EU AI Act Compliance Guide

EU AI Act Compliance Documentation: What Your Organisation Needs in 2025–2026

The EU AI Act is now in force. Most organisations using AI tools — from ChatGPT to automated CV screening — need compliance documentation in place before August 2026. This guide explains exactly what documents you need and why.

Key deadline: 2 August 2026. High-risk AI system obligations become fully enforceable. Fines of up to €15 million or 3% of global turnover apply.

What Is the EU AI Act?

Regulation (EU) 2024/1689 — the EU AI Act — is the world's first comprehensive legal framework for artificial intelligence. It entered into force on 1 August 2024 and is being phased in through to 2027. It applies to any organisation that develops, deploys, or uses AI systems in the European Union — regardless of company size or where the organisation is based.

The Act takes a risk-based approach. AI systems are classified into four tiers — unacceptable risk (prohibited), high risk, limited risk, and minimal risk — and your compliance obligations depend on where your AI systems sit in that framework.

Key Compliance Deadlines

DateWhat Applies
2 February 2025 Prohibited AI practices banned. AI literacy obligations begin. All organisations using AI must ensure staff are appropriately trained. Now in effect
2 August 2025 Governance rules and obligations for General Purpose AI (GPAI) model providers take effect. Now in effect
2 August 2026 Main deadline. Full obligations for high-risk AI systems (Annex III) become enforceable — including HR tools, credit assessment, and customer-facing AI. Technical documentation, risk management, human oversight, and transparency requirements all apply.
2 August 2027 Extended deadline for high-risk AI embedded in regulated products (medical devices, vehicles, machinery).

Does the EU AI Act Apply to My Organisation?

Almost certainly yes, if your organisation uses any AI tools in your operations. The Act applies to deployers — organisations that use AI systems — not just developers and vendors. Company size does not exempt you, though SMEs benefit from simplified procedures and proportionate fees.

Common use cases that trigger obligations include:

According to a late 2025 survey cited by JAIKIN, fewer than 30% of European SMEs have begun steps toward EU AI Act compliance. The majority still believe the regulation only affects large technology companies — a significant misconception.

What Compliance Documents Do You Need?

The documents required depend on your risk classification. For most SMEs and businesses using AI tools — rather than building them — the following five documents form the core of a defensible compliance baseline:

01
AI Use Policy
Governs how staff may and may not use AI tools. Covers permitted uses, prohibited practices, human oversight requirements, data protection obligations, and transparency rules. Required under Art. 4 (AI Literacy) and Art. 50 (Transparency).
02
AI Risk Register
Documents all AI systems in use, their risk classification, likelihood and impact of failure, and mitigation controls. Supports the risk management obligations under Art. 9 for high-risk systems and demonstrates due diligence.
03
Gap Analysis
Maps your current AI practices against what the EU AI Act requires. Identifies where you fall short, references the specific articles that apply to your systems, and prioritises remediation actions.
04
Compliance Roadmap
A phased action plan tied to the real EU AI Act obligation deadlines. Shows what needs to be done, by when, and who is responsible — giving your board and legal team a clear picture of your compliance trajectory.
05
Controls Checklist
A practical list of the controls your organisation must implement — from approved tools registers to incident reporting procedures. Assigns ownership and priority to each control so nothing falls through the cracks.

What Happens If You Don't Comply?

The EU AI Act carries significant penalties, enforced by national market surveillance authorities from August 2026:

For SMEs, penalties are capped proportionately, but remain material. Authorities may also order the suspension or prohibition of non-compliant AI systems from August 2026 onwards.

Generate Your Compliance Pack in Minutes

Answer a few questions about your organisation and AI systems. We generate all five documents — tailored to you, delivered to your inbox.

49
one-time
Generate My Compliance Pack →
No account needed  ·  Takes 3 minutes  ·  Word document delivered by email

Frequently Asked Questions

Does the EU AI Act apply to small businesses?

Yes. The Act does not exempt organisations based on size. Any business deploying AI systems in the EU — including SMEs — is subject to its obligations as a deployer. However, SMEs benefit from simplified documentation requirements, proportionate fees, and priority access to regulatory sandboxes under Art. 62.

We just use ChatGPT for writing emails. Do we need compliance documents?

Using ChatGPT or Microsoft Copilot for internal productivity tasks typically falls under the Limited Risk or Minimal Risk categories. You are not exempt from the Act, but your obligations are lighter — primarily transparency and AI literacy requirements. An AI Use Policy is still recommended to protect your organisation and demonstrate good governance.

What is the August 2026 deadline?

From 2 August 2026, the full obligations for high-risk AI systems listed in Annex III become enforceable. This includes AI used in HR and recruitment, credit assessment, customer scoring, and other areas that affect individuals. National market surveillance authorities will have powers to inspect, audit, and fine organisations from this date.

Is an AI compliance pack the same as being compliant?

No — and we're transparent about this. A compliance documentation pack gives you the baseline documentation your organisation needs as a starting point. It is not a legal certification, a conformity assessment, or a guarantee of compliance. We strongly recommend reviewing the documents with qualified legal counsel, particularly if your organisation uses high-risk AI systems.

How is AiDact different from hiring a lawyer?

AiDact generates a personalised documentation baseline in minutes for €49. A lawyer would charge significantly more and take considerably longer to produce equivalent initial documentation. AiDact is designed for organisations that need to get their documentation in order quickly and cost-effectively — not to replace specialist legal advice for complex high-risk AI deployments.

What AI systems count as high-risk under the EU AI Act?

Annex III of the Act lists the categories of high-risk AI systems. These include AI used in biometric identification, critical infrastructure, education and training, employment and HR management, access to essential services (credit, insurance), law enforcement, migration and border control, and administration of justice. If your organisation uses AI tools in any of these areas, high-risk obligations apply.