EU AI Act Compliance: A Practical Starter Guide

Gera Services · Compliance guide · Updated 30 June 2026

Quick answer: If you build, sell, or use an AI system whose output reaches people in the EU, the EU AI Act likely applies to you. The work is: (1) inventory every AI system, (2) classify each by risk tier, (3) for any high-risk system, produce a risk assessment and technical documentation and assign human oversight. GeraCompliance turns this into a guided, fixed-scope workflow so you reach a defensible baseline quickly.

Who the EU AI Act applies to

The Act reaches both providers (those who build or place an AI system on the market) and deployers (those who use one in a professional capacity) when the system's output is used in the EU — regardless of where your company is based. A UK or US business serving EU users is typically in scope. The depth of your obligations then depends on how risky the system is.

The four risk tiers

TierWhat it meansTypical obligation
UnacceptablePractices the Act prohibits (e.g. certain social scoring).Not allowed — stop or redesign.
High-riskSystems used in sensitive areas (e.g. employment, credit, essential services).Risk management, data governance, technical documentation, human oversight, conformity assessment.
Limited-riskSystems that interact with people (e.g. chatbots) or generate content.Transparency — disclose that AI is in use.
Minimal-riskMost everyday AI (e.g. spam filters).Few or no specific obligations.

Classifying each system correctly is the single most important first step — it determines everything else.

What documentation you need

For high-risk systems you generally need a risk assessment, technical documentation (commonly mapped to Annex IV), data-governance records, instructions for use, and logs that support traceability. GeraCompliance helps classify AI systems, generate risk assessments, and produce Annex IV-style technical documentation while tracking your compliance milestones — so you start from a structured template instead of a blank page.

A defensible baseline in five moves

  1. Inventory every AI system you build or use.
  2. Classify each one by risk tier.
  3. Document the high-risk systems (risk assessment + Annex IV-style technical docs).
  4. Assign human oversight and record how decisions can be reviewed.
  5. Keep evidence — versioned records and logs you can show an auditor.

For the evidence step, tamper-evident records help: GeraWitness provides cryptographic receipts and provenance for documents and events, and PrivacyGuard supports the data-protection side that sits alongside AI Act work.

Frequently asked questions

Who does the EU AI Act apply to?

Providers and deployers of AI systems whose output is used in the EU, wherever the organisation is based.

What is the fastest way to start?

Inventory and classify your AI systems, then document the high-risk ones. GeraCompliance turns this into a guided, fixed-scope workflow.

This guide is general information, not legal advice. Confirm your specific obligations with a qualified adviser; the Act's detailed requirements and timelines apply per system and per role.

Start your EU AI Act baseline.

Open GeraCompliance →