
EU AI Act requirements: a complete guide

Updated 30 June 2026 · 8 min read
Key takeaway
The EU AI Act's requirements depend on two things: your role in the AI supply chain and the risk tier of each system. The heaviest set of obligations applies to providers of high-risk AI systems, who must build a full compliance programme spanning risk management, data governance, documentation, oversight, and a conformity assessment. This guide sets out what is required, in the order you would actually tackle it.
  • Requirements depend on your role and the risk tier; the heaviest fall on providers of high-risk systems.
  • High-risk providers need risk management, data governance, documentation, logging, transparency, human oversight, and robustness.
  • A conformity assessment, CE marking where applicable, and EU database registration are required before market.
  • Deployers have real duties too, including oversight, monitoring, and sometimes a fundamental rights impact assessment.
  • Current as of June 2026. This is general information, not legal advice.

Step one: establish your obligations

Before building anything, fix two facts for each AI system. First, your role: are you the provider (you develop the system and place it on the market), the deployer (you use it), or an importer or distributor? Second, the risk tier: prohibited, high, limited, or minimal. Most of what follows applies to providers of high-risk systems. Deployers, importers, and distributors have lighter but real duties, and limited-risk systems mainly face transparency obligations.

The core requirements for high-risk systems

A provider of a high-risk AI system must put the following in place:

  • Risk management system. A continuous, lifecycle process to identify, evaluate, and mitigate risks to health, safety, and fundamental rights. It is not a one-off document but an ongoing system that is updated as the AI and its use evolve.
  • Data and data governance. Training, validation, and testing data must be relevant, representative, and, as far as possible, free of errors and bias for the intended purpose. You must govern how data is collected, prepared, and examined.
  • Technical documentation. Documentation that demonstrates the system meets the requirements, detailed enough for authorities to assess compliance. This is drawn up before the system goes to market and kept up to date.
  • Record-keeping (logging). The system must automatically log events over its lifetime to support traceability and post-market monitoring.
  • Transparency and instructions for use. Deployers must receive clear, complete information so they can use the system correctly and understand its capabilities and limitations.
  • Human oversight. The system must be designed so that people can effectively oversee it, intervene, and stop it where necessary.
  • Accuracy, robustness, and cybersecurity. The system must perform consistently and resist errors, faults, and attempts to manipulate it.

Conformity assessment and registration

Before a high-risk system is placed on the market, the provider must carry out a conformity assessment to demonstrate it meets the requirements, affix the CE marking where applicable, draw up an EU declaration of conformity, and register the system in the EU database. For some systems this is a self-assessment; for others it involves a notified body.

Deployer obligations

Deployers of high-risk systems are not passive. They must use the system in line with the provider's instructions, assign competent human oversight, monitor operation, keep logs where under their control, and inform the provider or authorities of serious incidents or risks. In some cases deployers must also carry out a fundamental rights impact assessment.

How to operationalise this

The requirements describe a governance system, not a single deliverable. In practice that means giving each high-risk system an owner, a documented risk assessment, a controlled set of evidence, and a process that keeps documentation and oversight current as the system changes. Organisations that treat this as an operating capability, rather than a one-time audit, find it far easier to stay compliant and to answer buyers, auditors, and regulators on demand.

A note on timing

Following the Digital Omnibus agreement of May 2026, the obligations for stand-alone high-risk Annex III systems are scheduled to apply from 2 December 2027 (provisional, pending formal adoption), deferred from the original August 2026 date. This extends the runway but not the need to start, because building these systems well takes time and buyers ask about readiness today.

Key terms

EU AI Act requirements
The set of obligations the Act places on providers and deployers of AI systems, scaled by risk tier.
Risk management system
A continuous lifecycle process to identify, evaluate, and mitigate risks from a high-risk AI system.
Data governance
Controls over how training, validation, and test data are collected, prepared, and examined for quality and bias.
Technical documentation
The Annex IV file demonstrating a high-risk system meets the Act's requirements.
Human oversight
Design and process measures that let a person effectively oversee, intervene, and stop a high-risk system.
Conformity assessment
The formal process by which a high-risk system is shown to meet the Act before it goes to market.
