EU AI Act primer

What teams should understand before they build readiness records.

This guide gives a plain-English view of roles, risk tiers, key records, deadlines, and adjacent privacy duties. It is a product education page, not legal advice.

The EU AI Act in one page.

The EU AI Act, Regulation (EU) 2024/1689, creates a risk-based framework for AI systems placed on, supplied into, or used in the EU market. It does not treat every AI tool equally. The obligations depend on the role your organisation plays, the intended purpose of the system, the people affected, and the risk category.

Useful mental model: inventory first, classify intended purpose, identify obligations, maintain evidence, monitor changes, and export records when a reviewer asks.

1. Know your role.

A team can have different duties depending on whether it builds, deploys, imports, or distributes an AI system. One organisation can hold more than one role for different systems, and a deployer that puts its own name or trademark on a high-risk system, or substantially modifies it, takes on provider obligations for that system (Art. 25).

Provider: develops an AI system, or has one developed, and places it on the market or puts it into service under its own name or trademark.
Deployer: uses an AI system under its own authority in its operations, products, or services (personal, non-professional use is excluded).
Importer: is established in the EU and places on the EU market an AI system bearing the name or trademark of a non-EU person.
Distributor: makes an AI system available on the EU market without being the provider or the importer.

2. Classify the system by intended purpose.

The EU AI Act uses risk tiers. The most operationally important split is whether a system is prohibited (Art. 5), high-risk (Art. 6 and Annex III, or a safety component of a product covered by Annex I), subject only to transparency duties (for example chatbots and generated content under Art. 50), or lower-risk with no specific obligations. General-purpose AI models carry their own duties in Chapter V. High-risk systems need the strongest evidence trail; most of the record-keeping in section 3 exists for them.

Common risk signals

  • Intended use in an Annex III area: biometrics, critical infrastructure, education, employment and worker management, access to essential public and private services (including credit scoring and life or health insurance), law enforcement, migration and border control, or justice and democratic processes.
  • Outputs that decide or materially influence a person's access to opportunities, safety, rights, or essential services, rather than merely preparing or formatting information for a human decision.
  • Inputs that include personal data, special category data, biometric data, or profiling of individuals.

Related provisions: Art. 5 (prohibited practices), Art. 6 (classification rules for high-risk systems), Annex III (high-risk use cases).

3. Maintain the records reviewers usually ask for.

Readiness work is not only about a score. A reviewer will want to see what system exists, what it does, why the risk tier was chosen, who owns it, what controls are in place, and what evidence supports those claims.

Inventory: name, owner, purpose, users, vendor, deployment status, and risk tier, with the reasoning behind the tier.
Technical documentation: Annex IV-style draft inputs covering architecture, training and test data, performance metrics, and known limitations.
Risk and controls: risk management, human oversight, accuracy, robustness, and cybersecurity evidence; Art. 15 expects the design to address data poisoning, model poisoning, adversarial examples, model evasion, and attacks on confidentiality.
Operational evidence: monitoring records, serious incident reports, policy acknowledgements, and audit-pack snapshots, with dates so a reviewer can see what was known when.

Related provisions: Art. 9 (risk management), Art. 10 (data and data governance), Art. 11 (technical documentation), Art. 12 (record-keeping and logging), Art. 13 (transparency and instructions for use), Art. 14 (human oversight), Art. 15 (accuracy, robustness and cybersecurity), Art. 72 (post-market monitoring), Art. 73 (serious incident reporting).

4. Do not separate AI Act work from privacy work.

Many AI systems also process personal data. That means GDPR duties sit beside AI Act duties. A Data Protection Impact Assessment (GDPR Art. 35) and a Fundamental Rights Impact Assessment (AI Act Art. 27, required of certain deployers of high-risk systems such as public bodies and providers of essential services, credit, or insurance) can overlap in facts, but they are not the same document and answer different questions.

  • Map personal and special category data used by the system.
  • Explain lawful basis, transparency notices, retention, rights handling, and whether any decision is solely automated with legal or similarly significant effects (GDPR Art. 22).
  • Record human review, appeal routes, bias mitigation, and affected groups.
  • Keep privacy records aligned with AI governance records so the story is consistent.

5. Dates and enforcement matter.

The EU AI Act entered into force on 1 August 2024 and applies in stages. The prohibitions in Art. 5 and the AI literacy duty have applied since 2 February 2025. Obligations for general-purpose AI models and the governance and penalty provisions have applied since 2 August 2025. Most remaining provisions, including the Annex III high-risk obligations, apply from 2 August 2026, and high-risk systems that are safety components of Annex I products follow on 2 August 2027.

Key date: 2 August 2026 is the main full-application date many teams use as the readiness planning anchor. Exact applicability should be checked against your system type, role, and any later amendments or Commission guidance, because the staged timeline has been the subject of proposed changes.

Penalty exposure can be significant: Art. 99 allows fines of up to EUR 35 million or 7% of worldwide annual turnover for prohibited practices, and up to EUR 15 million or 3% for most other breaches. The practical value of readiness work is not fear, though. It is being able to explain what AI you use, how you classified it, and what evidence supports the operating controls.

6. Where AICVS fits.

AICVS is designed to help teams turn scattered AI use into structured readiness records. It supports inventory, likely risk classification, evidence capture, Annex IV draft inputs, DPIA/FRIA readiness, explainability notes, monitoring, incident records, and audit-pack exports built from the records you have entered.

What it does not do

  • It does not provide legal advice.
  • It does not certify EU AI Act compliance.
  • It does not replace a notified body, auditor, solicitor, DPO, or qualified reviewer.
  • It does not guarantee a complete technical file when your underlying records are incomplete.

Ready to turn the theory into records?

Start with one AI system, classify likely risk, attach evidence, and generate a readiness output based on available records.

Start readiness check