Decision guide · Compliance
How to implement the EU AI Act by 2 August 2026
EU AI Act implementation does not fail on the legal text; it fails on the inventory and classification of your own AI systems. Anyone who has to demonstrate compliance by 2 August 2026 does not need a legal workshop. They need a structured decision per system: is it high-risk under Annex III? Which obligations apply? Who is provider, who is deployer? The answers can be documented in an audit-proof way in one decision memo per system that consolidates Art. 9 risk management, Art. 10 data quality and Art. 11 technical documentation in a single artefact.
TL;DR
The AI Act fails on a missing AI inventory, not on the legal text. One documented decision per system.
Who owns this decision
Decision owner: CISO or AI governance lead. Contributors: Data Protection Officer, Legal and the business owner of the AI system. Approver: CIO.
Key criteria to weight
System inventory and classification
Which AI systems are in use or planned? Without a complete inventory, obligations cannot be assigned to systems, and evidence of compliance cannot be produced either.
High-risk assessment under Annex III
8 application domains plus product safety (Annex I). The mapping is binary and decides 80% of follow-on obligations.
Role: Provider vs. Deployer
Providers (developers/importers) carry the full obligations under Art. 16, deployers significantly less. Role mapping is not negotiable.
Risk-management framework
Art. 9 requires lifecycle risk management. Existing ISO 31000 or NIST AI RMF processes can plug into it.
Data quality and data governance
Art. 10 requires representative, low-error training, validation and test data plus documented bias testing.
Human oversight and transparency
Art. 14 requires meaningful human control. That is a design decision, not retrofit documentation.
Step-by-step decision flow
1. Build the AI inventory. Capture every AI system: in-house, purchased, or running as shadow IT in business units. Without this inventory, no further step is defensible.
2. Classify each system. Prohibited practice (Art. 5), high-risk (Annex III), GPAI (Chapter V), limited or minimal risk. Classification is the central switch.
3. Assign roles and responsibilities. Provider, deployer, importer, distributor, per system. For purchased systems: adjust the contractual clauses.
4. Set up the obligations matrix. Art. 9 (risk management), Art. 10 (data), Art. 11 (documentation), Art. 12 (logging), Art. 14 (oversight), Art. 15 (robustness). Per system: which apply.
5. Gap analysis and prioritisation. Which systems must be fully compliant by 2 August 2026, which fall under the grace period for existing systems until 2027, and which will be paused or decommissioned?
6. One decision memo per high-risk system. Decision on continued operation, adjustment or shutdown. Each memo is independently audit-ready and survives a market-surveillance review.
Anonymised memo excerpt
HR-tech company, 90 employees, high-risk system: applicant screening (Annex III No. 4)
Readiness score: 68
Trigger
- Delivery of the AI-supported applicant screening to a first enterprise customer in Germany. Compliance deadline 2 August 2026, plus provider obligations under Art. 16.
Top criteria (weights)
- Art. 9 risk-management system documented (20%)
- Art. 10 data quality and bias testing (20%)
- Art. 14 human oversight in the product design (15%)
- Art. 11 technical documentation across the lifecycle (15%)
- Art. 12 logging and traceability (15%)
- Conformity assessment and CE marking (15%)
Shortlist
- Standalone compliance initiative with DecisionOS memos per system
- Outsourcing the conformity assessment to a consultancy
- Abandoning the high-risk classification through a re-design
Decision
- In-house compliance with a DecisionOS memo per system; conformity assessment internal, plus a notified body for CE marking.
Rationale
- A re-design would make the product uneconomical. Pure outsourcing creates too much dependency. In-house compliance with a structured decision trail fulfils the provider obligations and allows scaling to subsequent systems.
Residual risks
- Bias test set not yet fully validated for the specific sector
- Logging implementation in phase 2; currently only a database audit trail
Compliance note
The AI Act overlaps with GDPR (Art. 22 automated decisions), NIS2 (Art. 21 security requirements), DORA and product-law requirements. For financial services entities: DORA adds documentation requirements for AI-supported ICT services. For biometric systems: GDPR Art. 9 special categories. The decision memo consolidates these obligations per system.
Common pitfalls
- Building the AI inventory without the business units, so shadow IT is systematically missing.
- Adopting the vendor's classification instead of running your own.
- Trying to delegate provider obligations even though the company materially modifies the system.
- Treating Art. 10 data-quality testing as a one-off check instead of a lifecycle activity.
- Treating human oversight as a checkbox instead of a design decision.
FAQ
When does the EU AI Act have to be implemented?
The central deadline for high-risk AI systems is 2 August 2026, when Art. 6 ff. fully apply. Prohibited practices (Art. 5) have been in force since 2 February 2025, GPAI obligations since 2 August 2025. Existing systems have a transition period until 2 August 2027; new systems are immediately in scope.
Which AI systems are high-risk under the AI Act?
Annex III defines 8 categories: biometric identification, critical infrastructure, education, employment (including applicant screening), essential services, law enforcement, migration, justice. AI systems are also high-risk when they are a safety component of a product covered by EU product-safety law (Annex I).
What does Art. 9 of the AI Act actually require from a CISO?
A risk-management system across the full lifecycle: identification, assessment, mitigation. Plus: data quality (Art. 10), technical documentation (Art. 11), logging (Art. 12), human oversight (Art. 14), robustness/cybersecurity (Art. 15). Each obligation is a documented decision, which is exactly where a decision memo fits.