
The EU AI Act in practice: a checklist for your organisation

The EU AI Act is no longer a distant prospect: the first prohibitions have applied since February 2025, and the bulk of the AI regulation takes effect in August 2026. Yet many organisations still don't know which obligations are coming their way or where to start. This AI Act checklist makes the EU AI Act practical: seven concrete steps you can take this month.

Step 1: map your AI applications

You can't govern what you don't know. The first step under the EU AI Act is a complete AI register: which systems does your organisation use, both bought and built in-house? Think beyond the obvious chatbot or prediction model, and include the AI hidden inside HR software (CV screening), fraud detection, customer segmentation or a smart feature in your CRM.

In practice we see organisations structurally underestimate their AI use by 30 to 50 percent, largely due to 'shadow AI': free or self-procured tools that teams adopt on their own without central oversight. For each system, record the purpose, the supplier, the data used and who depends on it. This register is the foundation under every step that follows.

Step 2: determine the risk category per system

The AI regulation works with a risk-based pyramid. Unacceptable risk (such as social scoring or manipulative systems) has been banned since February 2025. High risk covers AI in recruitment, education, lending, critical infrastructure and public services, among others: this is where the heaviest requirements apply. Limited risk, such as chatbots, mainly demands transparency. Minimal risk, like a spam filter, carries virtually no obligations.

Run your register past these four categories and be strict when in doubt. For the public sector this matters especially: many government applications fall into the high-risk category more readily than organisations expect. A wrong call here cascades into every subsequent step.

Step 3: build AI literacy in your team

Since February 2025, Article 4 of the EU AI Act requires organisations to ensure sufficient 'AI literacy' among everyone working with AI systems. This is not an optional ambition but a direct obligation, regardless of your systems' risk category.

In concrete terms: make sure staff understand what a system can do, where it fails and when human oversight is needed. A short, role-specific training for different job groups, recorded in your training administration, is a realistic first move. Start with the teams that make daily decisions based on AI output.

Step 4: set up governance and human oversight

AI governance is the backbone of compliance. Appoint an owner, define who decides on new AI procurement and tie this into your existing risk and privacy processes. Anyone already working with frameworks like ISO 27001 or NIS2 will recognise the pattern: the AI Act builds on governance you probably already have in part.

For high-risk systems, meaningful human oversight is mandatory. That means a person can understand, override and correct the output, and there is a clear escalation route. Record for each system who holds this role and how intervention works in practice: without concrete arrangements, 'human oversight' remains a paper promise.

Step 5: ensure transparency and documentation

Transparency runs through the entire regulation. Users must know when they are dealing with an AI system or AI-generated content: a chatbot must identify itself, and synthetic content (deepfakes, AI text) must be labelled.

High-risk systems add technical documentation: logging, a description of the training data, performance, known limitations and a conformity assessment. Our advice: build this documentation now rather than reconstructing it after the fact. For bought-in AI, request the documentation and CE conformity from your supplier straight away, so you're not dependent on their pace when an audit arrives.

Step 6: build a timeline towards August 2026

The EU AI Act has a phased rollout. February 2025: prohibited applications and the AI literacy obligation. August 2025: obligations for providers of general-purpose AI models. August 2026: the lion's share of the rules, including requirements for high-risk systems. August 2027: the final obligations for AI in regulated products.

Map these dates against your register and decide for each system when it needs to be ready. August 2026 may feel far off, but for high-risk applications eighteen months is tight if you still have to arrange documentation, oversight and supplier contracts. Plan backwards from the deadline, not forwards from today.

Get started: scan, vouchers and a sounding board

The EU AI Act is extensive, but with this checklist it becomes manageable: inventory, classify, build literacy, set up governance, document transparently and create a timeline. The biggest mistake is waiting until August 2026 is close.

Want to know where your organisation stands today? With our maturity scan we map your AI register and risk profile in half a day and deliver a concrete action plan. For SMEs there are also schemes and vouchers that cover part of the cost. Feel free to get in touch to talk through your situation with no strings attached: we're happy to help you think it through.