EU AI Act Compliance & Governance

The EU AI Act is law. Are you ready?

The EU AI Act took effect Aug 2024 and obligations are rolling out through 2027. We classify your AI uses, document what is required for each, and set up the governance to keep you compliant — without the consulting-firm price tag.

Fixed-fee classifications

Technical docs included

Ireland + EU practice

EU AI Act risk classification

Reg. (EU) 2024/1689

UnacceptableBanned

Prohibited outright under Article 5. Most businesses never touch these.

Social scoring of citizensUntargeted facial-recognition scrapingManipulative subliminal AI

High-riskHeavy duty

Full compliance: registration, technical docs, risk management, post-market monitoring.

AI in recruitment / CV screeningCredit / loan decisioningCritical infrastructureMedical devices

LimitedTransparency

Disclose to users they're interacting with AI. Most SME chatbot/voice agent use lands here.

Chatbots ('I'm an AI')Synthetic content disclosureEmotion recognition disclosure

MinimalLight touch

No specific obligations beyond existing law (GDPR, consumer protection). Voluntary codes encouraged.

AI-enhanced spam filterInventory forecastingSpell-check / autocomplete

The rollout timeline

When obligations land.

Aug 2024

Entered into force

Act published, clock starts on the staggered application dates below.

Feb 2025

Prohibited practices ban

Unacceptable-risk AI (social scoring, manipulative subliminal AI, etc.) now banned. Applies to anyone placing AI on the EU market.

Aug 2025

GPAI obligations

General-purpose AI model rules apply. Codes of practice for foundation-model providers. Member State authorities designated.

Aug 2026

High-risk obligations

Full obligations for high-risk AI systems apply — registration, technical docs, conformity assessment, post-market monitoring.

Aug 2027

Annex I high-risk

Extended obligations for high-risk AI embedded in regulated products (medical devices, vehicles, etc.) — full applicability.

For typical Irish SMEs

What you actually need to do.

The honest truth: 80% of SME AI uses land in 'Limited' or 'Minimal' risk. The work is mainly classification, transparency notices, and basic governance — not the heavy industrial compliance machine.

Classify each AI use

Map every AI deployment in your business to its risk tier. Most will be Limited or Minimal — but the act of classifying is itself a duty.

Transparency disclosures

Chatbots say 'I'm an AI'. AI-generated content labelled as such. Synthetic media disclosed. Light to implement, mandatory to have.

Internal AI use policy

Written policy covering: where AI may/may not be used, sensitive-data rules, vendor evaluation criteria, incident reporting. We provide templates.

Vendor governance

Many SMEs deploy AI via third-party SaaS. You inherit responsibilities. We help you evaluate vendor compliance and document the chain of custody.

Training & literacy

Article 4 requires that staff using AI have appropriate AI literacy. Practical training — not theatre. Often paired with our AI Training service.

Records & monitoring

Light-touch incident log, complaint handling path, periodic review. Proportionate to risk, not corporate-scale paperwork.

How we engage

Three packages.

Quick audit

€1,800

1 week

Inventory of AI uses
Risk classification per use
Top 3 gaps with effort estimates
Written report + 1-hour readout

Compliance setup

€4,500

3 weeks

Everything in Quick audit
AI use policy (drafted to your business)
Transparency notice templates
Vendor questionnaire pack
Staff training session (90 min)

Ongoing partner

from €450/mo

Monthly

Quarterly compliance review
New AI use classification on demand
Incident response on call
Annual policy refresh
Updates as regulations evolve

A note on legal advice

We're AI specialists, not lawyers. Our work covers technical compliance, documentation, classification, and governance setup — the practical engineering side of being AI Act-ready. For regulatory legal opinions, formal certifications under high-risk Annex I, or representation before authorities, we work alongside Irish legal practices and recommend specific firms based on your need.

Frequently asked

AI Act questions.

If you deploy AI in the EU — yes, but lighter than you'd think. Most SME use lands in 'Limited' or 'Minimal' risk, which requires transparency notices and basic governance, not the industrial compliance machinery. The Act doesn't have an SME exemption, but it scales by risk tier.

Using a third-party GPAI model (like Claude/GPT) puts compliance responsibilities mostly on the provider, but you have 'deployer' duties: human oversight where required, transparency to end users, staff AI literacy. We help you document this correctly.

Yes — up to €35M or 7% of global turnover for prohibited AI uses; up to €15M or 3% for high-risk violations; up to €7.5M or 1.5% for misleading info to authorities. Practically, enforcement against SMEs will focus on egregious cases, but documentation gaps create real risk in any audit.

Only providers/deployers of high-risk AI systems need to register in the EU AI database. SME limited-risk use (chatbots, automation, classification) generally doesn't trigger registration. We classify your use cases first, then advise on what registration applies.

Heavy overlap — GDPR rights to explanation, data minimisation, DPIAs all carry through. Where you have AI processing personal data, you need both compliance regimes. We work alongside DPOs (yours or recommended). The AI Act adds risk-tier-specific duties on top of GDPR.

No — prohibited-AI rules are already in force, and transparency obligations apply broadly now. Plus, putting governance in place is a 4-12 week project. Doing it ahead of audit pressure is the cheaper path.

Related services

Often paired with

AI Readiness & Strategy

Audit + roadmap

AI Training & Workshops

Staff AI literacy

AI Integration

Compliant-by-design builds

A €1,800 audit beats a €1.8M fine.

Start with the Quick audit. We classify every AI use in your business, flag the gaps, and tell you honestly which package you need next.