The implementation roadmap, in 6 phases.

A pragmatic roadmap, inspired by GDPR and ISO 27001 programmes: each phase produces concrete deliverables and sets up the next one. Plan for 6 to 18 months depending on your exposure, iterating in PDCA mode (Plan-Do-Check-Act).

Framing & governance

AI Act compliance is a company-wide programme, not an IT project. Secure an executive sponsor, appoint an AI Act lead (often close to the DPO or the CISO), build a cross-functional team (legal, IT, business, procurement, HR) and have an AI policy adopted: permitted, controlled and prohibited uses. Launch AI literacy without delay (Art. 4, applicable since February 2025): general awareness plus role-specific training.

Deliverables: programme mandate, approved AI policy, RACI matrix, training plan, steering dashboard.

Inventory & mapping

You cannot comply with what you do not know. Identify all AI systems: applications developed in-house, SaaS with AI features, models embedded in products, unofficial uses (shadow AI). Useful sources: business interviews, contract and spend reviews, CMDB, network scans. For each system, qualify the organisation's role (provider, deployer, importer, distributor) - it determines your obligations.

Deliverables: AI system register (owner, purpose, data, supplier, role), intake process for every new system, integration into procurement.

Risk classification

Screen every system, in this order: (1) prohibited practice (Art. 5)? Stop immediately. (2) High risk (Annex I or III)? Check the Art. 6(3) filter and document the analysis. (3) Transparency obligation (Art. 50)? (4) Otherwise, minimal risk. Use a decision tree validated by legal and escalate borderline cases for arbitration. The outcome drives the entire action plan.

Deliverables: register enriched with the classification, Art. 6(3) analysis records, prioritised list of high-risk systems, any shutdown decisions.

Gap analysis & action plan

For each high-risk system (and each transparency obligation), compare the current state with the requirements applicable to your role: Art. 9 to 15 on the provider side, Art. 26-27 on the deployer side, Art. 50 for transparency. Also assess supplier dependencies: documentation available? usable instructions for use? contractual clauses? Prioritise by regulatory deadline, business criticality and effort.

Deliverables: gap matrix per system, prioritised and budgeted action plan, roadmap aligned with the post-omnibus deadlines (February 2025, August 2025, August 2026 for Art. 50, December 2027 and August 2028 for high risk).

Compliance implementation

Execute the plan: AI risk management process (Art. 9, supported by ISO/IEC 23894 or the NIST AI RMF), data governance and bias testing (Art. 10), technical documentation (Annex IV) and logging (Art. 12), tooled and trained human oversight (Art. 14), FRIA and DPIA where required, transparency notices and content marking, AI contractual clauses with suppliers, conformity assessment and CE marking if you are a provider. Start with a pilot scope - one flagship high-risk system - then industrialise.

Deliverables: compliance files per system, FRIA/DPIA, oversight procedures, amended contracts, EU declarations of conformity where applicable.

Continuous monitoring & improvement

Compliance has to be maintained: post-market monitoring (Art. 72) with performance and drift indicators, a serious incident reporting process (Art. 73) tested through exercises, periodic supplier reviews, regulatory watch (delegated acts, harmonised standards, AI Office guidelines), internal audits and management review. This is the Check-Act loop of the PDCA - ideally carried by a management system compliant with ISO/IEC 42001.

Deliverables: monitoring dashboard, tested incident procedure, audit programme, continuous improvement plan, periodic training refreshers.

Milestones vs regulatory deadlines

DeadlineWhat becomes enforceableYou should already have…
2 February 2025Prohibited practices, AI literacyArt. 5 screening done, awareness launched (phases 0-2)
2 August 2025GPAI, governance, penaltiesGPAI supplier clauses, register up to date (phases 1-3)
2 August 2026Transparency (Art. 50), regulatory sandboxesInformation of individuals and content marking in place (phase 4 under way)
2 December 2027 (omnibus)Annex III high risk; pre-existing GPAI models compliant since August 2027High-risk systems compliant, FRIAs completed (phase 4 completed)
2 August 2028 (omnibus)High risk embedded in regulated products (Annex I)Regulated products covered, continuous monitoring operational (phase 5)

Mapping to your existing frameworks

PhaseISO/IEC 42001 (AIMS)Equivalent GDPR reflex
0 - FramingContext, leadership, policy (§4-5)DPO appointment, data policy
1 - InventoryPlanning, system inventory (§6)Record of processing activities (Art. 30)
2 - ClassificationAI impact assessment (§6.1.4, ISO 42005)DPIA criteria
3 - GapsObjectives and planning (§6.2)Compliance plan
4 - ComplianceSupport and operations (§7-8)Privacy by design, Art. 28 contracts
5 - Continuous monitoringPerformance evaluation, improvement (§9-10)Audits, breach management

Target organisation: committees, teams and skills

AI Act compliance is a team sport. Here are the most suitable bodies and roles, their mission and the skills required to fulfil it - to be sized to your organisation's scale and maturity (the self-assessment generates the recommendation tailored to your profile).

Body / roleMissionKey skillsCadence
Executive sponsor
Executive role
Champion the programme at executive level: arbitrate, allocate resources, remove blockers, hold final accountability. Visible leadership; understanding of regulatory and business stakes; budget arbitration; change management. Monthly review
AI governance committee
Cross-functional committee
Decide permitted uses, approve classifications and go-lives, track indicators, incidents and the action plan. Risk management and compliance; AI architecture; business-user representation; ethics and fundamental rights; documented decision-making. Monthly to quarterly
AI Act lead
Pivotal role (AI compliance lead)
Run compliance day to day: register, classifications, FRIAs, committee preparation, action plan tracking. Deep AI Act knowledge; risk management (ISO 23894, EBIOS RM); cross-team project management; AI/ML technical basics; teaching skills. Permanent
DPO & legal
Compliance/legal team
Join up GDPR and AI Act (DPIA + FRIA), validate the classification tree, negotiate AI contract clauses. GDPR and DPIAs; FRIA methodology (Art. 27); contract law; EU regulatory watch. On every classification, FRIA, contract
CISO & security team
Security team
Own robustness and cybersecurity (Art. 15): testing, hardening, AI incidents wired into the SOC, drills. Offensive ML security (adversarial, data poisoning); incident response; ISO 27001/27005; AI pipeline architecture. Before every go-live + continuous
Data & AI team
Technical team
Implement the technical requirements: data (Art. 10), bias testing, documentation (Annex IV), logs, drift. ML engineering and MLOps; bias statistics; data quality and lineage; explainability (XAI); model cards. Continuous (model lifecycle)
Business system owners
Correspondent network
Declare uses, apply instructions for use, provide day-to-day human oversight, escalate incidents. Knowledge of the business process; training on the overseen system; alertness to automation bias; escalation reflex. Ongoing + half-yearly review
Procurement & vendor management
Support function
Make procurement the control point: AI Act clause, collection of documentation and instructions, register intake, supplier reviews. Regulatory contracting; supplier due diligence; per-role obligations (provider, deployer, importer). On every contract + annual review
HR & training
Support function
Roll out AI literacy (Art. 4) by population, track training, organise worker information (Art. 26). Instructional design; labour law and employee-representative relations; change management. Annual plan + on every deployment
Internal audit
Third line of defence
Independent assurance: register completeness, control effectiveness, readiness for authority inspections. Audit methodology (ISO 19011); ISO/IEC 42001; sampling and effectiveness testing; executive-level reporting. Annual audit + action plan follow-up
Sizing for your organisation

SME: pool the roles (the AI Act lead can be the DPO or the CISO; the AI committee can be a quarterly slot of the extended management team) - what matters is that every mission has a named owner. Mid-size: an AI Act lead dedicated at least half-time, a separate AI committee, correspondents in every department. Large organisation: dedicated bodies per entity/BU with group-level consolidation, a multidisciplinary AI compliance team, integration into the three lines of defence.

Success factors

A visible executive sponsor · build on what exists (GDPR, ISO 27001) rather than creating a silo · a pilot before industrialising · procurement and legal on board from phase 0 · measure progress (that is exactly what the maturity self-assessment is for).