How to Assess EU AI Act Readiness With AI

A practical walkthrough for classifying an AI system under the EU AI Act, screening for prohibited practices, and producing an Annex IV documentation template — in minutes.

The Xeviora Editorial Team, May 29, 2026

Reading Regulation (EU) 2024/1689 cover to cover is not how most teams should start their EU AI Act work. The Act is long, cross-referential, and written for regulators. What you actually need first is narrower: which tier is my system in, which obligations follow from that, and what do I have to write down? A structured readiness assessment answers those three questions, and an AI tool that has the full text of the Act in front of it can produce that answer in minutes.

This is a walkthrough of how to run that assessment well — what to feed it, how to read what comes back, and where to stop trusting the machine and bring in a lawyer.

Before You Start: Gather Five Inputs

The quality of the output depends almost entirely on the quality of the description you give it. Get these five things straight before you begin:

  1. What the system does. Architecture, level of autonomy, what outputs or decisions it produces, and where a human sits in the loop.
  2. Intended purpose. This is the most important input. The Act classifies by purpose and context of use, so "ranks candidates for recruiters" and "suggests reply templates" land in entirely different tiers even with the same underlying model.
  3. Data used. Training and input data, whether personal data or special categories are involved, and how it was collected — this feeds the Article 10 data-governance picture.
  4. Deployment regions. Where the system is placed on the market or put into service.
  5. Your role. Provider, deployer, importer, or distributor. The obligation set is dramatically different across these, so be honest about which one you actually are — and remember that a deployer who substantially modifies a high-risk system becomes a provider under Article 25.

Vague inputs produce a vague classification. "An AI chatbot" could be limited-risk or high-risk depending on what it decides. Spend the extra two minutes describing the purpose precisely.

Step 1: Run the Prohibited-Practice Screen First

The first thing any sensible assessment does is check Article 5. There is no point mapping obligations for a system that cannot legally exist. The screen runs through all eight prohibited practices — subliminal manipulation, social scoring, emotion recognition in workplaces and schools, untargeted facial scraping, and the rest — and flags any that apply.

If the screen comes back clean, you move on. If it flags something, that is the end of the assessment, not a remediation item. A prohibited practice carries the Act's maximum penalty and no compliance path. The right response is to change what the system does, not to document it.

Step 2: Read the Risk Classification — and Its Rationale

Next comes the tier verdict: unacceptable, high, limited, or minimal. The verdict matters, but the rationale matters more. A good assessment cites the Article that drove the decision — Annex III for a high-risk employment system, Article 50 for a chatbot, the Article 6(3) carve-out where it applies.

Read the rationale critically. If it leans on a carve-out ("not high-risk because it only performs a preparatory task"), that is a signal to slow down. The carve-outs in Article 6(3) are narrow, and the profiling exception overrides them. This is precisely the kind of call you confirm with counsel rather than accept at face value. If you want a deeper grounding in what each tier means, our breakdown of the four risk categories covers the boundaries.

Step 3: Turn the Tier Into an Obligations List

Once the tier is fixed, the assessment maps it against your role to produce a concrete obligations table. For a high-risk provider that means the full Articles 8–17 stack plus conformity assessment under Article 43. For a deployer it is mostly Article 26, plus an Article 27 fundamental-rights impact assessment if you are in the public sector or essential services. For an importer or distributor it narrows to verification duties under Articles 23 and 24.

The useful version of this list ties each obligation to its phased deadline. Annex III high-risk obligations land on 2 August 2026; GPAI duties on 2 August 2025; the prohibitions were already live in February 2025. (The compliance timeline lays out every date.) An obligation without a deadline is just trivia; an obligation with a deadline is a project plan.

Step 4: Generate the Annex IV Template

If the system is high-risk, you will need technical documentation that satisfies Annex IV's eight items:

  1. General description of the system
  2. Detailed description of its elements — architecture, training data, validation
  3. Monitoring, functioning, and control
  4. The risk management system (Article 9)
  5. Changes made after the system was placed on the market
  6. Harmonised standards applied
  7. The EU declaration of conformity
  8. The post-market monitoring plan (Article 72)

A readiness tool can hand you this as a tailored template — the eight headings with prompts specific to your system underneath each — so the documentation effort starts from a structured outline instead of a blank page. You still have to fill it in with real content about your system, but the scaffolding is the tedious part, and that is what the template removes.

Step 5: Reuse What You Already Have

If you already operate an ISO/IEC 42001 management system, do not rebuild compliance from scratch. Much of the AI Act's high-risk burden maps onto ISO 42001 evidence: Article 9 risk management aligns with Clause 6.1 and Annex A.5, Article 10 data governance with Annex A.7, and Article 17's quality management system maps closely onto the AIMS as a whole. A good assessment surfaces these mappings so you can point existing evidence at new obligations rather than duplicating work.

Where the Tool Stops and Counsel Begins

A readiness assessment is informational. It is excellent at classification, obligation mapping, and documentation scaffolding — the structured, repeatable work. It is not a substitute for legal judgment on the genuinely ambiguous calls:

  • Whether an Article 6(3) carve-out actually applies to your borderline Annex III system.
  • Whether fine-tuning a foundation model counts as a "substantial modification" that turns you into a provider under Article 25.
  • Whether a GPAI model crosses the Article 51 systemic-risk threshold.

When the assessment flags one of these, treat the flag as a prompt to call a lawyer, not as a verdict.

Doing It in One Pass

Running all five steps by hand against the full Regulation is the work of an afternoon and a copy of the Official Journal. The EU AI Act Readiness tool compresses it: describe your system, set your role and regions, flag whether it is a GPAI model, and it returns the prohibited-practice screen, the risk classification with Article citations, the deadline-mapped obligations table, the Annex IV template, and the ISO 42001 mapping in a single report you can download. It costs 10 credits per run, so the sensible pattern is to assess each system once for a baseline, then re-run it whenever the system or its purpose changes.

Treat the output the way you would treat a strong first draft from an analyst: a real head start that you review and pressure-test, handing the hard calls to your counsel.

Frequently asked questions

Can a tool tell me my EU AI Act risk classification?

It can give you a well-reasoned first pass. A readiness tool screens your system against Article 5, Annex III, and Article 50 and returns a tier with the Article that drives it. That is enough to plan, but the final call on a borderline case — especially an Article 6(3) carve-out or a GPAI threshold — belongs to qualified counsel.

What inputs do I need to assess EU AI Act readiness?

Five things: what the system does, its intended purpose and context of use, the data it relies on, the regions where it is placed or used, and your role (provider, deployer, importer, or distributor). The intended purpose matters most, because the Act classifies by purpose rather than by model architecture.

What is an Annex IV technical documentation template?

Annex IV lists the eight items a high-risk system's technical file must contain — general description, system elements, monitoring, risk management, post-market changes, standards applied, the declaration of conformity, and the post-market monitoring plan. A template turns that list into headed sections with prompts you fill in for your specific system.

How long does a readiness assessment take?

The classification and obligation mapping take a few minutes once you have described the system. Actually closing the gaps — building the Annex IV file, standing up the Article 9 risk management process — takes longer, which is exactly why running the assessment early is worth it.
