The European Union’s AI Act has already entered into force and set obligations for companies operating in the region [1]. The May 2026 Digital Omnibus introduced new updates since the regulation took effect, resetting key deadlines and adding extra restrictions [2]. For business leaders integrating AI into their workflows, understanding their current obligations is the first step toward regulatory compliance.
What does the regulation require from your organization, and how can you prepare for an EU AI Act compliance review? N-iX AI experts have analyzed the latest updates and developed practical guidance for companies building and deploying AI systems. Drawing on our experience delivering trustworthy AI, we created this guide to help you understand the requirements and plan your next steps.
EU AI Act compliance requirements summary
The EU AI Act is the world's first comprehensive AI law, and it applies beyond European borders. Here is what business leaders need to know:
- The EU AI Act applies to any company whose AI systems are placed on the EU market or used in the EU, regardless of where the company is based.
- The law is risk-based: the higher the potential for harm, the stricter the obligations.
- The May 2026 Digital Omnibus extended key deadlines but left the core framework intact.
- Transparency duties for chatbots, deepfakes, and AI-generated content apply from August 2026.
- Penalties reach up to €35M or 7% of global annual turnover for the most serious breaches.
- To prepare for EU AI Act compliance, businesses need to inventory their AI systems, classify them by risk tier, address compliance gaps, and establish ongoing monitoring.
The compliance timeline and what changed on May 7, 2026
The EU AI Act compliance requirements in 2026 are scheduled in phases, with each wave of obligations applying to different systems and roles. There are also two annexes that define which systems are subject to the strictest rules. Annex I covers AI built into regulated products such as medical devices, machinery, and vehicles. Annex III lists sensitive standalone use-case areas such as biometrics, employment, and law enforcement. Here is where each obligation stands today [1, 3].
| Date | What applies | Status |
|---|---|---|
| August 1, 2024 | AI Act enters into force | In effect |
| February 2, 2025 | Prohibited practices banned; AI literacy duties apply | In effect |
| August 2, 2025 | General-purpose AI (GPAI) model obligations | In effect |
| August 2, 2026 | Transparency duties (Article 50); AI Office enforcement begins | Upcoming |
| August 2, 2027 | Deadline for GPAI models already on the market before August 2025 | Upcoming |
| December 2, 2027 | Standalone high-risk systems (Annex III); moved back from 2 August 2026 | Revised |
| August 2, 2028 | High-risk AI in regulated products (Annex I); moved back from 2 August 2027 | Revised |
On May 7, 2026, the European Parliament, the Council of the EU, and the European Commission reached a provisional political agreement on the Digital Omnibus on AI [2]. This was the first set of amendments to the regulation since its adoption. Four changes matter most for business planning:
- The timeline changed significantly. High-risk deadlines were extended to allow companies and standards bodies to establish necessary infrastructure.
- A new prohibition was introduced: AI systems that generate non-consensual intimate imagery are now banned, in addition to the original prohibited practices.
- Lighter requirements for smaller companies were added, including reduced technical documentation requirements and broader access to regulatory sandboxes for real-world testing.
- Scope overlap was addressed. The Commission may now limit the scope of the AI Act where existing sectoral law already sets equivalent AI-specific requirements. This update reduces duplication for companies in regulated industries.
This agreement remains provisional until August 2026, when it's expected to be formally adopted [2]. The core risk-based framework remains unchanged, so current preparations will remain valid once finalized.
If you need assistance navigating these requirements and identifying deadlines for your AI systems, N-iX cybersecurity experts can help. We will conduct a thorough evaluation and develop an actionable compliance plan with clear ownership to help you implement the right changes.
Understanding the four key risk tiers of AI systems
The starting point for the AI Act compliance process is evaluating each system by risk level. This approach determines which obligations apply, which obligations the regulation exempts, and what the penalty exposure looks like. The Commission has since published EU AI Act compliance guidelines to help companies draw that line accurately, most recently with draft guidance on Article 6 in May 2026 [4].
1. Unacceptable risk: Banned outright
These systems are prohibited entirely and have been since February 2025. The list covers social scoring by public or private entities, manipulation that exploits psychological vulnerabilities, untargeted scraping of facial images from the internet, and emotion recognition in workplaces and educational settings. It also includes biometric categorization that infers sensitive characteristics, predictive policing of individuals based solely on profiling, and real-time remote biometric identification in public spaces by law enforcement, with narrow exceptions. The May 2026 update added AI nudification systems to this list.
Most commercial AI systems do not fall into this tier, but companies building employee-monitoring tools, HR-scoring systems, or customer-profiling engines should review it carefully. Breaching these prohibitions carries the highest penalty tier: up to €35M or 7% of global annual turnover [3].
2. High risk: Strict requirements, extended deadlines
High-risk systems are divided into two groups. The first covers AI built into safety-regulated products, such as medical devices, machinery, and vehicles (Annex I). The second covers standalone systems deployed in sensitive domains: biometrics, critical infrastructure, education, employment, access to essential services, law enforcement, migration and border control, and the administration of justice (Annex III). A practical rule: if a system influences a consequential decision about a person's health, livelihood, or access to services, it is likely to fall into the high-risk tier.
For these systems, the regulation requires documented risk management, data governance practices, technical documentation, automated logging, transparency to users, human oversight mechanisms, accuracy and robustness testing, and an assessment prior to deployment. Non-compliance carries fines up to €15M or 3% of global turnover [3].
3. Limited risk: Transparency duties apply
This tier covers systems in which the main concern is that users may not realize they are interacting with AI. Most businesses using generative AI in customer-facing products or marketing workflows will find at least some of their systems here: chatbots, virtual assistants, tools for generating or manipulating text and images, and deepfake generators. The obligations focus on disclosure: telling users they are interacting with AI, labeling synthetic content, and flagging deepfakes.
4. Minimal risk: No new obligations
The majority of AI systems used in businesses daily belong to this category: recommendation engines, spam filters, AI-assisted scheduling, and most AI features in productivity tools. These systems carry no new obligations, though documenting that classification is still good practice.
5. General-purpose AI (GPAI) models: A cross-cutting category
GPAI models, including large language models deployed across multiple contexts, are governed separately. This tier is relevant to any company that develops or fine-tunes a foundation model, not only those building on top of existing ones. Since August 2025, most GPAI providers have had to meet requirements for transparency, technical documentation, copyright compliance, and energy use reporting. Providers of models assessed as posing systemic risk face additional requirements, including adversarial testing and incident reporting to the AI Office.

Article 50 explained: AI transparency duties arriving in August 2026
Transparency duties are often the first real EU AI Act compliance obligation most companies face. They apply to any organization that deploys chatbots or publishes AI-generated content, which means the August 2026 deadline is relevant to nearly every business using generative AI. On May 8, 2026, the European Commission published draft guidelines on the Article 50 transparency duties [5]. They cover four key obligations:
- Users must be informed when they are interacting with an AI system, such as a chatbot or virtual assistant.
- Providers must embed machine-readable markings in AI-generated or AI-manipulated content.
- Deployers must tell people when they are subject to emotion recognition or biometric categorization.
- Deployers must label deepfakes, and AI-generated text that is published on matters of public interest.
One detail that often surprises teams is that the deepfake labeling rule applies regardless of intent. Even content created with satirical or creative purposes must be labeled if it falls under the scope. The AI Office and the Commission are finalizing a Code of Practice on AI content marking, which includes a proposed common EU "AI" label as a practical compliance route. Breaches of these duties can lead to the same penalties as high-risk violations: up to €15M or 3% of global annual turnover [3].
How to prepare for EU AI Act compliance: An 8-step roadmap
An effective EU AI Act compliance process does not require addressing every issue immediately. At N-iX, we use the APEX framework (Assess, Pilot, Expand, eXcel), which ensures AI governance is measured against actual systems and infrastructure before scaling. This framework helps businesses comply with the EU AI Act by evaluating compliance gaps, validating controls on live systems, expanding governance across the portfolio, and embedding compliance as an ongoing engineering discipline.
The steps below reflect that same logic: start with what is already required, build on a documented foundation, and govern AI as an ongoing practice. Our engineers recommend following this roadmap for compliance:
Step 1: Build AI literacy
AI literacy is a live obligation under Article 4 of the regulation. According to it, providers and deployers must ensure that staff working with AI systems have a proper understanding of what those systems do, what risks they carry, and how to use them responsibly. This applies to all teams across organizations, but staff training should be role-specific. Engineers need to understand model behavior and failure modes; legal and procurement teams need to identify when a system triggers obligations; product managers need to recognize when a feature change affects risk classification.
Step 2: Appoint an owner with real authority
Compliance without a named owner tends to be delayed. Assign a lead with budget, authority, and a clear mandate that covers both technical and governance decisions. In many organizations, the data security officer is well-placed for this role, given the overlap with GDPR obligations regarding automated decision-making and data governance. The owner should be able to prioritize technical compliance work in the engineering backlog, engage legal teams, and control supplier requirements.
Step 3: Inventory every AI system in use
The EU AI Act compliance obligations apply to providers, deployers, importers, distributors, and product manufacturers, so your obligations are shaped by the role your organization plays in each system. Map every AI solution in use: vendor tools, SaaS products with embedded AI, or any shadow AI adopted informally across teams. For each system, record what it does, who operates it, what data it processes, and which business function it serves. This inventory is the foundation for every step that follows.
Step 4: Classify each system by risk tier
Apply the Article 6 guidance and the Commission's draft classification guidelines [4] to each system in your inventory. For systems that touch Annex III domains, assess whether they actually impact a decision or only support one, since the Article 6(3) filter can move a system out of the high-risk tier. Document the reasoning behind every classification. This is typically the first thing a national market surveillance authority will examine, and the reasoning needs to be traceable.
Step 5: Run a gap analysis for high-risk systems
For any system classified as high-risk, compare current practices against the full set of EU AI Act compliance requirements [3]. These include risk management, data governance, technical documentation, automated logging, user transparency, human oversight design, accuracy and robustness testing, cybersecurity measures, and a quality management system. The gap analysis tells you where engineering work is needed before the December 2027 deadline.
Step 6: Extend obligations into supplier contracts
AI Act obligations extend beyond your organization. Providers that supply AI components have their own duties, but deployers remain responsible for the systems they use, even when those systems come from vendors. Update procurement processes and supplier contracts to require risk-tier classification, technical documentation, and incident notification for each AI system. For high-risk systems, clearly define responsibility for conformity assessment and post-market monitoring.
Step 7: Set up ongoing monitoring
Compliance does not end at deployment. The regulation requires ongoing oversight of AI systems across all risk tiers. For high-risk systems, this means active post-market monitoring of performance, accuracy, and potential discriminatory outcomes, with serious incidents reported to national market surveillance authorities. For limited-risk systems, it means reviewing whether disclosure mechanisms remain accurate as the system evolves. For any system, it means tracking changes in use, context, or underlying data that could shift the original risk classification. The action items at this stage are to assign a named owner for monitoring, establish a review cadence, and document findings.
Step 8: Anchor your systems to trustworthy AI principles
The regulation's stated goal is to foster trustworthy AI, and it defines seven principles that support that goal [1]. Building these principles into engineering workflows from the start is the most practical way to meet that standard. These principles are: human oversight, technical robustness, privacy, transparency, fairness, accountability, and societal and environmental well-being. Compliance documentation that reflects these principles is also easier to explain to customers, partners, and regulators.
Our experts note that for SMEs and startups, penalties are calculated as the lower of the fixed euro amount or the turnover percentage [3]. The Omnibus also introduced lighter documentation requirements for smaller firms. These accommodations exist within the broader EU AI Act regulatory compliance framework, but they do not change the obligation to classify, disclose, or govern systems appropriately.

Why choose N-iX as your AI Act partner
Compliance with the EU AI Act is also a trust signal. Customers and partners want confidence that your AI is governed responsibly. Clear documentation, auditable decisions, and transparent AI features are becoming competitive differentiators. N-iX brings the engineering proficiency and regulatory knowledge to help you build that confidence from the ground up.
N-iX is a global technology partner for Pragmatic AI Software Engineering, with over 2,400 experts and 23 years of software, cloud, data, and security delivery. Our approach starts by measuring what AI actually delivers to your codebase and infrastructure before scaling. For AI Act compliance, this means every system we help you govern is assessed against real production conditions. Here is what working with N-iX on EU AI Act compliance looks like in practice:
- APEX framework. Our structured four-stage methodology, APEX, gives your compliance process a clear sequence, from auditing systems and sizing gaps to rolling out governance across your full portfolio and maintaining it as regulations evolve.
- AI system inventory and classification. We map every AI system across your portfolio, including vendor tools and embedded AI, and classify each one using the Commission's Article 6 criteria. Every classification decision is documented and auditable.
- Technical documentation and support. Our engineers work on the technical documentation, risk management records, and logging architecture required by high-risk systems, built to the standards regulators will examine.
- Transparency engineering. We implement watermarking, content labeling, and AI-disclosure features directly into your products, so your August 2026 obligations are met at the engineering level.
- Governance by design. We embed compliance controls into your development lifecycle, making your AI governance durable and maintainable as regulations evolve.
- Compliance certifications. N-iX adheres to ISO 9001, ISO 27001, PCI DSS, and GDPR, giving you confidence that our delivery processes meet regulatory requirements.
- Cross-industry experience. Our teams have delivered AI and data engineering projects across fintech, healthcare, logistics, manufacturing, and telecom sectors where AI Act obligations intersect with existing regulatory requirements.
Ready to start? Use this EU AI Act compliance guide as your baseline, and contact us to start your AI assessment.
Frequently Asked Questions
What is the EU AI Act?
The EU AI Act is the world's first comprehensive legal framework on Artificial Intelligence, which came into force in August 2024. It applies a risk-based approach: the higher the potential for harm, the stricter the obligations. Requirements vary by risk tier. For high-risk systems, obligations include risk management, data governance, technical documentation, logging, transparency, human oversight, accuracy testing, and conformity assessment. Prohibited systems must be withdrawn. Limited-risk systems require disclosure. Most other systems face no new obligations.
Who needs to comply with the EU AI Act?
Any organization that places an AI system on the EU market or whose AI output is used in the EU must adhere to EU AI Act compliance obligations, regardless of its headquarters location. The regulation applies to providers, deployers, importers, distributors, and product manufacturers along the AI value chain.
What changed in the May 2026 Digital Omnibus?
The Omnibus extended the high-risk deadlines, added a ban on AI nudification applications, introduced lighter requirements for SMEs, and clarified how the AI Act interacts with sectoral product-safety law. The core risk-based framework was not changed. Formal adoption is expected before August 2026.
When do the main deadlines apply?
Prohibited practices, AI literacy duties, and GPAI obligations are now in effect. Transparency duties under Article 50 begin in August 2026. High-risk standalone systems (Annex III) must comply by December 2027. High-risk AI embedded in regulated products (Annex I) must comply by August 2028.
What are the penalties for non-compliance?
The regulation uses three penalty tiers. Breaching a prohibition can result in fines of up to €35M or 7% of global turnover. Violating high-risk or transparency requirements carries a penalty of up to €15M or 3% of global turnover. Supplying incorrect information to authorities can reach €7.5M or 1% of global turnover. For SMEs, fines are calculated as the lower of the fixed amount or the turnover percentage.
What is prohibited under the EU AI Act?
The regulation bans eight categories of AI outright. These cover systems that manipulate people through psychological vulnerabilities; exploit the vulnerabilities of specific groups such as children or people with disabilities; enable social scoring by public or private entities; perform untargeted scraping of facial images; recognize emotions in workplaces and educational settings; categorize individuals biometrically to infer sensitive characteristics; predict criminal behavior of individuals through profiling; and carry out real-time remote biometric identification in public spaces by law enforcement. The May 2026 Digital Omnibus added a ninth prohibition: AI systems that generate non-consensual intimate imagery.
References
- [1] European Commission – AI Act. Shaping Europe's digital future (2026)
- [2] Council of the European Union – Artificial intelligence: Council and Parliament agree to simplify and streamline rules (Press release, May 7, 2026)
- [3] European Parliament and Council of the European Union – Regulation (EU) 2024/1689 of the European Parliament and of the Council laying down harmonized rules on artificial intelligence (2024)
- [4] European Commission – Draft Commission guidelines on the classification of high-risk AI systems under Article 6 of the AI Act (2026)
- [5] European Commission – Draft guidelines on the implementation of the transparency obligations for certain AI systems under Article 50 of the AI Act (2026)