Skip to content

Assess Your EU AI Act Readiness

Sotiris SpyrouUpdated on

Share this article

LinkedInXEmail
Assess Your EU AI Act Readiness

EU AI Act readiness is the extent to which an organisation's AI systems, documentation, and governance already meet the obligations set for their risk tier under the Act. The European Union has established itself as the global pioneer in comprehensive AI regulation with the landmark EU AI Act. This legislation represents the most structured and detailed approach to AI governance globally, creating significant compliance obligations for organisations operating in or serving the EU market.

The Risk-Based Classification System

The cornerstone of the EU approach is its four-tier risk classification system:

Unacceptable Risk

Systems posing unacceptable risks are explicitly prohibited, including:

  • Social scoring by governments

  • Certain forms of predictive policing

  • Emotion recognition in schools and workplaces

  • Certain types of biometric categorisation

  • Indiscriminate scraping of facial images for facial recognition databases

  • Cognitive behavioral manipulation that causes harm

These prohibitions apply with limited exceptions, such as certain law enforcement applications under strict conditions.

High Risk

Systems affecting safety, fundamental rights, or critical infrastructure are classified as high-risk and face rigorous obligations, including:

  • Risk Management Systems: Continuous monitoring and mitigation throughout the lifecycle

  • Data Governance: Detailed documentation and quality management for training, validation, and testing datasets

  • Technical Documentation: Comprehensive design specifications and validation procedures

  • Record-Keeping: Automated logging of system activity

  • Transparency: Clear information provision to users

  • Human Oversight: Effective monitoring capabilities and intervention mechanisms

  • Accuracy & Robustness: Detailed testing and verification requirements

  • Cybersecurity: Protections against vulnerabilities and attacks

High-risk systems include AI used in:

  • Critical infrastructure

  • Educational or vocational training

  • Employment and worker management

  • Access to essential services

  • Law enforcement

  • Migration and border control

  • Administration of justice

Limited Risk

Systems posing limited risk face transparency obligations, ensuring users know they're interacting with AI. These requirements apply to:

  • Chatbots and virtual assistants

  • Emotion recognition systems

  • Biometric categorisation systems

  • AI-generated or manipulated content ("deep fakes")

Minimal Risk

Systems with minimal risk face no additional obligations beyond existing law. Most AI applications fall into this category.

Compliance Mechanisms

The EU AI Act establishes robust compliance mechanisms:

Conformity Assessments

High-risk AI systems must undergo conformity assessments before market placement. These assessments can be:

  • Self-assessments by providers for most high-risk systems

  • Third-party assessments by notified bodies for specific categories

CE Marking

Following successful conformity assessment, high-risk systems must bear the CE mark indicating compliance.

EU Database Registration

High-risk AI systems must be registered in a central EU database, providing transparency and enabling oversight.

Governance Structure

The Act establishes a multi-level governance structure:

  • European AI Office: Housed within the Commission

  • AI Board: Coordinating body of member state representatives

  • National Supervisory Authorities: With investigative and enforcement powers

Penalties

The Act includes severe penalties for non-compliance:

  • Up to €35 million or 7% of global annual turnover for prohibited applications

  • Up to €15 million or 3% of turnover for other violations

  • Up to €7.5 million or 1.5% of turnover for providing incorrect information

General Purpose AI Models

For general purpose AI models (GPAIs) with significant impact potential:

  • Self-Assessment: Requirements to perform self-assessments and risk mitigation

  • Incident Reporting: Obligation to report serious incidents

  • Testing: Model evaluation and testing requirements

  • Cybersecurity: Enhanced cybersecurity protection

Unique Features

Several features distinguish the EU approach:

Extraterritorial Reach

The Act applies to any AI system affecting EU citizens, regardless of where the provider is based.

Comprehensive Documentation

The technical documentation requirements exceed those of any other territory, requiring detailed information on development processes, validation procedures, and risk management.

Mandatory Conformity Assessments

The formal conformity assessment process creates a structured approach to compliance verification unlike other territories.

Prohibited Applications

The explicit prohibition of certain AI applications goes beyond most other regulatory approaches.

Timeline for Implementation

The AI Act will be implemented on the following timeline:

  • Publication: Expected Q2 2024

  • Entry into Force: 20 days after publication

  • Prohibitions: Effective after 6 months

  • Governance Structure: Established after 12 months

  • GPAI Requirements: Effective after 12 months

  • Core Provisions: Fully applicable after 24 months

  • Product-Embedded AI: Applicable after 36 months

Implications for Organisations

Organisations operating in or serving the EU market should:

  1. Classify AI systems according to the four-tier risk system

  2. Implement requirements for each risk category

  3. Prepare for conformity assessments where required

  4. Develop comprehensive documentation exceeding most current practices

  5. Establish governance structures with clear oversight mechanisms

Assess Your EU AI Act Readiness

To evaluate your organisation's readiness for the EU AI Act, take our free EU-specific assessment:

Take our EU AI Act Readiness Assessment

This assessment evaluates your compliance with specific EU AI Act requirements and provides actionable recommendations tailored to your AI applications and risk categories.

Frequently asked questions

What is EU AI Act readiness?

EU AI Act readiness is the extent to which an organisation's AI systems, documentation, and governance already satisfy the obligations attached to their risk tier under the Act. It covers everything from having systems correctly classified through to having the technical documentation and oversight mechanisms a conformity assessment would expect to see.

How is an AI system's risk tier decided under the EU AI Act?

Risk tier depends on what the system does and who it affects, not on the underlying technology. The Act sorts systems into unacceptable, high, limited, and minimal risk categories, with the classification driven by the system's use case, such as employment decisions or biometric identification, rather than its architecture.

What does a conformity assessment involve?

A conformity assessment checks a high-risk AI system against the Act's requirements before it goes to market. For most high-risk systems this is a self-assessment against harmonised standards; certain categories require assessment by an independent notified body instead.

Who is responsible for EU AI Act compliance inside an organisation?

Responsibility usually sits with a mix of technical, legal, and business stakeholders working together, since the requirements span system design, documentation, and organisational governance. Many organisations establish a dedicated AI governance function or committee to own this rather than leaving it with a single technical team.

If you want support with this, VerityAI offers our AI governance practice.

Share this article

LinkedInXEmail
Sotiris Spyrou - Author

Sotiris Spyrou

Sotiris Spyrou is the founder of VerityAI, a Responsible AI advisory for boards and AI-deploying businesses. With 27 years across agencies, global in-house roles, and the C-suite, he advises leaders on AI governance and risk, and on answer-engine visibility engineered without the dark patterns the rest of the industry is getting penalised for. He is the author of TRANSFORM, AI Moats, and Ethical AI.

Founder at VerityAI