As of February 2026, the EU AI Act is enforceable. The most significant AI regulation in history applies to any business that deploys AI systems affecting EU citizens, regardless of where the company is headquartered.
If you're building or deploying AI in a regulated industry, this is operational, not optional reading.
What Changed in 2026
The EU AI Act classifies AI systems into four risk tiers: unacceptable, high-risk, limited risk, and minimal risk. The provisions that matter most to regulated businesses, those governing high-risk AI, are now fully enforceable.
High-risk AI systems include those used in:
- Credit scoring and financial services: any AI influencing lending, insurance underwriting, or fraud detection
- Employment and HR: resume screening, interview analysis, performance monitoring
- Healthcare: diagnostic tools, treatment recommendations, patient triage
- Critical infrastructure: energy grid management, water treatment, transport control systems
- Law enforcement and judicial processes: predictive policing, evidence evaluation
If your AI touches any of these domains, you're operating a high-risk system under the Act.
The Compliance Requirements
High-risk AI systems must now demonstrate:
1. Risk Management Systems
A documented, continuously updated risk management process. The Act requires ongoing identification, analysis, and mitigation of risks throughout the AI system's lifecycle, not a one-time checkbox.
2. Data Governance
Training, validation, and testing datasets must meet quality criteria. You need documentation on data provenance, preprocessing decisions, and potential biases. "We used standard industry data" is no longer sufficient.
3. Technical Documentation
Complete technical documentation that enables authorities to assess compliance. This includes system architecture, design choices, training methodologies, and performance metrics.
4. Human Oversight
Meaningful human oversight: operators must be able to understand, monitor, and override AI decisions, not just sit in the loop.
5. Accuracy, Robustness, and Cybersecurity
Demonstrable testing for accuracy, resilience to errors, and security against adversarial attacks. This is where independent AI risk reviews become essential.
What This Means on the Ground
For most businesses, the gap between "we have AI" and "our AI is EU AI Act compliant" is significant. The Act doesn't just require documentation. It requires evidence.
Evidence that your model was tested for bias. Evidence that adversarial inputs were evaluated. Evidence that your risk management process is continuous, not just a launch-day formality.
AI governance is no longer aspirational. It's an obligation.
Why Independent Reviews Matter
Internal teams building AI rarely have the adversarial mindset needed to stress-test their own systems. The EU AI Act effectively mandates the kind of independent, evidence-backed assessment that offensive security engineers have been performing in cybersecurity for decades.
An independent AI risk review provides:
- Third-party validation that your risk management system is functioning
- Adversarial testing (prompt injection, data poisoning, model extraction) that internal teams often skip
- Review-ready documentation formatted for regulatory review
- Gap analysis showing exactly where your compliance falls short
The Timeline Pressure
Enforcement is live. Penalties for non-compliance can reach up to 35 million euros or 7% of global annual turnover, whichever is higher. For high-risk AI violations specifically, fines can reach 15 million euros or 3% of turnover.
Regulators have signaled that early enforcement actions will focus on companies with the highest-risk deployments and the weakest documentation. If you're in financial services, healthcare, or employment tech, you're in the first wave.
Next Steps
- Inventory your AI systems. You can't comply if you don't know what you're running.
- Classify risk levels. Determine which systems fall under high-risk categories.
- Gap assess. Identify where your current documentation and testing fall short.
- Engage independent review. Get a third-party assessment before regulators come knocking.
The organizations that treat this as an engineering problem, not just a legal one, will be the ones that navigate it successfully.
We provide independent assessments of AI systems for EU AI Act readiness. Get in touch to discuss a review.