EU AI Act readiness

The EU AI Act is risk-tiered, so readiness starts with honest classification and ends with evidenced obligations. This guide takes a system from “we think the Act applies” to a defensible readiness position.

You need to demonstrate readiness for the EU AI Act for a specific system, or to triage which of your systems the Act touches and how heavily.

A system classified into the correct EU AI Act risk category, with the applicable obligations identified and evidenced, and a readiness report.

  1. Register and ground the system. Capture it in AI System Records and run intake; the intake signals (automated decisions, public-facing, personal and special-category data, sector) drive classification.
  2. Classify against the Act. Route to the EU AI Act framework, which organises the regime into risk classes and article-anchored categories. Confirm whether the system is prohibited, high-risk, limited-risk or minimal-risk.
  3. Identify your role. Provider and deployer obligations differ. If you build the system, expect provider duties; if you only use it, deployer duties. Record this in the assessment.
  4. Assess the obligations. Work the EU AI Act controls relevant to the classification, recording maturity and rationale per control.
  5. Evidence them. Through the Evidence Tracker and Testing Centre, capture the evidence each obligation needs: risk management, data governance, transparency, human oversight, accuracy and robustness, and record-keeping.
  6. Add depth where it matters. For high-risk systems, pair the Act with GTSAF for control depth and ISO/IEC 42005 for an impact assessment.
  7. Track and report. Work gaps on the Remediation Roadmap and produce a readiness workpaper pack.

intake & risk tiering, EU AI Act, GTSAF, ISO/IEC 42005, evidence & findings and reporting.