Book a call
Book a call

EU AI Act Compliance Services

The EU AI Act is the world's first comprehensive AI regulation. Staged implementation since August 2024. As of mid-2026, prohibited practices have been banned since February 2025, General Purpose AI obligations have been in force since August 2025. The August 2, 2026 high-risk AI system deadline is the current legal date; the May 2026 Digital Omnibus provisional agreement would move stand-alone high-risk systems to 2 December 2027 and embedded systems to 2 August 2028, pending formal adoption.

Book a free intro call See pricing
By Julian Gage Last reviewed: 17 February 2026

We classify your AI systems, build the documentation regulators expect, and get you ready before EU AI Act deadlines hit.

What you get:

  • Your AI systems classified as prohibited, high-risk, limited, or minimal
  • Technical documentation and transparency obligations handled
  • GPAI and high-risk requirements mapped to clear deadlines

The EU AI Act is the world’s first comprehensive AI regulation. Staged implementation since August 2024. As of mid-2026, prohibited practices have been banned since February 2025, General Purpose AI obligations have been in force since August 2025. The August 2, 2026 high-risk AI system deadline is the current legal date; the May 2026 Digital Omnibus provisional agreement would move stand-alone high-risk systems to 2 December 2027 and embedded systems to 2 August 2028, pending formal adoption.

If you build, deploy, or place on the market AI systems used in the EU, the AI Act applies to you. This page covers what the AI Act requires, the urgent 2026 deadlines, and how to build compliance.

Key takeaways

  • The EU AI Act applies wherever AI systems are placed on the EU market, put into service in the EU, or produce output used in the EU, so it reaches providers, deployers, importers, and distributors regardless of where the company is headquartered.
  • The Act sorts AI systems into four risk levels (prohibited, high-risk, limited, and minimal), and high-risk systems under Article 6 and Annex III carry by far the most extensive obligations.
  • The August 2, 2026 high-risk deadline is the current legal date, while the May 2026 Digital Omnibus provisional agreement would move stand-alone high-risk systems to 2 December 2027 and embedded systems to 2 August 2028, pending formal adoption.
  • General Purpose AI model obligations under Articles 53 to 55 have been in force since August 2, 2025, with models placed on the market before that date required to be compliant by August 2, 2027.
  • AI systems that process personal data fall under both the AI Act and GDPR, and most growing companies handle the overlap through a coordinated governance function led by the Data Protection Officer, with AI specialists engaged for technical work.

Does the EU AI Act apply to my company?

The AI Act applies to providers of AI systems placed on the market or put into service in the EU, and to deployers of AI systems located in the EU. It also applies to providers and deployers of AI systems whose output is used in the EU, and to importers and distributors of AI systems in the EU.

Most AI companies serving EU customers are in scope as providers. Companies using AI tools internally on EU employees or customers may be in scope as deployers.

The AI Act applies regardless of where your company is headquartered, similar to GDPR’s extra-territorial reach.

AI system risk categories

The Act categorizes AI systems into four risk levels:

  • Prohibited AI practices (Article 5). Banned since February 2, 2025. Examples include cognitive behavioral manipulation, social scoring by public authorities, real-time biometric identification in public spaces by law enforcement (with narrow exceptions), and emotion recognition in workplaces and educational institutions.
  • High-risk AI systems (Article 6, Annex III). Subject to the most extensive requirements. Annex III lists eight categories including critical infrastructure, education, employment (including CV screening, performance monitoring, hiring decisions), essential private and public services, law enforcement, migration and border control, justice and democratic processes, and biometrics. Many SaaS products fall in scope, particularly HR Tech, EdTech, FinTech credit scoring, and insurance underwriting. See our guide to high-risk classification for how Article 6 and Annex III decide whether a system is in scope.
  • Limited risk AI systems (Article 50). Subject to transparency obligations. Examples include chatbots, emotion recognition outside prohibited contexts, AI-generated content (deepfakes), and biometric categorization.
  • Minimal risk AI systems. Most AI systems fall here with no specific obligations beyond voluntary codes of conduct.

General Purpose AI models

Separately from the risk classification, providers of General Purpose AI models (foundation models that can be adapted to many tasks) face specific obligations under Articles 53 to 55.

GPAI obligations applicable since August 2, 2025 include technical documentation, copyright compliance documentation including respect for opt-outs by rightsholders, training data summary publication, and downstream provider support.

GPAI models with systemic risk (typically those with very large computational training) face additional Article 55 obligations including model evaluation, systemic risk assessment and mitigation, serious incident reporting, and cybersecurity protection.

Providers of GPAI models placed on the market before August 2, 2025 must be compliant by August 2, 2027.

What do we need to do for the EU AI Act?

High-risk AI systems face the most extensive Act requirements:

  • Risk management system. Continuous risk identification, evaluation, and mitigation throughout the AI system lifecycle.
  • Data governance. Training, validation, and testing data must be relevant, representative, free of errors, complete, and have appropriate statistical properties.
  • Technical documentation. Article 11 requires extensive documentation enabling assessment of compliance.
  • Record-keeping. Article 12 requires automatic logging of events.
  • Transparency. Information to deployers including instructions for use, characteristics, performance metrics, and limitations.
  • Human oversight. Article 14 requires human oversight measures appropriate to the risk.
  • Accuracy, robustness, and cybersecurity. Article 15 requirements.
  • Quality management system. Article 17 requires a quality management system covering compliance strategy, design specifications, data management, risk management, post-market monitoring, and incident reporting.
  • Conformity assessment. Pre-market conformity assessment before placing the system on the market.
  • CE marking and EU database registration. Public-facing high-risk AI systems must bear CE marking and be registered in the EU database under Article 71.
  • Post-market monitoring. Article 72 ongoing monitoring requirements.
  • Serious incident reporting. Article 73 requirements for reporting serious incidents to authorities.

Penalties

Up to €35 million or 7 percent of global annual turnover for prohibited AI practices.

Up to €15 million or 3 percent for high-risk system violations.

Up to €7.5 million or 1.5 percent for other infractions.

Combining AI Act with GDPR

AI systems that process personal data are subject to both the AI Act and GDPR. The two frameworks have meaningful overlap.

GDPR Article 35 DPIAs and AI Act Article 27 fundamental rights impact assessments share substantial content and can be conducted as a single coordinated assessment.

GDPR Articles 13 and 14 transparency obligations and AI Act Article 50 transparency obligations are complementary.

GDPR Article 22 automated decision-making rights overlap with AI Act high-risk system requirements.

Most growing AI companies handle both through a coordinated privacy and AI governance function, often led by the Data Protection Officer (DPO) with AI-specific specialists engaged for technical work.

How Engage Compliance helps

EU AI Act compliance is included in our DPO services for AI companies. Specific work includes:

  • AI system inventory and classification (prohibited, high-risk, limited, minimal, GPAI).
  • Risk management system design for high-risk systems.
  • Technical documentation drafting per Article 11.
  • Quality management system design per Article 17.
  • Fundamental rights impact assessment.
  • Transparency obligations design.
  • GPAI compliance for foundation model providers.
  • Coordination with notified bodies for conformity assessment where required.

We work with AI companies wherever they are based. Anyone placing AI systems on the EU market or serving people in the EU or UK can be in scope, not only European companies. We cover the broader privacy obligations that come with the AI Act, including GDPR, UK GDPR, US state privacy laws (CCPA/CPRA, Virginia, Colorado, Texas, and more), and 30+ regulations worldwide, from the same engagement.

Get started

If you are an AI company evaluating or executing EU AI Act compliance, book a consultation. The August 2, 2026 deadline is the current legal date for high-risk systems; the May 2026 Digital Omnibus provisional agreement would move stand-alone systems to 2 December 2027 and embedded systems to 2 August 2028, pending formal adoption. Preparation work typically takes 6 to 12 months.

  • Same-business-day response
  • Professional indemnity and cyber insurance
  • Named DPO notified to the supervisory authority
Book a free intro call Free risk assessment

FAQ

Frequently asked questions

Is the EU AI Act in force?

Yes. The Regulation has applied since 1 August 2024 and is rolling out in stages. General Purpose AI model obligations have applied since 2 August 2025. A 2026 simplification package, the Digital Omnibus on AI, defers several high-risk deadlines but does not undo the law.

When do high-risk obligations apply?

Under the Digital Omnibus agreement reached in May 2026, standalone high-risk systems (Annex III) move to 2 December 2027, and high-risk AI embedded in regulated products (Annex I) moves to 2 August 2028. 2 August 2026 remains a live date for transparency duties and other provisions. These changes take legal effect only once the Omnibus is formally published, expected before 2 August 2026.

What about AI-generated content labeling?

Transparency duties for synthetic content carry a short grace period to 2 December 2026 for systems already on the market. A new prohibition on AI-generated non-consensual intimate imagery and child sexual abuse material also takes effect on 2 December 2026.

Do we need a DPO and AI governance, or just one?

They are different roles. A DPO covers data protection. AI governance covers the AI Act's risk, documentation, and oversight duties. Many AI companies need both, and we can scope where they overlap.

Related

ServiceOutsourced DPO servicesPricingOutsourced DPO cost guideServiceDPO for AI companiesServiceEU AI Act GPAI complianceGuideGDPR and the EU AI ActGuideEU AI Act high-risk classification guide