Most organisations don’t fall short on the EU AI Act because they ignored it — they fall short because they can’t say with confidence which risk tier a system sits in, or where a vendor’s duties end and theirs begin. The Act has applied in phases since February 2025, and the high-risk Annex III deadline now lands 2 December 2027. Undocumented classification, vendor reliance, and stale risk files are exactly what market-surveillance authorities examine first. This guide maps where you stand, tier by tier — before a regulator writes the roadmap for you.
What’s inside this guide:
✔ The four risk tiers and the obligations attached to each, from prohibited practices to voluntary codes
✔ A phased deadline table (Feb 2025 → Aug 2028), including how the 2025 Digital Omnibus re-timed the high-risk clock
✔ Role-by-role duties for providers, deployers, importers, distributors, and general-purpose AI model providers
✔ A complete, article-referenced readiness checklist spanning governance, classification, high-risk obligations, transparency, and post-market monitoring
✔ The evidence and documentation pack a market-surveillance authority will actually ask for
✔ A worked example — a high-risk AI recruitment tool — showing how obligations split between provider and deployer
✔ The penalty structure by infringement tier, up to €35M or 7% of global turnover
✔ A 3-phase roadmap from AI inventory to full high-risk conformity
✔ The 5 most common readiness pitfalls seen in early AI Act programmes
✔ A quick-reference obligation matrix by role (Annex A)
VISTA InfoSec LLC,347 Fifth Ave,
Suite 1402-526, New York, NY 10016
© Copyright 2026. VISTA InfoSec. All Rights Reserved. | Disclosure Policy | Privacy Policy | Sitemap
Enquire Now
WhatsApp us