Use it to map logging, access control, incident response, and third-party AI exposure.
🆕 New to this topic? Start here
What does this article cover?
This article explains what businesses must do to prepare for the EU AI Act. It helps you understand which AI tools need attention, which deadlines matter, and what evidence your team should keep. The goal is simple: turn a complicated law into practical work your legal, product, and technical teams can actually complete.
New to EU AI Act compliance? Some background
The EU AI Act is a European law for artificial intelligence, which means software that can make predictions, recommendations, decisions, or content. It matters now because companies are using AI inside hiring, customer service, finance, healthcare, software, and operations. The law does not ban most AI. It asks companies to handle higher-risk uses with stronger controls.
Key terms used in this article
- AI system
- Software that can produce outputs such as predictions, content, recommendations, or decisions that influence people or environments.
- Provider
- The organization that develops or places an AI system on the market under its own name or trademark.
- Deployer
- The organization that uses an AI system in a professional context, such as a company using an AI hiring tool.
- High-risk AI
- An AI system used in sensitive areas where mistakes can affect health, safety, rights, employment, education, credit, or access to essential services.
- GPAI model
- A general-purpose AI model that can support many different tasks, often used as the foundation for chatbots, assistants, and internal AI tools.
- Conformity assessment
- A formal process for checking whether a high-risk AI system meets the law’s requirements before it is placed on the market or put into service.
Key Takeaways
- The AI Act entered into force on 1 August 2024, with staged application dates rather than one single compliance date.[2]
- As of the 2026 Omnibus update, stand-alone high-risk AI obligations are set for 2 December 2027, while embedded product high-risk systems move to 2 August 2028.[3][4]
- Prohibited AI practices, AI system definition, and AI literacy obligations already started applying from 2 February 2025.[11][12]
- GPAI model obligations are already live, with Commission enforcement powers applying from 2 August 2026 and legacy-model compliance by 2 August 2027.[8]
- The best first step is not buying a compliance tool. It is building a defensible AI inventory that captures use case, role, risk tier, decision impact, data, controls, and owner.[1]
EU AI Act compliance means proving that your organization knows which AI systems it builds or uses, how each system is classified, which legal role your company plays, and what evidence shows the system is controlled. It is not only a legal policy. It is an operating model that connects product design, data governance, risk management, cybersecurity, vendor oversight, logging, human review, and post-market monitoring.
The biggest 2026 update is that the deadline story has changed. The original “August 2026” framing is now too broad. Some obligations already apply. GPAI enforcement starts in August 2026. Article 50 transparency duties still matter in 2026. However, high-risk obligations have been reshaped by the Digital Omnibus AI process, with new dates for stand-alone and embedded high-risk systems.[2][3][4]
EverydayOnAI Editorial Position
Most EU AI Act guides still treat compliance as a countdown problem: “Do X before the deadline.” That is incomplete. The stronger view is this: the deadline changed, but the evidence burden did not disappear. Companies that use the extra time only to wait will still fail. Companies that use it to build inventories, classification records, impact reviews, and runtime monitoring will turn the delay into a durable governance advantage.
What Is EU AI Act Compliance?
EU AI Act compliance is the practical process of aligning AI systems with Regulation (EU) 2024/1689. In plain terms, it asks a company to answer six questions: Is this an AI system? Who is responsible for it? What risk tier applies? Which obligations follow? What evidence proves the controls work? Who reviews the system after deployment?
The Act is risk-based. Some uses are prohibited. Some systems are high-risk and require strict controls. Some systems mainly need transparency notices. Many ordinary AI tools remain low-risk, but should still be inventoried for governance and change-management reasons.
The compliance challenge is operational. A legal team can interpret the Act, but it cannot classify every model, plugin, chatbot, workflow, vendor integration, employee tool, and agent on its own. That is why a useful compliance program starts with system discovery.
- Compliance starts with knowing which AI systems exist.
- Risk tier determines obligations, not AI hype or model size alone.
- Evidence matters more than policy language.
Why EU AI Act Compliance Matters Now
⚠️ This section reflects the state as of June 2026. Regulations, standards, and Commission guidance in this area are actively evolving.
The AI Act entered into force on 1 August 2024. The first rules, including AI system definition, AI literacy, and prohibited practices, started applying from 2 February 2025.[2][11][12] That means the compliance program is no longer theoretical.
The Digital Omnibus AI process then changed the timeline for high-risk AI systems. The European Parliament approved simplification measures in June 2026. Those measures postpone high-risk obligations to 2 December 2027 for stand-alone high-risk systems and 2 August 2028 for embedded product systems.[3] The Council described the change as a way to reduce legal uncertainty while support tools and standards are prepared.[4]
That delay is useful, but it can be misleading. GPAI obligations are already part of the live compliance environment, and Commission enforcement powers for GPAI providers apply from 2 August 2026.[8] Article 50 transparency obligations for certain AI-generated content and deepfake labeling also remain a 2026 workstream, with the Commission publishing an Article 50 code of practice in June 2026.[13]
Mini Case Study: The Digital Omnibus Timeline Reset
Organization: European Parliament. Methodology: formal parliamentary approval vote on AI Act simplification measures. Specific result: Parliament approved the package by 423 votes in favour, 57 against, and 174 abstentions, while listing the new high-risk dates.[3]
Why it matters: this is not a blog rumor or industry preference. It is an official legislative signal that companies should rewrite their 2026 EU AI Act roadmaps around multiple dates, not one generic deadline.
- The AI Act already applies in stages.
- High-risk dates changed, but prohibited, GPAI, and transparency workstreams remain active.
- The right 2026 response is recalibration, not delay.
How the EU AI Act Works: Scope, Roles, and Risk Tiers
The EU AI Act applies by role and market effect. A non-EU company can still be in scope if it places an AI system on the EU market or if the AI system’s output is used in the EU. The practical implication is simple: server location is not a safe shortcut.
The four practical risk tiers
Prohibited
Unacceptable practices such as harmful manipulation or certain forms of social scoring. These are the highest enforcement risk.
High-risk
Systems in regulated products or Annex III areas that can affect health, safety, or fundamental rights.
Transparency
Systems such as certain chatbots, deepfakes, and AI-generated content workflows that require user-facing disclosure or marking.
Low / minimal risk
Most ordinary AI use cases. These may not face mandatory AI Act duties, but still need inventory and policy controls.
The operator role matters
A company can be a provider, deployer, importer, distributor, product manufacturer, or authorised representative. These roles are not labels for the whole company. They apply per system and per deployment. A business may be a deployer for a third-party hiring tool, a provider for an internal AI product sold to clients, and a distributor for another system.
The Act’s provider obligations include quality management, technical documentation, conformity assessment, CE marking, registration, corrective action, and accessibility obligations for high-risk systems.[1] Deployers have separate duties, including using systems according to instructions, human oversight, monitoring, logs where relevant, and fundamental rights impact assessment duties in defined situations.
Infographic: The EU AI Act Compliance Stack
- Discover: find every AI use case, including shadow AI and vendor AI.
- Classify: map risk tier, role, and market scope.
- Control: implement documentation, data, oversight, logging, cybersecurity, and transparency controls.
- Evidence: store proof of classification, tests, notices, decisions, and changes.
- Review: monitor performance, incidents, modifications, and regulatory updates.
- The Act applies through role, risk, market access, and decision impact.
- One company may hold multiple operator roles.
- The inventory must capture both systems and responsibilities.
EU AI Act Compliance Requirements for High-Risk Systems
High-risk systems are where EU AI Act compliance becomes evidence-heavy. Under Article 6, a system may be high-risk if it is a safety component of a product covered by Annex I legislation and requires third-party conformity assessment, or if it falls under Annex III use cases and does not qualify for a limited exemption.[1] The Commission’s 2026 draft guidelines now give practical examples, but the consultation remains open until 23 July 2026.[5][6]
Core requirements for high-risk AI
Article 8 through Article 15 set the core requirements. In practice, teams should translate those requirements into eight evidence folders:
- Risk management: known and foreseeable risks, mitigation, residual risk, and review cycle.
- Data governance: dataset origin, suitability, bias checks, data gaps, and data-preparation steps.
- Technical documentation: system description, design, intended purpose, models, data, performance, and controls.
- Record keeping and logs: traceability of relevant events and post-market monitoring.
- Transparency to deployers: clear instructions for use, performance limits, oversight needs, and expected lifecycle.
- Human oversight: defined review points, override ability, escalation, and trained reviewers.
- Accuracy, robustness, and cybersecurity: validation metrics, adversarial risk, model weaknesses, and monitoring.
- Conformity assessment: evidence that required assessment has been completed before market placement or use.
For documentation retention, the Act requires providers to keep technical documentation, quality management documentation, notified-body records, and the EU declaration of conformity for 10 years after placing the high-risk AI system on the market or putting it into service.[1]
- High-risk compliance is a structured evidence program.
- Article 6 classification must be documented, especially when claiming a system is not high-risk.
- Technical documentation, logs, oversight, and conformity assessment cannot be improvised at audit time.
Primary Compliance Risks
The largest AI Act risks are rarely caused by a single bad model. They come from missing governance links between legal interpretation, product design, data flows, and operational use.
Risk 1: misclassification
Misclassification is the root failure. A system used in hiring, education, credit, insurance, essential services, migration, or biometrics may be treated as a harmless automation tool because the product team describes it as “recommendation only.” The regulator will look at material influence, affected people, and decision context.
Risk 2: role confusion
Many companies assume they are only deployers because they buy vendor AI. That may be wrong if they substantially modify the system, change the intended purpose, place it under their own brand, or build a custom layer that changes decision impact.
Risk 3: missing GPAI dependency evidence
GPAI is now a live compliance dependency. The GPAI Code of Practice has transparency, copyright, and safety/security chapters for model providers.[7] Even deployers should track which GPAI models support their systems, what supplier evidence exists, and whether the use case changes obligations downstream.
Risk 4: treating AI governance as a yearly policy review
AI systems change faster than policies. New prompts, plugins, retrieval sources, tool permissions, datasets, and vendor model versions can change risk. Compliance must attach to lifecycle events, not only board calendars.
Before
One AI policy, no complete inventory, informal vendor review, unclear role mapping, and no durable evidence that classification decisions were reviewed.
After
System-level registry, owner assignment, risk tier, role mapping, supplier evidence, logging plan, human oversight model, review date, and change triggers.
- Misclassification and role confusion create the most costly failures.
- GPAI dependencies need supplier evidence, not assumptions.
- Compliance should follow system changes, not just annual policy cycles.
Impact on Chatbots, RAG Systems, and AI Agents
Chatbots, RAG systems, and AI agents are not automatically high-risk. Their classification depends on purpose, context, users, and decision impact. A customer-support chatbot that answers delivery questions is very different from a chatbot that screens job applicants or triages patients.
| System type | Data source | Main attack surface | Risk level | Common failure mode | Required defense |
|---|---|---|---|---|---|
| Chatbot | User prompts, system prompt, model knowledge | Misleading output, missing disclosure, sensitive prompt logging | Medium | Users believe they are interacting with a human or receive unsupported advice | Article 50 disclosure review, output limits, escalation, logging redaction |
| RAG system | Prompt plus retrieved internal or external documents | Untrusted retrieval content, stale sources, confidential document leakage | High | Retrieved content silently changes the answer or exposes restricted information | Source allowlist, document-level permissions, chunk filtering, citation validation |
| AI agent | Prompt, memory, tools, APIs, workflow state | Tool permissions, autonomous action, external content ingestion | High | Agent performs an action outside intended purpose or without proper human approval | Least privilege, action approval gates, audit trail, rollback, monitoring |
For compliance teams, the lesson is not “agents are illegal.” The lesson is that agentic systems create more paths where intended purpose can drift. If an agent can access HR records, rank candidates, draft rejection messages, and update a recruiting platform, the compliance classification should analyze the whole action chain, not only the model response.
- Chatbots, RAG, and agents need use-case classification.
- RAG adds data-source and permission risk.
- Agents add action, autonomy, and audit risk.
Architecture and Trust Boundaries for Compliant AI Systems
EU AI Act compliance becomes easier when the architecture shows where trust changes. A useful architecture diagram separates user input, system instructions, model output, retrieval content, tools, external APIs, sensitive data, and human approval gates.

Interactive Compliance Architecture Diagram
AI Agent Compliance Diagram
Decision Tree: Early Risk Triage
- Architecture should expose trust boundaries.
- Agents need least privilege, approval gates, and logs.
- Classification should analyze the full workflow, not the isolated model.
Defense and Governance Controls
A good EU AI Act control library should not live only in legal documents. It should connect to engineering tickets, procurement gates, model release workflows, access controls, and incident response playbooks.
Control family 1: inventory and ownership
Every system record should have a business owner, technical owner, compliance owner, intended purpose, user group, affected people, vendor dependency, model dependency, data source, geography, and review date.
Control family 2: classification evidence
Record the Article 6 logic. If a system is in an Annex III area but considered not high-risk, document the exemption logic before deployment and preserve it for review. The Act specifically requires providers to document the assessment when they consider an Annex III system not high-risk.[1]
Control family 3: human oversight
Oversight is not a human name in a policy. It is a defined control: who reviews what, when they can override, what evidence is captured, what training they receive, and what happens when they disagree with the system.
Control family 4: supplier evidence
Vendor AI creates inherited risk. Procurement should request classification support, technical documentation summaries, data processing terms, model-update procedures, security controls, and GPAI evidence where relevant.
// Defensive pseudo-code: AI system compliance triage
function classifyAISystem(system) {
assert(system.intendedPurpose);
assert(system.owner);
assert(system.affectedUsers);
let record = {
isAISystem: checkAISystemDefinition(system),
operatorRole: mapOperatorRole(system),
riskTier: "low",
requiredEvidence: ["inventory record", "owner approval"],
reviewTriggers: ["purpose change", "model update", "new data source", "new geography"]
};
if (usesProhibitedPractice(system)) {
record.riskTier = "critical";
record.requiredEvidence.push("legal escalation", "deployment stop record");
return record;
}
if (isAnnexIIIUseCase(system) && materiallyInfluencesDecision(system)) {
record.riskTier = "high";
record.requiredEvidence.push(
"Article 6 classification memo",
"technical documentation",
"human oversight plan",
"logging plan",
"post-market monitoring plan"
);
}
if (requiresTransparencyNotice(system)) {
record.requiredEvidence.push("Article 50 transparency notice");
}
if (usesGPAIModel(system)) {
record.requiredEvidence.push("GPAI supplier evidence");
}
return record;
}
- Controls must attach to systems, owners, and release workflows.
- Human oversight needs defined actions and evidence.
- Vendor and GPAI evidence should be collected before deployment.
Implementation Blueprint: 90-Day EU AI Act Compliance Plan
The goal of the first 90 days is not to finish every obligation. The goal is to stop flying blind. By day 90, your organization should know its AI footprint, highest-risk systems, role map, missing evidence, and the owners for each compliance workstream.
Days 1–15: discovery sprint
Survey product, security, legal, procurement, data, HR, customer support, and business teams. Include employee tools and vendor AI, not only official models.
Days 16–30: classification triage
Apply risk-tier screening. Flag prohibited practices, Annex III use cases, regulated products, transparency duties, GPAI dependencies, and high-impact workflows.
Days 31–50: role and obligation mapping
Identify provider, deployer, importer, distributor, and product manufacturer roles per system. Map required evidence to each role.
Days 51–70: evidence buildout
Create templates for technical documentation, classification memos, instructions for use, human oversight, logging, supplier evidence, and FRIA/DPIA alignment.
Days 71–90: operating model
Connect compliance review to product release, procurement, model updates, access changes, incident response, and quarterly governance reporting.
Interactive Widget: EU AI Act Compliance Triage Tool
Static triage: If your AI is used in Annex III areas and materially influences decisions about people, treat it as a high-priority high-risk review. If it is a chatbot or content generator, check transparency obligations. If it relies on a GPAI model, collect supplier evidence.
- The first 90 days should create visibility and prioritization.
- Discovery must include vendor and shadow AI.
- Evidence templates should be tied to product and procurement workflows.
Metrics, Logging, and Audit Evidence
Metrics turn compliance into management. Without metrics, executives cannot see whether AI risk is shrinking or simply becoming better documented.
Board-level metrics
- Percentage of known AI systems with assigned owner and risk tier.
- Number of systems in prohibited, high-risk, transparency, GPAI-dependent, and low-risk categories.
- Percentage of high-risk candidates with completed classification memo.
- Percentage of vendor AI systems with supplier evidence reviewed.
Operational metrics
- Classification review cycle time.
- Model update approvals completed before production release.
- Systems with human oversight tests completed.
- Incidents or near misses involving AI outputs, data leakage, bias, or unauthorized tool use.
For high-risk systems, logs should support traceability and post-market monitoring. Article 12 requires logging capabilities appropriate to the system’s intended purpose, and Article 19 requires providers to keep automatically generated logs under their control for a period appropriate to the intended purpose, at least six months unless other law requires otherwise.[1]
Animated Explainer: Evidence Flow
Inventory → classification → controls → deployment → monitoring → audit evidence.
The moving marker shows why a static spreadsheet is not enough. Evidence has to follow the system through change.
- Compliance needs board and operational metrics.
- Logs must support traceability and monitoring.
- Evidence should move with the system lifecycle.
Narrative Attack Scenario: The “Low-Risk” Hiring Assistant
Context: A company deploys an internal AI assistant to summarize résumés and draft interview recommendations. The team records it as a productivity tool because humans still approve final decisions.
Attacker goal: A malicious applicant wants the system to rank their application higher and hide missing qualifications.
Attack path: The applicant embeds manipulative text inside a résumé. The RAG pipeline retrieves the résumé, the assistant summarizes it as highly qualified, and the recruiter sees a confident recommendation without source-level warnings.
Failure point: The company treated retrieved content as trusted and did not classify the workflow as an employment-related system that materially influences a human decision.
Business impact: The organization faces unfair hiring outcomes, documentation gaps, and weak evidence that human oversight was meaningful.
Defense that would have stopped it: Source isolation, résumé content filtering, transparent recruiter warnings, human-review checklist, classification memo, and audit logs linking recommendation output to retrieved sources.
Common Mistakes in EU AI Act Compliance
Checklist: Avoid These Mistakes
- ★ Treating “August 2026” as the only date and missing GPAI, transparency, or already-applicable rules.
- ★ Classifying models instead of use cases and workflows.
- ★ Assuming vendor AI transfers all responsibility away from the deployer.
- Failing to document why an Annex III system is considered not high-risk.
- Using human oversight as a vague phrase rather than a tested workflow.
- Logging prompts, outputs, and user data without redaction or retention rules.
- Letting RAG content or AI-agent tools change system behavior without a new review.
- Building a policy before building a system inventory.
These mistakes are fixable. The common pattern is that teams jump straight to legal templates without mapping the systems. A better sequence is inventory, classification, obligations, controls, evidence, then policy.
- Most failures begin with weak inventory and classification.
- Dates must be managed as a staged timeline.
- Human oversight, logging, and vendor review must be operational.
FAQ
What is EU AI Act compliance?
EU AI Act compliance is the process of identifying whether your AI systems fall under the Act, classifying each system by risk tier, assigning provider or deployer obligations, and creating evidence that required controls are in place. For most businesses, the first practical step is an AI inventory that records intended purpose, users, affected people, data sources, model type, and decision impact.
How does the EU AI Act classify AI systems?
The EU AI Act uses a risk-based structure. Some AI practices are prohibited, high-risk systems face strict obligations, certain systems face transparency duties, and most low-risk systems have no mandatory AI Act obligations. High-risk status is mainly triggered when an AI system is a safety component of a regulated product or when it falls into an Annex III area and materially affects decisions about people.
Why did the EU AI Act deadline change in 2026?
The 2026 Digital Omnibus AI amendments were designed to reduce legal uncertainty and give companies time to implement standards and support tools. As approved by the European Parliament in June 2026, stand-alone high-risk AI obligations apply from 2 December 2027, while embedded product high-risk systems apply from 2 August 2028. Other obligations, including transparency duties and GPAI enforcement, still have earlier dates.
How should a business start an EU AI Act compliance program?
Start with a use-case inventory, not a legal memo. List every AI system, map its intended purpose and affected users, classify the risk tier, assign accountable owners, and record evidence for each decision. Then prioritize prohibited practices, GPAI dependencies, transparency obligations, high-risk systems, and deployer impact assessments in that order.
What are examples of high-risk AI under the EU AI Act?
Examples include certain AI systems used in employment, education, access to essential services, critical infrastructure, migration, law enforcement, justice, and biometrics. A hiring-screening model, creditworthiness system, student admission ranking tool, or remote biometric identification system may be high-risk when it materially influences a decision about a person.
What should an EU AI Act compliance checklist include?
A practical checklist should include AI inventory, risk classification, prohibited-practice screening, provider and deployer role mapping, technical documentation, data governance evidence, logging, human oversight, transparency notices, conformity assessment planning, post-market monitoring, incident response, and periodic review of classification decisions.
Conclusion: Treat the Extra Time as an Evidence Window
The strongest EU AI Act compliance programs in 2026 will not be the ones with the longest policy documents. They will be the ones that can show a reliable chain of evidence: this is our AI inventory, this is how we classified each system, this is our role, these are the controls, these are the logs, these are the human review points, and this is how we update the record when the system changes.
The updated deadline landscape gives businesses more room for high-risk implementation. It does not remove the need to act. Prohibited practices, AI literacy, GPAI obligations, transparency duties, and classification work are already active planning priorities. If your organization waits until the final months before the new dates, you will have less time to fix architecture, vendor contracts, data controls, and product workflows.
EverydayOnAI Forward View
The real competitive advantage will come from making AI governance boring. Not weak. Boring. A mature company should be able to launch, update, monitor, and retire AI systems through a repeatable process. The EU AI Act is forcing that discipline. Smart teams will use it to improve product quality, procurement, security, and trust at the same time.
Your next step is clear: build the inventory, classify the top 20 systems, assign owners, and create evidence records before the next model or vendor update changes the facts.
5 Things to Remember
- EU AI Act compliance is an operating model, not a one-time legal memo.
- The 2026 timeline changed: high-risk deadlines shifted, but other obligations remain active.
- Classify workflows and decision impact, not model names.
- GPAI, chatbots, RAG systems, and agents need different evidence patterns.
- Start with inventory, risk tier, role mapping, controls, and audit evidence.
References
- European Union, “Regulation (EU) 2024/1689 of the European Parliament and of the Council,” July 2024. The final AI Act text defines risk tiers, operator obligations, conformity assessment, documentation, transparency, and penalty levels. https://eur-lex.europa.eu/eli/reg/2024/1689/oj/eng
- European Commission, “AI Act — Shaping Europe’s digital future,” Updated 2026. The Commission states that the AI Act entered into force on 1 August 2024 and is implemented through staged application dates. https://digital-strategy.ec.europa.eu/en/policies/regulatory-framework-ai
- European Parliament, “AI Act: EP approves simplification measures and “nudifier” app ban,” June 2026. Parliament approved Digital Omnibus AI amendments and listed new application dates for stand-alone high-risk and embedded high-risk systems. https://www.europarl.europa.eu/news/en/press-room/20260611IPR45207/ai-act-ep-approves-simplification-measures-and-nudifier-app-ban
- Council of the European Union, “Artificial Intelligence: Council and Parliament agree to simplify and streamline rules,” May 2026. The Council announced a political agreement to delay high-risk AI rules to 2 December 2027 for stand-alone systems and 2 August 2028 for embedded systems. https://www.consilium.europa.eu/en/press/press-releases/2026/05/07/artificial-intelligence-council-and-parliament-agree-to-simplify-and-streamline-rules/
- European Commission, “Draft Commission guidelines on the classification of high-risk AI systems,” May 2026. The draft guidelines explain how providers and deployers should assess high-risk classification under Article 6 and Annex III. https://digital-strategy.ec.europa.eu/en/library/draft-commission-guidelines-classification-high-risk-ai-systems
- European Commission, “Targeted consultation on the draft guidelines for the classification of high-risk AI systems,” May 2026. The consultation opened on 19 May 2026 and closes on 23 July 2026, meaning classification examples remain subject to refinement. https://digital-strategy.ec.europa.eu/en/consultations/targeted-consultation-draft-guidelines-classification-high-risk-artificial-intelligence-systems
- European Commission, “The General-Purpose AI Code of Practice,” July 2025. The GPAI Code contains transparency, copyright, and safety/security chapters to help model providers demonstrate compliance. https://digital-strategy.ec.europa.eu/en/policies/contents-code-gpai
- European Commission, “Guidelines for providers of general-purpose AI models,” April 2026. The Commission states that GPAI enforcement powers apply from 2 August 2026 and legacy GPAI models have until 2 August 2027 to comply. https://digital-strategy.ec.europa.eu/en/policies/guidelines-gpai-providers
- NIST, “AI Risk Management Framework,” January 2023. NIST AI RMF is voluntary guidance for incorporating trustworthiness considerations into AI design, development, use, and evaluation. https://www.nist.gov/itl/ai-risk-management-framework
- ISO, “ISO/IEC 42001:2023 — Artificial intelligence management systems,” December 2023. ISO/IEC 42001 provides an integrated management-system approach for AI risk assessment and treatment. https://www.iso.org/standard/42001
- European Commission, “Guidelines on prohibited artificial intelligence practices,” February 2025. The Commission published non-binding guidance and examples for AI practices considered unacceptable under the AI Act. https://digital-strategy.ec.europa.eu/en/library/commission-publishes-guidelines-prohibited-artificial-intelligence-ai-practices-defined-ai-act
- European Commission, “Guidelines on AI system definition,” February 2025. The Commission published guidance to help providers assess whether a software system qualifies as an AI system under the Act. https://digital-strategy.ec.europa.eu/en/library/commission-publishes-guidelines-ai-system-definition-facilitate-first-ai-acts-rules-application
- European Commission, “Code of Practice on Transparency of AI-Generated Content,” June 2026. The code supports compliance with Article 50 obligations for marking and labelling AI-generated and manipulated content. https://digital-strategy.ec.europa.eu/en/policies/code-practice-ai-generated-content
EU AI Act Compliance Cluster
Continue the EU AI Act Cluster
Next Step: Classify Your AI Systems
After the pillar overview, the most important operational step is classification. Use the classification guide to decide whether each system is prohibited, high-risk, limited-risk, GPAI-related, or low-risk before building documentation.