All Articles
Governance

EU AI Act in 90 Days: A Prep Playbook for Vendors Selling into Europe

The EU AI Act's high-risk rules go live in August 2026. Vendors with European customers — wherever you are headquartered — have one quarter to get audit-ready. Here is the 90-day plan we run with enterprise clients.

HarmonyX Research April 15, 2026 · 8 min read
EU AI Act in 90 Days: A Prep Playbook for Vendors Selling into Europe
On this page

    Do you sell to a European customer, even through a partner who resells your tech? Then the EU AI Act's high-risk rules apply to you starting August 2026. For most non-EU vendors, that leaves about 90 working days. You move from "aware of the law" to "have evidence ready for an auditor."

    The downside is real, not theoretical. Fines hit the higher of €35M or 7% of global revenue. EU customers are already writing compliance clauses into renewal contracts. Below is the playbook we run with clients in Bangkok, Singapore, and Jakarta.

    Days 1–30: Inventory and Risk Classification

    First, find out what you actually have. List every AI system you ship to EU customers. Include models embedded inside SaaS features and any third-party APIs you resell. Then sort each one into the Act's four risk tiers: prohibited, high-risk, limited-risk, or minimal-risk. Most B2B analytics, HR screening, credit scoring, and critical-infrastructure tools land in high-risk.

    • Build an AI system register. For each system, record the owner, what it does, where the training data came from, and which countries it ships to.
    • Map each system to a category in Annex III (the Act's list of high-risk uses), or confirm it is limited-risk.
    • Flag any feature using emotion recognition, biometric categorisation, or real-time remote ID. These are often banned outright.

    Days 31–60: Technical and Governance Controls

    Now you build the evidence. High-risk systems need seven streams of proof: risk management, data governance, technical documentation, record-keeping, transparency, human oversight, and accuracy plus robustness plus cybersecurity. Treat each stream as an engineering epic, not a policy PDF.

    • Stand up a model registry. Track lineage, versions, and where each training dataset came from.
    • Wire drift, bias, and performance monitoring directly into your production telemetry.
    • Add human-in-the-loop checkpoints — a person who must review or approve — on every high-stakes decision path.
    • Set up incident response. You must report serious incidents within 15 days.

    Days 61–90: Conformity, Contracts, and Proof

    The last month is packaging. You produce the technical file. You run an internal conformity assessment — a structured self-check against the Act. You draft the EU declaration of conformity. Where required, you register the system in the EU database. In parallel, update your DPAs and MSAs so responsibilities between provider, deployer, and distributor are spelled out. EU customers will ask.

    The vendors who win the next two years will treat AI Act conformity as a product feature — not a legal chore.

    Our AI Observability and Governance Suite automates most of this work: model registry, lineage, drift and bias monitoring, policy-as-code guardrails, and audit-ready exports. If you are 90 days out and still at the inventory stage, get in touch. We run compressed readiness sprints with vendor teams every month.

    Link copied