EU AI Act Readiness

Know where you stand before a customer, auditor, or regulator asks.

In 1 to 2 weeks, the Readiness Quick Scan maps your AI uses, classifies your real risks, and gives you a 30/60/90-day roadmap. No 200-page binder: a proportionate approach for your company size.

Scope my Quick Scan - 30 min, no commitment Get my priority index (1 min)

Operational diagnostic performed directly by a senior consultant. Not a certification, not legal advice - and we explain why that is exactly the right starting point.

View the detailed legal timeline
1 August 2024 - Done

Regulation (EU) 2024/1689 enters into force.

2 February 2025 - In force

Prohibited uses (Art. 5) are banned and the AI literacy obligation (Art. 4) applies.

2 August 2025 - In force

GPAI model provider obligations, competent authorities, and the penalty regime (except Art. 101).

2 August 2026 - To prepare

General application of the regulation and Article 50 transparency obligations (chatbots, deepfakes, AI content) are scheduled for 2 August 2026 in the published regulation. The AI literacy obligation has applied since 2 February 2025; practical supervision by national authorities starts from August 2026.

2 Dec 2026* - Conditional

In the published regulation, Article 50 transparency obligations apply from 2 August 2026. According to the AI Omnibus political agreement, certain technical transparency solutions for artificially generated content may benefit from a deadline until 2 December 2026, subject to formal adoption and publication in the OJ.

2027-2028* - Conditional

Standalone high-risk systems: postponement announced to 2 December 2027; high-risk systems embedded in regulated products: postponement announced to 2 August 2028. These dates remain conditional until the AI Omnibus is formally adopted and published in the OJ.

* Dates from the AI Omnibus political agreement of 7 May 2026, still legally conditional until the text is formally adopted and published in the Official Journal of the European Union.

Key deadlines

  1. 2 Feb 2025 Prohibited practices & AI literacy
  2. 2 Aug 2025 Governance & GPAI
  3. 2 Aug 2026 Current step General application & transparency
  4. 2027-2028* High-risk (conditional postponement)

Quick check

Should you look at the EU AI Act?

7 questions, one minute. You get an indicative priority index — not a full diagnostic.

This test does not replace a diagnostic, certification, or formal legal advice.

01 Do you already use ChatGPT, Copilot, Gemini, Claude, or an AI-powered SaaS tool?

What it is

The EU AI Act, explained simply.

Regulation (EU) 2024/1689 governs AI by risk: the more a use can affect people, the stronger the obligations. It applies according to your legal role: deployer, provider, importer, distributor, authorised representative, or product manufacturer. An SME may be concerned even when it simply uses AI tools in a professional context.

01

Unacceptable

Prohibited practices (Art. 5): harmful manipulation, social scoring, certain biometric uses, and certain emotion-recognition uses, in the cases covered by the regulation. These practices have been prohibited since 2 February 2025.

02

High risk

HR, credit, health/life insurance, education, certain biometrics, safety components of critical infrastructure… Depending on the use case, these systems may be high-risk and trigger reinforced obligations: risk management, documentation, transparency, human oversight, robustness, and cybersecurity.

03

Transparency

Chatbots, deepfakes, AI-generated or AI-modified content: certain transparency obligations may apply depending on the type of system, the company’s role, and the context of use. Article 50: application is scheduled for 2 August 2026 in the published regulation.

04

Minimal

Low-impact internal uses (text correction, spam filter…). No specific high-risk obligation under the AI Act, but AI literacy, data protection, internal rules, and contractual obligations may still apply.

Who is concerned

Even by simply using AI tools, your company may be concerned.

Your obligations depend on your role in the value chain. A single SME may combine several roles depending on its uses.

User / deployer

You use ChatGPT, Copilot, Gemini, or Claude internally (summaries, writing, support). AI literacy and documented usage rules may apply to you; transparency obligations depend on the context of use.

SaaS integrator

You integrate third-party AI into your product or processes. Depending on the context, you may act as a deployer or as a provider. Supplier due diligence, data control, and user information become key.

Provider of an AI feature

You sell an AI feature to your customers: you may be considered a provider and have to assume documentation, transparency, product compliance, and responsibility obligations depending on the risk level.

GPAI model provider

You develop or place a model on the market. Rare for an SME: using an LLM does NOT make you a GPAI provider.

Why now

The deadlines not to miss.

Some obligations already apply, others become concrete in 2026, and the high-risk timeline may be modified by the AI Omnibus. Until that text is formally adopted and published, these postponements must remain presented as conditional.

A past date does not mean “too late”

The regulation entered into force in 2024. Some obligations already apply: prohibited practices and AI literacy since 2 February 2025, and obligations relating to GPAI models since 2 August 2025. For obligations that already apply and effectively concern you, the absence of documented measures may create a non-compliance risk. Putting things in order now, while documenting the approach, remains the best protection before an inspection, an audit, or a customer request.

Regularize my situation
1 August 2024 Done

Entry into force

Regulation (EU) 2024/1689 enters into force.

2 February 2025 In force

Prohibited practices & AI literacy

Prohibited uses (Art. 5) are banned and the AI literacy obligation (Art. 4) applies.

2 August 2025 In force

Governance, GPAI & penalties

GPAI model provider obligations, competent authorities, and the penalty regime (except Art. 101).

2 August 2026 To prepare

General application & Art. 50 transparency

General application of the regulation and Article 50 transparency obligations (chatbots, deepfakes, AI content) are scheduled for 2 August 2026 in the published regulation. The AI literacy obligation has applied since 2 February 2025; practical supervision by national authorities starts from August 2026.

2 Dec 2026* Conditional

AI content watermarking

In the published regulation, Article 50 transparency obligations apply from 2 August 2026. According to the AI Omnibus political agreement, certain technical transparency solutions for artificially generated content may benefit from a deadline until 2 December 2026, subject to formal adoption and publication in the OJ.

2027-2028* Conditional

High-risk systems

Standalone high-risk systems: postponement announced to 2 December 2027; high-risk systems embedded in regulated products: postponement announced to 2 August 2028. These dates remain conditional until the AI Omnibus is formally adopted and published in the OJ.

* Dates from the AI Omnibus political agreement of 7 May 2026, still legally conditional until the text is formally adopted and published in the Official Journal of the European Union.

Consequences

Non-compliance: the real risk is not only the fine.

Article 99 caps are high, but for an SME the immediate risk is mostly commercial and operational: imposed correction, withdrawal of a use case, contractual blockage, or an individual complaint.

Caps by type of breach (Art. 99)

Prohibited practices (Art. 5) Up to €35M or 7% of worldwide annual turnover*.
Certain operator obligations, including several obligations relating to high-risk systems and Article 50 transparency Up to €15M or 3% of worldwide annual turnover*.
Incorrect or misleading information Up to €7.5M or 1% of worldwide annual turnover*.
GPAI model providers (Art. 101) Up to €15M or 3% of worldwide annual turnover*.

Beyond the fine

  • Imposed corrective measures within a deadline set by the competent authority according to the applicable procedure.
  • Restriction, withdrawal, recall, or prohibition of an AI system.
  • Forced reclassification (Art. 80) if a use is wrongly classified as “non high-risk”.
  • Formal non-compliance (Art. 83): missing documentation, declaration, or registration.
  • Commercial blockage: a customer requires an AI Act readiness pack before signing.
  • Complaint from a candidate, customer, or employee, alongside GDPR.

A fine is never automatic: the authority considers cooperation, measures already taken, harm, and proportionality. Being able to demonstrate a reasonable and traceable approach is the best protection.

SME obligations

The defensible baseline for an SME in 2026.

The goal is not a heavy dossier, but being able to demonstrate a reasonable, proportionate, and traceable approach. Here is the baseline a Quick Scan puts in place.

  1. AI use inventory / register, including SaaS tools and generic assistants.

  2. Classification of uses: prohibited / potential high-risk / transparency / minimal.

  3. Prohibited-practices screening (Article 5).

  4. AI literacy plan with evidence of training or guidance.

  5. Acceptable AI use policy, known by teams.

  6. Article 50 transparency checklist (chatbots, generated content, deepfakes).

  7. Supplier due diligence: LLM, Copilot, AI SaaS, cloud, data sent.

  8. Check whether a DPIA is required under the GDPR and, for certain high-risk AI systems, whether a fundamental-rights impact assessment is required under Article 27 of the AI Act.

  9. Human oversight rules for sensitive decisions.

  10. Incident escalation and reporting process.

  11. Documentation of classification decisions.

  12. High-risk roadmap for HR, credit, health/life insurance, health, education, and public-sector uses, taking into account both the published timeline and the still-conditional Omnibus postponements.

What you may be asked for

When the question comes, this is what you need to be able to show.

A customer requiring AI Act readiness before signing, an auditor, or an authority will ask for evidence, not intentions. The Quick Scan checks each point and identifies your gaps.

01 An up-to-date register of your AI uses, including SaaS tools and generic assistants. Checked
02 A written classification for each use. Checked
03 Documented verification that no prohibited practice is involved. Checked
04 Evidence that your teams have been made AI-literate. Checked
05 An AI use policy your teams actually know. Checked
06 Transparency compliance for chatbots and AI-generated content. Checked
07 A supplier review covering AI providers and the data you send them. Checked
08 A trace that required impact assessments have been considered. Checked
09 Human oversight rules for sensitive decisions. Checked
10 An incident reporting process. Checked
11 A written trace of classification decisions. Checked
12 A clear trajectory for potentially high-risk uses. Checked

Engagements

A three-step path. You decide at each stage.

Each step stands on its own and produces a usable deliverable. You continue only if it makes sense for you.

Step 1

30 min scoping

Free and without commitment. Your uses, company size, and likely deadlines.

Step 2

Proposal within 48 h

Fixed fee, written scope, price known before signing. No day-rate billing.

Step 3

Mission

1 to 2 weeks for a Quick Scan, directly with your teams.

Step 4

Debrief

Actionable report and 30/60/90-day roadmap, presented to management.

1 · Check

Starter Check

€1,250 excl. VAT — fixed fee.

For an SME that first wants to know whether the topic applies.

  • 60-90 min scoping interview
  • Review of 1 to 3 AI uses
  • Preliminary classification
  • 3-5 page summary note + debrief

Fully deducted from the Quick Scan if you continue within 60 days — the check costs you nothing if you move forward.

Check whether this applies
2 · Diagnose

Readiness Quick Scan

From €4,900 excl. VAT — fixed fee for an SME up to around 80 people and 5-8 AI uses. Beyond that, or in a sensitive sector: adjusted during scoping and confirmed in writing before signing.

The right starting point for most SMEs already using AI.

  • Complete inventory of AI uses
  • Analysis of 5 to 8 uses + risk classification
  • Article 50 transparency checklist and AI literacy gap check
  • Review of AI / LLM / SaaS suppliers
  • 30/60/90-day roadmap + 10-15 page report
  • 60 min management debrief

Delivered in 1 to 2 weeks. You leave with a clear view and priorities — not a binder.

Scope my Quick Scan
3 · Structure

AI Governance Extension

+ €4,600 excl. VAT, in addition to your Quick Scan — ordered upfront or after the debrief, the total is identical.

For durable governance after the diagnostic.

  • Based on your Quick Scan results
  • AI Register + Acceptable Use Policy
  • AI Literacy Plan
  • Supplier Due Diligence & Transparency checklists
  • RACI + new-use approval procedure
  • Debrief + 90 min awareness session

No penalty for deciding in two steps: Quick Scan + extension = exactly the same total as a bundled order.

Request the extension details

AI Awareness Workshop (AI Literacy Workshop)

Pragmatic session per profile, quiz, and attendance record. A documented element of your Article 4 approach — to complete with internal rules and your AI register. Can be added to any format (€950 excl. VAT as an add-on), or run as a standalone session — priced during scoping.

Discuss during scoping

SaaS Vendor Pack (SaaS / Provider Readiness Pack)

Adding an AI feature to your product? We clarify your legal role, classify the feature, prepare the system sheet, and define the product compliance roadmap. Tailored.

Discuss my product

Governance follow-up

After a Quick Scan: action follow-up, new-use review, and governance updates. Monthly or quarterly rhythm — budget defined together at debrief, according to your reality.

Discuss after my scan

Certified EU AI Act Compliance (A4Q)

Who performs the diagnostic

The Quick Scan is performed by Didier Boelens: more than thirty years in software engineering, recognized Flutter expertise since 2018, and assignments for European institutions as well as Belgian SMEs. The person you speak with is the person doing the diagnostic: no junior handoff, no subcontracting.

Discover the background

Frequently Asked Questions

What business leaders ask first.

We only use ChatGPT and Copilot. Are we really concerned?

Most likely, yes, but without drama. AI literacy already applies, and documented usage rules may be expected. For this usage profile, getting in order remains light.

Do we need a lawyer?

Not to start. Most readiness work is operational: inventory, classify, document, and train. Formal legal advice becomes relevant for higher-stakes situations.

We missed a deadline. Is it too late?

No. Regularizing now and documenting the approach remains your best protection before an inspection, audit, or customer request.

How is the Quick Scan different from a legal audit?

The Quick Scan is an operational diagnostic: it tells you where you stand, what is already in order, and what to do first. A legal audit formally validates legal positions. They are complementary.

Does GDPR already cover us?

It gives you a head start, but it does not cover the AI Act: the GDPR processing register and the AI use register are two different documents.

What happens after the Quick Scan?

You leave with a 30/60/90-day roadmap your teams can execute alone. If you want support, it is possible, but never mandatory.

Sources

Regulatory references.

Verified on 6 June 2026
What this service is not

The Quick Scan is an operational readiness diagnostic. It is not a certification, not a compliance guarantee, and not formal legal advice. Findings should be validated with your legal advisers when the risk, sector, or contract requires it.

Want to know where you stand?

Let’s schedule a short conversation. We will look at your current AI uses, likely deadlines, and the best way to start without unnecessary overhead.