The EU AI Act Is Now Enforced. Most Businesses Are Still Treating It Like Future News.

The EU AI Act's high-risk system obligations are in force. Penalties run up to €35M or 7% of global revenue. Most businesses still don't have a compliance owner.

The regulation that can fine your organisation seven percent of global annual revenue is no longer on the horizon. It activated in August 2025. The organisations treating it as a future planning exercise have already missed the first compliance window — and the hard deadlines are accelerating.

AI & Data · Business Infomatics Research Desk

Somewhere between the excitement of deploying AI tools across every function and the institutional tendency to treat regulatory compliance as something that happens to other organisations in other sectors, a remarkable thing happened: the EU AI Act went live. Not as a draft. Not as a consultation. The prohibitions on unacceptable-risk AI practices took effect in February 2025. The obligations for general-purpose AI models and the EU-level governance infrastructure came online in August 2025. The requirements for high-risk AI systems — the category that covers a substantial portion of the AI deployments that enterprise B2B organisations are running right now — are enforced from August 2026.

The readiness picture is not encouraging. A 2025 PwC survey of European enterprises found that fewer than 12 percent could demonstrate substantial compliance across all applicable Act requirements. A Gartner survey conducted in late 2025 found that 48 percent of security and compliance leaders rated their organisations as 'behind or significantly behind' on SBOM and AI documentation standards directly implicated by the Act. And a pattern has emerged that should concern any leader with AI investments in scope: the organisations least prepared for the EU AI Act are not the ones who decided to ignore it. They are the ones who decided it was a problem for the legal team, or for next year's planning cycle, and then never looked closely at what it actually requires.

EU AI Act enforcement timeline and fine structure. High-risk AI obligations are fully active from August 2026 — not 2027, not 'upcoming'. Source: European Commission, 2025.

€35M or 7% of global revenue — the maximum fine for prohibited AI practice violations. €15M or 3% for high-risk AI non-compliance. Enforcement is active. (EU AI Act, Article 99)

What the Act Actually Requires — Without the Legal Fog

The EU AI Act classifies AI systems into four risk tiers, and the obligations that attach to each tier are specific enough that most organisations will find themselves in scope for the high-risk category in ways their legal teams have not fully mapped. The high-risk category under Annex III covers AI systems used in: hiring, performance evaluation, and work allocation; credit scoring and creditworthiness assessment; insurance risk evaluation; medical device integration; law enforcement and judicial applications; critical infrastructure management; and biometric identification. These are not edge cases. They describe systems that a significant share of enterprise B2B organisations are currently running in production.

For high-risk AI systems, the Act mandates specific technical and governance requirements before deployment and on an ongoing basis: a conformity assessment demonstrating that the system meets Act requirements; technically detailed documentation of the system's intended purpose, performance characteristics, data used for training, and the human oversight mechanisms in place; logging and traceability of the system's outputs in a form that allows retrospective audit; registration of the system in the EU database for high-risk AI; and meaningful human oversight — not a nominal approval step, but genuine human review capacity for decisions where the AI's output has significant consequences for individuals.

EU AI Act readiness by sector, mid-2026. Tech and software leads at 31% — still a minority. Healthcare and manufacturing trail significantly. Source: PwC AI Compliance Survey, 2026.

The Documentation Problem Nobody Wants to Talk About

The gap between where most organisations sit on AI documentation and where the Act requires them to be is wider than any single compliance programme can bridge quickly. AI tools in enterprise environments have been deployed at a pace that outstripped the documentation practices that regulated industries normally apply before rolling out systems with significant decision-making power. A hiring tool that uses machine learning to rank candidates has been live for two years at many organisations without anyone having produced a technical specification of the model's training data, known error rates, or the human review process governing its outputs. The Act does not grandfather these deployments. It requires that documentation be produced, validated, and maintained.

The organisations with the most credible path to compliance are those that started with an AI inventory — a systematic account of every AI system in use, including tools embedded in SaaS products and managed by third-party vendors — and used that inventory to classify each system against the Act's risk tiers before attempting to address any specific compliance requirement. The inventory exercise itself is harder than it sounds. AI capabilities are now embedded in CRM platforms, HR systems, financial tools, and productivity software in ways that were not always visible at procurement and are not always visible to the teams running compliance programmes. The 'shadow AI' problem that created management challenges is now a compliance problem.

High-risk AI use cases: deployment vs. adequate governance documentation. Nearly every enterprise deploys HR AI (72%) — fewer than a quarter have the documentation the Act requires. Source: Gartner, 2026.

The Third-Party Problem Is the Compliance Gap Nobody Expected

One of the most significant and least-discussed compliance challenges the EU AI Act creates for enterprise organisations is the obligation it places on them in relation to AI systems they did not build but that they deploy. If a company purchases a workforce management platform that uses AI to make scheduling recommendations, or a CRM that uses machine learning to score leads, the organisation deploying that system has compliance obligations under the Act even though the underlying AI was built and trained by the vendor.

This creates a procurement and vendor management challenge that most organisations are only beginning to understand. The contract terms that govern existing enterprise software relationships were not written with EU AI Act compliance obligations in mind. They do not typically require vendors to produce AI documentation in a form that allows the deploying organisation to meet its own Act requirements. They do not guarantee that the AI capabilities within the product are classified against the Act's risk tiers. And renegotiating those terms with large enterprise software vendors — who are managing hundreds of enterprise customer compliance relationships simultaneously — is not a rapid process.

The organisations navigating this most effectively have taken two steps. They have made EU AI Act documentation requirements a standard element of procurement terms for any software that includes AI decision-making capabilities, effective immediately for new contracts and at first renewal for existing ones. And they have identified which existing high-risk vendor AI deployments require the most urgent attention — typically those in hiring, credit, and healthcare contexts — and have initiated direct conversations with those vendors about documentation and conformity evidence, rather than waiting for standard procurement cycles to create the leverage.

A Practical Compliance Roadmap

Five-step EU AI Act compliance framework. Most organisations are between Step 1 and 2. Steps 3–5 require 12–18 months for complex enterprises. Source: Business Infomatics framework.

Step One: Inventory Before Everything Else

No compliance programme can be designed without knowing what it is meant to cover. An AI inventory must capture every system that meets the Act's definition of an AI system — which is broad enough to include machine learning models, rule-based systems using outputs from machine learning, and AI capabilities embedded within third-party software — and document the system's purpose, the data it uses, and the decisions or recommendations it produces. This inventory is not a one-time exercise. AI deployment in enterprise environments is continuous, and the inventory requires a governance mechanism that captures new deployments before they become undocumented compliance exposures.

Step Two: Classify, Then Prioritise

Once the inventory exists, classification against the Act's risk tiers determines which systems face the most stringent requirements and therefore which compliance investments are most urgent. The mistake to avoid at this step is attempting to reclassify systems downward to reduce compliance burden. The classification criteria in Annex III are specific and will be applied by regulators against the actual function of the system, not the organisation's preferred categorisation of it. An honest classification exercise that identifies all high-risk systems produces a compliance roadmap that is more burdensome than a minimalist one — and dramatically lower-risk when the first enforcement action in your sector establishes what regulators are looking for.

The Board Conversation That Needs to Happen

The EU AI Act is not primarily a technical compliance challenge. It is a governance challenge that requires executive-level ownership. The decisions that determine compliance exposure — which AI systems to deploy, what documentation standards to require from vendors, how human oversight mechanisms are designed, whether the risk of a specific AI application is within the organisation's tolerance — are strategic decisions, not operational ones. The organisations with the most coherent approach to AI Act compliance have elevated it to board-level visibility as a regulatory risk with defined ownership, defined audit mechanisms, and defined escalation paths for non-compliance findings. The boards that first encounter the Act when a fine is proposed will find themselves significantly less well-positioned than those that have been asking the right questions for the preceding two years.
