August 2 Is Coming: A 60-Day Sprint to EU AI Act High-Risk Compliance
A practical, deadline-driven checklist for UK SMEs and their IT providers to assess exposure to EU AI Act high-risk rules before penalties of up to 7% of global turnover apply.
A recruitment firm in Leicester recently asked us a simple question: "We use an AI tool to screen CVs, but we're in the UK and we sell to UK clients. The EU AI Act doesn't touch us, right?"
Wrong. Some of their clients have offices in Dublin and Frankfurt, and the screening results feed decisions about people in those locations. That single thread of EU exposure pulls the whole business into scope. And the clock is ticking.
The EU AI Act is being switched on in stages. The next big milestone lands on 2 August 2025, when the rules governing general-purpose AI models and the governance, penalty, and notification machinery come into force. If you supply, deploy, or build AI that touches the EU market, the next 60 days are when you find out whether you have a problem — and start fixing it before the penalties bite.
Why a UK SME should care
Brexit didn't put a wall around the AI Act. Like GDPR before it, the regulation reaches across borders. It applies if you place an AI system on the EU market, if you're established in the EU, or if the output of your AI system is used in the EU — even when your business sits entirely in Nottingham.
That last point catches more firms than people expect. If your software's recommendations, scores, or classifications are used by someone in an EU member state, you can be on the hook.
The penalties are not symbolic. Breaching the rules on prohibited AI practices can cost up to €35 million or 7% of global annual turnover, whichever is higher. Other breaches sit at €15 million or 3%. For an SME turning over a few million pounds, a 7% penalty is the difference between a good year and closing the doors.
First, work out if you're actually high-risk
Not every AI system is high-risk. Most aren't. The Act sorts systems into four buckets: prohibited, high-risk, limited-risk, and minimal-risk. The deadline pressure mostly concerns the first two.
Prohibited practices were already banned from February 2025. These include social scoring, certain biometric categorisation, and manipulative systems that exploit vulnerabilities. If you're running anything in this territory, stop now.
High-risk is where most compliance effort goes. A system is generally high-risk if it's used in areas like:
- Recruitment and worker management (CV screening, performance monitoring, promotion decisions)
- Access to education or vocational training
- Creditworthiness and credit scoring
- Essential private and public services, including insurance
- Critical infrastructure
- Biometric identification
That Leicester recruitment example? Squarely high-risk, because hiring decisions affect people's livelihoods.
If none of your AI touches these areas, your obligations are lighter — mostly transparency requirements, like telling people they're interacting with a chatbot. But you still need to prove you've checked, which brings us to the inventory.
The 60-day checklist
Here's the practical sequence we're running with clients. Treat it as a sprint, not a project plan. The aim over the next two months is to know your exposure and have the paperwork started.
Week 1–2: Build an AI system inventory
You cannot comply with rules about systems you can't name. Most SMEs underestimate how much AI is already in their stack, because so much of it arrived quietly inside other products.
List every AI system in use, including:
- Tools you built or commissioned
- AI features baked into SaaS products (your CRM's lead scoring, your HR platform's screening, your helpdesk's auto-routing)
- Anything staff have adopted informally — the shadow AI problem, where someone's been pasting customer data into a free chatbot
For each one, record what it does, what data goes in, what decisions come out, who uses the output, and whether any of that touches the EU. This single document is the foundation for everything else.
Week 3–4: Classify and assess
Run each inventoried system through the risk buckets. For anything that looks high-risk, you need to understand your role. Are you a provider (you make or rebrand the system) or a deployer (you use someone else's)? The obligations differ, and providers carry the heavier load.
If you're a deployer of a high-risk system, much of the conformity work falls on the provider — but you still have duties around human oversight, monitoring, and keeping logs. Don't assume the vendor has it covered. Ask them directly, in writing, whether their product meets AI Act high-risk requirements and request their documentation.
Week 5–6: Start the documentation
High-risk systems demand a technical file: a description of the system, its intended purpose, the data used to train and test it, risk management measures, and human oversight arrangements. You also need to log incidents and keep records.
You will not finish this in two weeks. The point is to start, identify the gaps, and put owners against each one. A half-built file with a clear plan is defensible. An empty drawer is not.
Week 7–8: Plug into your wider reporting stack
This is where the deadline gets genuinely awkward, because the AI Act doesn't arrive alone.
The triple-reporting stack: NIS2, DORA, and the AI Act
Three EU regimes now overlap, and an SME unlucky enough to be caught by all three faces a tangle of separate but related reporting duties.
- NIS2 is the network and information security directive. It widens the net of "important" and "essential" entities and demands incident reporting, often within tight windows — an early warning inside 24 hours for significant incidents.
- DORA (the Digital Operational Resilience Act) targets financial services and their IT suppliers, with strict rules on resilience testing, third-party risk, and incident classification.
- The AI Act adds its own serious-incident reporting for high-risk systems.
The trap is treating these as three projects. A single ransomware attack on an AI-driven credit system at a fintech could, in theory, trigger reporting under all three. If your incident response process only knows about one regime, you'll miss deadlines on the others.
The smarter approach is one incident response framework that maps each event to every regime it touches, with the right clocks and the right recipients built in. Define your reporting thresholds once. Know who notifies whom, and how fast. Rehearse it before you need it.
For most SMEs, this is the part where an IT provider earns its keep — joining the dots between security monitoring, supplier contracts, and the legal duties that sit on top.
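To make the "one framework, many clocks" idea concrete, here is an added example (not code from the article or from any real compliance product) that takes an inventory row of the kind described in Week 1–2, an incident, and a few facts about the organisation, and returns every notification duty the incident triggers with a deadline computed from the detection time. Only the NIS2 24-hour early warning window comes from the article; the DORA and AI Act windows, the recipient names and the significance flag are placeholders (named ASSUMED_* or marked in comments) that a firm would replace after taking legal advice.

```python
"""Map one incident to every reporting regime it touches, with clocks.

Added example, not part of the original article. Only the NIS2 24-hour
early-warning window is taken from the text; every ASSUMED_* value and the
recipient strings are placeholders, not statutory figures.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

NIS2_EARLY_WARNING_H = 24                    # from the article: early warning inside 24h
ASSUMED_DORA_INITIAL_H = 4                   # placeholder, replace with advised figure
ASSUMED_AIACT_SERIOUS_INCIDENT_H = 15 * 24   # placeholder, replace with advised figure


@dataclass(frozen=True)
class AISystem:
    """One row of the AI inventory: what it does, who uses it, EU exposure."""
    name: str
    purpose: str              # e.g. "credit scoring"
    eu_exposure: bool         # outputs used by anyone in an EU member state
    high_risk: bool           # recruitment, credit, insurance, biometrics, ...
    role: str                 # "provider" or "deployer"


@dataclass(frozen=True)
class Organisation:
    nis2_entity: bool         # caught as an "important" or "essential" entity
    financial_services: bool  # a financial entity, or an ICT supplier to one (DORA)


@dataclass(frozen=True)
class Incident:
    detected_at: datetime
    significant: bool         # meets the firm's own pre-agreed NIS2 threshold
    affected_systems: tuple   # AISystem instances drawn from the inventory
    harm_to_persons: bool     # e.g. wrong credit decisions reached real people


@dataclass(frozen=True)
class Obligation:
    regime: str
    notify: str               # placeholder recipient label
    deadline: datetime
    reason: str


def map_incident(org: Organisation, incident: Incident) -> list:
    """Return every notification duty the incident triggers, earliest deadline first."""
    t0 = incident.detected_at
    duties = []
    if org.nis2_entity and incident.significant:
        duties.append(Obligation(
            "NIS2", "national CSIRT (placeholder)",
            t0 + timedelta(hours=NIS2_EARLY_WARNING_H),
            "significant incident at an in-scope entity"))
    if org.financial_services:
        duties.append(Obligation(
            "DORA", "financial supervisor (placeholder)",
            t0 + timedelta(hours=ASSUMED_DORA_INITIAL_H),
            "ICT incident at a financial entity or its supplier"))
    # AI Act duty only attaches where a high-risk system with EU exposure was hit
    # and people were actually affected; a UK-only deployment drops out here.
    hit = [s for s in incident.affected_systems if s.high_risk and s.eu_exposure]
    if hit and incident.harm_to_persons:
        names = ", ".join(s.name for s in hit)
        duties.append(Obligation(
            "AI Act", "provider / market surveillance authority (placeholder)",
            t0 + timedelta(hours=ASSUMED_AIACT_SERIOUS_INCIDENT_H),
            f"serious incident involving high-risk system(s): {names}"))
    return sorted(duties, key=lambda d: d.deadline)


def main():
    # Constructed scenario from the article: ransomware at a fintech whose
    # AI credit scorer's outputs are used by EU customers.
    org = Organisation(nis2_entity=True, financial_services=True)
    scorer = AISystem("credit-scorer", "credit scoring", True, True, "deployer")
    inc = Incident(datetime(2025, 6, 1, 9, 0, tzinfo=timezone.utc), True, (scorer,), True)
    for d in map_incident(org, inc):
        print(f"{d.deadline:%Y-%m-%d %H:%M} UTC  {d.regime:7} -> {d.notify}: {d.reason}")


if __name__ == "__main__":
    main()
```

The point of the structure is that the inventory row, not the incident handler, carries the facts that decide which clocks start: change `eu_exposure` to `False` on the scorer and the AI Act duty disappears while NIS2 and DORA remain, which is exactly the "where do your outputs land" check the article asks for.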
What to do this week
If you do nothing else before August, do this:
- Start the AI inventory. One spreadsheet, every system, including the shadow AI.
- Flag anything in recruitment, credit, insurance, or biometrics as a probable high-risk candidate.
- Write to your AI vendors and ask them to confirm their AI Act status and share documentation.
- Check your EU exposure — not just where you're based, but where your outputs land.
Sixty days is enough to know where you stand. It is not enough to fix everything, so spend it well. The firms that get caught out in August won't be the ones who found a problem early — they'll be the ones who never looked.
If you're not sure where your AI sits, or how the three reporting regimes apply to your business, that's exactly the conversation to have now, while there's still runway. Get in touch and we'll help you build the inventory and the response framework before the deadline does it for you.
