EU AI Act Readiness

Start here, because everything else depends on it. The Act can apply even if your company sits entirely outside the EU. If your system is placed on the EU market, or its output is used in the EU, the rules can reach you — much the way GDPR does. A US team serving European users is rarely out of scope by default.

Identify your role. Your obligations differ depending on what you are in the chain for a given system. Most teams hold more than one role across their products:

• Provider — you develop the system, or have it developed, and put it on the market under your name. This role carries the heaviest obligations.
• Deployer — you use an AI system in the course of your business (for example, an off-the-shelf model embedded in your workflow).
• Importer / distributor — you bring a third-party system into the EU market or make it available.

This is the step most teams skip, and the one every other obligation flows from. The Act sorts systems into four tiers. Classification is a reasoned, documented judgement — not a label you pick by vibe.

• Prohibited — uses the Act bans outright (for example, certain social-scoring and manipulative techniques). If anything you build sits here, it needs to change before launch, not after.
• High-risk — systems used in sensitive areas such as recruitment, credit scoring, biometrics, education, or critical infrastructure. These attract the bulk of the substantive requirements.
• Limited-risk — systems with transparency duties, such as telling users they’re interacting with AI or labelling generated content.
• Minimal-risk — most other systems, with light or no specific obligations today.

The Act phases in rather than landing all at once, so "when do we need to be ready" has a different answer for each obligation. Prohibited-use rules and AI-literacy duties already apply. Requirements for general-purpose AI and the bulk of high-risk obligations arrive through 2026.

The practical task is to take each system from step 02 and attach the dates that actually bind it. A minimal-risk feature and a high-risk hiring tool are on completely different clocks, and planning runway around a single “deadline” is how teams get caught short.

With roles, tiers, and timelines in hand, compare where your product, processes, and documentation are today against what the applicable tier requires. Gaps usually cluster in three places:

• Product — data governance, human oversight, accuracy and robustness measures, logging.
• Process — risk management, post-market monitoring, incident handling, the way decisions get reviewed.
• Documentation — technical documentation, instructions for use, conformity records, and the evidence that ties it all together.

The output is a concrete list of what’s missing, not a general sense that “we should do more on AI governance.”

A gap list isn’t a plan until it’s sequenced. Order the work so the items with deadline or enforcement risk come first, and group the rest into what’s achievable before each phase-in date. Plain-language and prioritised beats exhaustive — a roadmap nobody can act on protects nobody.

Turn it into a report you can hand over. The final artefact is a written report: your systems, their classifications and the reasoning, the gaps, and the sequenced plan to close them. That’s the document your board, your investors, and the enterprise customers running diligence on you will actually ask to see — and the one that turns “we take compliance seriously” into something demonstrable.