EU AI Act guide for Compliance Officers
EU AI Act guide for Compliance Officers
The EU AI Act establishes the most comprehensive regulatory framework for AI systems in any major jurisdiction, and it falls to Compliance Officers to operationalise it. Unlike GDPR, which was primarily about data flows, the AI Act reaches into product architecture, engineering practices, and vendor contracts. Building a compliance program that satisfies its requirements means working across legal, engineering, product, and procurement, with a clear view of which obligations apply, to whom, and by when.
What the EU AI Act requires
The Act's obligations scale with risk. For high-risk AI systems under Annex III (covering employment, education, credit, biometrics, and critical infrastructure), the core obligations span Articles 9 through 17. Article 9 requires a documented, iterative risk management system. Article 10 sets standards for training data governance and bias examination. Article 11 requires a comprehensive technical file maintained throughout the system lifecycle. Article 13 mandates transparency documentation for deployers. Article 14 requires human oversight by design. Article 17 requires a quality management system covering governance, processes, and post-market monitoring. Your organisation must also register high-risk AI systems in the EU database under Article 49 before placing them on the market. For GPAI models (foundation models your organisation builds or uses), providers face obligations under Article 53 from August 2, 2026, including maintaining technical documentation and publishing training data summaries. Fines for GPAI non-compliance reach EUR 15 million or 3% of global annual revenue. Article 50, requiring AI-generated content labelling, also applies from August 2, 2026.
What this means for your business
The compliance program you need to build has three distinct layers. First, an inventory and classification layer: you cannot comply with obligations you have not mapped. Every AI system in use or under development must be classified against the Act's risk tiers, including third-party tools your teams use internally. Second, a documentation layer: Articles 9, 11, and 17 together require a substantial body of living documentation. Unlike a one-time audit, this documentation must be maintained as systems evolve. Third, a vendor oversight layer: under Article 25, deployers of third-party AI systems inherit certain obligations from providers. Your procurement and vendor management processes need to include AI Act due diligence, covering whether providers can supply the technical documentation and conformity information the Act requires you to hold. Non-compliance carries serious consequences: fines for high-risk system violations reach EUR 30 million or 6% of global annual revenue under Article 99.
Steps to get compliant
1. Build an AI system inventory. Work with IT, engineering, and procurement to identify every AI system in use or development, including embedded AI in third-party software. Classify each against Annex III and the GPAI definition.
2. Prioritise August 2, 2026 obligations. GPAI providers and any organisation deploying AI-generated content features must meet Article 53 and Article 50 requirements by this date. Assess whether either applies and act immediately.
3. Develop your Article 9 risk management documentation for each high-risk system. Assign an owner, set a review cadence, and treat it as a living program rather than a project with an end date.
4. Update vendor due diligence templates to include AI Act requirements. Request conformity documentation from AI tool providers and document the responses as part of your Article 17 quality management system.
Free EU AI Act risk assessment
Not sure where your AI system stands? The free ActComply risk screener classifies your system in under 5 minutes. No sign-up required.