The EU AI Act is not a single deadline. It is a phased operating model for AI governance. For most enterprises, the useful question is not "When does the Act apply?" but "Which controls must be real first?"
Start with inventory. If the organization does not know which AI systems are used, who owns them, where vendors are embedded, and which workflows touch people, it cannot reliably apply the Act. The inventory should include internal models, third-party AI features, copilots, decision-support tools, customer-facing automation, and AI agents. Every record should carry at least an owner, intended purpose, geography, user group, affected population, vendor, data source, and lifecycle status.
The next layer is prohibited-practice screening. Article 5 obligations are the earliest and least forgiving because they apply to practices that should not proceed at all. Enterprises should screen every AI use case for unacceptable-risk patterns before procurement, deployment, or expansion. That review should be preserved even when the answer is "not prohibited," because auditors and regulators will ask how the conclusion was reached.
After that, classify for high-risk status. Annex III is where many enterprise systems become operationally sensitive: hiring, worker management, education, access to essential services, critical infrastructure, law enforcement-adjacent workflows, migration, justice, and democratic processes. A high-risk classification should trigger a control package: risk management, data governance, human oversight, logging, accuracy and robustness evidence, technical documentation, and post-market monitoring.
For deployers, the hidden work is not the policy document. It is evidence continuity. Systems change, prompts change, vendors release new features, new data becomes available, and teams expand the use case. A once-a-year spreadsheet will not hold. The defensible pattern is a living inventory, a dated classification record, control ownership, sign-off workflow, and evidence that updates as systems change.
Hydrus is designed around that operating model. Teams register systems, classify risk, screen prohibited practices, generate documentation, map controls to the EU AI Act, NIST AI RMF, ISO/IEC 42001, and AIUC-1, and maintain audit evidence in one place.
Practical enterprise sequence:
- Build or import the AI inventory.
- Screen for Article 5 prohibited practices.
- Classify Annex III and other high-risk indicators.
- Assign owners for every system and control.
- Generate technical documentation for higher-risk systems.
- Run fundamental rights impact assessments (FRIAs) where deployment context requires them.
- Establish post-market monitoring and incident review.
- Keep board, risk, legal, and compliance reporting current.
The biggest mistake is waiting for a final deadline before building the evidence model. The second biggest is treating EU AI Act compliance as a legal memo instead of an operational workflow.
This guide is educational and not legal advice. Confirm obligations with counsel for your role, geography, and use cases.