The implementation roadmap, in 6 phases.
A pragmatic roadmap, inspired by GDPR and ISO 27001 programmes: each phase produces concrete deliverables and sets up the next one. Plan for 6 to 18 months depending on your exposure, iterating in PDCA mode (Plan-Do-Check-Act).
Framing & governance
AI Act compliance is a company-wide programme, not an IT project. Secure an executive sponsor, appoint an AI Act lead (often close to the DPO or the CISO), build a cross-functional team (legal, IT, business, procurement, HR) and have an AI policy adopted: permitted, controlled and prohibited uses. Launch AI literacy without delay (Art. 4, applicable since February 2025): general awareness plus role-specific training.
Deliverables: programme mandate, approved AI policy, RACI matrix, training plan, steering dashboard.
Inventory & mapping
You cannot comply with what you do not know. Identify all AI systems: applications developed in-house, SaaS with AI features, models embedded in products, unofficial uses (shadow AI). Useful sources: business interviews, contract and spend reviews, CMDB, network scans. For each system, qualify the organisation's role (provider, deployer, importer, distributor) - it determines your obligations.
Deliverables: AI system register (owner, purpose, data, supplier, role), intake process for every new system, integration into procurement.
Risk classification
Screen every system, in this order: (1) prohibited practice (Art. 5)? Stop immediately. (2) High risk (Annex I or III)? Check the Art. 6(3) filter and document the analysis. (3) Transparency obligation (Art. 50)? (4) Otherwise, minimal risk. Use a decision tree validated by legal and escalate borderline cases for arbitration. The outcome drives the entire action plan.
Deliverables: register enriched with the classification, Art. 6(3) analysis records, prioritised list of high-risk systems, any shutdown decisions.
Gap analysis & action plan
For each high-risk system (and each transparency obligation), compare the current state with the requirements applicable to your role: Art. 9 to 15 on the provider side, Art. 26-27 on the deployer side, Art. 50 for transparency. Also assess supplier dependencies: documentation available? usable instructions for use? contractual clauses? Prioritise by regulatory deadline, business criticality and effort.
Deliverables: gap matrix per system, prioritised and budgeted action plan, roadmap aligned with the post-omnibus deadlines (February 2025, August 2025, August 2026 for Art. 50, December 2027 and August 2028 for high risk).
Compliance implementation
Execute the plan: AI risk management process (Art. 9, supported by ISO/IEC 23894 or the NIST AI RMF), data governance and bias testing (Art. 10), technical documentation (Annex IV) and logging (Art. 12), tooled and trained human oversight (Art. 14), FRIA and DPIA where required, transparency notices and content marking, AI contractual clauses with suppliers, conformity assessment and CE marking if you are a provider. Start with a pilot scope - one flagship high-risk system - then industrialise.
Deliverables: compliance files per system, FRIA/DPIA, oversight procedures, amended contracts, EU declarations of conformity where applicable.
Continuous monitoring & improvement
Compliance has to be maintained: post-market monitoring (Art. 72) with performance and drift indicators, a serious incident reporting process (Art. 73) tested through exercises, periodic supplier reviews, regulatory watch (delegated acts, harmonised standards, AI Office guidelines), internal audits and management review. This is the Check-Act loop of the PDCA - ideally carried by a management system compliant with ISO/IEC 42001.
Deliverables: monitoring dashboard, tested incident procedure, audit programme, continuous improvement plan, periodic training refreshers.
Milestones vs regulatory deadlines
| Deadline | What becomes enforceable | You should already have… |
|---|---|---|
| 2 February 2025 ✅ | Prohibited practices, AI literacy | Art. 5 screening done, awareness launched (phases 0-2) |
| 2 August 2025 ✅ | GPAI, governance, penalties | GPAI supplier clauses, register up to date (phases 1-3) |
| 2 August 2026 | Transparency (Art. 50), regulatory sandboxes | Information of individuals and content marking in place (phase 4 under way) |
| 2 December 2027 (omnibus) | Annex III high risk; pre-existing GPAI models compliant since August 2027 | High-risk systems compliant, FRIAs completed (phase 4 completed) |
| 2 August 2028 (omnibus) | High risk embedded in regulated products (Annex I) | Regulated products covered, continuous monitoring operational (phase 5) |
Mapping to your existing frameworks
| Phase | ISO/IEC 42001 (AIMS) | Equivalent GDPR reflex |
|---|---|---|
| 0 - Framing | Context, leadership, policy (§4-5) | DPO appointment, data policy |
| 1 - Inventory | Planning, system inventory (§6) | Record of processing activities (Art. 30) |
| 2 - Classification | AI impact assessment (§6.1.4, ISO 42005) | DPIA criteria |
| 3 - Gaps | Objectives and planning (§6.2) | Compliance plan |
| 4 - Compliance | Support and operations (§7-8) | Privacy by design, Art. 28 contracts |
| 5 - Continuous monitoring | Performance evaluation, improvement (§9-10) | Audits, breach management |
Target organisation: committees, teams and skills
AI Act compliance is a team sport. Here are the most suitable bodies and roles, their mission and the skills required to fulfil it - to be sized to your organisation's scale and maturity (the self-assessment generates the recommendation tailored to your profile).
| Body / role | Mission | Key skills | Cadence |
|---|---|---|---|
| Executive sponsor Executive role |
Champion the programme at executive level: arbitrate, allocate resources, remove blockers, hold final accountability. | Visible leadership; understanding of regulatory and business stakes; budget arbitration; change management. | Monthly review |
| AI governance committee Cross-functional committee |
Decide permitted uses, approve classifications and go-lives, track indicators, incidents and the action plan. | Risk management and compliance; AI architecture; business-user representation; ethics and fundamental rights; documented decision-making. | Monthly to quarterly |
| AI Act lead Pivotal role (AI compliance lead) |
Run compliance day to day: register, classifications, FRIAs, committee preparation, action plan tracking. | Deep AI Act knowledge; risk management (ISO 23894, EBIOS RM); cross-team project management; AI/ML technical basics; teaching skills. | Permanent |
| DPO & legal Compliance/legal team |
Join up GDPR and AI Act (DPIA + FRIA), validate the classification tree, negotiate AI contract clauses. | GDPR and DPIAs; FRIA methodology (Art. 27); contract law; EU regulatory watch. | On every classification, FRIA, contract |
| CISO & security team Security team |
Own robustness and cybersecurity (Art. 15): testing, hardening, AI incidents wired into the SOC, drills. | Offensive ML security (adversarial, data poisoning); incident response; ISO 27001/27005; AI pipeline architecture. | Before every go-live + continuous |
| Data & AI team Technical team |
Implement the technical requirements: data (Art. 10), bias testing, documentation (Annex IV), logs, drift. | ML engineering and MLOps; bias statistics; data quality and lineage; explainability (XAI); model cards. | Continuous (model lifecycle) |
| Business system owners Correspondent network |
Declare uses, apply instructions for use, provide day-to-day human oversight, escalate incidents. | Knowledge of the business process; training on the overseen system; alertness to automation bias; escalation reflex. | Ongoing + half-yearly review |
| Procurement & vendor management Support function |
Make procurement the control point: AI Act clause, collection of documentation and instructions, register intake, supplier reviews. | Regulatory contracting; supplier due diligence; per-role obligations (provider, deployer, importer). | On every contract + annual review |
| HR & training Support function |
Roll out AI literacy (Art. 4) by population, track training, organise worker information (Art. 26). | Instructional design; labour law and employee-representative relations; change management. | Annual plan + on every deployment |
| Internal audit Third line of defence |
Independent assurance: register completeness, control effectiveness, readiness for authority inspections. | Audit methodology (ISO 19011); ISO/IEC 42001; sampling and effectiveness testing; executive-level reporting. | Annual audit + action plan follow-up |
SME: pool the roles (the AI Act lead can be the DPO or the CISO; the AI committee can be a quarterly slot of the extended management team) - what matters is that every mission has a named owner. Mid-size: an AI Act lead dedicated at least half-time, a separate AI committee, correspondents in every department. Large organisation: dedicated bodies per entity/BU with group-level consolidation, a multidisciplinary AI compliance team, integration into the three lines of defence.
A visible executive sponsor · build on what exists (GDPR, ISO 27001) rather than creating a silo · a pilot before industrialising · procurement and legal on board from phase 0 · measure progress (that is exactly what the maturity self-assessment is for).