The EU AI Act (Regulation (EU) 2024/1689) entered into force on 1 August 2024 and is being phased in over three years. Since 2 February 2025, the prohibitions on unacceptable-risk AI practices apply. Since 2 August 2025, the rules for general-purpose AI models are in effect. From 2 August 2026, the obligations for high-risk AI systems apply, with a further year (to 2 August 2027) for AI systems embedded as safety components in products covered by the EU product legislation listed in Annex I. For organizations that develop, deploy, or use AI, the time to act is now.
This article explains how the risk classification works, what the obligations are per category, and what a conformity assessment entails.
The risk-based framework
The AI Act classifies AI systems into four risk categories. The first is unacceptable risk: AI practices that are prohibited outright (Article 5) because they are incompatible with fundamental rights. Examples include social scoring of natural persons, real-time remote biometric identification in publicly accessible spaces for law enforcement purposes (with narrow, strictly conditioned exceptions), and manipulative or deceptive AI that exploits the vulnerabilities of specific groups. Such systems may not be placed on the market, put into service, or used within the EU, regardless of where they were developed.
The second category is high risk. This is where most obligations apply. High-risk AI systems are those listed in Annex III, covering critical domains such as biometrics, critical infrastructure, education, employment, access to essential services, law enforcement, migration, and the administration of justice, as well as AI systems that serve as a safety component of (or are themselves) a product falling under the EU product legislation in Annex I (such as medical devices or machinery) and that are subject to third-party conformity assessment under that legislation. Note that an Annex III system is not high risk if it does not pose a significant risk to health, safety, or fundamental rights (for example, because it only performs a narrow procedural task); a provider relying on this exception must document its reasoning before placing the system on the market.
The third category is limited risk, covering AI systems subject to the transparency obligations of Article 50, such as chatbots and generators of synthetic or manipulated content (deepfakes). People must be informed that they are interacting with an AI system, and AI-generated or manipulated content must be marked as such. The fourth is minimal risk, covering most AI applications such as spam filters and AI in video games, with no specific requirements beyond existing law.
Obligations for high-risk AI
Providers of high-risk AI systems must comply with extensive requirements (Articles 9 to 15). These include a risk management system maintained throughout the AI system's lifecycle, data governance requirements ensuring that training, validation, and test data are relevant, sufficiently representative, and to the best extent possible free of errors, technical documentation, automatic logging for traceability, transparency and instructions for use, human oversight, and requirements for accuracy, robustness, and cybersecurity. The cybersecurity requirement is explicitly AI-specific: the system must be resilient against attempts by third parties to alter its use, outputs, or performance, and the regulation names data poisoning, model poisoning, adversarial examples or model evasion, and confidentiality attacks as threats to be addressed. Deployers of high-risk systems have their own, lighter set of duties: using the system in accordance with its instructions, assigning competent human oversight, monitoring its operation, retaining the logs it generates, and informing affected persons where required.
The conformity assessment
Before a high-risk AI system can be placed on the EU market or put into service, a conformity assessment must be performed (Article 43). For Annex III systems other than biometrics, the provider performs this assessment internally under Annex VI. For biometric systems (Annex III, point 1), the provider may choose between internal control (Annex VI) and assessment involving a notified body (Annex VII) if it has fully applied harmonised standards or common specifications; where such standards do not exist or have not been (fully) applied, the notified-body procedure of Annex VII is mandatory. For high-risk systems embedded in Annex I products, the conformity assessment procedure of the applicable product legislation is followed, with the AI Act requirements folded into it.
The assessment involves verifying the quality management system, reviewing the technical documentation, checking the adequacy of the risk management system, and testing the system for accuracy, robustness, and cybersecurity. After a successful assessment, the provider draws up an EU declaration of conformity, affixes the CE marking, and registers the system in the EU database before placing it on the market. A substantial modification of the system triggers a new assessment.
The relationship with ISO 42001
ISO/IEC 42001 provides a management system framework for the responsible development and use of AI. While ISO 42001 certification does not in itself constitute AI Act compliance, there is significant overlap. An organization with a functioning AI management system according to ISO 42001 already has many of the structural requirements in place: risk assessment, governance, documentation, and monitoring.
The difference lies in specificity. The AI Act sets concrete, legally binding requirements for specific AI systems. ISO 42001 provides the organizational framework within which those requirements can be implemented. We advise organizations to use ISO 42001 as a foundation and layer the AI Act-specific requirements on top.
Next steps
Start with an AI inventory. Map all AI systems you develop, provide, or deploy, and record for each whether you are the provider or the deployer, because the obligations differ. Classify each system according to the AI Act risk model. Then, for each high-risk system, assess whether you meet the requirements, and establish a timeline to close any gaps before 2 August 2026.
Secure Audit helps organizations classify their AI systems, perform gap analyses against AI Act requirements, and establish a compliant AI management system. Contact us for an AI Act readiness assessment.
About the author
Partner | IT Auditor