EU AI Act Compliance: Know Your Obligations Before the Deadlines Bite

The EU AI Act is the world's first comprehensive law for artificial intelligence — and it applies to far more organisations than the ones building frontier models. If you develop, deploy, distribute, or even just *use* AI systems that touch the EU market, some part of the Act applies to you.

The obligations phase in between 2025 and 2027, and the penalties are severe: up to €35 million or 7% of global turnover for prohibited practices. ShieldIQ helps SMEs work out which risk tier their AI use falls into, what they must do about it, and how to evidence it — in around fifteen minutes.

Start your free EU AI Act assessment →


What Is the EU AI Act?

The EU AI Act is a regulation that governs the development, placing on the market, and use of AI systems in the EU. Like GDPR, it has extraterritorial reach: it applies to providers and deployers outside the EU where the system's output is used within the EU.

It takes a risk-based approach, sorting AI systems into four tiers:

  • Unacceptable risk — banned outright (e.g. social scoring, certain biometric categorisation, manipulative systems).
  • High risk — permitted but heavily regulated (e.g. AI in recruitment, credit scoring, critical infrastructure, education, and safety components). The bulk of the obligations live here.
  • Limited risk — transparency duties (e.g. telling people they are interacting with a chatbot, labelling AI-generated content / deepfakes).
  • Minimal risk — the vast majority of AI; no mandatory obligations, voluntary codes encouraged.

General-purpose AI (GPAI) models carry their own layer of transparency and, for the most capable models, systemic-risk obligations.


The Compliance Timeline

The Act entered into force in August 2024 and applies in stages:

  • February 2025 — prohibitions on unacceptable-risk AI and AI-literacy obligations take effect.
  • August 2025 — governance rules and obligations for general-purpose AI models apply.
  • August 2026 — the majority of obligations, including most high-risk system requirements, apply.
  • August 2027 — extended deadline for high-risk AI that is a safety component of regulated products.

Acting now — classifying your systems and building the governance — is far cheaper than retrofitting under deadline pressure.


What High-Risk AI Compliance Requires

If you provide or deploy a high-risk AI system, the Act expects a documented, ongoing programme. The core obligations include:

  • A risk management system running across the AI lifecycle
  • Data governance — appropriate, representative, and well-documented training, validation, and test data
  • Technical documentation demonstrating conformity
  • Record-keeping / logging to ensure traceability
  • Transparency and clear information for deployers
  • Human oversight designed into the system
  • Accuracy, robustness, and cybersecurity appropriate to the use case
  • A conformity assessment and registration before the system goes to market

Deployers (organisations using high-risk AI) have their own duties: human oversight, monitoring, and using the system in line with the provider's instructions for use.


How ShieldIQ Helps You Meet the EU AI Act

Risk classification. ShieldIQ's guided assessment walks you through each AI system you use and helps you place it in the right risk tier — the essential first step everything else depends on.

Gap analysis. For high-risk and GPAI obligations, ShieldIQ's AI scores where you stand across governance, documentation, oversight, and security, with a prioritised plan.

Policy library. Editable AI governance, acceptable-use, and human-oversight policies aligned to the Act's requirements.

Risk register. Document and treat the risks your AI systems create — the lifecycle risk management the Act expects.

Evidence and activity trail. Keep the technical documentation, logs, and decisions an auditor or regulator will ask to see.

AI inventory. Maintain a register of the AI systems you build and use — you cannot govern what you have not catalogued.

Start free — no card required →


The EU AI Act and Other Frameworks

AI governance does not sit in isolation — it overlaps heavily with the frameworks ShieldIQ already covers:

  • GDPR compliance — AI that processes personal data triggers GDPR alongside the AI Act
  • ISO 27001 compliance — your ISMS underpins the security and governance the AI Act expects
  • NIST CSF compliance — strong cyber-risk management supports AI system security and robustness
  • NIS2 compliance — for AI embedded in essential or important entities' operations

Frequently Asked Questions

Does the EU AI Act apply to my small business?

Possibly. It applies based on what your AI *does*, not your size. If you deploy AI in areas the Act treats as high-risk — recruitment screening, credit decisions, certain biometric or safety uses — obligations apply even to small organisations. Most everyday AI use is minimal-risk, but you still need to classify it to be sure.

We only *use* third-party AI tools — are we off the hook?

No. Deployers of high-risk AI have their own obligations (human oversight, monitoring, correct use), and limited-risk transparency duties apply broadly. Knowing which tools you use and what they do is the starting point — exactly what ShieldIQ's AI inventory and assessment provide.

What counts as a general-purpose AI (GPAI) model?

A model trained on broad data that can perform a wide range of tasks — large language and multimodal models, for example. If you build on top of one, the provider carries most GPAI duties, but your use can still create high-risk or transparency obligations depending on the application.

How do penalties work?

Fines scale with the breach: up to €35M or 7% of worldwide turnover for prohibited practices, up to €15M or 3% for most other breaches, and lower amounts for supplying incorrect information. Early classification and governance are the cheapest insurance.


Ready to assess your EU AI Act posture?

Free to start. No credit card. No setup calls. Run your first assessment in around 15 minutes.