EU AI Act Compliance: A Practical Starter Guide
Who the EU AI Act applies to
The Act reaches both providers (those who build or place an AI system on the market) and deployers (those who use one in a professional capacity) when the system's output is used in the EU — regardless of where your company is based. A UK or US business serving EU users is typically in scope. The depth of your obligations then depends on how risky the system is.
The four risk tiers
| Tier | What it means | Typical obligation |
|---|---|---|
| Unacceptable | Practices the Act prohibits (e.g. certain social scoring). | Not allowed — stop or redesign. |
| High-risk | Systems used in sensitive areas (e.g. employment, credit, essential services). | Risk management, data governance, technical documentation, human oversight, conformity assessment. |
| Limited-risk | Systems that interact with people (e.g. chatbots) or generate content. | Transparency — disclose that AI is in use. |
| Minimal-risk | Most everyday AI (e.g. spam filters). | Few or no specific obligations. |
Classifying each system correctly is the single most important first step — it determines everything else.
What documentation you need
For high-risk systems you generally need a risk assessment, technical documentation (commonly mapped to Annex IV), data-governance records, instructions for use, and logs that support traceability. GeraCompliance helps classify AI systems, generate risk assessments, and produce Annex IV-style technical documentation while tracking your compliance milestones — so you start from a structured template instead of a blank page.
A defensible baseline in five moves
- Inventory every AI system you build or use.
- Classify each one by risk tier.
- Document the high-risk systems (risk assessment + Annex IV-style technical docs).
- Assign human oversight and record how decisions can be reviewed.
- Keep evidence — versioned records and logs you can show an auditor.
For the evidence step, tamper-evident records help: GeraWitness provides cryptographic receipts and provenance for documents and events, and PrivacyGuard supports the data-protection side that sits alongside AI Act work.
Frequently asked questions
Who does the EU AI Act apply to?
Providers and deployers of AI systems whose output is used in the EU, wherever the organisation is based.
What is the fastest way to start?
Inventory and classify your AI systems, then document the high-risk ones. GeraCompliance turns this into a guided, fixed-scope workflow.
This guide is general information, not legal advice. Confirm your specific obligations with a qualified adviser; the Act's detailed requirements and timelines apply per system and per role.
Start your EU AI Act baseline.