Guide

How to comply with the EU AI Act

Updated June 16, 2026 · By Max Langley, AI Audits EU

Complying with the EU AI Act is a sequence, not a single task. Classify each AI system, confirm your role, assess the gap against the obligations for that tier, build the technical file, complete the conformity assessment, and then keep the whole thing current. Here is the order that keeps you from doing work you do not need.

Step 1: classify every system

Build an inventory and put each AI system into a risk tier: prohibited, high-risk, limited-risk, or minimal-risk. This single step decides how much work follows. A misclassification at the start either buries you in obligations you do not have or, worse, leaves a high-risk system non-compliant.

Step 2: confirm your role

Decide whether you are the provider, the deployer, or both for each system. Providers of high-risk systems carry the documentation and conformity burden. Deployers must use the system as instructed, keep human oversight, and monitor outcomes. The role sets which duties land on you.

Step 3: run a gap assessment

Measure each high-risk system against the requirements: risk management, data governance, documentation, logging, transparency, human oversight, and accuracy, robustness, and cybersecurity. The output is a prioritised list of what exists, what is missing, and what to fix first. This is the cheapest, highest-leverage step and the usual starting point for an external assessment.

Step 4: build the technical file

Assemble the technical documentation set out in Annex IV and stand up the risk management system. This is the evidence that the system meets the Act's requirements, and it is what an assessor, a notified body, or a regulator will ask to see.

Step 5: complete conformity assessment and register

Run the conformity assessment, by internal control for most systems or through a notified body where the category requires it. Then draw up the EU declaration of conformity, affix CE marking, and register the system in the EU database before it goes live.

Step 6: keep it current

Run post-market monitoring, retain records, and report serious incidents. Re-assess after any substantial modification, such as retraining or a change of purpose. Compliance is a programme you maintain, not a certificate you frame.

How do I start complying with the EU AI Act?

Begin with an inventory and classification of every AI system you provide or deploy. You cannot decide what to do until you know each system's risk tier and your role. From there, high-risk systems follow a defined path through documentation, conformity assessment, and registration, while lighter tiers mainly face transparency duties.

Do I need a notified body?

Usually no. Most high-risk systems are assessed through internal control, which means you prepare the technical documentation and self-declare conformity. Only certain categories, mainly some biometric systems, require third-party assessment by an accredited notified body. In those cases you prepare the file and coordinate with one.

What does the technical documentation include?

A general description of the system, its intended purpose and development, the data used, the risk management measures, performance and accuracy metrics, human oversight design, and the steps taken to meet the Act's requirements. Annex IV of the Act sets out the full contents.

What happens when I change the model?

A substantial modification can require a fresh conformity assessment. If you retrain, change the intended purpose, or alter the system in a way that affects compliance, treat it as a trigger to revisit the documentation and re-assess, not as routine maintenance.

Start with a gap assessment

We classify your system, measure it against the Act, and hand you a prioritised roadmap, so you spend effort only where it is needed.

This guide is general information, not legal advice. Confirm your obligations with qualified counsel.