Assess Your EU AI Act Readiness

EU AI Act readiness is the extent to which an organisation's AI systems, documentation, and governance already meet the obligations set for their risk tier under the Act. The European Union has established itself as the global pioneer in comprehensive AI regulation with the landmark EU AI Act. This legislation represents the most structured and detailed approach to AI governance globally, creating significant compliance obligations for organisations operating in or serving the EU market.
The Risk-Based Classification System
The cornerstone of the EU approach is its four-tier risk classification system:
Unacceptable Risk
Systems posing unacceptable risks are explicitly prohibited, including:
Social scoring by governments
Certain forms of predictive policing
Emotion recognition in schools and workplaces
Certain types of biometric categorisation
Indiscriminate scraping of facial images for facial recognition databases
Cognitive behavioral manipulation that causes harm
These prohibitions apply with limited exceptions, such as certain law enforcement applications under strict conditions.
High Risk
Systems affecting safety, fundamental rights, or critical infrastructure are classified as high-risk and face rigorous obligations, including:
Risk Management Systems: Continuous monitoring and mitigation throughout the lifecycle
Data Governance: Detailed documentation and quality management for training, validation, and testing datasets
Technical Documentation: Comprehensive design specifications and validation procedures
Record-Keeping: Automated logging of system activity
Transparency: Clear information provision to users
Human Oversight: Effective monitoring capabilities and intervention mechanisms
Accuracy & Robustness: Detailed testing and verification requirements
Cybersecurity: Protections against vulnerabilities and attacks
High-risk systems include AI used in:
Critical infrastructure
Educational or vocational training
Employment and worker management
Access to essential services
Law enforcement
Migration and border control
Administration of justice
Limited Risk
Systems posing limited risk face transparency obligations, ensuring users know they're interacting with AI. These requirements apply to:
Chatbots and virtual assistants
Emotion recognition systems
Biometric categorisation systems
AI-generated or manipulated content ("deep fakes")
Minimal Risk
Systems with minimal risk face no additional obligations beyond existing law. Most AI applications fall into this category.
Compliance Mechanisms
The EU AI Act establishes robust compliance mechanisms:
Conformity Assessments
High-risk AI systems must undergo conformity assessments before market placement. These assessments can be:
Self-assessments by providers for most high-risk systems
Third-party assessments by notified bodies for specific categories
CE Marking
Following successful conformity assessment, high-risk systems must bear the CE mark indicating compliance.
EU Database Registration
High-risk AI systems must be registered in a central EU database, providing transparency and enabling oversight.
Governance Structure
The Act establishes a multi-level governance structure:
European AI Office: Housed within the Commission
AI Board: Coordinating body of member state representatives
National Supervisory Authorities: With investigative and enforcement powers
Penalties
The Act includes severe penalties for non-compliance:
Up to €35 million or 7% of global annual turnover for prohibited applications
Up to €15 million or 3% of turnover for other violations
Up to €7.5 million or 1.5% of turnover for providing incorrect information
General Purpose AI Models
For general purpose AI models (GPAIs) with significant impact potential:
Self-Assessment: Requirements to perform self-assessments and risk mitigation
Incident Reporting: Obligation to report serious incidents
Testing: Model evaluation and testing requirements
Cybersecurity: Enhanced cybersecurity protection
Unique Features
Several features distinguish the EU approach:
Extraterritorial Reach
The Act applies to any AI system affecting EU citizens, regardless of where the provider is based.
Comprehensive Documentation
The technical documentation requirements exceed those of any other territory, requiring detailed information on development processes, validation procedures, and risk management.
Mandatory Conformity Assessments
The formal conformity assessment process creates a structured approach to compliance verification unlike other territories.
Prohibited Applications
The explicit prohibition of certain AI applications goes beyond most other regulatory approaches.
Timeline for Implementation
The AI Act will be implemented on the following timeline:
Publication: Expected Q2 2024
Entry into Force: 20 days after publication
Prohibitions: Effective after 6 months
Governance Structure: Established after 12 months
GPAI Requirements: Effective after 12 months
Core Provisions: Fully applicable after 24 months
Product-Embedded AI: Applicable after 36 months
Implications for Organisations
Organisations operating in or serving the EU market should:
Classify AI systems according to the four-tier risk system
Implement requirements for each risk category
Prepare for conformity assessments where required
Develop comprehensive documentation exceeding most current practices
Establish governance structures with clear oversight mechanisms
Assess Your EU AI Act Readiness
To evaluate your organisation's readiness for the EU AI Act, take our free EU-specific assessment:
Take our EU AI Act Readiness Assessment
This assessment evaluates your compliance with specific EU AI Act requirements and provides actionable recommendations tailored to your AI applications and risk categories.
Frequently asked questions
What is EU AI Act readiness?
EU AI Act readiness is the extent to which an organisation's AI systems, documentation, and governance already satisfy the obligations attached to their risk tier under the Act. It covers everything from having systems correctly classified through to having the technical documentation and oversight mechanisms a conformity assessment would expect to see.
How is an AI system's risk tier decided under the EU AI Act?
Risk tier depends on what the system does and who it affects, not on the underlying technology. The Act sorts systems into unacceptable, high, limited, and minimal risk categories, with the classification driven by the system's use case, such as employment decisions or biometric identification, rather than its architecture.
What does a conformity assessment involve?
A conformity assessment checks a high-risk AI system against the Act's requirements before it goes to market. For most high-risk systems this is a self-assessment against harmonised standards; certain categories require assessment by an independent notified body instead.
Who is responsible for EU AI Act compliance inside an organisation?
Responsibility usually sits with a mix of technical, legal, and business stakeholders working together, since the requirements span system design, documentation, and organisational governance. Many organisations establish a dedicated AI governance function or committee to own this rather than leaving it with a single technical team.
If you want support with this, VerityAI offers our AI governance practice.

Sotiris Spyrou
Sotiris Spyrou is the founder of VerityAI, a Responsible AI advisory for boards and AI-deploying businesses. With 27 years across agencies, global in-house roles, and the C-suite, he advises leaders on AI governance and risk, and on answer-engine visibility engineered without the dark patterns the rest of the industry is getting penalised for. He is the author of TRANSFORM, AI Moats, and Ethical AI.
Founder at VerityAI