Fundamentals

EU AI Act Compliance: The Complete Guide (2026)

Updated 14 July 2026 11 min read

The EU AI Act is the world's first comprehensive law on artificial intelligence. It applies to any organisation whose AI system is used — or whose output is used — inside the EU, regardless of where the company is based. This guide explains how it works, what it asks of you, and how to become compliant without drowning in legal text.

What is the EU AI Act?

The EU AI Act (Regulation (EU) 2024/1689) is a risk-based regulation. Instead of treating all AI the same, it sorts systems into tiers and applies obligations proportional to the risk each one poses to health, safety and fundamental rights. It entered into force in 2024 and applies in stages through 2027.

Crucially, it is extraterritorial: if people in the EU use your AI system, or your system's output is used in the EU, you are in scope even if your company sits in the US, UK or anywhere else.

The four risk tiers

Every AI system falls into one of four tiers:

  • Prohibited (Art. 5) — banned practices such as social scoring, untargeted facial-recognition scraping and certain manipulative or emotion-recognition uses.
  • High risk (Annex III) — systems used in areas like recruitment, education, essential services, law enforcement, migration and biometrics. These carry the heaviest obligations.
  • Limited risk (Art. 50) — systems that interact with people (chatbots) or generate synthetic media must meet transparency duties.
  • Minimal risk — everything else. No mandatory obligations, though voluntary codes of conduct are encouraged.

Most of the compliance work concentrates on the high-risk tier.

Who is a provider vs a deployer?

The Act splits duties between providers (who develop an AI system or have it developed and place it on the market under their name) and deployers (who use an AI system under their authority). A single company can be both. Providers of high-risk systems carry the bulk of the obligations; deployers have their own set under Article 26, including human oversight and monitoring.

What obligations apply to high-risk systems?

High-risk providers must implement: a risk management system (Art. 9), data governance (Art. 10), technical documentation / Annex IV (Art. 11), automatic logging (Art. 12), transparency and instructions for use (Art. 13), human oversight (Art. 14), and accuracy, robustness and cybersecurity (Art. 15). Deployers add Article 26 duties on top. This is where a compliance platform saves the most time — turning these articles into a concrete, trackable checklist.

Key deadlines

Compliance is phased:

  • 2 Feb 2025 — prohibited practices and AI-literacy duties.
  • 2 Aug 2025 — obligations for general-purpose AI (GPAI) models.
  • 2 Aug 2026 — transparency obligations under Article 50.
  • 2 Dec 2027 — full high-risk (Annex III) obligations.

Because some duties are already in force, "we'll deal with it later" is no longer an option for many systems.

How to get compliant, step by step

  1. Inventory every AI system you build or use.
  2. Classify each one against the risk tiers (our free risk checker does this in two minutes).
  3. Generate the obligations that apply to each system.
  4. Assign owners, track tasks and attach evidence as you close each duty.
  5. Produce audit-ready documentation — including the Annex IV technical file — on demand.

Conformly automates steps 2–5 so a small team can reach audit-ready status in days, not months.

Frequently asked questions

Does the EU AI Act apply to companies outside the EU?

Yes. It applies to any provider or deployer whose AI system, or its output, is used in the EU — regardless of where the company is established.

What are the penalties for non-compliance?

Fines reach up to €35M or 7% of global annual turnover for prohibited-practice breaches, up to €15M or 3% for other obligations, and up to €7.5M or 1% for supplying incorrect information — whichever is higher.

How do I know if my AI system is high risk?

A system is high risk if it falls under an Annex III use case (e.g. recruitment, education, essential services) or is a safety component of a regulated product. Run the free risk checker to find out in two minutes.

Find your risk class in 2 minutes

Free, no sign-up. Deterministic — not a chatbot.

Run the free check