EU AI Act Compliance Guide 2025 — Executive Shield Partners
EU AI Act — Regulation (EU) 2024/1689

AI Governance Is Now Law

The EU AI Act is the world's first comprehensive AI regulation. Every company placing AI systems on the EU market — regardless of where you are headquartered — must comply. This guide covers everything your organization needs to know.

€35MMax Fine
7%of Turnover
Aug 2026High-Risk Deadline
27EU States
Extraterritorial Scope

Does the EU AI Act Apply to You?

If any of the following statements is true, your organization must comply with the EU AI Act.

EU-Based Company

Your company is established in the EU and develops, deploys, or uses AI systems in any capacity.

Non-EU Provider

Your company is outside the EU but places AI systems on the EU market or the output is used in the EU.

EU Deployer

You are an EU-based organization using AI systems in your operations, regardless of where the system was developed.

Key Legal Insight

The EU AI Act has extraterritorial scope. A US, Chinese, or Indian company selling AI tools to EU clients must comply. Non-EU providers must appoint an EU Authorized Representative. Both the provider (developer) and deployer (user) share liability under the Act's chain of responsibility framework.

Article 5 & Annex III

The Four Risk Categories

Every AI system your organization uses must be classified into one of four risk tiers. Each tier carries different compliance obligations.

Prohibited

Unacceptable Risk

Banned entirely. Cannot be placed on the EU market under any circumstances.

  • Social scoring by governments
  • Subliminal manipulation
  • Real-time biometric ID in public
  • Untargeted facial image scraping
  • Emotion recognition in schools/workplace
€35M or 7% fine
Strict Compliance

High Risk

Full compliance required: risk management, documentation, human oversight.

  • Critical infrastructure
  • Education & vocational training
  • Employment & recruitment
  • Finance & credit scoring
  • Law enforcement
  • Migration & border control
  • Justice & democratic processes
€15M or 3% fine
Transparency

Limited Risk

Users must be informed they are interacting with AI.

  • Chatbots & virtual assistants
  • Emotion recognition systems
  • AI-generated content (deepfakes)
  • Biometric categorization
€7.5M or 1.5% fine
Voluntary

Minimal Risk

No mandatory obligations. Voluntary codes of conduct encouraged.

  • AI-enabled video games
  • Spam filters
  • Inventory management
  • Recommendation systems (non-critical)
No penalties

High-Risk AI Systems — Full Detail

AI systems for remote biometric identification, biometric categorization, and emotion recognition. Includes real-time and post-systems.

  • Facial recognition systems
  • Fingerprint matching for identification
  • Voice biometric identification
  • Emotion detection and analysis
  • Biometric categorization systems

AI systems intended to be used as safety components in the management and operation of road traffic, supply of water, gas, heating, and electricity.

  • Traffic management systems
  • Water supply management
  • Electricity grid management
  • Gas pipeline control

AI systems used to determine access or admission, evaluate learning outcomes, or assess appropriate level of education.

  • Automated exam scoring
  • Student admission systems
  • Learning outcome assessment
  • Plagiarism detection with consequences

AI systems used for recruitment, promotion, termination, task allocation, and performance monitoring.

  • Resume screening and ranking
  • Job interview analysis
  • Performance evaluation systems
  • Worker behavior monitoring

AI systems used to evaluate credit scores, creditworthiness, or establish access to essential services.

  • Credit scoring algorithms
  • Loan approval systems
  • Insurance risk assessment
  • Emergency service dispatch

AI systems used by law enforcement for risk assessment, polygraphs, evidence evaluation, crime analytics, and facial recognition.

  • Recidivism risk scoring
  • Polygraph and similar systems
  • Evidence reliability assessment
  • Deepfake detection for evidence

AI systems used by competent authorities for assessing asylum applications, visa applications, and border control.

  • Asylum claim risk assessment
  • Visa application evaluation
  • Automated border checks

AI systems used for assisting judicial decisions and influencing voting behavior in elections.

  • Case law research assistants
  • Sentencing recommendation systems
  • Evidence analysis for courts
Articles 8-15

Requirements for High-Risk AI Systems

If your organization uses any high-risk AI system, these 8 mandatory requirements apply. Each must be documented and auditable.

01

Risk Management System

A continuous, iterative process run throughout the entire lifecycle of the AI system (Article 9). Must identify, estimate, and evaluate risks to health, safety, and fundamental rights.

Deliverable: Risk management plan with identified risks, mitigations, and residual risk analysis.
02

Data & Data Governance

Training, validation, and testing datasets must meet quality criteria including relevance, representativeness, completeness, accuracy, and freedom from errors (Article 10).

Deliverable: Data quality assessments, bias testing reports, data governance procedures.
03

Technical Documentation

Must be drawn up before placing the system on the market, demonstrating compliance and providing authorities with necessary information (Article 11).

Deliverable: Complete technical documentation with system architecture, algorithms, and intended purpose.
04

Record-Keeping & Logging

Automatic logging of events during operation to enable traceability and monitoring of the system's functioning (Article 12).

Deliverable: Logging infrastructure with automatic event capture, minimum 6-month retention.
05

Transparency & Information

Systems must be designed so deployers can understand output and use it appropriately. Instructions for use must be provided (Article 13).

Deliverable: Instructions for use document with capabilities, limitations, and known risks.
06

Human Oversight

Must enable natural persons to interpret output, decide not to use the system, and intervene on operation (Article 14).

Deliverable: Human oversight protocol with defined intervention points and trained supervisors.
07

Accuracy, Robustness & Security

Must achieve appropriate levels consistent with intended purpose, including resilience against errors and cybersecurity attacks (Article 15).

Deliverable: Test reports demonstrating accuracy metrics, robustness testing, and security assessment.
08

Quality Management System

A systematic, documented approach ensuring compliance including procedures for design, testing, validation, and post-market monitoring (Article 17).

Deliverable: Quality management manual with procedures, responsibilities, and review schedules.

Additional Obligations by Role

Role
Key Obligations
Documentation
Liability
Provider
Ensure compliance, QMS, technical docs, CE marking, registration
Full technical documentation, EU DoC, risk management plan
Primary
Deployer
Use per instructions, assign oversight, monitor, retain logs
Deployment records, oversight logs, incident reports
Joint
Importer
Verify conformity, ensure documentation, cooperate with authorities
Verification records, supplier documentation
Secondary
Distributor
Verify CE marking, report non-compliance to authorities
Distribution records, conformity checks
Limited
Authorized Rep
Verify technical docs, cooperate with authorities, retain documents
Mandate, full technical documentation (10 years)
Delegated
Implementation Calendar

Critical Compliance Dates

The EU AI Act applies in stages. Missing any of these deadlines exposes your organization to penalties.

Key Milestones

August 1, 2024
Regulation Enters into Force
20 days after publication in the Official Journal. The clock starts ticking.
February 2, 2025
Prohibited AI Practices Banned
Chapter II (Article 5) applies immediately. All prohibited practices must cease.
August 2, 2025
GPAI Obligations Apply
Chapter III obligations for general-purpose AI models. Transparency and evaluation requirements for systemic risk models.
August 2, 2026
High-Risk AI Full Applicability
All high-risk AI system requirements apply. This is the most critical deadline for most organizations.
August 2, 2027
Complete Enforcement
All provisions applicable across all EU member states. Full penalties in effect.

12-Month Action Plan

If your organization has not started preparing, follow this roadmap to achieve compliance before the August 2026 deadline.

Month 1-2: Discovery
AI System Inventory
Catalog all AI systems, classify risk tiers, identify gaps.
Month 3-4: Governance
Establish AI Governance Body
Create ethics board, appoint DPO, define policies and procedures.
Month 5-6: Assessment
Conduct Risk Assessments
Full gap analysis, FRIAs for high-risk systems, DPIAs where needed.
Month 7-8: Remediation
Fix Critical Gaps
Update systems, implement controls, human oversight measures.
Month 9-10: Documentation
Prepare Compliance Package
Technical docs, risk assessments, conformity declaration.
Month 11-12: Certification
Audit & Continuous Monitoring
Internal audit, external assessment, ongoing monitoring.
Article 85 & 99

Penalties for Non-Compliance

The EU AI Act establishes a tiered penalty structure. Use the calculator below to estimate your organization's exposure.

€35M
OR 7% OF GLOBAL TURNOVER

For prohibited AI practices under Article 5. Applies to social scoring, manipulation, and banned biometric systems.

€15M
OR 3% OF GLOBAL TURNOVER

For violations of high-risk AI system obligations or failure to comply with authority requests.

€7.5M
OR 1.5% OF GLOBAL TURNOVER

For providing incorrect information to authorities or failing to comply with transparency obligations.

Penalty Exposure Calculator

Maximum Penalty
€35.0M
or 35% of €100M turnover
Action Items

Compliance Checklist

A practical checklist for organizations preparing for EU AI Act compliance. Click each item to track your progress.

Inventory & Assessment

Progress 0/6

Governance & Documentation

Progress 0/6

Technical Implementation

Progress 0/6

People & Training

Progress 0/6
Overall Compliance Progress
Complete all items to ensure full EU AI Act readiness.
0%
Organizational Structure

AI Governance Framework

Establishing clear roles and responsibilities is essential for ongoing compliance. This matrix shows who owns what.

AI Ethics Board

Senior oversight body responsible for strategic AI governance decisions, policy approval, and regulatory alignment.

Strategic

AI Risk Manager

Operational role managing risk assessments, compliance monitoring, incident response, and day-to-day governance.

Operational

Legal & Compliance

Ensures regulatory compliance, manages documentation, liaises with supervisory authorities, and tracks regulatory updates.

Regulatory

Accountability Matrix

Role
Oversight
Risk Assessment
Documentation
Reporting
Board of Directors
Primary
Partial
Partial
Primary
CEO / MD
Primary
Primary
Partial
Primary
DPO / CDPO
Partial
Primary
Primary
Partial
AI System Owner
None
Partial
Primary
Primary
Compliance Officer
Partial
Partial
Primary
Primary
Legal Counsel
Partial
Primary
Partial
None
Real-World Cases

Compliance Scenarios

These scenarios illustrate how the EU AI Act applies to common real-world situations your organization may face.

Situation: The board of a mid-size financial institution discovers their compliance team has been using an AI-powered credit scoring tool for 8 months without proper risk assessment. A customer complaint triggered the investigation.

Questions:

  • Who bears primary responsibility?
  • What immediate actions are required?
  • What are the potential penalties?

Answers:

  • The CEO and Board share responsibility for oversight failure. The AI System Owner is responsible for the deployment without assessment.
  • Immediate suspension of the AI system, conduct a retroactive FRIA, notify the supervisory authority, and implement a proper governance framework.
  • Up to €15M or 3% of global turnover for high-risk system non-compliance, plus potential individual liability for executives under national law.
Key Takeaway: AI systems cannot be deployed without proper risk assessment. Ignorance at the board level is not a defense.

Situation: A US-based SaaS company provides AI-powered HR analytics tools to EU clients. A German client reports that the tool may be biased against candidates over 50. The company has no EU presence and claims EU law doesn't apply.

Questions:

  • Does the EU AI Act apply?
  • What must the company do?
  • Who is liable?

Answers:

  • Yes. The Act applies to all AI systems placed on the EU market, regardless of provider location. Article 2 establishes extraterritorial scope.
  • The company must designate an EU authorized representative, conduct a FRIA, and ensure compliance with high-risk system obligations for employment-related AI.
  • Both the US provider (as the AI system provider) and the German client (as the deployer) share liability under the Act's chain of responsibility framework.
Key Takeaway: The EU AI Act applies extraterritorially. Non-EU companies selling to EU clients must comply and appoint an EU Authorized Representative.

Situation: An organization uses a third-party AI tool for document classification. The vendor releases an update that changes the underlying model without notice. The new model starts misclassifying sensitive documents, leading to a potential data breach.

Questions:

  • Who is responsible for the update?
  • What documentation is required?
  • What should the organization do?

Answers:

  • The vendor (as provider) must notify deployers of significant changes. The organization (as deployer) must monitor and validate updates before deployment.
  • The vendor must provide technical documentation, conformity assessment, and change logs. The organization must maintain records of deployment decisions.
  • Immediately roll back to the previous version, conduct impact assessment, review the vendor contract, and consider reporting to the supervisory authority if personal data was affected.
Key Takeaway: Deployers cannot blindly trust vendor updates. You must validate changes and maintain your own compliance documentation.
Knowledge Check

Test Your Understanding

Quick assessment to verify your team's understanding of the EU AI Act. 10 questions covering all key areas.

About This Guide

Prepared by Executive Shield Partners

This guide is maintained by Executive Shield Partners, a leading governance, risk, and compliance advisory firm specializing in AI regulation. We help organizations worldwide navigate the complex regulatory landscape with practical, actionable guidance.

This content is provided for informational purposes and does not constitute legal advice. Always consult qualified legal counsel for your specific situation.

500+
Clients Advised
50+
Expert Consultants
25+
Countries