
# No confusion: this is what you should do before August 2 to comply with Europe's AI regulations
The EU AI Act entered into force on August 1, 2024. Its first hard deadline falls on August 2, 2025, when the prohibited practices provisions become enforceable. A second cluster of requirements follows roughly a year later, applying to high-risk AI systems. Most organisations deploying AI in Europe are somewhere between "we know the regulation exists" and "we have a plan", which means the gap between current state and required state is real for most businesses.
## What August 2 actually requires
The August 2, 2025 deadline covers two things. The prohibited practices provisions of the AI Act become enforceable, meaning that any AI system falling into Article 5's list of banned applications must be discontinued. This list includes social scoring systems operated by public authorities, real-time remote biometric identification in public spaces (with narrow law enforcement exceptions), AI that exploits psychological vulnerabilities to distort behaviour, and subliminal manipulation techniques. Separately, the AI literacy requirement under Article 4 also applies from this date. Every organisation deploying or developing AI systems in the EU must ensure that staff who work with those systems have a sufficient level of AI knowledge to do so competently.
These two requirements arrive together but have very different operational profiles. Prohibited practices compliance is a binary decision: a system either falls into Article 5 or it does not. If it does, it stops. AI literacy is continuous: it requires organisations to define what "sufficient" means for their context, deliver training, and keep records of who was trained and when. Neither of these requires the full technical documentation apparatus that applies to high-risk systems, but both require that you know what you are running.
## The inventory: the work that precedes every other step
Every EU AI Act compliance program starts with the same thing: an inventory of AI systems. You cannot classify what you have not identified, and you cannot document, monitor, or discontinue what you do not know exists. The inventory requirement is not stated as a single article in the regulation, but it is the implied precondition of nearly every obligation that follows.
A functional AI inventory records each system's name and vendor, its intended purpose, the data it processes, the business function it supports, and the population of people affected by its outputs. Practically speaking, this means interviewing across HR, finance, customer service, legal, and operations, because AI tools accumulate at the edge of organisations without central procurement visibility. A company that relies only on its IT asset register will miss the tools that arrived via departmental SaaS subscriptions.
A 2025 McKinsey report on the state of AI found that 78 percent of respondents reported their organisations were using AI in at least one business function, up from 72 percent the previous year. The distribution is wide: AI tools appear in HR analytics, customer interaction, credit assessment, and content generation. Each of these may or may not carry high-risk classification depending on how the system is used, by whom, and in what context.
## How classification works in practice
Once you have an inventory, each system needs a risk classification. The AI Act creates four tiers: unacceptable risk (prohibited), high risk (heavily regulated), limited risk (transparency obligations only), and minimal risk (no specific obligations).
The high-risk classification is where most of the compliance weight sits. Article 6 and Annex III define high-risk by sector and function. AI systems used in employment and worker management, including CV screening, performance evaluation, and task allocation, are high-risk. Systems used in education to assess students or determine access to educational institutions are high-risk. AI systems used in credit scoring, insurance pricing, and financial services risk assessment are high-risk. Systems used in healthcare for clinical decision support are high-risk. Biometric categorisation and emotion recognition systems used in the workplace are high-risk.
The sector obligations matter here. If, for example, your organisation uses an AI tool for recruitment shortlisting, it is high-risk under the Act regardless of how the vendor describes it. The same logic applies to a bank running automated credit decisions or a hospital using an AI diagnostic support tool. Classification follows function and sector, not vendor labelling.
For limited-risk systems, the main requirement is transparency. Chatbots and AI-generated content must be disclosed as such. The EU AI Act's transparency rules require that users are informed they are interacting with an AI system, and that AI-generated content is labelled accordingly. For generative AI providers specifically, the Act requires watermarking of synthetic media and disclosure of the content's AI origin.
## Governance before documentation
Most compliance programs reach for documentation templates first. The more durable move is to build governance infrastructure: the people, process, and accountability structures that make documentation a byproduct of how decisions are made, rather than a retrospective filing exercise.
A governance framework for AI Act compliance requires at minimum a designated accountability owner, a process for reviewing new AI deployments against the classification criteria, a vendor due diligence protocol, and a mechanism for reporting serious incidents. Under the Act, providers and deployers of high-risk AI systems must report serious incidents to national market surveillance authorities, with timeframes that require pre-existing processes rather than ad hoc responses.
Vendor due diligence deserves particular attention. Organisations deploying third-party AI tools bear deployer obligations under the Act even when they did not build the underlying model. This means reviewing vendor contracts to confirm that technical documentation, conformity assessments, and CE marking requirements are in place for high-risk systems. If a vendor cannot produce conformity documentation for a high-risk system, the deploying organisation carries compliance exposure it cannot offload.
## The high-risk requirements: what comes after August 2025
The full set of high-risk obligations, including technical documentation requirements, conformity assessment, CE marking, and registration in the EU database, applies to new high-risk AI systems from August 2026, with a longer transition for certain existing systems. This does not mean high-risk compliance preparation can wait until 2026. Technical documentation for high-risk systems requires a complex procedure involving a risk management system, data governance records, detailed system specifications, human oversight mechanisms, accuracy and robustness testing results, and post-market monitoring plans. Building this from scratch in the months before a deadline is hard and time-consuming. The work needs to start now and proceed incrementally as part of a long-term governance program.
The AI Act's human oversight requirement for high-risk systems is specific. Article 14 requires that high-risk AI systems be designed to allow human oversight by natural persons during deployment, with the capacity to intervene, override, or stop the system. Organisations need to document not just that oversight is possible but that it is operationally embedded.
The conformity assessment pathway depends on the system type. For most high-risk AI systems, providers can conduct internal conformity assessments. For biometric identification systems and certain other categories, third-party notified body assessment is required. The CE marking requirement follows successful conformity assessment and must appear on the system before it enters the EU market.
## Data protection and the AI Act
The GDPR continues to apply as usual while your organisation works through AI Act compliance. Where AI systems process personal data, which is most high-risk deployments, a Data Protection Impact Assessment is required under GDPR alongside the technical documentation required by the Act. The EDPB and EDPS have both issued guidance noting that AI Act compliance does not replace GDPR compliance, and that the two frameworks interact directly on questions of purpose limitation, data minimisation, and the use of personal data in training datasets.
Building AI documentation in a way that satisfies both frameworks simultaneously, rather than sequentially, is the more efficient path. The risk management documentation required by the AI Act and the DPIA required by GDPR cover substantial overlapping ground on data processing risks.
## What this means for SMEs in particular
The Act includes specific provisions for small and medium enterprises, including reduced fees for conformity assessments and access to regulatory sandboxes at the national level. The Stanford AI Index 2025 documents that AI adoption among smaller firms has accelerated sharply, which means the compliance surface for SMEs is wider than it might have been had the Act been adopted three years earlier. Regulatory sandboxes allow SMEs to develop and test high-risk AI systems under national authority supervision before full market deployment, with the compliance learning that entails.
## What to do
The sequence for an organisation starting now: build the inventory, classify each system against the Act's risk tiers, discontinue any prohibited practices, deliver AI literacy training with documented records, establish governance accountability, begin vendor due diligence on third-party tools, and identify which systems will require high-risk documentation before their applicable deadline. This is not a one-time exercise. The Act builds in post-market monitoring obligations and incident reporting requirements that make compliance an ongoing operational function rather than a project with a close date.
Companies that began this sequence in early 2025 are likely to have documentation, governance, and vendor alignment in place when enforcement begins in earnest. Companies that begin in the weeks before a deadline will still have to file in time, and will also have to think about building a system that keeps running over the long term.