You’re looking at your August 2025 calendar, and it’s already marked. General Purpose AI model obligations went into effect on August 2nd. Your team uses OpenAI‘s API for your recruitment platform, and you’ve been fine-tuning it. Are you a provider under EU regulations now? Do you need Code of Practice compliance? Your high-risk AI requirements were supposed to kick in August 2026, but there’s talk of the Digital Omnibus pushing that to December 2027—or maybe August 2028. Do you start compliance work now or wait for clarity? What if the Omnibus doesn’t pass?
Welcome to the EU AI Act implementation tension landscape.
This guide provides the navigational framework you need. Rather than overwhelming you with everything at once, we’ve organised the implementation challenge into 8 focused decision frameworks. Each addresses a specific compliance question you’re facing, with technical detail where you need it and strategic context where it matters. Think of this page as your map to the territory—it shows you the landscape and directs you to the specific trails you need to hike.
The regulatory complexity stems from competing forces pulling in opposite directions: enforcement timelines march forward while technical standards lag behind, industry coalitions request implementation pauses citing competitiveness concerns against US voluntary frameworks, the Digital Omnibus proposal creates timeline uncertainty just as you’re trying to budget for 2026, and Member States show varied readiness for enforcement. Meanwhile, 45+ European companies—including Airbus, Siemens, and Mercedes-Benz—argue current rules could undermine Europe’s global AI standing.
What You’ll Find in This Guide
Immediate Compliance Decisions:
- Fine-Tuning Foundation Models Under the EU AI Act – When your API usage transforms you from deployer to provider
- High-Risk AI Systems in Employment – Classifying your recruitment and HR AI correctly
Strategic Planning Frameworks:
- EU AI Act Timeline Scenarios – Hedging Digital Omnibus uncertainty with contingent planning
- Managing Dual-Market AI Compliance – Architectural strategies for US-EU regulatory divergence
Resource Allocation Guides:
- Budgeting for EU AI Act Compliance – Cost models for SMB tech companies by use case
- AI Vendor Due Diligence Under EU Regulations – Compliance verification checklists and contract terms
Infrastructure Integration:
- Integrating EU AI Act Compliance with Existing GDPR Programs – Avoiding duplicative assessments
- EU AI Office Enforcement Priorities – What actually triggers penalties and mitigation strategies
Let’s start with the fundamentals before diving into your specific decision points.
What is the EU AI Act and why is implementation contentious?
The EU AI Act is the world’s first comprehensive legal framework specifically regulating artificial intelligence, establishing risk-based compliance obligations for AI systems deployed in the EU. Implementation tensions arise from conflicting pressures: enforcement timelines proceed while technical standards lag, industry requests implementation pause citing competitiveness concerns, Member States show varied readiness, and the Digital Omnibus proposal introduces timeline uncertainty just as companies begin compliance planning.
The risk-based classification framework operates across four tiers. Prohibited AI systems face outright bans with penalties up to €35 million or 7% of global revenue. High-risk AI systems, covering employment screening, credit scoring, educational assessment, and law enforcement applications, require conformity assessment, quality management systems, fundamental rights impact assessments, and EU database registration. General Purpose AI models displaying significant generality and trained with computation exceeding 10^23 FLOPs face transparency obligations including model documentation, copyright compliance, and Code of Practice adherence. Everything else falls into minimal risk territory with voluntary compliance.
The regulatory timeline conflicts create immediate planning challenges. August 2, 2025 marked the start of GPAI model obligations—these are already in force. Yet harmonised standards from CEN-CENELEC won’t arrive until late 2026 or beyond, leaving a compliance pathway uncertainty gap. Without harmonised standards providing presumption of conformity, companies must navigate common specifications or Commission guidelines, increasing conformity assessment complexity and cost.
Industry pushback reached public visibility in July 2025 when 45+ European companies—including Airbus, ASML, Lufthansa, Mercedes-Benz, Siemens Energy, and AI developer Mistral—requested a two-year implementation pause. Their argument: the AI Act’s “unclear, overlapping and increasingly complex” rules disrupt the traditional European balance between regulation and innovation. These companies warn the current approach could undermine Europe’s global standing not just in technology but across all AI-dependent industries. They point to competitive disadvantages against US companies operating under voluntary frameworks and Chinese companies benefiting from government-supported AI development.
The European Commission rejected a broad pause but signalled targeted delays where standards aren’t ready. That signal materialised as the Digital Omnibus proposal in November 2025. The core tension remains: how do you facilitate governance of rapidly evolving technology in a manner preserving public trust and democratic values without undermining Europe’s global AI competitiveness?
For initial classification decisions, see our guides on high-risk AI classification if you’re working with recruitment or HR tools, or GPAI provider classification if you’re customising foundation model APIs.
How does the Digital Omnibus affect compliance timelines?
The Digital Omnibus consolidates amendments to the AI Act, GDPR, and Data Act, shifting high-risk AI obligations from fixed dates—originally August 2, 2026—to standards-dependent triggers potentially extending deadlines to December 2, 2027 or August 2, 2028. This creates planning paralysis: invest now in uncertain requirements or wait for clarity while risking late preparation? The answer depends on scenario planning with contingent decision gates tied to regulatory milestones.
Under the Digital Omnibus proposal published November 19, 2025, high-risk AI requirements now become effective six months after the Commission confirms “adequate measures in support of compliance” are available for Annex III systems (employment, education, credit scoring), or at the latest December 2, 2027. For Annex I product safety systems, the trigger extends to twelve months after Commission confirmation or August 2, 2028 at the latest. This means if CEN-CENELEC finalises harmonised standards by June 2027 and the Commission declares them adequate, your Annex III compliance deadline becomes December 2, 2027. If standards take longer, you still face the hard stop of December 2027.
Beyond timeline extensions, the Digital Omnibus expands SME carve-outs with reduced documentation requirements, proportionate quality management systems, and capped penalty percentages. GDPR coordination receives clarification, particularly around special category data processing for bias mitigation—you can now use sensitive data like race or ethnicity information in fairness testing under expanded legal bases.
Here’s the critical detail: GPAI obligations remain unaffected by the Digital Omnibus. The August 2, 2025 deadline proceeded as scheduled. If you’re using foundation models from OpenAI, Anthropic, Google, or fine-tuning them yourself, those transparency requirements are already in force. There’s no deferral, no wait-and-see. The timeline uncertainty applies only to high-risk AI systems.
Strategic implications split into two categories. “No-regret” compliance moves deliver value regardless of which scenario unfolds: establishing documentation systems, conducting vendor compliance assessments, building bias testing frameworks, creating internal AI inventories and classification registers. These investments start immediately.
Deferred decisions pending regulatory clarity include full conformity assessment build-out, comprehensive quality management system implementation, and post-market monitoring infrastructure. The decision framework isn’t “do nothing and wait” versus “do everything now.” It’s “invest in foundations that serve multiple scenarios while keeping expensive commitments flexible.”
For the detailed scenario planning framework with decision gates and budget phasing models, see our guide on hedging Digital Omnibus uncertainty. For how timeline uncertainty affects your budget planning and resource allocation, see our compliance cost budgeting framework.
What’s the difference between GPAI and high-risk AI obligations?
GPAI models face transparency and documentation requirements effective August 2, 2025, focused on training data disclosure, copyright compliance, and systemic risk assessment for high-capability models. High-risk AI systems require conformity assessment, quality management, bias mitigation, and fundamental rights impact assessments, with timelines ranging from August 2026 (original) to December 2027/August 2028 (Digital Omnibus scenarios). These are distinct obligation sets—many systems face both simultaneously.
GPAI models are defined as AI models displaying significant generality and capable of performing a wide range of distinct tasks, with training compute exceeding 10^23 floating point operations (FLOPs). This captures foundation models like GPT-4, Claude, Gemini, and Llama. All GPAI providers must draw up and maintain technical documentation, provide information to downstream deployers, establish copyright compliance policies, and publish training data summaries. For models with systemic risk—those exceeding 10^25 FLOPs—enhanced obligations include model evaluations, systemic risk assessments, serious incident reporting within 15 days, and cybersecurity protection.
The Code of Practice, confirmed August 1, 2025, provides practical implementation guidance across Transparency, Copyright, and Safety/Security chapters. Twenty-five providers including Amazon, Anthropic, Google, IBM, Microsoft, Mistral AI, and OpenAI signed up. Adherence isn’t strictly mandatory, but the AI Office will consider your commitment when assessing fines.
High-risk classification depends entirely on use case. Annex III lists specific contexts: recruitment, worker performance evaluation, educational admissions, credit scoring, law enforcement risk assessment, and healthcare diagnosis. Annex I adds product safety components. The conformity assessment procedure varies by category—Annex III systems generally permit self-assessment while Annex I often requires third-party notified body evaluation. Either way, you’re building technical documentation, establishing risk management systems, implementing data governance, building human oversight mechanisms, and creating post-market monitoring systems.
Fine-tuning a GPAI model for a high-risk use case triggers both obligation sets simultaneously. If you take OpenAI’s GPT-4 API and fine-tune it on your recruitment data to improve candidate screening, you might transform from a GPAI deployer to a GPAI provider. Simultaneously, your recruitment screening use case lands in Annex III high-risk territory. You now face model documentation requirements, Code of Practice compliance, conformity assessment, quality management systems, fundamental rights impact assessment, and bias mitigation all at once.
For the technical decision tree mapping your fine-tuning activities to provider versus deployer classification, see our dedicated guide. For detailed high-risk classification including preparatory task exemptions, see our employment AI guide.
What are the key decision points for CTOs?
CTO decision points cluster into eight domains: GPAI provider versus deployer classification determining obligation scope, high-risk system classification triggering conformity assessment, GDPR-AI Act integration avoiding duplicative effort, US-EU dual-market architectural strategies, timeline scenario planning under Digital Omnibus uncertainty, compliance cost budgeting and SME relief mechanisms, vendor due diligence and contract term allocation, and enforcement risk calibration and penalty mitigation.
1. GPAI Provider Classification
Decision: Does your fine-tuning activity transform you from deployer to provider?
Provider status triggers model documentation with 10-year retention, copyright compliance policies, Code of Practice adherence, and potential systemic risk designation. The classification turns on whether you’re making “substantial modifications” to the base model. API-level prompting and retrieval-augmented generation typically maintain deployer status. Parameter-efficient fine-tuning sits in a grey area depending on compute intensity. Full retraining crosses into provider territory.
Navigate to: Our guide on when customisation triggers provider obligations provides the technical decision tree, Code of Practice compliance pathways, and contract term recommendations.
2. High-Risk AI Classification
Decision: Does your AI system fall under Annex III use cases requiring conformity assessment?
Misclassification creates penalty exposure. Over-classification wastes compliance resources. The Article 6(3) preparatory tasks exemption provides an out: AI performing “narrow procedural task” or “preparatory task” not determining final decision outcomes may escape high-risk designation. Resume screening used solely to shortlist candidates for human review might qualify. Resume screening directly determining who gets interviewed probably doesn’t.
Navigate to: Our employment AI edge cases guide provides concrete use case mapping, conformity assessment procedures, fundamental rights impact assessments, and bias mitigation implementation.
3. GDPR Integration
Decision: How do you coordinate fundamental rights impact assessments with existing data protection impact assessments?
You’ve invested in GDPR compliance infrastructure. The AI Act adds fundamental rights impact assessments evaluating bias, discrimination, and dignity impacts. Combined DPIA-FRIA workflows leverage your existing infrastructure, coordinate DPO and AI compliance roles, and reduce costs.
Navigate to: Our GDPR integration strategies guide provides combined assessment templates, organisational workflow integration, and strategies for leveraging GDPR infrastructure.
4. US-EU Dual-Market Operations
Decision: What architectural strategies maintain a single codebase while meeting divergent US voluntary frameworks versus EU binding regulations?
US AI regulation follows voluntary frameworks and state-level laws. The EU AI Act establishes binding cross-sector requirements with extraterritorial reach—US companies serving EU customers face obligations regardless of headquarters location. Feature flags for region-specific behaviour, API versioning for compliance variation, and configuration management minimising code divergence become essential architectural patterns.
Navigate to: Our dual-market compliance guide provides architectural strategies for divergent regulations, regulatory arbitrage risk assessment, and extraterritorial reach mechanics.
5. Timeline Planning
Decision: Do you invest in compliance now under timeline uncertainty or wait for Digital Omnibus clarity?
With GPAI obligations already in force, high-risk deadline depends on trilogue negotiations: August 2026 if Omnibus fails, December 2027 or August 2028 if Omnibus passes. Scenario planning enables contingent budgeting with decision gates tied to regulatory milestones: Commission adequacy determination (Q1-Q2 2026), trilogue completion (Q2 2026), Member State transposition (Q3-Q4 2026).
Navigate to: Our contingent compliance planning guide provides three timeline scenarios, no-regret compliance moves, decision gate frameworks, and contingent budget phasing models.
6. Compliance Cost Budgeting
Decision: How much should you budget for conformity assessment, quality management systems, and post-market monitoring?
SMBs (50-500 employees) face conformity assessment costs estimated between €30-100K, plus quality management system implementation, post-market monitoring infrastructure, documentation systems, and legal counsel. SME carve-outs provide relief: reduced documentation requirements, proportionate QMS scope, capped penalties, and regulatory sandbox access.
Navigate to: Our SMB cost models guide provides cost models by company size and use case, SME relief mechanisms mapped to cost savings, and ROI frameworks.
7. Vendor Due Diligence
Decision: What questions should you ask AI vendors, what documentation should they provide, and how do you allocate obligations in contracts?
Most SMBs buy rather than build AI. Vendor evaluation requires documentation requests (conformity certificates for high-risk AI, model documentation forms for GPAI), verification methods (third-party audit reports, harmonised standards certifications, AI Office registration confirmation), and contract terms allocating compliance obligations with indemnification clauses.
Navigate to: Our vendor compliance verification guide provides a vendor questionnaire, documentation requirements, verification procedures, and contract clause recommendations.
8. Enforcement and Penalty Mitigation
Decision: What violations actually trigger penalties, what enforcement discretion factors matter, and how do you mitigate penalty exposure?
Fines reach €15 million or 3% of global revenue for high-risk violations, €35 million or 7% for prohibited AI. The AI Office holds exclusive GPAI enforcement jurisdiction while national market surveillance authorities handle most high-risk systems. Enforcement discretion favours good faith compliance demonstrated through AI Pact participation, cooperation during investigations, and proactive self-reporting.
Navigate to: Our enforcement priorities guide provides penalty calculation methodology, enforcement discretion factors, jurisdiction splits, and penalty mitigation strategies.
How does US-EU regulatory divergence affect tech companies?
US AI regulation follows voluntary frameworks and state-level sector-specific laws, while the EU AI Act establishes binding cross-sector requirements with extraterritorial reach. For dual-market tech companies, this creates architectural challenges: maintaining a single codebase across divergent requirements, managing regulatory arbitrage risks, and addressing competitiveness tensions.
The regulatory philosophy divergence runs deep. The EU applies a precautionary principle—regulate before harm materialises. The US follows an innovation-first approach—foster industry self-regulation unless demonstrated harm triggers intervention. Biden’s Executive Order on AI delegated over 100 tasks to more than 50 federal agencies, creating a decentralised patchwork. State-level legislation adds further fragmentation: California privacy regulations, Colorado AI Act provisions, and Texas legislation all vary in focus, scope, and enforcement.
The EU AI Act’s extraterritorial reach operates like GDPR’s before it—the “Brussels Effect” extending European regulatory standards globally. Any AI system affecting individuals in the EU must comply regardless of where the system is developed, where the company is headquartered, or where data is processed. US companies deploying AI in EU markets face provider obligations if they develop the system or deployer obligations if they use it. OpenAI, headquartered in San Francisco, faces GPAI provider obligations for European users.
The competitiveness concerns raised by European industry drive much of this tension. The Digital Omnibus proposal emerges partly as Commission response to these concerns, cited explicitly alongside the Draghi competitiveness report identifying regulatory friction as innovation barrier. Timeline extensions and SME carve-outs aim to reduce compliance burden while maintaining the fundamental rights protection framework.
For architectural approaches managing these divergent requirements, your options cluster around configuration management strategies. Feature flags enable region-specific behaviour—EU users get fundamental rights disclosures and human oversight pathways while US users follow state-specific requirements. API versioning allows compliance variation across markets without forking the entire codebase. Configuration files centralising regulatory settings minimise code divergence while satisfying contradictory requirements.
Most tech companies serving both markets build to the highest regulatory bar—typically EU compliance plus California and Colorado state requirements—creating unified governance frameworks exceeding minimum requirements in all jurisdictions.
For detailed architectural strategies including feature flag patterns, API versioning approaches, and configuration management minimising code divergence, see our architectural strategies for US-EU regulatory divergence guide. For US company obligations under extraterritorial GPAI reach, see our fine-tuning foundation models guide.
What timeline scenarios should guide your planning?
Three scenarios demand contingent planning: Digital Omnibus passes—high-risk deadlines extend to December 2027/August 2028 tied to standards availability, Omnibus fails—August 2026 deadline holds despite standards delays, or partial trilogue amendments with further timeline uncertainty. With GPAI obligations already in force, strategic approach: start no-regret compliance moves immediately (documentation, vendor assessment, bias testing) while deferring expensive commitments (full conformity assessment, QMS build-out) pending regulatory clarity.
Under scenario one (Digital Omnibus passes), high-risk obligations shift to the extended timelines: December 2, 2027 for Annex III systems, August 2, 2028 for Annex I product safety. SME carve-outs expand with reduced documentation burdens, proportionate quality management, and capped penalties at 3% versus 7% for large enterprises. Your implementation timeline extends by 12-18 months from the original August 2026 deadline, providing breathing room to await harmonised standards conferring presumption of conformity.
Under scenario two (Digital Omnibus fails), August 2, 2026 high-risk deadline holds as originally drafted. Harmonised standards won’t be ready—CEN-CENELEC indicates late 2026 or beyond. You’re navigating conformity assessment through common specifications becoming mandatory compliance pathway. Without harmonised standards providing automatic presumption of conformity, you’re building more detailed technical documentation demonstrating compliance through alternative means.
Under scenario three (partial trilogue amendments), European Parliament, Council, and Commission cherry-pick amendments during trilogue negotiations—the legislative process where these bodies reach final agreement. Timeline extensions might pass while SME relief gets scaled back. Member States transpose differently, creating fragmented timeline landscape across the 27 jurisdictions.
Your scenario planning ties to monitorable regulatory milestones triggering budget releases and implementation decisions. Commission adequacy determination on harmonised standards availability—watch Q1-Q2 2026. Trilogue completion on Digital Omnibus—expected Q2 2026. Member State transposition if Omnibus passes—Q3-Q4 2026.
No-regret compliance moves deliver value regardless of scenario outcome. Documentation system establishment, vendor compliance assessment, bias testing framework development, internal AI governance workflows—start these immediately. The foundational infrastructure serves whatever final requirements emerge while building institutional capability you’ll need throughout the AI system lifecycle.
For the complete scenario planning framework with decision gates, budget phasing models, legacy system grandfathering strategies, and regulatory monitoring checklists, see our Digital Omnibus timeline scenarios guide. For how timeline uncertainty affects cost budgeting and resource allocation, see our compliance cost budgeting guide.
What should you budget for compliance?
Compliance costs vary by company size, AI use case, and risk classification. SMBs (50-500 employees) face conformity assessment costs estimated €30-100K, quality management system implementation, post-market monitoring infrastructure, documentation systems, and legal counsel. SME carve-outs provide relief through reduced documentation requirements, proportionate QMS scope, and capped penalties. ROI framework compares compliance investment against penalty exposure reaching €15 million or 3% of global revenue.
Itemised cost components break down across compliance activities. Conformity assessment ranges from €30K for straightforward SaaS applications to €100K+ for complex HealthTech or FinTech systems requiring third-party evaluation. Quality management system implementation costs vary from €20K for proportionate SME-scaled processes to €60K+ for comprehensive frameworks. Post-market monitoring infrastructure runs €15-40K depending on technical complexity. Technical documentation tools add €10-25K. Legal counsel typically €25-75K for initial setup.
SME relief mechanisms directly reduce these costs. Reduced documentation requirements potentially cut costs by 30-40%. Proportionate quality management systems save 40-50% versus full-scale implementations. Capped penalties at 3% global revenue versus 7% for large enterprises reduce maximum downside exposure. Priority regulatory sandbox access provides pre-market testing with reduced compliance burden.
Timeline scenario impacts on budget phasing matter substantially. Under scenario one (Digital Omnibus passes), major conformity assessment expenditure shifts from 2026 to 2027. Under scenario two (Omnibus fails), August 2026 deadline requires full budget deployment in current fiscal year.
ROI framework justification compares compliance investment against penalty exposure and market access value. For a €50 million revenue SaaS company, 3% penalty exposure equals €1.5 million—compliance investment of €100-150K provides 10:1 risk mitigation return. Market access value adds upside: EU represents 450 million consumers and 27 national markets.
For detailed cost models breaking down expenses by company size and use case, SME relief mechanism mapping to specific cost savings, and comprehensive ROI frameworks, see our AI Act compliance investment planning guide. For how GDPR infrastructure integration reduces duplicative assessment costs, see our GDPR integration guide.
What enforcement reality should you expect?
The European AI Office holds exclusive enforcement jurisdiction for GPAI models and certain high-risk AI systems, while national market surveillance authorities handle most high-risk systems. Penalties reach €15 million or 3% of global revenue for high-risk violations, with enforcement discretion favouring good faith compliance efforts demonstrated through AI Pact participation, cooperation during investigations, and proactive self-reporting.
The penalty structure operates in tiers aligned with violation severity. Prohibited AI practices carry maximum fines of €35 million or 7% of global revenue. High-risk AI non-compliance including failures in conformity assessment, quality management breaches, or fundamental rights impact assessment omissions face €15 million or 3% global revenue penalties. GPAI transparency violations also hit this tier. Providing incorrect information to authorities triggers €7.5 million or 1.5% global revenue fines.
Enforcement jurisdiction splits between the AI Office and 27 national market surveillance authorities. The AI Office supervises GPAI models, particularly those with systemic risk exceeding 10^25 FLOPs, and coordinates enforcement for cross-border high-risk systems. National authorities handle country-specific high-risk AI deployed within their jurisdictions. The AI Board coordinates between AI Office and national authorities to ensure consistent enforcement approaches.
Enforcement discretion factors matter substantially. Good faith compliance demonstrated through AI Pact participation signals genuine efforts despite implementation challenges. The AI Office has explicitly stated it will account for Code of Practice commitments when assessing GPAI fines. Cooperation during investigations versus obstruction affects penalty severity. Proactive self-reporting of incidents triggers more favourable treatment than enforcement discoveries through complaints.
Serious incident reporting obligations activate within 15 days of learning about incidents causing serious damage—death, serious personal injury, significant property damage, or serious harm to fundamental rights. National authorities receive reports with coordination to fundamental rights protection authorities.
Mitigation strategies focus on building enforcement discretion favour. AI Pact participation demonstrates voluntary early compliance. Robust documentation showing compliance due diligence proves genuine efforts rather than ignoring obligations. Proactive vendor compliance verification protects against third-party violations. Incident response procedures enabling rapid self-reporting position incidents as transparency demonstrations rather than concealed failures.
For detailed penalty calculation methodology, enforcement discretion factor analysis, jurisdiction mapping, serious incident reporting templates, and comprehensive penalty mitigation strategies, see our enforcement priorities guide. For how vendor contract terms allocate liability reducing your exposure, see our vendor due diligence guide.
Frequently Asked Questions
When exactly do I need to comply with EU AI Act requirements?
Timeline depends on AI system type. GPAI model obligations took effect August 2, 2025—compliance is already required if you’re a provider. High-risk AI system requirements face timeline uncertainty: the original August 2, 2026 deadline may extend to December 2, 2027 or August 2, 2028 if the Digital Omnibus passes. See our timeline scenarios guide for the contingent planning framework.
Does the EU AI Act apply to my company if I’m based in the US?
Yes, if you deploy AI systems in the EU market. The AI Act has extraterritorial reach—US companies operating as providers or deployers face compliance obligations regardless of company location. See our US-EU dual-market guide for US company obligations and architectural strategies.
How do I know if I’m a GPAI provider or just a deployer?
Classification depends on whether you modify the foundation model substantially. API-level prompting maintains deployer status while extensive fine-tuning triggers provider obligations. See our fine-tuning foundation models guide for the technical decision tree mapping your specific activities.
What’s the difference between conformity assessment and fundamental rights impact assessment?
Conformity assessment is a provider obligation verifying high-risk AI compliance with technical requirements, resulting in CE marking. Fundamental rights impact assessment is a deployer obligation evaluating potential effects on privacy, non-discrimination, and human dignity before deployment. Both are required for high-risk AI. See our GDPR integration guide for combined DPIA-FRIA workflows.
Is there compliance relief for small companies?
Yes. SME carve-outs provide reduced documentation requirements, proportionate quality management systems, capped penalty percentages at 3% versus 7%, and priority regulatory sandbox access. Companies under 250 employees typically qualify for most relief mechanisms. See our cost budgeting guide for SME cost savings quantification.
How do I verify my AI vendor’s compliance claims?
Request conformity certificates for high-risk AI and model documentation forms for GPAI. Verification methods include third-party audit reports, harmonised standards certifications, and AI Office registration confirmation. Contract terms should allocate obligations explicitly with indemnification clauses. See our vendor due diligence guide for the questionnaire and contract templates.
What happens if I’m using resume screening AI – is that high-risk?
Depends on use case specifics. Resume screening used solely to shortlist candidates for human review may qualify for the preparatory exemption. Resume screening directly determining interview invitations likely triggers high-risk classification. See our employment AI classification guide for the classification decision tree.
Should I wait for Digital Omnibus clarity before starting compliance?
No. Start no-regret compliance moves immediately—internal AI inventory, documentation system establishment, vendor assessment, bias testing framework development. Defer expensive commitments like full conformity assessment pending regulatory clarity. GPAI obligations are already in force—foundation model users must comply now. See our timeline scenarios guide for the decision gate framework.
Next Steps Based on Your Situation
Your path through EU AI Act compliance depends on your specific context. Use this decision framework to identify your starting point:
If you’re using foundation model APIs (OpenAI, Anthropic, Google, Meta): Start with our fine-tuning foundation models guide to determine your provider versus deployer classification. The August 2, 2025 deadline already passed—GPAI obligations are in force now.
If you’re building employment, recruitment, or HR AI: Begin with our employment AI classification guide to classify your system correctly and understand conformity assessment requirements.
If you’re planning your compliance budget: See our cost models for SMB tech companies for cost models by company size and use case, with SME relief mechanisms mapped to specific savings.
If you’re evaluating third-party AI vendors: Use our vendor compliance verification guide for the questionnaire, documentation requirements, and contract terms allocating compliance obligations.
If you’re serving both US and EU markets: Navigate to our dual-market compliance guide for architectural strategies minimising code divergence across divergent regulatory requirements.
If you already have GDPR compliance infrastructure: Leverage it through our GDPR integration guide for combined assessment workflows reducing duplicative effort.
If you’re uncertain about Digital Omnibus timeline impacts: Start with our timeline scenarios guide to understand the three scenarios and identify no-regret moves beginning immediately.
If you’re assessing penalty exposure and enforcement risk: Begin with our enforcement priorities guide to understand what actually triggers fines and how to mitigate penalty exposure.
The implementation tensions will persist through 2026 and beyond. Timeline uncertainty from the Digital Omnibus, competitiveness concerns driving industry pushback, standards development delays, and enforcement authority coordination challenges continue. Your advantage comes from systematic navigation: classify your systems correctly, plan for multiple timeline scenarios, leverage existing infrastructure where possible, and start foundational investments that serve all outcomes.
The choice isn’t between perfect compliance and ignoring obligations. It’s between strategic, scenario-aware implementation building institutional capability incrementally and reactive scrambling when deadlines crystallise. Start with the decision framework matching your immediate context, then expand through the resource library as implementation progresses.
