AI Sigil Logo
Contact Us
Back to all insights
A compass

Sections

Kickstarting Compliance with the EU AI Act: Four Essential Steps

Four Ways to Kickstart Compliance with the EU AI Act

The European Union’s Artificial Intelligence Act (AI Act) represents the world’s first comprehensive AI regulation, poised to affect companies far beyond Europe’s borders. This complex law governs the development, deployment, and use of AI systems and general-purpose AI models within the EU while also having extraterritorial scope that imposes obligations on many U.S.-based organizations that develop, sell, or use AI technologies.

How to Prepare for U.S. Compliance

The AI Act takes a staggered approach to application. The first set of obligations, focusing on prohibited AI practices and AI literacy, took effect in February of 2025. Requirements for providers of general-purpose AI models (GPAI) will take effect on August 2, 2025, with many remaining rules scheduled for August 2, 2026. Now is the time for U.S. companies to kickstart their compliance journeys. Below are four key steps to prepare for this new law.

1. Determine whether your organization is in scope

The first step is determining whether your organization falls within the scope of the EU AI Act. The Act applies broadly to providers, deployers, importers, and distributors of AI systems operating in the EU. It extends to organizations outside the EU that either (1) place AI systems on the EU market or put them into service within the EU, or (2) enable AI outputs to be used by individuals located in the EU (subject to certain exceptions). Given this expansive scope, compliance obligations may apply to various U.S.-based entities across different industries, including cloud service providers, security vendors, and companies offering services like identity verification, HR tools, customer service chatbots, threat detection, and AI-driven decision-making systems.

2. Identify where your AI systems land on the risk spectrum and whether they are GPAI

If your organization is covered, the next step is to understand how your product fits within the AI Act’s risk spectrum, which categorizes AI systems based on whether they pose unacceptable, high, limited, or minimal risk. This classification is essential because each tier has distinct obligations. Organizations should inventory the AI systems currently in use or under development and assess which systems fall into which tier to identify the applicable requirements. Special attention should be given to products that could be considered high-risk or potentially prohibited under the Act.

A brief description of the tiers and their respective obligations follows:

  • The Act prohibits the use of AI systems in connection with specific practices that entail unacceptable risk, such as social scoring by governments or certain real-time biometric surveillance.
  • High-risk systems, such as those used in critical infrastructure, recruitment, employment, education, life insurance, law enforcement, or identity verification, are subject to strict regulatory requirements under the AI Act. Obligations include mandatory risk assessments, detailed technical documentation, human oversight mechanisms, and cybersecurity and data governance controls.
  • Certain limited-risk AI systems need to comply with minimal transparency and/or marking requirements, primarily affecting systems designed to interact directly with natural persons.
  • Minimal risk AI systems may be covered by future voluntary codes of conduct to be established.

The Act also has specific rules for GPAI, effective August 2, 2025, which apply even to models placed on the market or put into service before that date. These models, trained with a large amount of data using self-supervision at scale, exhibit significant generality and can competently perform a wide range of distinct tasks. The AI Act imposes stricter rules (e.g., model evaluations, risk mitigation plans, incident reporting, and enhanced cybersecurity measures) for models that pose systemic risks.

3. Design a governance program and take steps toward compliance

With the applicability analysis and AI system inventory complete, your organization should perform a gap assessment against its existing compliance measures. From there, you can identify the steps that still need to be taken. Creating cross-functional playbooks for classification, transparency, and oversight will pay dividends as the Act takes effect and enforcement begins. Examples of steps organizations should undertake for compliance readiness include:

  • Internal Governance: Establish internal AI governance committees to track use cases, update risk registers, and engage legal, compliance, and security teams.
  • Risk Documentation and Technical Controls: Maintain detailed documentation for AI systems, particularly those categorized as high-risk. Implement technical controls and perform regular risk assessments in line with the AI Act’s requirements.
  • Human Oversight Mechanisms: Ensure qualified personnel can understand, monitor, and, where necessary, override automated decision-making processes to fulfill the AI Act’s human oversight requirements.
  • Third-Party Oversight and AI Literacy: Engage vendors, partners, and contractors to confirm that they maintain appropriate levels of AI governance and literacy, especially where their tools or services fall under the AI Act or are integrated into your own AI systems or GPAI.
  • Training and Awareness Programs: Implement an organization-wide AI training program with enhanced modules tailored to employees directly involved in AI development, deployment, or oversight.
  • Cyber readiness: Although the Act does not specify data protection measures, this is an opportune moment to review and update your organization’s data and cybersecurity practices. Organizations may have existing obligations regarding EU data protection principles such as data minimization, purpose limitation, and lawful data sourcing, particularly when handling data from EU residents. Adding AI to the mix of products and services may add complexity, requiring additional security measures to prevent adversarial attacks, model manipulation, and unauthorized access, especially for high-risk systems.

4. Keep an eye on the U.S. (and other jurisdictions)

The U.S. does not yet have a national AI regulation analogous to the AI Act; however, companies cannot ignore domestic developments. Both the Biden Administration and the Trump Administration have issued executive orders on AI, but federal policymaking remains in its early stages. Significant activity is occurring at the state level. A robust compliance program should track emerging federal and state laws and consider how they interact with the AI Act.

One noteworthy example is the Colorado Artificial Intelligence Act, passed in 2024 and set to take effect in 2026. Like the AI Act, it employs a risk-based approach and imposes obligations on developers and deployers of high-risk AI systems. However, there are key differences, such as the Colorado law being more limited in scope and defining high risk more generally, rather than codifying specific uses as high risk.

Organizations should also monitor other markets, as additional jurisdictions may follow the EU’s lead in regulating AI.

Conclusion

Preparation should begin now, as the August 2, 2025, effective date is fast approaching. These steps will help in-house professionals operationalize these legal requirements and ensure compliance, even amid a rapidly evolving legal landscape.

More Insights

A magnifying glass

State AI Regulation: A Bipartisan Debate on Federal Preemption

June 20, 2025 AI,AI Regulation,Artificial Intelligence Governance,Regulatory Framework
The One Big Beautiful Bill Act includes a provision to prohibit state regulation of artificial intelligence (AI), which has drawn criticism from some Republicans, including Congresswoman Marjorie...
Read More
A network diagram

IBM Launches Groundbreaking Unified AI Security and Governance Solution

June 20, 2025 AI,AI Security,Artificial Intelligence Governance,Data Security
IBM has introduced a unified AI security and governance software that integrates watsonx.governance with Guardium AI Security, claiming to be the industry's first solution for managing risks...
Read More
A key

Ethical AI: Building Responsible Governance Frameworks

June 20, 2025 AI,AI Ethics,AI Governance
As AI becomes integral to decision-making across various industries, establishing robust ethical governance frameworks is essential to address challenges such as bias and lack of transparency...
Read More
A tree with roots representing local innovation and branches symbolizing global connectivity

Reclaiming Africa’s AI Future: A Call for Sovereign Innovation

June 20, 2025 AI,AI Governance,AI Regulation Awareness,Global AI Policy
As Africa celebrates its month, it is crucial to emphasize that the continent's future in AI must not merely replicate global narratives but rather be rooted in its own values and contexts. Africa is...
Read More
A shield

Mastering AI and Data Sovereignty for Competitive Advantage

June 20, 2025 AI,AI Governance,AI Regulation,Regulatory Compliance
The global economy is undergoing a transformation driven by data and artificial intelligence, with the digital economy projected to reach $16.5 trillion by 2028. Organizations are urged to prioritize...
Read More
A lock and key representing the safeguarding of ethical standards in technology.

Pope Leo XIV: Pioneering Ethical Standards for AI Regulation

June 20, 2025 AI,AI Ethics,Global AI Policy,Technology Policy
Pope Leo XIV has emerged as a key figure in global discussions on AI regulation, emphasizing the need for ethical measures to address the challenges posed by artificial intelligence. He aims to...
Read More
A map of the United States highlighting state boundaries

Empowering States to Regulate AI

June 20, 2025 AI,AI Governance,AI Regulation,Regulatory Framework
The article discusses the potential negative impact of a proposed moratorium on state-level AI regulation, arguing that it could stifle innovation and endanger national security. It emphasizes that...
Read More
A shield - conveying protection and defense against misuse of AI.

AI Governance Made Easy: Wild Tech’s Innovative Solution

June 20, 2025 AI,AI Governance,AI Regulation,Artificial Intelligence Governance
Wild Tech has launched a new platform called Agentic Governance in a Box, designed to help organizations manage AI sprawl and improve user and data governance. This Microsoft-aligned solution aims to...
Read More
A network diagram

Unified AI Security: Strengthening Governance for Agentic Systems

June 20, 2025 AI,AI Security,Artificial Intelligence Governance,Regulatory Compliance
IBM has introduced the industry's first software to unify AI security and governance for AI agents, enhancing its watsonx.governance and Guardium AI Security tools. These capabilities aim to help...
Read More

Ready to become AI compliant?

Take the first steps in your transformation towards international AI compliance.

Book a Discovery Call See Frameworks

Explore

Need More Assistance?

Our expert sales team is here to answer your questions, just leave your email and we’ll get in touch.

Research & Market Studies
A digital energy meter
AI Safeguards: A Step-by-Step Guide to Building Robust Defenses
As AI becomes more powerful, protecting against its misuse is critical. This requires well-designed "safeguards"...
A light bulb
Algorithmic Audits: A Practical Guide to Fairness, Transparency, and Accountability in AI
Algorithmic auditing is crucial for ensuring AI systems are fair, transparent, and accountable. A comprehensive...
A compass
AI Explainability: A Practical Guide to Building Trust and Understanding
As AI systems exert increasing influence over our lives, understanding how they arrive at conclusions...
A shield symbolizing protection against unregulated AI practices.
AI Governance: Transparency, Ethics, and Risk Management in the Age of AI
AI is rapidly transforming society, creating both opportunities and risks. A proposed AI governance framework...
Latest News on AI Compliance
A road sign
Texas Takes Bold Steps in AI Regulation with TRAIGA
The Texas Responsible Artificial Intelligence Governance Act (TRAIGA) has been passed by the Texas legislature...
A lightbulb illustrating innovation and ideas in AI and governance.
AI Governance: Ensuring Fairness in Power Grid Decision-Making
As artificial intelligence begins to reshape grid operations, there is a critical need for governance...
A bridge
Guidelines for Ethical AI Development
Responsible AI development involves ethical design and use of AI systems to ensure they align...
A light bulb
Empowering AI Literacy for Electoral Integrity
The EU AI Act mandates that organizations providing or deploying AI systems ensure their staff...

© 2023 AI Sigil

Medium Envelope