The EU AI Act (Regulation (EU) 2024/1689) requires every provider of a high-risk AI system to produce, maintain, and defend a comprehensive technical documentation package before the system may be placed on the EU market. The full high-risk framework becomes enforceable on 2 August 2026. The penalties for non-compliance reach EUR 15 million or 3 per cent of global annual turnover.
This guide is the technical reference for meeting that obligation. It translates every material requirement of the Act into concrete engineering practices, governance processes, and organisational structures, anchored on a single central artefact: the AISDP.
Eighteen interconnected domains across twenty-one sections address the complete lifecycle of a high-risk AI system. The guide covers risk assessment and the Fundamental Rights Impact Assessment; model selection including the GPAI provider boundary; data governance and GDPR alignment; system architecture; version control across six artefact types; CI/CD pipelines with governance gates; cybersecurity with cross-regulatory mapping to NIS2, the Cyber Resilience Act, and DORA; conformity assessment under Annex VI; certification outputs and the legal consequences of signing the Declaration of Conformity; regulator interaction and EU database registration; post-market monitoring through to system end-of-life and decommissioning; operational oversight with a six-level pyramid; a seven-phase delivery process; and five advanced compliance domains covering GPAI integration, RAG-specific compliance, agentic AI, multi-model governance, and cost modelling.
Each domain section follows a three-layer structure: the regulatory requirement sets out what the Act mandates, the recommended engineering approach provides the technical implementation, and compensating controls offer procedural alternatives for organisations at different maturity levels. Readers should treat the engineering approach as the target state and the compensating controls as interim measures for organisations building capability.
Two complete worked examples trace the full AISDP preparation cycle from classification through conformity assessment: TalentLens Pro, a classical ML recruitment screening system, and MediAssist AI, an LLM-based RAG clinical decision support system. The worked examples apply every domain in the guide to a realistic system, demonstrating how abstract guidance translates into concrete documentation decisions. The Deployer and Operator Handbook provides a standalone reference for organisations that use, rather than build, high-risk AI systems.
Compliance investment ranges from hundreds of thousands to low single-digit millions of euros depending on organisational size and system count. First-year costs span approximately EUR 350,000 for a small organisation with a single high-risk system to EUR 2,900,000 for a large organisation with twenty-five systems. Annual ongoing costs range from EUR 155,000 to EUR 1,800,000. These figures are a fraction of the enforcement exposure they are designed to avoid: a single Article 99(3) fine at 3 per cent of turnover for a mid-sized organisation would exceed a decade of compliance programme costs.
Organisations that begin systematic AISDP preparation now, using the seven-phase delivery process as a starting framework, will reach the August 2026 deadline with a compliance posture that can withstand regulatory scrutiny. The preparation timeline for a medium-complexity system spans approximately twenty to twenty-eight weeks. Organisations that delay will find this timeline leaves insufficient margin for the remediation cycles that first-time assessments invariably require.
Each domain section covers the regulatory requirement (what the Act mandates), the engineering approach (recommended technical implementation), and compensating controls (procedural alternatives for organisations at different maturity levels).
TalentLens Pro (a classical ML recruitment screening system) and MediAssist AI (an LLM-based RAG clinical decision support system) trace the full AISDP preparation cycle from classification through conformity assessment.
A single Article 99(3) fine at 3% of turnover for a mid-sized organisation would exceed a decade of compliance programme costs. Maximum fines reach EUR 15 million or 3% of global annual turnover.