GovCompass

First Steps: EU AI Act Compliance for Deployers

Updated: June 2026 — full revision to Validai quality standard

Introduction: Starting from Zero

Most Dutch organisations are somewhere on the spectrum between "we haven't started" and "we have a basic inventory." Very few have achieved the level of systematic compliance that the EU AI Act ultimately requires. The good news: you do not need to achieve full compliance immediately. The regulation's phased deadlines — and the proportionality principle built into the law — allow for a structured approach.

This article identifies the five most important first steps for deployers, prioritised by legal urgency and practical impact.

Step 1: Build Your AI Inventory

You cannot comply with obligations you do not know about. The first step is a systematic inventory of every AI system your organisation uses — not just the ones IT knows about, but the SaaS tools that business units procure independently, the AI features embedded in enterprise software, and the AI-enabled workflows in your operations.

A useful inventory structure:

  • System name and vendor
  • Business function (HR, finance, operations, etc.)
  • Primary use case
  • Affected categories of individuals
  • Preliminary risk classification (to be confirmed in Step 2)
  • Operational status (in use / planned / under review)

Assign this exercise to a cross-functional team that includes IT, legal, HR, and business unit representatives. The AI inventory often surfaces surprise discoveries: business units using AI tools that IT is unaware of, or vendor features that have enabled AI without an explicit organisational decision.

Step 2: Classify Your AI Systems

For each system in your inventory, determine its risk classification under Art. 6:

  • Prohibited (Art. 5): Immediately assess against the eight prohibitions
  • High-risk (Annex I or III): Full Art. 26 compliance obligations apply
  • GPAI systems (Art. 52–55): Transparency obligations
  • Minimal risk: No mandatory EU AI Act obligations (though voluntary codes of practice apply)

For systems where classification is uncertain: apply the conservative default. Classify as high-risk until you can substantiate a lower classification. Document your reasoning.

Step 3: Set Up AI Governance

Compliance requires accountability structures. At minimum:

  • Appoint an AI Officer (or assign the function to an existing role like the DPO or CTO)
  • Define the AI Officer's responsibilities: maintaining the inventory, overseeing classification, approving risk downgrades, liaising with supervisory authorities
  • Establish a governance process for new AI system procurement: no new high-risk AI without classification, DPIA/FRIA assessment, and sign-off
  • Create a policy document that sets out your organisation's AI governance framework

Step 4: Prioritise High-Risk Systems

Not all compliance work has equal urgency. Focus first on your high-risk AI systems and on the obligations whose deadlines fall earliest:

  • Art. 5 prohibited practices: compliance required since 2 February 2025
  • Art. 4 AI literacy: required since 2 February 2025
  • High-risk AI in regulated products (Annex I): deadline 2 August 2028
  • Stand-alone high-risk AI (Annex III): deadline 2 December 2027

For Annex III high-risk systems: build your compliance dossier now. The 2027 deadline appears distant but the work is substantial: FRIA, DPIA, human oversight arrangements, training documentation, log retention systems.

Step 5: Establish Supplier Relationships

For every high-risk AI system you procure: engage your supplier. Request:

  • The provider's technical documentation (summary)
  • The EU declaration of conformity (or conformity assessment status)
  • The instructions for use
  • The EU database registration number
  • Contractual commitments on incident notification, performance monitoring, and documentation updates

Suppliers who cannot or will not provide this information present a compliance risk. Document your requests and their responses.

Compliance Checklist

  1. Is there a complete AI inventory for your organisation?
  2. Has every AI system been classified against Art. 5 and Art. 6?
  3. Is there an appointed AI Officer with defined responsibilities?
  4. Is there a governance process for new AI procurement?
  5. Have you engaged suppliers of high-risk AI systems and requested compliance documentation?
  6. Is there a documented compliance roadmap for high-risk AI systems with deadlines assigned?