
The Complete EU AI Act Compliance Guide for High-Risk AI Systems (2026)

Better Societies — Updated 27 May 2026 — Enforcement deadline: 2 December 2027

The EU AI Act is the world's first comprehensive AI regulation. Companies building or deploying high-risk AI systems in the European Union must be fully compliant by 2 December 2027. Most haven't started. This guide explains what you need to do, in plain language.

This is not a legal document. It's a practical overview for founders, compliance officers, and product teams who need to understand what the regulation requires and where to begin. For authoritative legal advice on your specific situation, consult qualified EU law counsel.

Key date: 2 December 2027. High-risk AI systems must comply with the full obligations of the EU AI Act. Penalties for prohibited AI practices apply from 2 August 2026. General-purpose AI model rules apply from 2 August 2025.

What is the EU AI Act?

The EU AI Act (Regulation (EU) 2024/1689) entered into force on 1 August 2024. It establishes a risk-based framework for AI systems placed on the EU market or used within the EU. The regulation applies regardless of where your company is incorporated; if your AI system affects people in the EU, you're in scope.

The Act divides AI systems into four risk categories:

  • Unacceptable risk: prohibited outright (social scoring, real-time biometric surveillance in public spaces, manipulation through subliminal techniques).
  • High risk: permitted but subject to strict obligations before deployment (detailed documentation, human oversight, conformity assessment).
  • Limited risk: transparency obligations only (e.g., chatbots must disclose they are AI).
  • Minimal risk: no mandatory requirements.

The vast majority of compliance work is concentrated on high-risk systems. That's where this guide focuses.

Is your AI system high-risk?

High-risk AI systems are defined in Annex III of the regulation. A system is high-risk if it is used in any of the following areas:

  • AI screening job applicants or resumes, or making decisions about hiring, promotions, or terminations.
  • AI in credit scoring or loan decisions.
  • AI determining eligibility for public benefits or essential services.
  • AI used in education or vocational training, including AI tutoring systems or grading tools.
  • AI-based biometric identification systems.
  • AI in critical infrastructure: energy grids, water systems, transport networks.
  • AI in border control, asylum processing, or law enforcement.
  • AI used in the administration of justice or democratic processes.

If your AI system does any of these, you're in scope for the full obligations under the Act.

Note that the Act also covers safety components of regulated products (medical devices, vehicles, machinery). If your AI model is embedded in a regulated product as a safety-critical component, you may have additional obligations under sector-specific legislation.

Important: The Digital Omnibus political agreement (reached between European Parliament and Council negotiators in May 2026) extended the enforcement deadline for high-risk systems from August 2026 to 2 December 2027. This is a meaningful reprieve, but companies that haven't started should start now. The documentation required takes 6-12 weeks to produce correctly.

Fines and enforcement

The AI Act carries some of the highest fines in EU regulatory history:

Maximum fine by violation type:

  • Prohibited AI practices (unacceptable risk): €35M or 7% of global annual revenue, whichever is higher.
  • Non-compliance with high-risk obligations: €15M or 3% of global annual revenue, whichever is higher.
  • Incorrect or misleading information to authorities: €7.5M or 1.5% of global annual revenue, whichever is higher.

Fines reach 3% of global annual revenue or €15M, whichever is higher, for high-risk non-compliance; and up to 7% for the worst violations like prohibited AI practices.

How the fines are actually calculated: the cap is the larger of the two figures. If 3% of your global annual revenue exceeds €15M, the regulator can fine you up to that 3%; if it does not, the fine is capped at €15M.

Core obligations for high-risk AI systems

If your system is high-risk, you must fulfil the following obligations before placing it on the EU market. These are not optional, and they cannot be satisfied retroactively after an incident.

1. Risk management system (Article 9)

You must establish, implement, document, and maintain a risk management system for your AI system throughout its entire lifecycle. This isn't a one-time risk assessment; it's an ongoing process that identifies, evaluates, and mitigates risks to health, safety, and fundamental rights.

The risk management file must be updated when the system is substantially modified or when new risks are identified through post-market monitoring.

2. Technical documentation (Annex IV)

The technical documentation is the centrepiece of your compliance posture. It must be prepared before the system is placed on the market and kept up to date throughout the system's lifecycle. It must be available to national competent authorities on request.

Annex IV specifies the required content in detail. It includes:

  • A general description of the AI system, its intended purpose, and the category of users.
  • A description of the system's components, including training data, algorithms, and hardware requirements.
  • The system's design choices and trade-offs, including the reasoning behind them.
  • A description of changes made to the system through its lifecycle.
  • Validation and testing results, including key performance metrics and known or foreseeable misuse.
  • Post-market monitoring information.

Most companies underestimate the scope of this document. It is not a product specification. It is a regulator-facing file that must demonstrate that you have systematically identified and mitigated risks.

3. Data governance (Article 10)

Training, validation, and test datasets must meet quality criteria. You must be able to demonstrate that your data is relevant, representative, and free from errors and biases that could lead to discriminatory outcomes. Data governance practices must be documented.

This is often the hardest obligation for organisations to fulfil retrospectively. If you can't describe where your training data came from, how it was cleaned, and what quality checks were applied, you have a gap.

4. Human oversight (Article 14)

High-risk AI systems must be designed to allow effective human oversight. This means humans must be able to understand what the system is doing, intervene when needed, and override or shut down the system.

You must document what your human oversight mechanisms are, who is responsible for exercising them, and how they are trained. This isn't satisfied by having a "human in the loop" checkbox; the oversight must be meaningful and documented.

5. Accuracy, robustness, and cybersecurity (Article 15)

The system must achieve an appropriate level of accuracy throughout its lifecycle and must be resilient to errors, faults, and inconsistencies. You must document the accuracy metrics, how they were measured, and what baselines are acceptable.

The cybersecurity requirement is that the system be adversarially robust: you must be able to demonstrate that it is designed to prevent and detect adversarial manipulation, and document how that was verified.

6. Quality management system (Article 17)

Providers of high-risk AI systems must put in place a quality management system (QMS). This covers the whole development lifecycle: from initial design through testing, deployment, and post-market monitoring. The QMS must include policies, procedures, and responsibilities for AI governance.

7. Transparency and instructions for use (Article 13)

High-risk AI systems must be accompanied by instructions for use that include the system's capabilities and limitations, its intended purpose, the conditions under which it is expected to operate reliably, and relevant information for human oversight.

8. Conformity assessment (Article 43)

Before placing a high-risk AI system on the market, providers must undergo a conformity assessment. For most Annex III systems, this is a self-assessment (internal conformity assessment), meaning you assess yourself against the requirements and declare conformity via an EU Declaration of Conformity.

For biometric identification systems and AI used in critical infrastructure, third-party assessment by a notified body is required.

9. Registration in the EU database

Providers must register their high-risk AI systems in the EU public database managed by the EU AI Office before placing the system on the market. The registration process requires completing a standardised form with information about the system.

The documentation you need to produce

Across all the obligations above, the core deliverables are:

Document (primary obligation): who it's for

  • Technical File (Annex IV; Articles 11-12): regulators, notified bodies.
  • Risk Management File (Article 9): internal + regulators.
  • Data Governance Documentation (Article 10): internal + regulators.
  • Human Oversight Policy (Article 14): internal teams.
  • Quality Management System (Article 17): internal + regulators.
  • Instructions for Use (Article 13): deployers + end users.
  • Post-Market Monitoring Plan (Article 72): internal + regulators.
  • Incident Reporting Procedure (Article 73): internal + EU AI Office.
  • EU Declaration of Conformity (Article 47): public + regulators.

Provider vs. deployer obligations

The AI Act distinguishes between providers (companies that develop and place AI systems on the market) and deployers (companies that use AI systems in their own operations).

If you built the AI model and make it available to others, you're a provider. If you're using a third-party model in your own product or operations, you're primarily a deployer, but if you substantially modify the system you may take on provider obligations.

Deployers have their own obligations under the Act, including conducting a fundamental rights impact assessment for certain high-risk systems, implementing human oversight measures, and logging system operations. These are lighter than provider obligations but still require documentation and process.

General-purpose AI models (GPAI)

The AI Act introduced specific obligations for general-purpose AI models (like large language models) under Article 51. These apply from 2 August 2025.

Providers of GPAI models must:

  • Prepare and maintain technical documentation about the model.
  • Provide information to downstream providers who integrate the model.
  • Comply with EU copyright law on training data.
  • Publish a sufficiently detailed summary of training data used.

Models with systemic risk (estimated training compute above 10^25 FLOPs, or designated by the Commission) face additional obligations including adversarial testing (red-teaming) and incident reporting to the EU AI Office.

Timeline and what to do now

Here is the enforcement timeline as of 2026:

Date: what takes effect

  • 1 August 2024: AI Act enters into force.
  • 2 February 2025: prohibited AI practices enforceable.
  • 2 August 2025: GPAI model obligations apply.
  • 2 August 2026: EU AI Office operational; codes of practice finalised.
  • 2 December 2027: full high-risk obligations enforceable (extended via Digital Omnibus).

Companies with high-risk AI systems should take the following steps now:

  1. Conduct an AI inventory to identify which of your systems are high-risk under Annex III.
  2. Assign ownership for compliance within your organisation (who is responsible for each obligation).
  3. Assess your data governance maturity: can you describe your training data provenance?
  4. Map your current documentation against the Annex IV requirements to identify gaps.
  5. Begin producing your Technical File. This is the longest-lead document and the centrepiece of your compliance posture.
  6. Prepare your risk management file in parallel.
  7. Establish your human oversight framework and document who is responsible.
  8. Engage with the EU AI Office's codes of practice relevant to your sector.

Why most companies are behind

The AI Act requires documentation that most software companies are not set up to produce. It demands a different kind of rigour: not just "does the product work?" but "can you demonstrate to a regulator that you identified all foreseeable risks, and mitigated them systematically?"

Most companies in scope have produced none of the required documentation. The Big Four consulting firms (Deloitte, EY, KPMG, PwC) typically charge €250,000 to €1 million or more for AI Act compliance work, billed over 18-24 months. That creates a gap for the majority of companies who need compliant documentation but can't absorb that budget or timeline.

How Better Societies helps

Better Societies delivers done-for-you EU AI Act compliance documentation for companies building high-risk AI systems. We produce the full set of Annex IV technical documentation, risk management files, human oversight policies, QMS frameworks, and conformity assessment materials in a 6-week engagement.

Our documentation is produced by AI safety specialists with direct experience in the regulatory frameworks that inform the AI Act, including ISO/IEC 42001, EU GDPR, and sector-specific standards for high-risk domains.

12-month audit defense included. If a regulator or notified body requests revisions to documentation we produced within 12 months of delivery, we revise it at no additional cost.


Download this guide as PDF: Email info@bettersocieties.world with the subject "EU AI Act Guide PDF" and we'll send you the formatted version.
