You can cover the foundations of EU AI Act readiness in one working week: list every AI tool you use, sort each by risk level, work out whether you are a provider or deployer, check the duties already in force since February 2025, and send your vendors a short set of written questions. The main obligations apply from August 2, 2026.
EU AI Act Compliance: First Steps Your Business Can Take This Week
Why This Week, Not This Quarter
The main body of the EU AI Act, Regulation (EU) 2024/1689, applies from August 2, 2026. As of mid-June 2026, that is a matter of weeks away, not a distant horizon. Two sets of rules are already in force: the bans on prohibited practices and the AI literacy duty, both applicable since February 2, 2025, and the rules for general-purpose AI models, applicable since August 2, 2025. The good news for a small or medium business is that the genuinely necessary first steps are administrative, not technical, and they compress well. A focused person can complete each of the steps below in a half-day. None requires hiring anyone, and every one of them produces something you will need no matter how the details of your situation turn out. Here is the week, day by day.
Day 1: List Every AI System You Use
Everything else depends on the inventory, so it comes first. Open a spreadsheet and create one row per AI tool or AI feature, with columns for: name, what it does, who uses it, what it is used for, what data goes in, and the vendor. Cast the net wide. Include the obvious chatbots and image generators, but also AI features inside software you already own: the scoring module in your CRM, the screening feature in your applicant tracking system, the transcription in your meeting software, the recommendation engine in your webshop. Ask each team what they actually use, and say plainly that honest answers carry no penalty, because unapproved tools that stay hidden are the ones that hurt you later. Do not aim for perfection; aim for a first draft today that you correct all week.
Day 2: Sort Each System by Risk Level
Now classify each row using the Act's four levels. Most entries will take seconds.
| Risk level | Quick test | Typical examples from a real inventory |
|---|---|---|
| Prohibited | Is it a practice banned by Article 5, such as social scoring or emotion recognition of employees? | Workplace sentiment monitoring; manipulative systems causing significant harm |
| High risk | Is the use listed in Annex III: hiring, worker management, credit, education, essential services? | CV screeners, performance-scoring tools, creditworthiness checks |
| Limited risk | Does it talk to people or generate content? | Website chatbot, AI voice assistant, image and text generators |
| Minimal risk | Everything else | Spam filters, forecasting, grammar tools, route planning |
The single most useful question for spotting hidden high risk: does the output of this system flow into decisions about identifiable people, especially in hiring, management, credit, or access to services? If yes, flag the row. If you find anything resembling a prohibited practice, stop using it now; the ban has applied since February 2025 and carries the Act's highest fines, up to 35 million euros or 7 percent of worldwide annual turnover.
Day 3: Work Out Your Role for Each System
Duties under the Act depend on whether you are a provider or a deployer of each system, and you can be different things for different rows. You are a deployer when you use someone else's AI system in your professional activity; this is the role most businesses hold for almost everything, and it carries the lighter set of duties under Article 26. You are a provider when you develop an AI system, or have one developed, and place it on the market or put it into service under your own name; that carries the heavy obligations. Watch the boundary cases: putting your own brand on a third-party tool, or substantially modifying one, can shift you into the provider role. Add a role column to the inventory and fill it in. For most SMEs the honest result is deployer on every row, which immediately tells you that your compliance work is about oversight, vendor management, and transparency, not conformity assessments.
Day 4: Close the Gaps That Are Already Open
Two duties are in force today. First, Article 4 AI literacy: you must take measures to ensure staff who operate AI systems have a sufficient level of AI literacy for their roles. A practical response is a short internal session covering which tools are approved, what data must never be pasted into external services, how to check AI output before relying on it, and who decides in doubtful cases. Keep an attendance note; being able to show you did it matters. Second, the Article 5 prohibitions: confirm against your Day 2 classification that nothing in use crosses into banned territory. Day 4 is also the moment to fix the cheapest future gap: from August 2, 2026, people must be told when they are talking to AI, so check that your chatbot and voice assistant introduce themselves as AI. That fix is usually one line of configuration.
Day 5: Send Your Vendors Five Written Questions
For every flagged high-risk row, and any vendor you depend on heavily, send a short email and keep the answers on file: How do you classify this product under the EU AI Act, and under which Annex III point if high risk? What is your conformity assessment status and timeline? Where are the instructions for use and the human-oversight features documented? Will the system be registered in the EU database before August 2, 2026? What support will you give us to meet our deployer duties under Article 26? Vendors planning to be in business after 2026 have these answers ready. A vendor that cannot answer is itself a finding, and better discovered now, while there is still time to switch, than in an August scramble.
The Week at a Glance
| Day | Task | Output you keep |
|---|---|---|
| Day 1 | Inventory every AI tool and embedded AI feature | A register with one row per system |
| Day 2 | Classify each row: prohibited, high, limited, minimal | Risk column filled, problem rows flagged |
| Day 3 | Record your role for each system | Provider or deployer noted per row |
| Day 4 | Run AI literacy training; verify no banned practices; fix chatbot disclosure | Attendance note, prohibition check, disclosed bot |
| Day 5 | Email vendors the five compliance questions | Written vendor answers on file |
Keeping Momentum After the Week
The risk after a productive sprint is that the spreadsheet goes stale by autumn. Three light habits prevent that. First, give the inventory an owner and a monthly fifteen-minute review slot; new tools and new AI features inside existing software arrive constantly, and the register only has value while it reflects reality. Second, set a hard internal checkpoint well before August 2, 2026, at which every flagged high-risk row must have either complete vendor documentation and an assigned human overseer, or a decision to stop using the tool; an explicit go or no-go beats a quiet drift into the deadline. Third, fold the AI questions into processes you already run: the procurement checklist gains a line about AI Act classification, the onboarding pack gains the usage policy, and the annual review of suppliers gains the five vendor questions. Compliance that lives inside existing routines survives; compliance that depends on someone remembering a special project does not. Treated this way, the Act becomes less a legal event and more a one-time tidying of how your business adopts software, which is work that pays for itself even where the regulation never bites.
What This Week Does Not Solve
Honesty about scope keeps the momentum real. If you flagged high-risk uses, the deeper deployer work remains: assigning and training the humans who oversee each system, arranging log retention of at least six months, preparing worker notifications before workplace AI goes live, and being ready to explain AI-assisted decisions to the people affected. If you build AI products, the provider track is a project of months, not days. And the Act sits alongside GDPR, which continues to govern the personal data flowing through all of it. But none of that deeper work can even start without the inventory, the classification, the role call, and the vendor answers. Those fit in a week, the week is available now, and every later step is faster because you took it. There is also a sales argument hiding in the homework: enterprise customers are already adding AI Act questions to their procurement questionnaires, and a small supplier that can produce an inventory, a policy, and vendor answers on request looks markedly more trustworthy than competitors improvising in the meeting. The same five documents that keep regulators satisfied also help win and keep contracts in the years ahead.
Check your AI compliance readiness — free.
Take the Readiness Check 3 minutes · 10 questions · no signup requiredThis article is for informational purposes only and does not constitute legal advice. Regulatory requirements change frequently — verify current rules with official sources. Built by Sawai Gyoseishoshi Office, Hiroshima, Japan.