ON TIME TECHNOLOGY
Innovating Tomorrow’s Solutions
Home
Services
Projects
AI Act
Blog
Careers
Contact
Investor Inquiry
EU AI ACT · COMPLIANCE GUIDE · 2026

EU AI Act Compliance Guide for developers, startups and SMEs

A practical 2026 guide to the EU Artificial Intelligence Act — written for engineering teams, product managers and founders shipping AI systems in Ireland and the wider European Union. Risk categories, high-risk requirements, timeline, penalties and a downloadable compliance checklist.
Download the AI Act checklist
Talk to our team
On this page
1. What is the EU AI Act?
2. Risk Categories
3. High-Risk Requirements
4. Compliance Timeline
5. Penalties
6. Compliance Checklist
7. How OTT helps
8. FAQ
1. What is the EU AI Act?
The first horizontal AI regulation in the world.
The EU Artificial Intelligence Act (Regulation (EU) 2024/1689) is the first comprehensive legal framework for artificial intelligence in the world. It entered into force in August 2024 and applies progressively until August 2027. The Act establishes a risk-based approach to AI governance, balancing innovation with the protection of fundamental rights, health, safety and democracy.
Its scope is wide: it applies to providers placing AI systems on the EU market, to deployers using them inside the EU, to importers and distributors, and even to providers located outside the EU when the output of their AI system is used within the Union. For Irish and UK software houses serving European customers, this means the AI Act is effectively unavoidable.
The Act is implemented at national level by competent authorities. In Ireland, the supervisory framework is being built around existing market-surveillance authorities, with dedicated AI sandboxes to support SMEs and startups testing innovative systems before placing them on the market.
2. The four risk categories
Not all AI is regulated the same way.
The AI Act adopts a risk-based approach. Instead of regulating AI as a technology, it regulates specific uses of AI systems and classifies them into four tiers. Knowing which tier your system belongs to is the single most important compliance decision you will make.
Unacceptable Risk
Prohibited practices: social scoring, manipulative subliminal AI, untargeted facial-recognition scraping, real-time biometric ID in public spaces (with narrow exceptions).
High Risk
Annex III & safety components: biometrics, critical infrastructure, education, employment, essential services, law enforcement, migration, justice, democratic processes.
Limited Risk
Transparency obligations: chatbots, emotion recognition, deepfakes, AI-generated content disclosure to end users.
Minimal Risk
Most AI uses (spam filters, AI in video games, productivity assistants) — voluntary codes of conduct.
3. Requirements for high-risk AI systems
What you must demonstrate before placing the system on the market.
If your AI system falls under Annex III (e.g. biometrics, employment, education, critical infrastructure, justice, migration) or operates as a safety component of a regulated product, it is classified as high-risk. Before placing it on the market, you must implement a full conformity-assessment process and meet the following six requirement areas.
Risk Management System
Continuous, iterative process across the AI lifecycle: identify, analyse, evaluate and mitigate reasonably foreseeable risks. Document residual risks.
Data Governance
Training, validation and testing datasets must be relevant, representative and free of errors. Bias examination is mandatory, with data-quality criteria documented.
Technical Documentation
Comprehensive file covering system architecture, training methodology, validation, monitoring plan and conformity assessment — ready to share with national authorities.
Transparency & Logging
Automated event logging for traceability. Users must be informed when they interact with an AI system; outputs must be marked as AI-generated where applicable.
Human Oversight
AI systems must be designed so that natural persons can effectively oversee operation, interpret outputs, and intervene or override decisions.
Accuracy, Robustness, Cybersecurity
Demonstrate adequate accuracy levels, resilience to errors and adversarial attacks, and document cybersecurity measures throughout the lifecycle.
4. Compliance timeline
What kicks in, and when.
The AI Act applies progressively through 2027. Use this timeline to plan your roadmap. Note that the prohibited practices have already been enforceable since February 2025 — do not assume you still have time on those.
Aug 2024
AI Act enters into force
Feb 2025
Prohibited practices apply
Aug 2025
Rules on GPAI models apply
Aug 2026
High-risk requirements apply
Aug 2027
Full applicability — all provisions in force
5. Penalties for non-compliance
Maximum exposure and SME caps.
The Act introduces severe administrative fines, calibrated by category of violation and capped for SMEs. As of 2026, providers and deployers should treat these as serious business risk, not theoretical exposure.
€35M / 7%
Prohibited AI practices (whichever is higher of fixed amount or % of global annual turnover).
€15M / 3%
Breach of high-risk system requirements or obligations on providers / deployers.
€7.5M / 1%
Supply of incorrect, incomplete or misleading information to competent authorities.
6. Compliance Checklist for engineering teams
Ten practical steps to start this week.
1
Inventory every AI system, model or third-party API your product uses.
2
Classify each system against the four AI Act risk tiers.
3
For high-risk systems, set up a written risk-management process.
4
Document the training, validation and test datasets (with bias examination).
5
Implement automated logging of system events for traceability.
6
Define a human-oversight model — who can intervene, override, audit.
7
Prepare a technical-documentation file aligned with Annex IV.
8
Plan a conformity-assessment procedure (internal or notified body).
9
Build post-market monitoring and incident-reporting workflows.
10
Update terms of service & user-facing transparency disclosures.
Download as PDF
7. How On Time Technology helps
Compliance as engineering, not paperwork.
On Time Technology is an Irish-registered IT company based in Dublin. We have built AI-native platforms in production — including NoMoreFakeNews (real-time disinformation detection), Freety (AI-driven commodity trading) and special-projects R&D — which gives us a working understanding of where AI Act obligations meet day-to-day engineering reality.
We support clients across three workstreams: classification & gap analysis (mapping each AI system against AI Act obligations), compliance engineering (risk-management, logging, oversight, provenance signals integrated into the codebase) and documentation & assessment (building the Annex IV technical file and supporting the conformity assessment process).
8. Frequently asked questions
The questions our clients ask most.
What is the EU AI Act and who does it apply to?
The EU AI Act is the European Union’s comprehensive regulation on artificial intelligence, in force since 2024 and gradually applicable through 2026–2027. It applies to providers, deployers, importers and distributors of AI systems that are placed on the EU market or whose output is used inside the EU — regardless of where the company is based.
Does the EU AI Act apply to startups in Ireland?
Yes. Irish startups developing or deploying AI systems in the EU must comply with the AI Act. Ireland’s designated competent authority will supervise enforcement. SMEs benefit from proportional obligations and access to AI sandboxes, but high-risk systems still require full conformity assessment.
What is a "high-risk" AI system under the Act?
High-risk AI systems are those listed in Annex III (e.g. biometrics, critical infrastructure, education, employment, essential services, law enforcement, migration, justice, democratic processes) or those used as safety components of regulated products. They must meet strict requirements: risk management, data governance, technical documentation, transparency, human oversight, accuracy and cybersecurity.
What are the penalties for non-compliance with the AI Act?
Penalties scale by severity: up to €35M or 7% of global annual turnover for prohibited AI uses, up to €15M or 3% for breach of high-risk requirements, and up to €7.5M or 1% for providing incorrect information to authorities. SMEs benefit from proportionate caps.
When does the EU AI Act fully apply?
The Act entered into force in August 2024. Prohibited AI practices became applicable in February 2025; rules on general-purpose AI models from August 2025; high-risk AI system requirements (Annex III) apply by August 2026; full applicability across all categories is reached by August 2027.
How can On Time Technology help with EU AI Act compliance?
We help organisations classify their AI systems, map obligations, set up risk-management and post-market monitoring processes, prepare technical documentation, integrate provenance and transparency signals into products, and design human-oversight workflows. Our experience building AI-native platforms (NoMoreFakeNews, Freety) means we ship compliance as engineering, not paperwork.
READY TO START?
Turn the AI Act into a competitive advantage.
We help organisations move from regulatory anxiety to a clean, audit-ready AI compliance posture — with engineering, not paperwork.
Book a consultation
Read more on the blog
ON TIME TECHNOLOGY LTD
Irish IT company based in Dublin, specialising in Software Design, Development and R&D. Building the digital infrastructure of tomorrow.
Company
About
Contact
Investor Inquiry
Blog
Careers
Resources
Services
Software Design
Software Development
R&D
AI Act Compliance
Special Projects
Special Projects
NoMoreFakeNews
Custodiy
Freety
© 2026 On Time Technology Ltd. All rights reserved.
The Black Church, St Mary’s Place, Dublin D07 P4AX — Ireland