How-To Guide

How to Prepare for the EU AI Act in 2026

Step-by-step 2026 guide to EU AI Act compliance: classify your AI systems, document obligations, build governance, and meet the August 2026 deadlines.

By Ramanath, CTO & Co-Founder at Presenc AI · Last updated: May 15, 2026

What this is

The EU AI Act phases in through 2026 and 2027, with general-purpose AI (GPAI) provisions live since August 2025, prohibited-practice provisions since February 2025, and high-risk system provisions starting August 2026. This guide walks through what your company needs to do this year. It is informational, not legal advice; engage counsel for material decisions.

Step 1: Determine If the Act Applies to You

The Act applies if you:

  • Place an AI system on the EU market (regardless of where you are based).
  • Put an AI system into service in the EU.
  • Use AI outputs that affect persons in the EU (even if the system is hosted elsewhere).
  • Are a deployer of an AI system in the EU.

If any of these apply, you are in scope. Many US and UK brands underestimate their scope because they sell to EU customers without realising they are "placing on the EU market".

Step 2: Classify Your AI Systems

| Category | Examples | Treatment |
|---|---|---|
| Prohibited | Social scoring; manipulative AI exploiting vulnerabilities; real-time biometric ID in public (with narrow exceptions) | Banned (since Feb 2, 2025) |
| High-risk | AI in hiring, credit scoring, education access, critical infrastructure, law enforcement, employment management, essential services access | Heavy obligations from Aug 2, 2026 |
| Limited risk | Chatbots, deepfakes, emotion-recognition (some) | Transparency obligations |
| Minimal risk | Spam filters, video games, most consumer AI | Voluntary codes of conduct |
| General-purpose AI (GPAI) | Foundation models like GPT-5, Claude, Gemini | Provider obligations (already in force) |

Most companies have a mix. The biggest compliance burden falls on high-risk systems and on GPAI providers.

Step 3: For High-Risk Systems, Build the Documentation

High-risk AI systems require:

  1. Risk management system covering the AI lifecycle.
  2. Data governance documenting training, validation, and testing data.
  3. Technical documentation detailing system design, performance, and limitations.
  4. Logging: automatic event logging during operation.
  5. Transparency and user information that deployers can understand and use.
  6. Human oversight design supporting effective human review.
  7. Accuracy, robustness, and cybersecurity appropriate to the risk.
  8. Quality management system for the provider.
  9. Conformity assessment before placing on the market.
  10. Registration in the EU database for high-risk systems.

Start with a gap analysis against this list. Most companies have parts in place but no consolidated documentation.

Step 4: For Limited-Risk Systems, Build the Transparency Layer

  • Chatbots disclosed as AI to users at the start of interaction.
  • AI-generated images / audio / video labelled where required.
  • Emotion-recognition or biometric categorisation disclosed.
  • Deepfakes labelled in line with the Act's transparency requirements.

Step 5: For GPAI Providers, Meet the Provider Obligations

  • Maintain technical documentation describing the model and training process.
  • Provide information to downstream providers integrating the model.
  • Have policies for copyright compliance.
  • Publish a sufficiently detailed summary of training data.
  • For "systemic risk" models (above a compute threshold): additional risk assessment, red-teaming, incident reporting, and cybersecurity.

Step 6: Governance and Process

  1. Designate a named AI governance owner (often the CTO, CISO, or Chief AI Officer).
  2. Run quarterly AI inventory reviews.
  3. Assign each in-scope system to a risk category and owner.
  4. Stand up an internal AI Act committee with Legal, Engineering, Product, and Security.
  5. Train staff who develop or deploy AI on the Act's basic requirements.

Step 7: Vendor Management

If you rely on third-party AI (LLM APIs, AI SaaS, GPAI models), update procurement to require:

  • The provider's AI Act compliance posture.
  • The provider's technical documentation under NDA.
  • Allocation of responsibility in the contract (provider vs deployer vs distributor).
  • Incident notification obligations from the provider.
  • Right to audit or access compliance documentation.

Step 8: Plan for the Timeline

| Date | Provision |
|---|---|
| Feb 2, 2025 (in force) | Prohibited practices; AI literacy obligations for employees |
| Aug 2, 2025 (in force) | GPAI provider obligations; penalties for non-compliance |
| Aug 2, 2026 | Most provisions apply to high-risk systems and limited-risk transparency |
| Aug 2, 2027 | Specific high-risk obligations for products covered by Annex I (medical devices, machinery, toys, etc.) |

Common Mistakes

  1. Assuming you are out of scope because you are based outside the EU.
  2. Classifying high-risk systems as limited-risk to avoid the heavier obligations.
  3. Treating GPAI provider obligations as the model vendor's problem only — deployers still have obligations.
  4. No designated governance owner.
  5. Vendor contracts that don't allocate AI Act responsibility.
  6. Missing the staff AI literacy obligation (already in force since Feb 2025).

Frequently Asked Questions

Different provisions phase in on different dates. Prohibited practices and AI literacy obligations went live on February 2, 2025. GPAI provider obligations went live on August 2, 2025. The bulk of the high-risk system provisions apply from August 2, 2026. Some Annex I product categories follow on August 2, 2027.

Yes, if you place AI systems on the EU market, put them into service in the EU, or your AI outputs affect persons in the EU. Many US, UK, and APAC brands are in scope because they sell to EU customers; the location of the company headquarters doesn't determine scope.

AI in hiring, credit scoring, education access, critical infrastructure, law enforcement, employment management, essential services, biometric identification (some), and certain product-safety components. Annex III of the Act has the full list. Most consumer AI products (chatbots, content tools, basic recommendations) are limited or minimal risk.

Up to €35M or 7% of global turnover for prohibited-practice violations; up to €15M or 3% of global turnover for high-risk system non-compliance; up to €7.5M or 1.5% for incorrect, incomplete, or misleading information. Penalties scale with company size and severity.
