EU AI Act Compliance

The EU AI Act (Regulation (EU) 2024/1689) entered into force on

1 August

2024 and is being applied in stages: Since

2 February 2025, AI systems with unacceptable risk have been prohibited — including social scoring, manipulative AI, and real-time remote biometric identification. Since

2 August 2025, transparency obligations for GPAI models apply. From

2 August 2026, high-risk AI systems under Annex III (including biometrics, education, employment, and credit scoring) must be fully compliant. High-risk systems under Annex I (product safety) have until

2 August 2027. For certain AI in large-scale EU IT systems, an extended deadline of

31 December

2030 applies.

Annex III of the EU AI Act defines eight high-risk areas: (1) Biometric identification and categorization of persons, (2) Management and operation of critical infrastructure (energy, transport, water, gas), (3) General and vocational education (access, assessment, exam monitoring), (4) Employment and human resources management (candidate selection, promotion, termination), (5) Access to essential services (credit scoring, insurance, social benefits), (6) Law enforcement (risk assessment, lie detection, evidence analysis), (7) Migration and border control (visa applications, asylum procedures), (8) Administration of justice and democratic processes. In addition, AI systems embedded in products with CE marking fall under Annex I.

Providers of high-risk AI systems must meet comprehensive requirements under the EU AI Act: a risk management system covering the entire lifecycle (Art. 9), quality requirements for training, validation, and test datasets (Art. 10), complete technical documentation per Annex IV (Art. 11), automatic logging capability (Art. 12), transparency and provision of information to operators (Art. 13), measures for human oversight (Art. 14), and accuracy, robustness, and cybersecurity (Art. 15). Prior to placing on the market, a conformity assessment must be conducted and an EU Declaration of Conformity must be issued.

The fines under the EU AI Act are structured in three tiers: Up to €

35 million or 7% of global annual turnover (whichever is higher) for the use of prohibited AI practices. Up to €

15 million or 3% of turnover for violations of obligations relating to high-risk AI systems or GPAI models. Up to €7.5 million or 1.5% of turnover for providing false or incomplete information to authorities. Proportionally lower caps apply to SMEs and start-ups. Fines are also reduced for natural persons not acting in a commercial capacity.

GPAI models such as GPT-4, Claude, or Gemini have been subject to their own obligations since August 2025: providers must create technical documentation, publish a summary of training data, comply with EU copyright law, and cooperate with downstream providers. GPAI models with systemic risk (threshold: training compute exceeding 10^

25 FLOPs) have additional obligations: model evaluation according to the state of the art, adversarial testing and red teaming, assessment and mitigation of systemic risks, cybersecurity measures, and incident reporting to the EU AI Office. The AI Office oversees compliance directly at EU level.

The EU AI Act, the GDPR, and the NIS 2 Directive address different aspects with some overlap: The GDPR protects personal data — the AI Act regulates AI systems regardless of whether they process personal data. NIS 2 focuses on cybersecurity for critical infrastructure — the AI Act additionally requires robustness and accuracy specifically for AI. The Cyber Resilience Act (CRA) governs product security for connected devices and overlaps with the AI Act in the area of embedded AI. The EU Product Liability Directive extends liability to AI-related damages. Organizations need an integrated compliance strategy that covers all regulatory frameworks — which is exactly what ADVISORI provides from a single source.

Since February 2025, providers and operators of AI systems must ensure that their staff possess sufficient AI competence (Art.

4 EU AI Act). This encompasses technical knowledge, an understanding of regulatory requirements, and awareness of associated risks. The obligation applies regardless of risk class — including organizations that only deploy AI systems with minimal risk. In practice, this means: training programs for employees who develop, operate, or make decisions about AI. Documentation of qualification measures. ADVISORI offers tailored training formats for this purpose — from 90-minute board briefings to multi-day hands-on workshops for development teams.

ADVISORI is one of the few consulting firms that combines AI transformation and regulatory expertise under one roof. As an ISO 27001/9001/14001-certified organization, we bring proven expertise in information security, risk management, and compliance. Our consultants are familiar with the interfaces to GDPR, NIS2, DORA, and CRA and develop integrated compliance strategies. With our own multi-agent AI platform Synthara, we not only implement AI from a regulatory perspective but also use it operationally — giving us firsthand knowledge of requirements from both the provider and operator perspective. As a Microsoft, AWS, and Google Cloud partner, we cover all relevant AI technology stacks. This sets us apart from pure legal advisory firms or IT service providers without hands-on AI experience.