The EU AI Act became fully enforceable on 2 August 2026 for high-risk AI systems. Most coverage focuses on AI developers. But the obligations that affect the most businesses are the ones placed on deployers — the companies that use AI tools to make or support decisions.
If your business uses a CV screening tool, a credit scoring model, a fraud detection system, a chatbot that handles customer queries, or an AI-powered HR platform, you are an AI deployer. You have specific obligations under the AI Act regardless of whether you built the tool.
Here is what you need to do.
1. Inventory every AI tool your team uses
Start with a complete list of every AI-powered tool in use across your business — not just the ones you're aware of. CV screeners, fraud detection systems, chatbots, scoring tools, automated email systems, AI writing assistants, predictive analytics, decision-support tools.
Shadow AI adoption is common. Individual teams adopt tools that never go through a formal procurement process. Your inventory is only useful if it's complete. Survey team leads, review subscription payments, and check which tools your staff have connected to business accounts.
2. Classify each tool by risk level
The AI Act establishes four risk categories: prohibited, high-risk, limited risk, and minimal risk. The category determines your obligations.
Prohibited systems cannot be used at all — these include social scoring systems, most real-time biometric surveillance in public spaces, and AI that exploits psychological vulnerabilities. High-risk systems carry significant obligations. Limited-risk systems have transparency requirements. Minimal-risk systems have no specific obligations beyond general EU law.
If you don't know the category for a tool you're using, you're already behind.
3. Check if any tool qualifies as high-risk
High-risk AI includes systems used in specific sectors and use cases that are explicitly listed in Annex III of the AI Act. Categories that catch many SMBs:
- HR and employment: AI used in recruitment, CV screening, interview assessment, promotion decisions, task allocation, and performance monitoring
- Credit and financial services: credit scoring, insurance risk assessment, pricing tools
- Access to essential services: AI that determines access to education, healthcare, housing, or public benefits
- Law enforcement and border control (relevant for regulated industries)
If you use an AI-powered HR tool to screen applications, shortlist candidates, or assess employee performance — that's high-risk.
4. For every high-risk tool: read the provider's instructions for use
The AI Act places explicit obligations on deployers of high-risk AI to follow the provider's instructions for use. This isn't a suggestion. Providers are required to supply instructions; deployers are required to follow them.
Read the documentation for each high-risk tool you use. Understand the intended purpose, the limitations, the requirements for human oversight, and the conditions under which the system should not be used. Document that you've done this.
5. Assign a named person responsible for human oversight of each high-risk system
High-risk AI systems require meaningful human oversight — not just a checkbox. The AI Act requires that the person responsible has the competence and authority to understand the system, monitor its outputs, and intervene or suspend the system when necessary.
A team is not sufficient. A named individual with documented responsibility, training records, and the actual ability to override the system is what the regulation requires.
6. Set up log retention
High-risk AI systems must maintain automatically generated logs of their operation. You are required to retain these logs for a minimum of 6 months (or longer where sector-specific regulations require it).
Check with your providers whether logging is enabled, where logs are stored, and whether they are accessible to you as the deployer. If logging is not available, that is a compliance gap at the provider level — and something to address contractually.
7. Tell your employees when AI is being used to make decisions that affect them
Where AI is used to make or significantly support decisions about employees — hiring, promotion, performance assessment, task allocation, working time monitoring — employees have a right to be informed. This is a legal obligation under the AI Act, not a courtesy.
Review your employment contracts, staff handbooks, and onboarding materials. Update them to disclose what AI tools are in use and what decisions they influence. The disclosure must be clear and specific — a generic reference to "technology tools" is not sufficient.
8. Run a Data Protection Impact Assessment for any high-risk AI that processes personal data
GDPR and the AI Act overlap significantly. If a high-risk AI system processes personal data — and most do — you need a DPIA under GDPR as well as compliance with the AI Act's requirements.
The two frameworks interact: the GDPR DPIA should address the AI-specific risks (opaque decision-making, potential for discrimination, data quality issues) that the AI Act highlights. Run them together.
9. Register as a deployer of high-risk AI in the EU database where required
The AI Act established an EU-wide database for high-risk AI systems. Providers are required to register their systems. For certain high-risk use cases (standalone AI systems used in the areas covered by Article 6(2)), deployers also have registration obligations.
Check whether any of your high-risk tools fall into the categories that require deployer registration. The EU AI Office maintains updated guidance on this.
10. Document everything
In an investigation, the regulator will ask: what AI tools do you use, how did you assess their risk level, what oversight is in place, what training have staff received, and how do you handle incidents involving AI outputs.
The documentation must exist before you need it. What tools you use. What risk category each falls into. What oversight is in place. What training staff have received. What your process is if an AI system produces an incorrect or harmful output.
The full enforcement deadline for high-risk AI systems was 2 August 2026. National market surveillance authorities are now actively reviewing implementation.
Knowing the 10 steps and having them documented, monitored, and auditable are two different things.
This article is for informational purposes only and does not constitute legal advice. For legal advice specific to your situation, consult a qualified attorney licensed in your jurisdiction.
