Preparing your organization for the AI Act starts with three concrete steps: identify your AI systems, determine which risk category they fall into, and ensure that your documentation and governance are in order. The AI Act is the first comprehensive European law regulating the use of AI, and its requirements apply to every organization that uses or develops AI, regardless of sector. In this article, we answer the most frequently asked questions about what the law specifically requires of you and how to get started in practice.
Specifically, what does the AI Act require of organizations?
The AI Act requires organizations to classify their AI systems by risk, document how those systems work, and demonstrate that they are used safely and transparently. The scope of these obligations depends directly on the risk level of your AI applications. For most organizations, the two most important obligations are: ensuring AI literacy among employees and maintaining a clear overview of which AI systems you use.
Specifically, this means the following for organizations that use AI as users (deployers):
- Ensure that employees have a sufficient understanding of how the AI systems they use work and what risks are associated with them (AI literacy, Article 4).
- For high-risk AI: Ensure human oversight so that an employee can always intervene or override a decision.
- For high-risk AI: Conduct a fundamental rights impact assessment before putting the system into use.
- Transparency toward users when they interact with an AI system, such as a chatbot.
- Maintaining logs and documentation regarding the use of high-risk systems.
Organizations that develop or market AI systems themselves face significantly stricter obligations, including comprehensive technical documentation, conformity assessments, and registration in the EU database. But even if you only purchase and use existing AI tools, you still have an active responsibility.
Which AI systems fall into the high-risk category?
High-risk AI systems are defined in Article 6 of the AI Act and include two categories: systems incorporated as safety components in regulated products, and systems that fall under one of the eight domains listed in Annex III. These are applications in which errors or misuse can have direct consequences for fundamental rights, safety, or access to essential services.
The eight areas listed in Annex III are:
- Biometrics (facial recognition, emotion recognition)
- Critical infrastructure (energy, water, transportation)
- Education and Vocational Training (Admission, Student Evaluation)
- Employment and Human Resources Management (Recruitment, Performance Evaluation)
- Access to essential services (creditworthiness, insurance, emergency calls)
- Law Enforcement
- Migration and Border Control
- The Administration of Justice and Democratic Processes
Important: Any system that performs profiling of natural persons always falls into the high-risk category, regardless of the domain. A system that performs only a narrow procedural or preparatory task and does not pose a significant risk to fundamental rights may fall outside the high-risk category, but the provider must document this with supporting evidence. If you’re unsure whether your system is high-risk, always document your reasoning in writing.
When do the requirements of the AI Act take effect?
The AI Act will take effect in phases. As of February 2, 2025, the prohibitions on unacceptable AI practices and the requirement for AI literacy will take effect. As of August 2, 2026, most of the obligations for high-risk systems listed in Annex III will take effect. This means that organizations must already comply with part of the law, while other obligations are still to come.
The complete timeline at a glance:
- February 2, 2025: Prohibited practices (Article 5) and the AI literacy requirement (Article 4) take effect.
- August 2, 2025: Requirements for GPAI models, governance, penalty provisions, and designation of national supervisory authorities.
- August 2, 2026: Most of the requirements for high-risk Annex III systems take effect.
- August 2, 2027: Requirements for high-risk AI used as a safety component in regulated products (Annex I).
So by 2026, it will already be urgent to take action if you’re using high-risk AI. In January 2026, Finland became the first member state to formally grant enforcement powers to its national authority. Other EU countries are following suit. Waiting is no longer an option.
How do you assess the AI systems in your organization?
You can map out AI systems by conducting a structured AI inventory: go through all departments, ask targeted questions of team leaders and IT, and document every system that supports decision-making, automates processes, or makes predictions. In doing so, many organizations discover that they are using more AI than they realized, because AI is increasingly built into standard software.
A practical four-step approach:
- For each department, take stock of the following: What software, tools, or services are used that incorporate AI? Examples include HR software with recruitment algorithms, customer service platforms that use AI to handle customer inquiries, or financial tools that perform risk assessments.
- Describe the purpose and functionality: What does the system do, based on what data, and what decisions does it support or make?
- Classify the risk level: Use the four categories from the AI Act: unacceptable risk (prohibited), high risk, limited risk, minimal risk.
- Determine your role: Are you a provider (you develop or market the system) or a deployer (you use a system from another provider)? This determines which obligations apply to you.
Record the results in a central registry. This document serves as the basis for your compliance approach and is also useful in the event of audits by regulatory authorities.
What is the difference between an AI provider and an AI user?
An AI provider is the party that develops and markets an AI system. An AI user (deployer) is the organization that deploys an existing AI system within its own context. This distinction is crucial because providers have significantly greater obligations than users, but users are not exempt from responsibility either.
As a provider, you are responsible for technical documentation, conformity assessments, CE marking (for high-risk AI), registration in the EU database, and actively monitoring your system after it is placed on the market. As a deployer, you are responsible for ensuring correct use in accordance with the provider’s instructions, human oversight, AI literacy among your employees, and a fundamental rights impact assessment for high-risk applications.
Please note: the line between provider and user can shift. If you modify a system, put your own name on it, or use it for a purpose for which it was not intended, you become the provider yourself from a legal standpoint. This also applies to importers and distributors who make substantial modifications. Review your contracts with your software vendors to understand who bears which responsibilities.
What are the first steps you should take to become AI Act-compliant?
The first step toward AI Act compliance is a comprehensive inventory of your AI systems, followed by risk classification and the establishment of an internal governance structure. Don’t start with the most onerous requirements, but rather with the actions that are already legally required: avoiding prohibited practices and promoting AI literacy.
A concrete list of priorities for 2026:
- Right now: Check whether your organization uses AI applications that fall under the prohibited practices listed in Article 5. Examples include emotion recognition in the workplace or social scoring. Stop using these applications immediately.
- Short term: Conduct an AI inventory as described in the previous section and classify each system.
- Within a few months: Ensure that employees who use AI systems are AI-literate. This does not have to be extensive training, but employees must understand what the system does, what its limitations are, and when they need to intervene.
- Establishing Governance: Appoint a person responsible for AI compliance, develop an internal policy, and define how to handle reports of incidents or deviations.
- Review contracts with suppliers: Make sure you know, for each AI supplier, which obligations fall to them and which fall to you as the deployer.
The fines for non-compliance are substantial: violations of prohibited practices can result in fines of up to 35 million euros or 7% of global annual revenue. Non-compliance with other obligations can result in fines of up to 15 million euros or 3%. So starting early is not only wise—it’s necessary.
How Pegamento Helps with AI Act Compliance
We understand that the AI Act is a complex issue for many organizations, especially if you’re already using AI in your customer interactions or business processes. At Pegamento, we help organizations gain control over their use of AI and implement it in a responsible manner. Specifically, we do this by:
- To provide insight into which of our AI-driven solutions fall under which risk category and what documentation is associated with them.
- To provide transparent technical documentation so that you, as the deployer, can meet your obligations.
- Build customized solutions using standard building blocks, so you don’t need a costly development process but still get a system that fits your situation and is set up to be compliant.
- We offer everything under one roof: from implementation to management and support, without you having to coordinate multiple vendors.
- Using Agentic AI for customer service: self-thinking assistants that don’t just follow instructions, but take the initiative on their own. This marks the evolution from traditional RPA to Agentic AI, in which bots have evolved into autonomous assistants capable of assessing and handling complex tasks.
Would you like to know where your organization currently stands in terms of AI Act compliance, or would you like to discuss how to use AI responsibly? Please contact us, and we’d be happy to help you find a solution.
Frequently Asked Questions
What happens if my organization hasn't taken any steps toward AI Act compliance yet?
If you haven’t taken any steps yet, it’s important to start immediately with the obligations that are already in effect: check whether you’re using prohibited AI practices and ensure your employees are AI-literate. For high-risk systems listed in Annex III, you have until August 2026, but given the preparation time required, delaying action is risky. National regulators in the EU are taking action, and fines for non-compliance can reach up to 35 million euros or 7% of global annual revenue.
How do I know if the AI tools I purchase from a supplier are compliant?
Explicitly ask your supplier for technical documentation and inquire who the provider is under the AI Act. As the deployer, you are responsible for proper use, but the provider is responsible for conformity assessments and CE marking for high-risk systems. Check contracts to see who bears which responsibilities and ensure you have access to the information you need to fulfill your own obligations, such as instructions for human oversight and logs.
What exactly does AI literacy entail, and how do I organize this in practice?
AI literacy (Article 4) means that employees working with AI systems must have a sufficient understanding of what the system does, what its limitations are, and when they need to intervene or override a decision. This does not have to be extensive training: targeted instruction for each tool, tailored to the employee’s role, is often sufficient. Keep a record of which trainings were provided, to whom, and when, so you can demonstrate this in the event of an audit.
Does the AI Act also apply to small organizations and SMEs?
Yes, the AI Act applies to any organization that uses or develops AI systems within the EU, regardless of company size or sector. However, there are lighter obligations for micro-enterprises regarding certain specific requirements, such as the costs of conformity assessments. For core obligations, such as avoiding prohibited practices and ensuring AI literacy, the size of your organization makes no difference. A structured approach is particularly valuable for SMEs, as the capacity available for compliance is often limited.
What is a Fundamental Rights Impact Assessment, and when should I conduct one?
A Fundamental Rights Impact Assessment (FRIA) is an analysis of the potential impact of a high-risk AI system on fundamental rights such as privacy, non-discrimination, and access to services. As the deployer of a high-risk AI system, you are required to conduct this assessment before putting the system into use. The assessment documents the risks you have identified, the measures you are taking to mitigate them, and how you have established human oversight.
What are common mistakes when conducting an AI inventory?
A common mistake is that organizations focus only on standalone AI tools and forget that AI is also built into existing software such as HR systems, CRM platforms, or financial applications. Another pitfall is underestimating the risk level: systems that create profiles of employees or customers always fall into the high-risk category, even if they seem harmless at first glance. If in doubt, always document your reasoning in writing so that, in the event of an audit, you can demonstrate how you arrived at your classification.
How should I handle AI systems that we’ve developed internally or significantly customized?
If you have developed an AI system internally, branded it under your own name, or deployed it for a purpose for which it was not originally intended, you are legally considered a provider rather than a deployer. This means that the more stringent obligations for providers apply to you, including technical documentation, conformity assessments, and registration in the EU database for high-risk systems. Assess this carefully for each system and document your reasoning.


