
AI Act: who is concerned, by what, and how to comply

Make IT Safe
Illustration: the four risk levels defined by the AI Act (unacceptable, high, limited, minimal).

The European Regulation on Artificial Intelligence, known as the AI Act, is no longer a text to anticipate. Part of its obligations has been applying since February 2025, another part since August 2025, and the main wave — covering high-risk AI systems — enters into force on 2 August 2026. If your organisation uses, integrates or markets AI systems, the question is no longer whether to prepare but how to be compliant today.

Adopted in June 2024 and entered into force on 1 August 2024, the AI Act is the world’s first comprehensive legal framework dedicated to artificial intelligence. It sets common rules across all EU Member States to govern the development, marketing and use of AI systems. Its approach is risk-based: the higher the potential impact on fundamental rights, health or safety, the stricter the obligations.

For CISOs, DPOs and Risk Managers, this new regulation does not arrive on fresh ground. It adds to the GDPR, DORA, NIS2 and the broader stack of frameworks already in place. The real question is therefore not “how to bolt on yet another text” but “how to map our AI use cases, qualify the risks and build a compliance approach that stays consistent with the rest of our GRC programme”. This article answers the three essential questions: who is concerned, by what, and how to comply.

Who is concerned by the AI Act

The AI Act distinguishes several categories of actors, each with different obligations depending on their role along the AI value chain. Any organisation interacting with an AI system placed on the market or used in the EU can be concerned, even when established outside the Union.

Providers develop an AI system and place it on the market under their own name, whether they designed it themselves or had it built by a third party. They carry most of the obligations, especially for high-risk systems: conformity assessment, technical documentation, quality management, transparency.

Deployers use an AI system in a professional capacity. A bank using an AI-based credit scoring tool, a hospital deploying a diagnostic-assistance device, an HR department relying on a CV-screening tool — they are all deployers. Most European companies fall into this category, and their obligations are lighter than providers’ — but real, especially for high-risk systems.

Importers and distributors make AI systems developed outside the EU available on the European market. They must verify that the obligations applicable to providers have been properly met.

Product manufacturers that embed an AI system in a physical product (for instance a medical device containing diagnostic-assistance AI) take on the provider’s obligations for that system.

Authorised representatives act within the EU on behalf of providers established outside the Union.

The territorial scope is deliberately extraterritorial: a US-based provider offering an AI system to European companies must comply with the AI Act, exactly as is the case with the GDPR. The intent is to prevent circumvention through relocation.

The regulation also lays out several exclusions. AI systems used exclusively for military, defence or national security purposes fall outside its scope. Purely personal activities, scientific research and pre-market development benefit from partial or full exemptions.

What the AI Act requires: the four risk levels

The architecture of the regulation rests on a classification of AI systems by their level of risk to fundamental rights, health or safety. Four levels are defined, each triggering a distinct legal regime.

Unacceptable risk: outright prohibition

Some AI use cases are deemed incompatible with European values and are simply banned. This category became applicable as early as 2 February 2025, six months after the regulation entered into force.

Prohibited practices include: social scoring by public authorities (as in the Chinese system), subliminal manipulation techniques exploiting psychological vulnerabilities, real-time remote biometric identification in public spaces for law enforcement (subject to narrow exceptions), predictive policing based solely on algorithmic profiling, emotion recognition in the workplace or in education, and untargeted scraping of facial images from the internet to build facial recognition databases.

If your organisation considers or operates a system in this category, compliance is not about documentation or notification: the use must stop.

High risk: the big wave of August 2026

This is the category that carries most of the regulation’s obligations, and the one that affects the largest number of organisations. A system qualifies as high-risk in two cases.

On one hand, AI systems embedded in products already subject to EU conformity rules (medical devices, machinery, toys, automotive equipment, personal protective equipment, etc.) automatically fall into the high-risk category.

On the other hand, Annex III of the regulation explicitly lists fields of use classified as high-risk, including: biometrics and emotion recognition outside prohibited cases, critical infrastructure (energy, transport, water), education and vocational training (selection of students, assessment of results), employment and workforce management (CV screening, evaluation, task allocation), access to essential public and private services (credit scoring, social-aid allocation, life or health insurance pricing), law enforcement, migration and border control, the administration of justice and democratic processes.

For these systems, the obligations are dense. They include implementing a risk-management system across the full life cycle, governing training and testing data, producing exhaustive technical documentation, maintaining activity logs (automatic logging), providing clear information to deployers, enabling effective human oversight, ensuring an appropriate level of robustness, accuracy and cybersecurity, and operating a quality-management system on the provider’s side.

Deployer obligations are lighter but real: use the system in line with its instructions, ensure human oversight, monitor operation, retain logs, inform affected individuals in certain cases, and carry out a fundamental rights impact assessment for public bodies and some private actors.

The bulk of the obligations relating to high-risk systems becomes applicable on 2 August 2026.

Limited risk: transparency obligations

This category covers systems that do not present substantial risk but may mislead users about the nature or origin of content. Chatbots and conversational assistants, emotion-recognition systems outside prohibited or high-risk uses, and generators of synthetic content (deepfakes, AI-generated images, audio, video) belong here.

The main obligation is transparency: users must be informed when they interact with an AI, and any synthetic content must be identifiable as such, including through machine-readable technical markers.

Minimal risk: no obligation

The vast majority of AI systems in production today fall into this category: spam filters, AI embedded in video games, logistics optimisation, product recommendations, and so on. No obligation is imposed, but providers are encouraged to voluntarily adopt codes of conduct.

The specific case of general-purpose AI models

Beyond finished systems, the AI Act also governs general-purpose AI (GPAI) models — typically large language models such as GPT, Claude, Gemini, Mistral. Providers of these models must publish technical documentation, a copyright-compliance policy, and a sufficiently detailed summary of the data used for training.

For models with systemic risk (those whose training compute exceeds a given threshold), additional obligations apply: risk assessment, adversarial testing, reporting of serious incidents, reinforced cybersecurity. These obligations have been applicable since 2 August 2025.

The application timeline in a nutshell

Milestone                                                  | Application date
Entry into force                                           | 1 August 2024
Prohibitions (unacceptable practices)                      | 2 February 2025
General-purpose AI models + governance provisions          | 2 August 2025
High-risk AI systems (Annex III) + sanctions               | 2 August 2026
High-risk AI systems embedded in regulated products        | 2 August 2027

At the time this article goes live, two of the five milestones are already in force. The third is only a few weeks away. For most organisations, the operational deadline is therefore 2 August 2026.

How to comply: a seven-step approach

Complying with the AI Act is not a one-off project. It is the build-out of a durable framework that fits with the other GRC requirements already in place. Below are the seven structuring steps common to most proven methods.

1. Map all AI systems in use

This is the foundation. Before qualifying or documenting, you need to know where AI is present in the organisation. The map should cover embedded AI in SaaS tools (productivity suites, HR, marketing, customer support), AI modules built into business software, in-house developments, APIs exposed to external models, and individual usage that has been authorised or merely tolerated (conversational assistants used by employees).

Experience shows that this first step systematically uncovers more use cases than the IT department or the CISO had imagined. It is also the right moment to identify responsibilities: who is the business sponsor, who is the actual deployer, which provider sits upstream.

2. Qualify the risk level of each system

For every identified system, determine whether it falls under a prohibited practice, a high-risk use case (Annex III or regulated product), a transparency obligation or a minimal-risk category. This qualification drives every subsequent action. When in doubt, default to high-risk to avoid under-estimating the obligations.

3. Set up governance and a single point of accountability

The AI Act does not impose a “Chief AI Officer” role the way GDPR mandates a DPO, but compliance coordination must be owned by a clearly identified body. In most organisations, this responsibility is added to the DPO’s, the CISO’s or a risk manager’s remit. The topics sit at the crossroads of data, legal, security and the business — so should the governance.

4. Build documentation and registers

For each high-risk system, the provider must produce exhaustive technical documentation (system purpose, data used, training methods, risk-management measures, performance metrics). The deployer must retain the logs generated by the system and maintain a register of decisions taken with its help. This documentation directly feeds audits and evidence of compliance.

5. Run the conformity assessment before going live

Before a high-risk system is deployed in production, a conformity-assessment procedure must be carried out. In most cases, this is a self-assessment by the provider, anchored in a quality-management system. For certain categories (notably biometrics), a notified body must be involved.

6. Enable human oversight and training

The AI Act does not accept that a high-impact decision is fully automated without a person being able to understand, contest or override the system’s output. This implies both a design that makes oversight possible (transparent recommendations, access to logs, ability to interrupt) and effective training of human operators. The regulation also imposes an adequate level of AI literacy across all relevant staff.

7. Monitor continuously and report incidents

Compliance is not a frozen state. AI systems evolve (model updates, data drift), and their compliance must be re-evaluated as they change. Serious incidents tied to a high-risk system must be reported to the competent authority. A continuous monitoring procedure, paired with an incident-management workflow, is therefore essential.

How the AI Act interacts with the GDPR

The AI Act and the GDPR share common ground but do not replace each other. As soon as an AI system processes personal data — which is frequent — the GDPR remains fully applicable, in parallel with the AI Act.

The CNIL (the French Data Protection Authority), in its early position papers published in 2024, clarified several points. The lawful basis for processing must be identified and documented. A Data Protection Impact Assessment (DPIA) is required for most high-risk systems. The data-minimisation principle calls for questioning the relevance of training data. Data-subject rights (information, access, objection) must be effective, which assumes transparency about how the system operates.

The GDPR’s DPIA and the AI Act’s fundamental rights impact assessment are not the same exercise, but they can and should be articulated within a single approach. This is precisely the kind of project where a unified GRC platform helps avoid documentation duplication.

The sanctions

The AI Act sets out three tiers of administrative fines, applicable from 2 August 2026:

  • Up to €35 million or 7% of worldwide annual turnover (whichever is higher) for breaching the prohibitions
  • Up to €15 million or 3% of worldwide annual turnover for breaching the other obligations applicable to providers, deployers, importers and other actors
  • Up to €7.5 million or 1% of worldwide annual turnover for providing inaccurate information to authorities

These caps are calibrated on the GDPR model, at a higher level. For SMEs and start-ups, the caps are the lower of the two figures, scaling the fine to organisation size.

In France, the supervisory authority has not yet been formally designated at the time of publication, with several scenarios under consideration (CNIL, Arcom, a dedicated body). The regulation in any event requires every Member State to designate this authority.

Conclusion

The AI Act is not a regulation to be handled in a silo. For organisations that have already structured their GDPR, NIS2 or DORA programmes, the right reflex is to fold AI compliance into the existing GRC framework: unified asset mapping, shared registers, joint governance, continuous monitoring. This is the most economical path in time and energy, and the one that delivers sustainable compliance.

Make IT Safe supports its customers on exactly this type of cross-cutting approach — risk mapping, multi-framework compliance steering, continuous oversight. AI Act compliance naturally finds its place inside a unified cyber-and-compliance pilot.
