Getting ready for the EU AI Act
The rules are set. The work of preparing for them is not.
Europe now has a law that governs how artificial intelligence is built and used. For most organisations the headline question is not whether it applies, but how much work it asks of them, and when that work has to be done. The honest answer is that the heavy lifting is administrative, not technical, and it takes longer than people expect.
Risk decides the burden
The law does not treat every AI system the same. It sorts them by how much harm they could do to people. A tool that filters spam sits at one end. A system that decides who gets a loan, who is shortlisted for a job, or how a patient is triaged sits much higher up. The further up that scale your system sits, the more you have to prove: that it was tested, that it is monitored, that a person can step in, and that you kept records of all of it.
So the first task is not legal. It is simple bookkeeping. List the AI systems you actually run, write down what each one decides or influences, and note who would be affected if it got that decision wrong. That single inventory tells you which systems carry real obligations and which barely register.
If you cross borders, raise the floor
Many of the organisations we work with operate in more than one country, and the temptation is to tune compliance market by market. In practice that creates a patchwork that is expensive to maintain and easy to get wrong. The cleaner move is to take the strictest rule that applies to you anywhere and make it your baseline everywhere. You carry a little more overhead in the lighter-touch markets, but you stop managing a dozen subtly different versions of the truth.
Most of the effort is records and oversight, not new technology, and those are exactly the things that take time to put in place.
The work is mostly evidence
When teams imagine compliance, they picture re-engineering their models. The reality is quieter. The obligations that consume the most time are documentation, human oversight, and the ability to explain a decision after the fact. You need to show what data trained a system, who signed it off, how it is watched in production, and what happens when it drifts. None of that is glamorous, and none of it can be bolted on the week before an audit.
That is why starting now matters more than starting perfectly. A team that has spent six months building the habit of recording decisions and keeping a person in the loop is in a far stronger position than one that has a polished policy document and no evidence behind it.
A sensible first ninety days
Begin with the inventory. Then, for each higher-risk system, name an owner, write down how a human reviews and overrides it, and start keeping a plain log of changes and incidents. Close the obvious gaps, the system nobody owns, the model nobody can explain, before you worry about the edge cases. By the time the deadlines bite, the routine is already part of how you work rather than a scramble against the clock.
If you are not sure which of your systems carry real obligations, a short conversation usually makes it clear. We can help you build the inventory and put the oversight in place without slowing your teams down.