Your Practical Guide to the EU AI Act (2026)

The EU AI Act is already in force. Is your organization keeping up?
The EU AI Act is the world's first comprehensive legal framework for artificial intelligence — and it applies to any organization that develops, deploys, or uses AI systems in or affecting the EU. That's most companies. This guide, written by Cerivo's in-house legal experts, cuts through the complexity and gives you a practical path to compliance.
What's inside the guide
Risk levels, explained clearly
The AI Act divides AI systems into four risk categories — prohibited, high-risk, limited risk, and minimal risk. Your obligations depend entirely on which category your systems fall into. The guide walks through each one with real-world examples.
Who the AI Act applies to
Whether you're a provider, deployer, importer, or distributor of AI systems, the regulation has something to say to you. The guide breaks down each role and what it means in practice.
The prohibited AI list
Eight categories of AI are now illegal in the EU — including social scoring, real-time biometric identification in public spaces, emotion recognition in workplaces, and AI that exploits vulnerable individuals. The guide covers all eight with examples.
High-risk AI obligations
If you use AI in employment, education, critical infrastructure, law enforcement, or access to essential services, you're likely in high-risk territory. The guide outlines what providers and deployers must each do to comply.
The AI Act + GDPR overlap
The AI Act doesn't replace the GDPR — it adds another layer. Many AI systems process personal data, which means dual compliance obligations. The guide explains where the frameworks intersect and how to avoid doing the work twice.
Compliance timeline
Key deadlines are already behind us (prohibited AI rules: February 2025). Others are coming — including high-risk AI under Annex III (December 2027). The guide includes the full implementation timeline so you can prioritize.
A step-by-step compliance roadmap
Six steps: map your AI assets, assess risk, establish governance, document, address GDPR obligations, and train your team. The guide explains each step and what good looks like.
A ready-to-use compliance checklist
A practical checklist covering both AI Act and GDPR obligations — ready to use or adapt for your organization.
Who wrote this guide
The guide was authored by Frederik Them Pedersen, attorney and AI Act expert at Cerivo, with contributions from Martin Folke Vasehus (Attorney and COO) and Stine Mangor Tornmark (Attorney and VP Services & Legal Product). It reflects Cerivo's legal expertise across GDPR, NIS2, and AI Act compliance — and the practical experience of helping hundreds of Nordic organizations navigate regulatory complexity.
Why AI Act compliance matters now
The prohibited AI rules have been in force since February 2025. General-purpose AI model obligations apply from August 2025. High-risk AI deadlines run through 2027 and 2028. Fines reach up to 7% of global annual turnover for the most serious violations. More importantly: organizations that can demonstrate responsible, lawful AI use will be better positioned to build trust with customers, regulators, employees, and partners.
FAQ
Does the AI Act apply to my company if we're outside the EU?
Yes. The AI Act has extraterritorial scope — it applies to any organization whose AI systems affect people in the EU, regardless of where the company is based.
What's the difference between a provider and a deployer under the AI Act?
A provider develops or places an AI system on the market. A deployer uses an AI system in a professional context. Most organizations are deployers — using tools like ChatGPT, Microsoft Copilot, or AI-powered HR or recruitment software.
Is using ChatGPT or Microsoft Copilot covered by the AI Act?
Yes. These are general-purpose AI (GPAI) systems. Using them in a professional context makes your organization a deployer with obligations under the AI Act, including transparency requirements and — depending on how they're used — potentially more.
What AI is prohibited under the EU AI Act?
Eight categories are banned, including social scoring, AI that manipulates people through subliminal techniques, real-time biometric identification in public spaces (with narrow exceptions), emotion recognition in workplaces, and systems that exploit vulnerable individuals.
How does the AI Act relate to GDPR?
They operate in parallel. Many AI systems process personal data, which triggers GDPR obligations on top of AI Act requirements. The good news: compliance work overlaps — a DPIA required under GDPR also satisfies part of your AI Act documentation obligations.
When do I need to comply?
It depends on your AI system type. Prohibited AI rules: in force since February 2, 2025. GPAI obligations: August 2, 2025. High-risk AI (Annex III): December 2, 2027. High-risk AI in safety-critical products (Annex I): August 2, 2028.
Cerivo is the unified GRC platform built from ComplyCloud, RISMA Systems, and Wired Relations — one modern experience for compliance management that's clear, connected, and always ready.
