Regulatory compliance

Compliance with the AI Act, the EU AI Regulation

The EU Artificial Intelligence Regulation, the AI Act, is the first comprehensive AI law in the world, and it is mandatory. We help you find out whether it affects you, classify your systems by risk level and meet the obligations that apply to you, within the deadline.

Lead auditors for ISO 42001 and ISO 27001 (CISA, CISSP, CISM), with experience in AI governance.

The timeline

A law that is already in motion

The AI Act entered into force in 2024 and applies in phases. Some obligations already apply, others arrive soon. And there is a reform under way that moves the deadlines for high-risk systems, so it is worth looking at your case calmly and with someone who follows the news closely.

Status as of June 2026

Since Feb 2025: Prohibited practices. The bans on unacceptable AI uses and the AI literacy obligations for your staff already apply.

Since Aug 2025: General purpose. The governance rules and obligations for general-purpose AI models already apply.

Aug 2026 (the nearest one): Bulk of the law. Most of the remaining obligations arrive, among them transparency: warning that it is AI and labelling the content it generates.

High risk is under review: a European reform, the Omnibus, proposes delaying the obligations for high-risk systems beyond 2026. The agreement is provisional and will only take effect once it is officially published; until then, the original timeline remains in force.

The consequence for you: waiting for the dates to settle is a risk. The inventory and classification of your systems can be done now, and they are the basis for complying when the time comes, whether or not the deadlines move.

The approach

The law classifies by risk level

The AI Act does not treat all artificial intelligence the same. It classifies each system according to the risk it poses to people, and the higher the risk, the stricter the obligations. Knowing which level each of your systems falls into is the first step.

Unacceptable: Prohibited. Uses banned for breaching fundamental rights. They cannot be used, without exception.

High: Very demanding. AI in sensitive areas such as employment, biometrics or education. Strict obligations for management, documentation and oversight.

Limited: Transparency. AI that interacts with people or generates content. It must warn that it is AI and label what it produces.

Minimal: No obligations. Most AI applications. No specific requirements, beyond good practices.

Most of the effort is concentrated on high-risk systems. That is why the first thing we do is classify: so you dedicate resources only where the law truly requires it.

Who it binds

Does the AI Act affect you?

The law allocates obligations according to your role with each AI system. A single organization can be several things at once, depending on the system in question.

Provider: You develop or place AI on the market.

Deployer: You use third-party AI in your activity.

Importer: You bring AI from outside the EU to the market.

The split matters because the obligations are not the same for whoever makes the AI as for whoever only uses it. The applicability analysis clarifies what you are and what falls to you in each case.

Service

What compliance includes

AI systems inventory: which artificial intelligence you use or develop, your own or third-party, and for what.

Risk classification: which level each system falls into, which is what determines the obligations that apply to you.

Obligations analysis by role: what falls to you as provider, deployer or importer of each system.

Compliance plan with deadlines: what to do and when, taking into account the phased timeline and how it evolves.

Risk management and documentation of high-risk systems: what the law requires you to demonstrate.

Support with ISO 42001: if you wish, we build a certifiable AI management system on top of the compliance work.

Method

How we work

01. Inventory: We identify all the AI systems you use or develop, your own or third-party.

02. Classification: We determine the risk level of each one and your role, to know which obligations apply.

03. Compliance plan: A roadmap prioritized by risk and deadline, focused on what the law truly requires.

04. Implementation: Risk management, documentation and evidence, with ISO 42001 support if you want it.

Synergies

The AI Act and ISO 42001, the law and the method

The AI Act is the law, what you are obliged to comply with. ISO 42001 is the certifiable standard that helps you demonstrate it with an orderly management system. They are not the same and the standard does not replace the law for high-risk systems, but it covers a good part of their governance, so setting up both at once saves you work: what you document for one serves the other. And when it is time to check that this AI really holds up, our AI and LLM pentest comes in, attacking it the way a real adversary would.

What sets us apart: we are lead auditors for ISO 42001 and ISO 27001, so we understand the law and the method as a single system. We help you comply with the AI Act and, if you wish, certify it with ISO 42001, without duplicating the effort.

Questions

Frequently asked questions

What is the AI Act?

It is the EU Artificial Intelligence Regulation, the first comprehensive AI law in the world. It entered into force in 2024 and is mandatory. It classifies AI systems according to the risk they pose to people and imposes proportional obligations: the higher the risk, the stricter they are. It applies in phases over several years.

Since when is it mandatory?

It already is in part. Prohibited practices and AI literacy have applied since February 2025, and the rules for general-purpose models since August 2025. Most of the remaining obligations, including transparency, arrive in August 2026. Those for high-risk systems are under review due to a European reform that could delay them, but until it is officially published the original timeline remains in force.

How do I know if my systems are high-risk?

High risk is defined above all by use: AI in sensitive areas such as employment (recruitment, evaluation), biometrics, education, critical infrastructure or certain regulated products. The classification has nuances, which is why the inventory and the analysis of each system are the first step: they separate what is high-risk, with strict obligations, from what is not.

Does it affect me if I only use third-party AI?

It can affect you, yes. The law distinguishes between whoever develops the AI (provider) and whoever uses it (deployer), and both have obligations, although different ones. If you use third-party AI in sensitive areas, such as recruitment tools, you have responsibilities of your own. The applicability analysis clarifies what role you have and what falls to you.

How does it relate to ISO 42001?

The AI Act is the mandatory law; ISO 42001 is the certifiable standard that helps you demonstrate that you govern your AI rigorously. The standard covers a good part of the governance the AI Act requires, so implementing it leaves much of the path done, although it is not enough on its own for high risk. Setting up both at once saves work.

What happens if I do not comply?

The AI Act penalties are high: they can reach several million euros or a percentage of annual turnover, and they are greater the more serious the infringement, with the highest amounts for prohibited uses. Beyond the fine, using AI in sensitive areas without complying is a reputational and legal risk worth closing in time.

Where do you provide the service?

Across all of Spain. Much of the compliance work is documentary and analytical, so we work with you wherever you are. If you prefer proximity, we are in Tudela, Navarra.

Direct channel

Shall we talk?

Tell us what artificial intelligence you use or develop. In a first conversation we tell you whether the AI Act affects you, which risk level your systems fall into and where to start.
