Skip to content

EU AI Act readiness · factual, not alarmist

EU AI Act, classified

The EU AI Act regulates AI by risk, and high-risk is the exception, not the rule. I classify your AI systems in a way you can follow (prohibited, high-risk under Annex III, transparency-bound under Art. 50, or minimal), map the concrete obligations and build the bridge to ISO/IEC 42001 as a practical demonstration of conformity. You get a roadmap with deadlines, without the fear marketing.

Based outside the EU? The Act reaches across borders: if you place AI on the EU market or your AI output is used in the EU, you can be in scope wherever you are, see the EU AI Act for non-EU providers.

News · The European Commission has published the Code of Practice on marking AI-generated content. From 2 August 2026, chatbots, deepfakes and AI-generated text on matters of public interest must be labelled (Art. 50), using the official, freely usable EU mark.

Read the insight

When it makes sense

The EU AI Act applies directly and in stages, and even the question "are we affected?" leaves many companies uncertain, in and outside Europe alike. Rather than assuming high-risk across the board, a clean classification brings clarity. It makes sense if you:

  • use AI in your operation and don't know which risk class your systems fall into
  • run chatbots or generative AI and need to settle the transparency obligations
  • want to prove to customers or supply chains that you have your AI under control
  • need a solid roadmap with the right deadlines instead of guesswork

What you get

  • Inventory of your AI systems by intended purpose
  • Risk classification of every application
  • Comparison against the high-risk list (Annex III)
  • Review of the transparency obligations (Art. 50)
  • Obligations mapping per system
  • Prioritised roadmap with deadlines

For clarity: I provide a professional classification from an auditor's perspective, not binding legal advice. An official ISO certificate is issued exclusively by an accredited certification body, I work neutrally and without ties to any certification body.

The bridge to ISO 42001

The EU AI Act prescribes the goal, ISO/IEC 42001 supplies the structure. An AI management system (AIMS) to ISO/IEC 42001 arranges risk assessment, roles, controls and documentation so that you meet your obligations in an orderly, provable way. Not a legal free pass, but a robust, practical demonstration of conformity.

From law to practice

EU AI ActClassificationISO/IEC 42001Evidence

How it works

Three steps to the classification

01

Inventory

We capture your AI applications and their specific intended purposes, the basis for any classification. Bought-in systems count just as much as those you built yourself.

02

Classify

Each system is assigned a risk class: prohibited, high-risk (Annex III), transparency-bound (Art. 50) or minimal. High-risk is assigned only where it genuinely applies.

03

Roadmap

From the classification I derive an obligations mapping and a prioritised roadmap with the relevant deadlines, including the bridge to ISO/IEC 42001 as practical evidence.

High-risk is the exception

The EU AI Act works with a tiered risk model. Most AI applications in mid-sized companies do not fall under high-risk, what decides it is always the specific intended purpose, not the technology behind it:

  • Prohibited practices. Narrowly delimited applications that are banned (e.g. certain forms of social scoring). Already in force.
  • High-risk (Annex III). A closed list of use areas with special obligations, the exception, not the rule.
  • Transparency (Art. 50). Marking duties, for example for chatbots and AI-generated content, independent of high-risk status.
  • Minimal risk. The bulk of applications: no specific obligations under the AI Act, voluntary good practice recommended.

Want to go deeper? The AI Act high-risk self-check lets you test whether your AI really is high-risk. Which dates count is set out under the EU AI Act deadlines for companies. And on the literacy duty in force since February 2025: AI literacy under Art. 4.

Classification vs. certification

I prepare: as an ISO/IEC 42001 Senior Lead Auditor I classify your AI systems, map the obligations and make you audit-ready, neutrally and without ties to any certification body. PECB awards the Senior level only from 1,000+ documented audit hours and at least seven years of professional practice. The professional AI Act classification does not replace binding legal advice, and official certification to ISO/IEC 42001 is issued exclusively by an accredited certification body. That keeps the assessment independent and your evidence robust.

Frequently asked questions

Does the EU AI Act apply to my company if we are based outside the EU?+

Very possibly, yes. The regulation applies extraterritorially: it covers providers and deployers who place AI systems on the EU market, put them into service in the EU, or whose AI output is used in the EU, regardless of where the company itself is established. So a US, UK or Gulf-based company selling into Europe, or serving EU customers, can be squarely in scope. Whether and how it applies to you is exactly what we clarify first, instead of assuming the worst.

Is my AI system automatically a high-risk system?+

In the vast majority of cases, no. High-risk is the exception, not the rule. The EU AI Act (the Artificial Intelligence Regulation) distinguishes several classes: prohibited practices, high-risk systems (Annex III), systems with pure transparency obligations (Art. 50) and minimal-risk applications. Which class applies depends on the specific intended purpose, and that is exactly what we determine first, rather than labelling everything high-risk.

What are high-risk AI systems under Annex III?+

Annex III of the EU AI Act sets out a closed list of use areas in which AI is deemed high-risk, for example certain applications in employment and candidate selection, access to essential services, critical infrastructure or law enforcement. What matters is not the technology but the intended purpose. I map your AI applications against this list and classify them in a way you can follow and defend.

What do the transparency obligations under Art. 50 mean?+

Art. 50 requires, for certain systems, that people can tell they are interacting with an AI or that content is AI-generated, for example with chatbots or synthetically produced images, audio and text. These duties apply regardless of whether a system is high-risk. I show which of your applications are affected and how to implement the marking in practice.

How does ISO/IEC 42001 help me with the EU AI Act?+

The EU AI Act prescribes the goal, ISO/IEC 42001 supplies the structure. An AI management system (AIMS) to ISO/IEC 42001 organises risk assessment, roles, controls and documentation so that you meet your obligations in an orderly, provable way. It is not a legal free pass, but a robust, practical demonstration of conformity, and it is exactly the bridge I build.

Which deadlines do I need to watch?+

The EU AI Act applies in stages: prohibited AI practices are already banned, the duty to build AI literacy among staff (Art. 4) has applied since 2 February 2025, and from 2 August 2026 the transparency obligations under Art. 50 apply. The obligations for high-risk AI systems under Annex III were originally set for 2 August 2026, but the Digital Omnibus, confirmed by the Council on 13 May 2026, deferred them to 2 December 2027 (AI embedded in regulated products under Annex I to 2 August 2028). Which deadline counts for you depends on how your systems are classified, which we settle at the outset.

Does your classification replace legal advice or certification?+

No. I classify your AI systems from an auditor's perspective, map the obligations and build the bridge to ISO/IEC 42001. Binding legal advice remains the domain of qualified lawyers, and an official ISO certificate is issued exclusively by an accredited certification body. I work neutrally and without ties to any certification body.

Imprint and privacy policy are available in German (the German version is legally binding): Imprint, Privacy (English summary).