Complying with the European artificial intelligence regulation sounds like a task for a law firm: dense, expensive and remote. For a company that simply uses AI in its operations, the practical question is simpler: what do I have to do, and in what order, without having to become an expert in the regulation? It is worth knowing, because compliance is not a single last-minute act but a sequence. These are the steps, from first to last.
Step 1 — Know what AI you have, and which category it falls into
You cannot comply with what you have not inventoried. The first step is not legal: it is to make the list of the AI systems your company uses or develops, and what each one is for. Everything else is decided on that list, because the European AI Act (Source: Regulation (EU) 2024/1689, EUR-Lex, 2024) does not treat all systems alike: it classifies them by risk (prohibited, high-risk, or subject to transparency obligations), and what is required of you depends on that category (Source: Regulation (EU) 2024/1689, art. 6 and annex III, EUR-Lex, 2024).
Saying "mine is not high-risk" does not exempt you from the work: if your system falls within one of the annex III categories, you must be able to document in writing why it is not high-risk, before placing it on the market (art. 6(4)). And if the system profiles individuals, it is high-risk in any case. We explain how to place each system in its category in Is your AI «high-risk»? How to tell without being a lawyer. Until this step is settled, the others are premature.
Step 2 — If it is high-risk, set up the system the law asks for
For high-risk systems, the Regulation does not ask for good intentions: it asks for a quality management system documented in writing (art. 17). In plain terms, it is the set of procedures that demonstrate you control your AI. The law lists thirteen aspects; the ones a board will recognise at once are (Source: Regulation (EU) 2024/1689, art. 17(1), EUR-Lex, 2024):
- Data management (f): how the data that feeds the system enters, is labelled, stored and filtered — written down, not in someone's head.
- Risk management (g): a living record of what can go wrong and what you do to prevent it.
- Post-market monitoring (h) and serious-incident reporting (i): what happens when the system is already in production and something fails — how it is detected and who is notified.
- Record-keeping and documentation (k): the trail an auditor or a regulator will ask for. If it does not exist, it does not matter that the system works well.
- Accountability (m): who answers for what, with names.
One nuance matters, and it should dispel the panic: art. 17(2) states that implementation of the system is to be proportionate to the size of the organisation. For an SME this does not mean the same documentary burden as for a multinational (Source: Regulation (EU) 2024/1689, art. 17(2), EUR-Lex, 2024). We set out what it costs not to have this system, that is, the bands of fines, in Fines under the AI Act; here it is enough to know that the Article 17 system is precisely what is looked at.
Step 3 — Place yourself on the timetable
The Regulation does not all apply on the same day. It arrives in stages, which allows it to be treated as a programme of milestones rather than a single date (Source: Regulation (EU) 2024/1689, art. 113, EUR-Lex, 2024):
- From 2 February 2025, the prohibitions and the AI-literacy obligation are enforceable.
- From 2 August 2025, the obligations on general-purpose models and the penalties chapter apply, among others.
- 2 August 2026 is the general date of application, which includes most of the high-risk regime.
A note of honesty: a deferral of part of the high-risk regime is under discussion at European level, agreed provisionally but not yet formally adopted (Source: Council of the EU, 2026). Until it is confirmed, the dates in force are those above. The practical consequence does not change: the work in step 2 takes months, so the timetable is planned backwards from the date that applies to you.
Step 4 — Lean on the official guides
There is no need to start from scratch or invent the documentation. As a result of its regulatory sandbox, the Spanish Agency for the Supervision of Artificial Intelligence (AESIA) published in December 2025 a package of fifteen guides supporting compliance with the Regulation for high-risk systems, with checklists on risk management, data governance, transparency and cybersecurity, among others (Source: La Moncloa, 2025). They are the national practical standard and a good template for any internal policy. We explain who AESIA is and what role it plays in AESIA: what it is and what it asks of your company.
Compliance is putting things in order, not becoming a lawyer
Seen together, the four steps have something in common: none is a last-minute legal trick. They are a matter of order: knowing what AI systems you have, which category each falls into, what procedures you control them with and what documentation backs that up. That same base is what answers the regulator when it asks: not a PDF signed for the inspection, but the architecture of your system, ordered so that anyone can check what it does.
That is why, in our method, the inventory and the classification are the first things put in writing, and the management system is built on that base rather than added at the end. Compliance, seen this way, is not about becoming an expert in the regulation: it is about putting things in order and leaving a trail. Whoever has that trail does not fear the inspection, because they can point to the evidence.