The EU AI Act
Are You Ready for Regulation?
As governments accelerate AI regulation, the EU AI Act has emerged as the global benchmark, classifying AI by risk. Organisations deploying AI systems in areas that materially affect individuals’ rights are likely to fall within the high-risk category, making compliance a priority.
The Act entered into force on 1 August 2024. The critical date for deployers of high-risk systems is 2 August 2026, when the full suite of obligations becomes enforceable. Classification hinges on how the system is actually used. If your organisation relies on AI outputs or the AI shapes decisions affecting individuals, you are likely in high-risk territory. Both developers and deployers are accountable, meaning vendor assurances do not relieve your organisation of its legal obligations.
Regulatory Progress to Date
From 2 February 2025, prohibited AI practices such as emotion recognition in the workplace, became unlawful. At the same time, the AI literacy obligation took effect, requiring employers to ensure staff operating AI systems understand how they work, their risks and limitations, and the associated legal and ethical issues.
What Is Coming Next
The key date is 2 August 2026, when all high-risk AI systems must comply. In November 2025, the European Commission proposed a possible postponement to 2027, but this has not yet been approved. Organisations should therefore prepare to comply by the original date.
How the Act Has Been Applied So Far
The Act exempts purely procedural tasks, such as sorting documents, provided they do not involve profiling. Profiling includes automated processing that evaluates personal aspects such as performance or emotions. Most systems that generate scores, rankings, or recommendations involve profiling, rendering the exemption unavailable.
Draft guidelines clarify that systems generating scores or recommendations that materially affect individuals are high-risk, even if a human makes the final decision.
A Practical Governance Framework for Deployers
- Inventory of All AI Systems
Take inventory of AI use across your organisation. Capture tools adopted without formal approval and document each system’s purpose, provider, and version.
- Risk Classification
The critical question is whether the tool materially shapes decisions affecting individuals. When an administrative tool starts influencing outcomes, it becomes high-risk.
- Policies
Deployers must ensure AI systems are operated in accordance with provider instructions. Your policy framework should include an AI strategy; internal instructions on system use; guidelines for monitoring documentation; and policies on data quality and bias monitoring.
- Accountability
Designate clear responsibility for compliance. Appoint individuals with the necessary competence, training, and authority to oversee high-risk AI systems and intervene in results generated.
- Data Controls
Deployers must ensure input data is relevant and representative. This means addressing bias, maintaining data quality, complying with GDPR, and contracting with vendors for transparency and audit access.
- Human Oversight
Human overseers must understand the system’s capabilities, detect anomalies and discriminatory patterns, and have authority to override AI decisions. Identify who will oversee each system, ensure they have training and authority, and document the process.
- Testing
High-risk AI systems must be tested against pre-defined metrics before deployment, with consideration of impacts on vulnerable groups. Ensure providers demonstrate robust testing and maintain your own monitoring processes.
- Breach Management
Deployers must suspend use and report to authorities if the system poses risks to health, safety, or fundamental rights. Retain logs for at least six months. Your incident response plan should cover escalation, communication, and corrective action.
- Transparency Requirements
Inform affected individuals that AI is being used, how it functions, and its role in decisions. Individuals can request an explanation of decisions affecting them. If your system uses emotion recognition or generates deepfakes, disclose this.
Conclusion
Compliance demands continuous risk management, testing, monitoring, and documentation. While fines can reach €15 million or 7% of global turnover, regulators also have the power to recall non-compliant systems, causing severe business disruption.
This article is intended as a high-level overview, not legal advice. Contact Orbital Law to discuss how we can support your compliance efforts.

