The EU AI Act became the world's first comprehensive legal framework for artificial intelligence when it entered into force in August 2024, and the compliance deadlines are not theoretical anymore. Prohibited AI systems had to be switched off or dismantled by February 2025. High-risk AI obligations are rolling in through 2026 and 2027. If your organization builds, deploys, or imports AI systems into the European market, the clock is already running, and the penalties for non-compliance reach 35 million euros or seven percent of global annual turnover, whichever is higher.
Understanding what the Act actually requires, rather than what headlines say it requires, is the starting point for any serious compliance effort. This post breaks down the structure, the obligations that matter most to technology companies, and the practical steps organizations can take right now.
How the Act Classifies Risk
The EU AI Act does not regulate all AI uniformly. It applies a risk-based classification system with four tiers, and your obligations under the law depend entirely on which tier your AI system falls into.
Unacceptable risk systems are outright banned. These include AI that manipulates people using subliminal techniques that bypass conscious awareness, social scoring systems operated by public authorities, real-time biometric identification in public spaces (with narrow exceptions for law enforcement), and systems that exploit the vulnerabilities of specific groups such as children or people with disabilities to distort their behavior in a way that causes harm. Organizations operating in any of these categories had to cease operations by February 2, 2025.
High-risk systems face the most demanding compliance requirements. The Act defines two categories of high risk. The first covers AI systems used as safety components in products already regulated by EU law: machinery, medical devices, aviation equipment, vehicles, and similar sectors. The second covers AI used in eight specific areas: biometric identification and categorization, critical infrastructure management, education and vocational training, employment and worker management, essential private and public services (including credit scoring), law enforcement, migration and border control, and the administration of justice.
Limited-risk systems, such as chatbots and deepfake generators, must meet transparency requirements. Users must be told they are interacting with an AI system or viewing AI-generated content. General-purpose AI models, including large language models, face separate transparency and documentation requirements that apply regardless of risk classification.
Minimal-risk systems, which include most AI applications currently in commercial use, face no mandatory obligations under the Act, though voluntary codes of conduct are encouraged.
What High-Risk Compliance Actually Demands
For organizations in the high-risk category, the compliance burden is substantial and technical. The Act requires a documented risk management system that runs throughout the entire lifecycle of the AI system. This is not a one-time assessment but an ongoing process of identifying risks, evaluating them against intended purpose, and adopting mitigation measures.
Data governance is a specific and detailed requirement. Training, validation, and testing datasets must be subject to data governance practices that address the following: the design choices behind the data collection process, data preparation operations such as labeling and cleaning, the identification of potential biases, and the relevance and completeness of the data with respect to the intended purpose. This requires organizations to document their training pipelines in ways that most have not done historically.
Technical documentation must be drawn up before the system is placed on the market or put into service, and it must remain up to date. The regulation specifies the minimum content of this documentation in detail, including a general description of the system, the design specifications, information on training methodology, validation and testing procedures, and performance metrics. The documentation must be sufficient for a national competent authority to assess conformity.
Logging and record-keeping are mandatory. High-risk AI systems must be capable of automatically logging events that are relevant to identifying risks, and these logs must be retained for periods specified by applicable law or, in the absence of such law, for at least six months.
Human oversight mechanisms must be built into the system by design. The system must allow the persons to whom human oversight has been assigned to understand the system's capabilities and limitations, monitor its operation, and intervene or interrupt the system through a stop function. This is not a procedural requirement but a technical one: the capability for override and intervention must exist in the system architecture itself.
Accuracy, robustness, and cybersecurity requirements apply to the system's technical performance. The Act requires that high-risk AI systems achieve appropriate levels of accuracy and that they are resilient to attempts by third parties to alter outputs through adversarial examples or data poisoning. This brings AI compliance into direct contact with cybersecurity standards.
Finally, conformity assessment must be completed before deployment. For most high-risk systems, this is a self-assessment process conducted by the provider. For certain categories, including AI used in biometrics and critical infrastructure, third-party conformity assessment is required. The result is a CE marking and an EU declaration of conformity, which must be kept for ten years after the system is placed on the market.
General-Purpose AI Models: A Separate Track
The regulation created a distinct compliance track for general-purpose AI models, which are defined as models trained on large amounts of data, capable of performing a wide range of tasks, and made available to other providers who integrate them into their own products. This category covers the large language models that underpin most modern AI applications.
Providers of general-purpose AI models must maintain technical documentation, draw up a policy for complying with EU copyright law in relation to training data, and publish a summary of training data. If the model is released under an open-source license, some requirements are reduced, but the copyright compliance obligation remains.
Models classified as posing systemic risk face additional obligations. The threshold for systemic risk classification is training with more than 10^25 floating-point operations, a threshold that currently captures only the largest frontier models. These models must conduct adversarial testing, report serious incidents to the European AI Office, implement cybersecurity measures, and report on energy consumption.
The distinction matters for enterprise buyers as well. If your organization deploys a general-purpose model from a provider and integrates it into a product or service, you become a deployer under the Act. Your obligations depend on whether your downstream use case falls into the high-risk categories. A deployer who uses a general-purpose model for high-risk purposes inherits the compliance obligations of a high-risk system provider, even if the underlying model was built by someone else.
The Governance Structure
Enforcement of the EU AI Act is distributed across a layered governance structure. The European AI Office, established within the European Commission, has primary oversight of general-purpose AI models and coordinates enforcement across member states. Each EU member state must designate one or more national competent authorities responsible for supervising the Act's implementation within their jurisdiction.
The Act also establishes an AI Board composed of representatives from each member state's supervisory authority. The Board coordinates consistent application of the regulation and advises the Commission on technical and regulatory matters.
Market surveillance authorities conduct post-market monitoring of AI systems and can require providers and deployers to produce documentation, conduct testing, or take corrective actions. They can also order withdrawal of non-compliant systems from the market and impose penalties directly.
For organizations subject to the General Data Protection Regulation, the interaction between the two frameworks is an active area of regulatory guidance. Personal data processed by AI systems must comply with GDPR in addition to the AI Act, and the data governance requirements of the two frameworks overlap significantly. Organizations should not treat these as separate compliance workstreams.
Timeline and What You Must Do Now
The Act's deadlines are phased. Prohibited AI practices were banned from February 2, 2025. General-purpose AI model obligations apply from August 2, 2025. High-risk AI systems in Annex I (existing regulated products) must comply by August 2, 2027. High-risk systems in Annex III (the eight specific application areas) must comply by August 2, 2026, with some extensions available for certain deployers.
The most pressing immediate action for most organizations is a thorough inventory of their AI systems. This means cataloging every system that processes data, makes recommendations, or generates outputs, and classifying each one against the Act's risk tiers. Many organizations will find they have AI systems they did not formally recognize as such, including automated scoring systems, content moderation tools, resume screening software, and predictive maintenance platforms.
Once the inventory is complete, organizations that have any systems in the high-risk tier need to begin gap analysis against the conformity requirements. This is a technical and documentation-intensive exercise that requires close coordination between legal, compliance, engineering, and data science teams. The six months between starting a gap analysis and completing conformity documentation is not an overestimate for complex systems.
For organizations that procure AI systems from third-party vendors, due diligence on vendor compliance is now a procurement requirement. Contracts must address who holds responsibility for conformity assessments, what technical documentation the vendor will provide, and what happens if the system is found non-compliant after deployment.
Training is not optional. The Act requires that staff using high-risk AI systems have sufficient AI literacy to understand the system's capabilities and limitations and to exercise human oversight effectively. This obligation applies to deployers, not just providers, and it applies to the people actually using the systems in operational settings.
How ITSulu Can Help
The EU AI Act compliance process sits at the intersection of legal requirements, technical architecture, data engineering, and organizational change management. ITSulu brings direct technical expertise to each of those dimensions. Our team has deep experience in AI system architecture, data pipeline design, and cybersecurity, which are the three technical areas where compliance gaps most often appear during conformity assessments.
We can conduct an AI system inventory and risk classification assessment across your environment, identifying which systems fall into high-risk categories and what documentation gaps exist. For organizations deploying general-purpose AI models in enterprise workflows, we help map the downstream use case against the Act's risk tiers and design the human oversight and logging mechanisms the law requires. Our experience with Kubernetes, cloud infrastructure, and automated operations means we can implement the technical changes required for compliance without disrupting production environments.
We also help organizations build the internal AI literacy programs the Act requires for staff who interact with high-risk systems, drawing on our corporate instruction and training practice to develop materials specific to your systems and use cases.
EU AI Act compliance is not a one-time project. It is an ongoing operational requirement that touches your development lifecycle, your vendor contracts, your data governance practices, and your staff training programs. We help organizations build the processes and technical foundations to meet those requirements sustainably rather than scrambling toward each deadline.
Contact ITSulu today to schedule a consultation.