AI Regulation Watch

Business Compliance Handbook for Artificial Intelligence Regulations: A Practical Guide to Implementing the AI Act

The EU Artificial Intelligence Act (AI Act, Regulation (EU) 2024/1689) entered into force on 1 August 2024, and its provisions apply in phases: the prohibited practices of Article 5 and the AI literacy obligation of Article 4 have applied since 2 February 2025, the obligations for general-purpose AI models since 2 August 2025, the rules for the high-risk use cases listed in Annex III apply from 2 August 2026, and high-risk systems that are safety components of products regulated under the Annex I legislation have until 2 August 2027. This places concrete, measurable requirements on businesses, and the time for preparation is passing quickly. Compliance with the AI Act is not a one-time activity but a continuous governance programme that must be embedded in a company's organisational structure. This handbook provides a practical roadmap for companies wishing to approach this challenge systematically. This text is informational in nature and does not replace individual legal advice.

Step 1: AI System Inventory — Knowing What You Have

Every compliance programme begins with a complete inventory of AI systems that a company develops, procures, or uses. A surprisingly large number of organisations lack this visibility — AI systems are procured and deployed at business unit level without central recording.

What the inventory should cover:

For each AI system or AI-driven tool, document: name and version; supplier or internal team that developed it; the company's role in relation to the system (provider, deployer, importer or distributor, since each role carries different obligations under the Act); business purpose and context of use; categories of users exposed to the system (employees, clients, business partners, the general public); types of data processed; whether the system is built on a general-purpose AI model and, if so, which one; where the provider is established and where the system is operated (the Act also reaches providers and deployers outside the EU when the system's output is used in the EU); and the date on which the system was introduced.

Where to look for AI systems: Beyond obvious AI applications (chatbots, recommendation engines), companies must not overlook: AI components within HR tools (candidate selection, performance assessment), AI in CRM systems (customer scoring, predictive analytics), AI in financial systems (fraud detection, credit assessment), AI in security systems (video surveillance, access control; note that biometric identification and categorisation are Annex III use cases, and some uses, such as emotion recognition of employees in the workplace, are prohibited outright under Article 5 except for medical or safety reasons), and AI in analytics platforms. Inventory should also capture AI features switched on inside SaaS products the company already licenses, which often arrive through a vendor update rather than a procurement decision.

Step 2: Risk Classification for Each System

With the inventory in hand, each system must be placed in one of the AI Act's risk tiers: prohibited practices (Article 5), high risk (Article 6, read with Annexes I and III), systems subject to the transparency obligations of Article 50 (commonly called limited risk), or minimal risk. General-purpose AI models are governed by a separate set of obligations in Chapter V, which apply to the model provider regardless of the risk tier of the systems built on the model.

Key questions for classification:

Is the system a safety component of a product covered by the EU harmonisation legislation listed in Annex I, or does its intended purpose fall within one of the use cases listed in Annex III? Under the AI Act, high-risk status is determined by these lists rather than by a free-standing test of how much the system affects people. A system that falls within an Annex III use case but does not materially influence the outcome of a decision (for example, one that only performs a narrow procedural task) may be taken out of the high-risk category under the exception in Article 6(3), but the provider must document that assessment and can be asked to justify it.

The Annex III areas are: biometrics; critical infrastructure; education and vocational training; employment, workers' management and access to self-employment; access to essential private and public services (including creditworthiness assessment of natural persons and risk assessment and pricing for life and health insurance); law enforcement; migration, asylum and border control; and the administration of justice and democratic processes.

Who is the subject of the system's decisions, and do they belong to vulnerable groups (children, patients, asylum seekers)? This question matters for the prohibited-practices analysis under Article 5, which bans systems that exploit vulnerabilities due to age, disability or social or economic situation, and it should weigh heavily in the risk assessment even where the system is not high-risk.

Does the system interact directly with natural persons, generate synthetic audio, image, video or text content, or perform emotion recognition or biometric categorisation? Each of these triggers a transparency obligation under Article 50 (disclosure of the AI nature of the interaction, machine-readable marking of generated content, labelling of deepfakes, informing affected persons), independently of the risk tier.

Where doubt exists, classify conservatively, record the reasoning behind the classification, and consult legal and technical experts. Regulators will ask for the assessment itself, not only for its conclusion, so the classification record should be kept with the inventory.

Step 3: Gap Analysis for High-Risk Systems

For each system classified as high-risk, the next step is a gap analysis comparing the current state against the requirements of Chapter III, Section 2 of the AI Act. Most of these requirements bind the provider. A company that only deploys a high-risk system obtained from a third party has the narrower set of deployer obligations in Article 26 (using the system in accordance with the instructions for use, assigning trained staff to human oversight, ensuring that input data is relevant, monitoring operation, retaining the logs under its control for at least six months, and informing the provider and the authorities of serious incidents), and should verify the provider's documentation rather than produce its own. A deployer that rebrands the system or substantially modifies it becomes a provider under Article 25 and inherits the full set. The provider-side checklist:

Risk management system (Article 9): is there a documented, continuous process for identifying, estimating and mitigating the risks of this system, covering both its intended purpose and reasonably foreseeable misuse, and is the system tested against that process before release?

Data and data governance (Article 10): are the training, validation and testing datasets documented, including their origin and collection process? Have procedures to examine and mitigate possible biases been applied, and are the datasets relevant and sufficiently representative for the intended purpose?

Technical documentation (Article 11 and Annex IV): does complete documentation exist in the form required by the AI Act (purpose, technical characteristics, performance benchmarks, known limitations)?

Record-keeping (Article 12): does the system automatically log events over its lifetime so that its operation can be traced, anomalies identified and post-market monitoring supported? For the logs to serve as evidence in an investigation, they should be written to storage that operators cannot silently alter and protected by access control; a log that the system owner can edit proves little.

Transparency and instructions for use (Article 13): is there a clear, comprehensible set of instructions intended for the deployer, covering capabilities, limitations, accuracy levels and the human oversight measures expected of the deployer?

Human oversight (Article 14): are mechanisms in place that enable the people assigned to oversight to understand the system's output, to decide not to use it or to override it, and to stop it?

Accuracy, robustness and cybersecurity (Article 15): are the accuracy metrics declared in the instructions for use, does the system behave consistently under erroneous or unexpected input, and are there measures against the attacks the Act names explicitly: data poisoning, model poisoning of pre-trained components, adversarial examples (model evasion) and confidentiality attacks on the model or its data?

Conformity assessment and registration (Articles 43 and 49): has the applicable conformity assessment procedure been completed, the EU declaration of conformity drawn up and the CE marking affixed, and has the system been registered in the EU database before being placed on the market?

Each identified gap becomes an item in an action plan with deadlines and responsibilities.

Step 4: Internal Governance Structure

Compliance with the AI Act requires a clear internal allocation of responsibilities. For companies of a certain size and AI intensity, recommended governance models include:

AI Compliance Officer (AICO): analogous to the DPO (Data Protection Officer) function under the GDPR (General Data Protection Regulation, Regulation (EU) 2016/679), this is the person or team responsible for monitoring AI regulatory requirements, coordinating compliance efforts, and communicating with regulators. Unlike the DPO, this role is not mandated by the AI Act; it is a governance choice. In smaller companies, the role may be assumed by an existing compliance or legal team.

AI Ethics/Risk Committee — a cross-functional committee that approves the introduction of new high-risk AI systems, monitors the performance and ethical metrics of existing systems, and makes decisions on corrective measures.

AI Inventory Register — a centralised database of all AI systems, continuously updated and accessible to the compliance and legal teams.

Internal responsible AI use policy: a document defining which AI systems may and may not be used, under what conditions, and with what safeguards. This document must be accessible to all employees and is the natural place to record how the company meets the AI literacy obligation of Article 4, which requires providers and deployers to ensure that staff operating AI systems on their behalf have sufficient knowledge of how the systems work and of their risks.

Step 5: Documentation and Technical Requirements

For high-risk AI systems, the AI Act requires the provider to draw up the technical documentation described in Article 11 and Annex IV before the system is placed on the market or put into service:

Content of technical documentation: General description of the system and its intended purpose; detailed description of its elements and of the development process, including the design logic and algorithms; description of the datasets used for training, validation and testing; description of the risk management system; performance, accuracy, robustness and cybersecurity benchmarks, with the metrics used; known limitations and conditions under which the system may fail; description of human oversight mechanisms; description of the post-market monitoring plan; and the list of harmonised standards or other specifications applied.

This documentation must be kept up to date throughout the lifecycle of the system, and under Article 18 the provider must retain it for ten years after the system is placed on the market. Competent authorities may request access to it. Non-compliance with the obligations for high-risk systems can be fined up to EUR 15 million or 3 % of worldwide annual turnover, whichever is higher (Article 99), and supplying incorrect or incomplete information to authorities is itself a sanctionable act.

Step 6: Ethical Guidelines and Responsible AI Practice

Compliance with the AI Act is a necessary but not sufficient condition for responsible AI practice. Companies that wish to be not only legally compliant but also trustworthy towards users, clients, and the public should adopt ethical guidelines for AI use that go beyond the minimum legal requirements.

Key principles of ethical guidelines recommended by EU institutions, including the Ethics Guidelines for Trustworthy AI issued in 2019 by the European Commission’s High-Level Expert Group on Artificial Intelligence (AI HLEG), include:

Transparency and explainability — users should be informed when they are interacting with AI systems and should be able to understand the basis for automated decisions that affect them.

Fairness and non-discrimination — AI systems must not reproduce or amplify discriminatory patterns based on protected characteristics.

Privacy and data protection — the processing of data in AI systems must be minimal, necessary, and compliant with the GDPR.

Safety and robustness: AI systems must be designed to operate safely under real-world conditions, including edge cases and deliberate manipulation such as adversarial inputs, poisoned training data, and prompt injection against language-model applications that act on untrusted content. Robustness should be verified by testing, not asserted in documentation.

User well-being — AI must not be used to manipulate or exploit users.

Step 7: Continuous Monitoring and Updating

AI compliance is not a one-off project — it is an ongoing programme. Companies must establish procedures for:

Regular review of the AI inventory and updating of classifications in light of new systems or changes in the purpose of existing ones.

Monitoring the performance and potential bias of high-risk systems in production.

Tracking the evolution of the regulatory framework: the AI Act is accompanied by delegated and implementing acts, harmonised standards being drafted by CEN and CENELEC, Commission guidelines (for example on prohibited practices) and the General-Purpose AI Code of Practice, all of which are still developing.

Reporting serious incidents to the competent authority in accordance with Article 73: the provider must report a serious incident to the market surveillance authority of the Member State where it occurred immediately after establishing a causal link, and in any case no later than 15 days after becoming aware of it, with shorter deadlines for the most serious cases (death, or widespread infringement or incidents affecting critical infrastructure). Deployers must inform the provider, and an incident response runbook should name who makes that call and within what time.

Frequently Asked Questions (Q&A)

Must every company using AI comply with the AI Act? Not to the same degree. The prohibitions of Article 5 and the AI literacy obligation of Article 4 apply to every provider and deployer, whatever the risk tier of the systems in use. Beyond that, companies that use exclusively minimal-risk AI systems (spam filters, e-commerce recommendations) have no further specific obligations; the substantive requirements attach to high-risk systems and, as regards transparency, to the systems covered by Article 50. The key is to carry out a classification before concluding what applies.

How can SMEs (small and medium-sized enterprises) meet AI Act requirements without significant resources? The AI Act provides certain accommodations for SMEs (Article 62): a simplified form of technical documentation to be established by the Commission, priority access to regulatory sandboxes, and proportionate fees for conformity assessment, but not an exemption from the substantive obligations. A practical approach for SMEs: deploy ready-made high-risk systems whose provider has completed conformity assessment and affixed the CE marking, rather than developing proprietary ones, bearing in mind that buying does not remove the deployer obligations of Article 26; use standardised documentation templates and the compliance tools that are emerging on the market; consider shared compliance resources within trade associations.

Does the use of ChatGPT or similar tools for internal productivity require special measures? The use of generally available AI tools for internal productivity typically falls in the minimal-risk category and does not trigger the high-risk requirements, although the AI literacy obligation of Article 4 still applies and Article 50 applies if generated content is published. An internal policy is nonetheless recommended that regulates: what types of confidential or personal data employees may use as input to public AI services (data sent to a third-party service leaves the company's control and may be retained by the provider), and how AI-generated content that enters business processes is to be handled. AI-generated code in particular should pass the same review and testing as any other third-party code before it reaches production.

What is the AI Act sandbox and how can it benefit companies? The AI Act provides for regulatory sandboxes (Article 57): controlled environments in which innovative AI systems can be developed, trained and tested under the supervision of the competent authority, with guidance on how the requirements apply before the system is placed on the market. Each Member State must ensure that at least one national AI regulatory sandbox is operational by 2 August 2026. Participation does not suspend the obligations of the Act, but a sandbox exit report can be used as evidence in the conformity assessment. This is particularly valuable for start-ups and innovative projects in the development phase that wish to test systems before a full market launch.

Conclusion

Implementing the AI Act is not merely a regulatory obligation; it is also an opportunity for companies to systematise their AI activities, reduce operational risks, and build trust with clients and partners. Organisations that treat AI regulation as strategic risk management rather than a bureaucratic hurdle will find themselves in a stronger market position. As with the GDPR, compliance with the AI Act will become not only a legal obligation but also a competitive differentiator and a prerequisite for doing business with certain corporate partners and the public sector.

For a structured analysis of AI systems in your company, the development of an AI compliance programme, and documentation requirements, schedule a consultation with our team specialising in artificial intelligence regulation.

Sources:
– Regulation (EU) 2024/1689 (AI Act): https://eur-lex.europa.eu/eli/reg/2024/1689/oj
– EY, Artificial intelligence regulation and compliance: https://www.ey.com/en_uk/trust/artificial-intelligence-regulation-compliance
– PwC, AI governance: https://www.pwc.com/gx/en/issues/data-privacy/ai-governance.html
– European Commission, Ethics Guidelines for Trustworthy AI (AI HLEG, 2019): https://digital-strategy.ec.europa.eu/en/library/ethics-guidelines-trustworthy-ai

The content of this website is informational and does not constitute legal advice. For specific legal advice, contact a lawyer directly. The firm operates in accordance with the Law on the Legal Profession and the Code of Professional Ethics for Lawyers.