EU AI Act compliance readiness before 2 August 2026
The EU AI Act applies in stages. It entered into force on 1 August 2024, with several obligations applying before the main 2 August 2026 milestone. Prohibited AI practices and AI literacy duties started applying from 2 February 2025, while obligations for general-purpose AI models began applying from 2 August 2025. The majority of remaining rules are widely associated with 2 August 2026.
For organisations using, building, buying, or distributing AI systems in the EU, the practical message is clear: do not wait until the deadline. EU AI Act compliance is easiest when inventory, ownership, classification, governance, and evidence are already in place.
This roadmap outlines what to implement before 2 August 2026.

Step 1: Build an AI inventory
Start by creating a central register of all AI systems used across the organisation. Include internal tools, third-party platforms, pilot projects, embedded AI features, and AI used in SaaS products.
Your AI inventory should capture:
- AI system name;
- business process;
- use case;
- system owner;
- technical owner;
- vendor or provider;
- your role, such as provider, deployer, importer, or distributor;
- whether the system is used in the EU market;
- affected users, such as customers, employees, prospects, or citizens;
- type of data used, such as personal data, sensitive data, public data, or business data;
- risk tier, such as prohibited, high risk, transparency required, or minimal risk;
- reason for the risk tier;
- required controls;
- evidence location;
- review date.
The inventory should be treated as a live compliance asset, not a one-off spreadsheet. Update it whenever a new AI tool is introduced, a vendor adds AI features, or an existing system changes.
Step 2: Classify AI risk
The EU AI Act uses a risk-based approach. Each AI system should be classified using a repeatable process rather than informal judgement.
For each system, assess whether:
- it involves a prohibited AI practice;
- it could fall within a high-risk category;
- it affects people’s access to employment, education, credit, public services, insurance, law enforcement, migration, justice, or critical infrastructure;
- it interacts directly with people;
- it generates or manipulates text, image, audio, or video content;
- it uses personal or sensitive data;
- its output is used to make or influence decisions about people;
- your organisation acts as a provider, deployer, importer, or distributor.
Once this review is complete, assign a risk tier and document the reason. For higher-risk systems, also document the controls required.
High-risk AI systems may need stronger controls, including risk management, technical documentation, logging, human oversight, data governance, accuracy, robustness, and cybersecurity.
Step 3: Define ownership and governance
AI governance should make it clear who approves AI use, who owns each system, who reviews risk, and how issues are escalated.
Your AI governance process should include:
- an AI policy and scope;
- an inventory with named owners;
- a risk classification method;
- a review cadence;
- procurement and vendor approval steps;
- human oversight rules for higher-impact systems;
- transparency notice requirements;
- incident logging and escalation;
- AI literacy training evidence;
- documentation and evidence retention.
AI governance should connect with existing privacy, cybersecurity, procurement, HR, product, legal, and compliance processes. This avoids creating a separate system that no one uses.
Step 4: Prepare transparency notices
Transparency duties may apply when people interact with certain AI systems or when content is AI-generated or manipulated. This is especially relevant for chatbots, virtual assistants, synthetic images, AI-generated text, deepfakes, customer service tools, and marketing content.
Prepare:
- user-facing AI notices;
- chatbot or virtual assistant disclosures;
- AI-generated content labelling rules;
- internal approval workflows for synthetic media;
- records showing where notices are displayed;
- vendor confirmation that AI-generated outputs can be identified where required.
For marketing and communications teams, this step is especially important. AI-generated content should go through brand, legal, and compliance review before being published in sensitive or public-facing contexts.
Step 5: Implement AI literacy training
AI literacy is already an active obligation under the EU AI Act. Organisations should ensure relevant staff understand how AI is used, what the risks are, and what controls apply.
Training should be role-based. For example, all employees may need basic guidance on safe AI use, confidentiality, hallucination risk, and responsible prompting. Managers may need training on accountability, approval rules, escalation, and human oversight. Marketing teams may need guidance on AI content labelling, copyright awareness, and brand safety. HR teams may need training on bias, fairness, and employment-related AI risks. Procurement teams may need support with vendor due diligence and AI contract questions. Legal and compliance teams may need deeper training on obligations, evidence, and incident response.
Keep records of training materials, completion dates, attendance, and role-based learning paths.
Step 6: Review vendors and third-party tools
Many AI risks sit inside third-party platforms. Procurement teams should ask AI-specific questions before buying, renewing, or expanding tools.
Ask vendors:
- whether AI is used in the product;
- what the AI system does;
- whether the system has been classified under the EU AI Act;
- whether it is high risk or subject to transparency duties;
- what data is used;
- whether customer inputs are used to train or improve models;
- what documentation is available;
- what logging, security, and human oversight features exist;
- how model or feature changes are communicated.
For higher-risk tools, contract terms should cover documentation access, data use restrictions, audit rights, incident notification, security controls, and liability.
Step 7: Build an evidence pack
By 2 August 2026, organisations should be able to show evidence of readiness.
Your evidence pack should include:
- AI policy;
- AI inventory;
- risk classification worksheets;
- vendor reviews;
- transparency notices;
- AI literacy training records;
- incident logs;
- human oversight procedures;
- technical documentation for high-risk systems where applicable;
- governance meeting records;
- change management records.
This evidence pack should be maintained like a management system, with clear owners and regular review dates.

Final readiness checklist before 2 August 2026
Before 2 August 2026, your organisation should aim to have:
- a complete AI inventory;
- documented risk classification for each AI system;
- clear ownership;
- AI policy and governance process;
- role-based AI literacy training;
- transparency notices and content labelling rules;
- vendor due diligence process;
- controls for any high-risk systems;
- logging and incident escalation;
- audit-ready evidence.
EU AI Act compliance becomes manageable when inventory, classification, governance, and evidence are in place early. The best-prepared organisations will treat AI compliance as an operating model, not a last-minute legal task.
