Where to Start With the EU AI Act: A First-Steps Guide
New to EU AI Act compliance? A calm, sequenced week-one plan: build your AI inventory, screen Article 5 prohibitions, classify systems, confirm your role.
Regulation (EU) 2024/1689 runs to roughly 113 articles and an architecture that rewards sequential work. Your obligations depend on what each AI system does and your role in relation to it. Until you have catalogued those systems and classified them, you cannot know which obligations apply, in what order, and to whom.
The steps below take a company from a standing start to a credible first-draft compliance position in roughly two weeks. They do not require a lawyer at the outset — just internal coordination and a willingness to write things down.
For a quick overview, the EU AI Act summary page covers the landscape in five minutes. This guide is the slower, operational version — what a first working session looks like, who to pull in, and what "done" means for each step.
Before you start: the one thing to understand
Your obligations depend on what each system does and your role in relation to it — not on the vendor or the underlying model. A company using a recruiting tool to screen applicants is a deployer under Article 26; a company building a credit-scoring product and selling it to banks is a provider under Article 16. The obligations are materially different.
The Act's scope is broad — for most organisations the question is not whether it applies but which obligations it triggers. The answer starts with cataloguing and classifying your AI systems. Everything else follows from that.
Step 1 — Build your AI inventory (week one)
The AI inventory is the single most important output of the first phase. You cannot classify or comply with what you have not catalogued. This step takes longer than most compliance managers expect, for a specific reason: a significant proportion of the AI in any organisation was not formally procured.
Who to involve. Pull in product, engineering, procurement, and HR at a minimum. Add whoever manages vendor contracts and whoever runs SaaS subscriptions — including tools bought on a department credit card. The goal is to surface everything: not just models your data team built, but AI features switched on by default inside existing tools (co-pilot features in productivity suites, smart-routing in a support tool), and any SaaS adopted without a formal procurement process.
How to surface shadow AI. Shadow AI — tools used without IT or legal visibility — is the largest source of inventory gaps. Ask each department lead to list every tool that makes or suggests decisions, generates outputs used downstream, or processes personal data automatically. Ask procurement for SaaS contracts from the last three years touching HR, finance, or customer operations. Ask engineering whether any third-party model APIs are called in production code.
What to record for each system. For every system you surface, capture: name and vendor; the system's intended purpose and the context in which it operates; what data it processes; whether it makes or supports a consequential decision about a natural person; your company's role (did you build it, buy it, or integrate it into something you sell); and the population affected.
The output is a living register you update as tools change. An AI inventory template provides a ready-made structure. For more on running this process end to end, see the AI inventory guide.
Step 2 — Screen for prohibited uses (Article 5)
Once the inventory exists, run a first pass against the eight prohibitions in Article 5. These have been illegal since 2 February 2025 — anything matching is a live problem, not a 2027 one.
The prohibitions cover: real-time remote biometric identification in publicly accessible spaces for law enforcement (narrow exceptions apply); retrospective biometric identification in the same context; subliminal manipulation and exploitation of vulnerabilities; social scoring by public authorities; predicting offending risk based solely on profiling; untargeted scraping of facial images for recognition databases; and emotion recognition in workplaces or educational settings.
Most companies will clear this screen quickly. Pay particular attention if you use emotion-recognition in HR tools or if any system touches biometric data or public-safety functions. Article 5 breaches carry fines up to €35 million or 7% of total worldwide annual turnover. The Article 5 guide covers each prohibition.
Step 3 — Classify each system (Article 6 + Annex III)
High-risk classification is governed by Article 6 read together with Annex III. Annex III lists eight areas: biometrics; critical infrastructure; education and vocational training; employment, worker management, and access to self-employment; access to essential private and public services (including creditworthiness scoring — excluding fraud detection — and life/health insurance risk assessment); law enforcement; migration, asylum, and border control; and administration of justice and democratic processes. The full scope of each area is detailed in the Annex III reference.
For each system that touches one of these areas, apply the Article 6(3) filter before concluding it is high-risk. A system is not high-risk if it performs a narrow procedural task, improves the result of a previously completed human activity, detects decision patterns without replacing or influencing human assessment, or does only preparatory work — provided it does not pose a significant risk of harm to health, safety, or fundamental rights. The filter requires only one of those conditions, not all four. One hard exception: any system that profiles natural persons is always high-risk, regardless of the filter.
Document your reasoning, including the Article 6(3) analysis where you apply it. That reasoning is part of the compliance record. The Article 6 guide and the risk classification tool walk through the analysis step by step.
Step 4 — Confirm your role for each system
For every system on your inventory, confirm your legal role. The Act assigns obligations by role — getting it wrong means you either over-invest or miss what matters.
A provider (Article 16) develops a system and places it on the market under its own name: the heaviest obligation stack (risk management under Article 9, technical documentation under Article 11, conformity assessment under Article 43, registration under Article 49).
A deployer (Article 26) uses someone else's system in a professional capacity. Deployers must follow provider instructions, maintain human oversight, keep logs for at least six months, and — for public bodies and deployers of creditworthiness or life/health-insurance systems — run a Fundamental Rights Impact Assessment (Article 27).
Importers (Article 23) and distributors (Article 24) carry supply-chain verification duties. Article 25 shifts any of these roles into provider obligations if you put your own name on a high-risk system, substantially modify it (Article 3(23)), or change its intended purpose.
Work through this question explicitly for each system. The provider vs deployer guide covers the boundary and the Article 25 triggers in detail.
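As an added illustration (not Confir's code and not part of the original guide), the Step 3 Article 6 / Annex III filter and the Step 4 Article 25 role shift written out as deterministic rules in Python, so that each decision carries the written reason the compliance record needs. The field names and the short Annex III area labels are this example's own shorthand, and the sample inventory entry is constructed.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Shorthand labels for the eight Annex III areas listed in Step 3 (assumed names).
ANNEX_III_AREAS = {"biometrics", "critical infrastructure", "education", "employment",
                   "essential services", "law enforcement", "migration", "justice"}

@dataclass
class AISystem:
    name: str
    annex_iii_area: Optional[str] = None    # None if the system touches no Annex III area
    profiles_natural_persons: bool = False  # hard exception: always high-risk
    narrow_procedural_task: bool = False    # the four Article 6(3) conditions follow
    improves_completed_human_activity: bool = False
    detects_patterns_only: bool = False     # does not replace or influence human assessment
    preparatory_only: bool = False
    significant_risk_of_harm: bool = False  # if True the Article 6(3) filter cannot apply

def classify(s: AISystem) -> Tuple[str, str]:
    """Return (tier, reason); the reason is what gets written into the record."""
    if s.annex_iii_area is None:
        return "not-high-risk", "touches no Annex III area"
    if s.annex_iii_area not in ANNEX_III_AREAS:
        raise ValueError(f"unknown Annex III area: {s.annex_iii_area}")
    if s.profiles_natural_persons:
        return "high-risk", "profiles natural persons; Article 6(3) filter does not apply"
    conditions = {
        "narrow procedural task": s.narrow_procedural_task,
        "improves a completed human activity": s.improves_completed_human_activity,
        "detects patterns without replacing human assessment": s.detects_patterns_only,
        "preparatory work only": s.preparatory_only,
    }
    met = [label for label, flag in conditions.items() if flag]
    if met and not s.significant_risk_of_harm:  # any one condition is enough
        return "not-high-risk", f"Article 6(3): {met[0]}; no significant risk of harm"
    return "high-risk", f"Annex III area '{s.annex_iii_area}', no Article 6(3) exemption"

def effective_role(declared: str, high_risk: bool, rebrands: bool = False,
                   substantially_modifies: bool = False, changes_purpose: bool = False) -> str:
    """Article 25 shift: a deployer, importer or distributor of a high-risk system
    takes on provider obligations if it rebrands, substantially modifies or repurposes it."""
    if declared == "provider":
        return "provider"
    if high_risk and (rebrands or substantially_modifies or changes_purpose):
        return "provider"
    return declared

if __name__ == "__main__":
    screener = AISystem("CV ranking tool", "employment", profiles_natural_persons=True)  # constructed
    tier, why = classify(screener)
    print(tier, "-", why)
    print(effective_role("deployer", tier == "high-risk", substantially_modifies=True))
```

Run against every inventory row from Step 1 and keep the returned reason strings alongside the classification so the Article 6(3) analysis is documented as the guide asks.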
Step 5 — Meet the obligations already in force
Two obligations apply to all AI systems regardless of risk tier, and they have been live since 2 February 2025.
Article 4 (AI literacy) requires providers and deployers to ensure staff who work with AI have sufficient knowledge to use it competently. No formal certification is mandated, but it is a documented duty. Assess whether your organisation has provided relevant training to employees who use AI in their roles. If not, this is a week-one task, not a 2027 one. The Article 4 guide covers what "sufficient" looks like in practice.
Article 50 limited-risk transparency obligations apply from 2 August 2026 — this date was not deferred. Customer-facing chatbots, synthetic-media features, and emotion-recognition in non-prohibited contexts trigger Article 50 disclosure duties. Identifying scope now means you build the mechanisms before the deadline rather than racing to them.
Step 6 — Plan the high-risk work against the deadline
If Step 3 identified high-risk systems, the documentation work starts now. Under the Digital Omnibus agreed in May 2026, the deadline for stand-alone Annex III systems is 2 December 2027; for high-risk AI embedded in regulated products under Annex I it is 2 August 2028.
These are dates to work toward, not to wait for. The Article 9 risk management system, Article 11 / Annex IV technical documentation, Article 14 human oversight design, and — for biometric systems — a notified-body conformity assessment under Article 43, all take months to assemble. A company starting in mid-2026 has time to do this properly. The non-compliance ceiling for high-risk failures is €15 million or 3% of worldwide turnover. Build a timeline backward from 2 December 2027 and identify who internally owns each obligation. The implementation roadmap provides that framework.
What good looks like after two weeks
At the end of two weeks you should have: a complete AI inventory reviewed by product, engineering, and procurement; a documented Article 5 screen; a first-pass classification of every inventoried system with written Article 6 reasoning; a confirmed role for each system with Article 25 shifts noted; evidence that Article 4 AI literacy is addressed; and a prioritised list of which systems carry which obligations, with an initial plan for the high-risk work.
This is not a complete compliance programme. It is the foundation that makes one possible. Without the inventory and classification, the documentation, assessments, and governance work have no starting point.
How Confir helps
Confir is a rule-based, deterministic EU AI Act compliance tool. The classification logic encodes the Act's explicit rules — not a probabilistic AI model — so the same inputs produce the same output every time, and the rule that fired is human-readable and audit-defensible.
In practice, Confir walks your inventory entries through the Article 5 and Article 6 / Annex III classification in a guided plain-English workflow, derives your role via Article 25 scenario logic, and flags which systems trigger which obligations. For high-risk systems it drives the structured assessment and generates the Article 11 / Annex IV documentation pack and the Article 47 / Annex V Declaration of Conformity.
Starting plan: €600/year, credit-card checkout, no consultants. confir.eu.
Frequently Asked Questions
Do I have to comply with the EU AI Act if I only use third-party AI tools?
Yes. The Act applies to deployers as well as providers. Using a recruiting tool, a credit-assessment service, or a customer-facing chatbot in a professional capacity makes you a deployer under Article 26 with real obligations: follow provider instructions, maintain human oversight, monitor for risks, retain logs for at least six months, and — for certain system types — run a Fundamental Rights Impact Assessment under Article 27.
Which EU AI Act obligations are already in force?
Article 5 prohibitions and Article 4 AI literacy have applied since 2 February 2025. GPAI model obligations and penalties (Article 99) apply from 2 August 2025. General application including Article 50 limited-risk transparency applies from 2 August 2026. High-risk Annex III obligations apply from 2 December 2027 under the Digital Omnibus agreed in May 2026.
What is the difference between a provider and a deployer?
A provider (Article 16) builds a system and places it on the market under its own name — the heaviest obligation stack. A deployer (Article 26) uses someone else's system; obligations exist but are lighter. Most companies using off-the-shelf SaaS AI tools are deployers. Article 25 shifts you into provider territory if you rebrand, substantially modify, or change the intended purpose of a high-risk system.
Our company is small — do the fines really apply to us?
Yes, but Article 99(6) caps fines for small companies and start-ups at the lower of the fixed-sum ceiling or the percentage of turnover. A company with €2 million in annual revenue facing an Article 5 breach would be capped at 7% of €2 million (€140,000), not at €35 million. That is proportionate, but still significant. The more useful point: most early-stage compliance work is low-cost if done methodically. The cost of non-compliance scales with revenue; the cost of the inventory and classification process does not.
What counts as a "substantial modification" that shifts me to provider obligations?
Substantial modification is defined in Article 3(23). In practice it means a change that materially affects a system's performance, intended purpose, or the population it processes — beyond routine maintenance, parameter updates, or configuration within the original provider's intended-use documentation. Fine-tuning a third-party model on your own data, building an application layer that changes what the system decides, or redeploying it in an unintended context all point toward Article 25. Document the analysis.
Do I need to run a Fundamental Rights Impact Assessment?
Not automatically. The Article 27 FRIA is mandatory for public-body deployers, and for deployers of creditworthiness/credit-scoring systems (Annex III point 5(b)) and life/health-insurance risk-assessment systems (Annex III point 5(c)). Private-sector employers using high-risk HR tools are generally not required to run one, though Article 27(4) allows the FRIA to build on an existing GDPR DPIA (Article 35 GDPR) where one is already in place.
Can I do this without hiring a consultant?
For the first two weeks — inventory, Article 5 screen, Article 6 classification, role confirmation — yes. These steps require internal coordination, not specialist legal advice. Legal support earns its cost when you need to defend an Article 6(3) exemption claim, prepare technical documentation for complex systems, or finalise the Declaration of Conformity. Start the process; bring in specialist help when the questions get genuinely ambiguous.
Related guides
- EU AI Act summary: five things to do now
- How to build an AI inventory for EU AI Act compliance
- AI inventory template
- EU AI Act Article 5: prohibited practices
- EU AI Act Article 6 and Annex III: high-risk classification
- Provider vs deployer: understanding your role
- EU AI Act Article 4: AI literacy obligations
- EU AI Act compliance implementation roadmap
Manage your EU AI Act compliance in one place
Confir automates risk classification, technical documentation, and audit trails for any company. No consultants. No 6-month projects. 7-day free trial.