The EU AI Act is now applying in phases, and 2026 is a real deadline rather than a future one. Obligations for high-risk systems begin in August 2026. If your company builds, sells, or even deploys AI whose output reaches the EU, the Act can apply to you, including companies with no office in Europe. That extraterritorial reach is the part most teams outside the EU underestimate.

The tier system decides your workload. Unacceptable practices are already banned. Limited-risk systems owe transparency. High-risk systems, the Annex III categories like hiring, credit, education, and critical infrastructure, carry the heavy obligations: risk management, human oversight, logging, documentation. So the first task is classification, because everything downstream depends on which tier each system lands in.

The penalties make this a board-level conversation, not a legal footnote. Prohibited use can cost up to 35 million euros or 7% of global turnover, whichever is higher. Other breaches reach 15 million or 3%. For a mid-size exporter selling into Europe, that is not a line item you absorb quietly.

The obligations are operational, not legal-only. Human oversight means a named person can intervene and override, and you can prove they were in the loop. Logging means the system's decisions are recorded and retrievable. Transparency means affected people are actually told. None of that lives in a policy paragraph. It lives in the steps a workflow forces.

“Human oversight is a workflow, not a paragraph.”

Run it as a controlled regulatory change. Assess which systems are in scope, classify each, assign the high-risk ones an oversight gate and a logging requirement, and put a review on the calendar before each obligation date. The run history then doubles as your conformity evidence when a market-surveillance authority or an enterprise customer asks.

Start with scope. List every AI system that touches an EU user, customer, or decision. Non-EU companies are the most likely to assume the Act does not reach them, and the most likely to be wrong. Map the surface first, then classify, then put the gates where the risk actually sits.

Regulatory Change Impact Assessment

Assess the impact of a new regulation or amendment: scope the change, analyze process / system / policy impact, build an action plan, track execution, and close with sign-off. Branches by impact magnitude, Major changes require executive sign-off, Severe changes require executive plus legal sign-off.

Implementation checklist

List every AI system whose output reaches an EU user, customer, or decision, including systems you only deploy.

Classify each system by risk tier. The high-risk Annex III categories carry the heavy obligations.

Assign each high-risk system a human-oversight gate with a named person who can override.

Turn on logging and record-keeping so each decision is retrievable. That is your conformity evidence.

Put a review before each obligation date on the calendar, and treat the Act as a recurring regulatory change.

“Human oversight is a workflow, not a paragraph.”

Regulatory Change Impact Assessment

Implementation checklist

List every AI system whose output reaches an EU user, customer, or decision, including systems you only deploy.

Classify each system by risk tier. The high-risk Annex III categories carry the heavy obligations.

Assign each high-risk system a human-oversight gate with a named person who can override.

Turn on logging and record-keeping so each decision is retrievable. That is your conformity evidence.

Put a review before each obligation date on the calendar, and treat the Act as a recurring regulatory change.

EU AI Act for operations and compliance teams in 2026

Regulatory Change Impact Assessment

Implementation checklist

Related reading

Learn more

EU AI Act for operations and compliance teams in 2026

Regulatory Change Impact Assessment

Implementation checklist

Related reading

Learn more