How to Comply With the EU AI Act
EU AI Act compliance is an 8-step program: inventory your AI systems, classify each by risk tier, assign accountability, produce technical documentation, register high-risk systems, implement post-market monitoring, train your team, and automate the whole thing. Core high-risk duties apply from 2 August 2026.
The 8-step compliance program
- Inventory your AI systems. List every AI system your organization builds, buys, or embeds. Capture owner, purpose, data sources, users, and decision impact. This is the foundation for classification and every downstream duty.
- Classify each system by risk tier. For each system, determine whether it is prohibited, high-risk (Annex I or Annex III), limited-risk (transparency duties), or minimal-risk. Document the reasoning so it is defensible under audit.
- Assign a responsible person. Name an accountable owner for each high-risk system and a program-level compliance lead. Ensure sufficient AI literacy across staff who develop, deploy, or use AI systems — this is a standalone duty under Article 4.
- Prepare technical documentation. For each high-risk system, produce the technical file required by Annex IV: intended purpose, design, data, risk management, monitoring, harmonized standards applied, and the EU declaration of conformity.
- Register high-risk systems. Register standalone high-risk AI systems in the EU database before placing them on the market or putting them into service. Public authorities acting as deployers must also register their use of high-risk systems.
- Implement post-market monitoring. Set up a monitoring plan that tracks performance, incidents, and complaints across the lifecycle. Log serious incidents and report them to the competent authority within the required timeframes.
- Train your team. Roll out role-based training. Developers, product managers, deployers, and reviewers each need different levels of detail on obligations, controls, and incident response. Keep training records.
- Automate with a tool like Zilonex Govern. Move the inventory, classification, technical documentation, and monitoring evidence into a single platform. Zilonex Govern ships with an EU AI Act control library and generates Annex IV documentation from your system data.
Deadlines you cannot miss
| Date | What applies |
|---|---|
| 2 February 2025 | Prohibited practices; AI literacy duty |
| 2 August 2025 | General-purpose AI model rules; governance |
| 2 August 2026 | Core high-risk system requirements |
| 2 August 2027 | Embedded high-risk product categories |
What a defensible classification looks like
Classification is the single most common audit failure point. For each AI system, record: the intended purpose, whether it is safety-critical under Annex I, whether the use case sits inside Annex III, and the reasoning that led to the tier decision. Have a second reviewer sign off.
Frequently asked questions
Who has to comply with the EU AI Act?
The Act applies to providers who develop or place AI systems on the market, deployers who use them in a professional context, importers, distributors, product manufacturers embedding AI, and authorized representatives. It applies extraterritorially where an AI system's output is used within the regulated market.
When is the main compliance deadline?
Core high-risk system requirements apply from 2 August 2026. Prohibited practices already apply from 2 February 2025 and general-purpose AI model rules from 2 August 2025. Certain embedded high-risk categories have until 2 August 2027.
How do I know if my AI system is high-risk?
A system is high-risk if it falls within one of the Annex III use cases (biometrics, critical infrastructure, education, employment, essential services, law enforcement, migration, justice, democratic processes) or is a safety component of a product covered by Union harmonization legislation listed in Annex I.
What documentation do I need for a high-risk system?
Technical documentation covering: system description and intended purpose, design specifications, data and data governance, monitoring and control mechanisms, risk management system, changes made during the lifecycle, harmonized standards applied, EU declaration of conformity, and post-market monitoring plan.
Do I need a conformity assessment?
Yes. High-risk AI systems must undergo conformity assessment before being placed on the market. For most Annex III systems, providers can self-assess against harmonized standards. Some categories — such as biometric identification — require a notified body.
What about general-purpose AI models?
Providers of general-purpose AI models must produce technical documentation, publish a summary of training data, and put in place a copyright policy. Models classified as posing systemic risk carry additional evaluation, adversarial testing, and incident reporting duties.
Can a tool automate compliance?
Yes. Purpose-built platforms like Zilonex Govern maintain the model inventory, run classification, generate technical documentation, and track post-market monitoring. This replaces spreadsheet-based tracking that fails at any meaningful scale.
Meet the 2026 deadline with confidence
Zilonex Govern runs your inventory, classification, Annex IV documentation, and post-market monitoring in one platform.
Start Zilonex Govern free for 14 days