Key Takeaways
- The EU's AI Act delays could exempt many high-risk AI systems from oversight indefinitely.
- Non-retroactivity provisions mean systems launched before the new deadlines may never need to comply unless significantly altered.
- Small teams should proactively assess their AI systems against the regulations already in force, so that compliance gaps surface before the deadlines rather than after.
- Engaging with industry standards and best practices can help mitigate risks associated with high-risk AI systems.
- Continuous monitoring of regulatory updates is essential for maintaining compliance and governance.
What Small Teams Should Do Before the High-Risk Rules Apply
The EU AI Act's timeline for high-risk systems means that the strictest obligations are phased in over several years — but the groundwork for compliance needs to start now. Small teams that build or use AI in any of the categories listed in Annex III of the Act (biometric identification, critical infrastructure management, educational assessment, employment screening, access to essential services, law enforcement, migration processing, or administration of justice) are operating in the high-risk tier, even if the enforcement deadline feels distant.
The practical preparation steps are straightforward:
Step 1: Classify your AI tools against Annex III. For each AI system your team uses or builds, ask whether its primary function falls into one of the eight high-risk categories. Most small teams will find that internal productivity tools (document summarisation, code generation, customer support drafts) fall outside Annex III. But any AI system that informs hiring decisions, determines eligibility for services, or processes biometric data is in scope. Document this classification now — the Act requires it, and the documentation is easier to produce before deployment than after.
Step 2: Understand the conformity assessment requirement. High-risk AI systems must pass a conformity assessment before they are placed on the market or put into service in the EU. For most systems this is a self-assessment against the Act's harmonised standards, once those standards are published. The high-risk timeline has slipped partly because CEN-CENELEC is still developing those standards. Keep monitoring the EU AI Office's published standards roadmap.
Step 3: Prepare your technical documentation. The Act requires high-risk system providers to maintain detailed technical documentation covering the system's intended purpose, performance metrics, training data characteristics, and risk management measures. If you are building a system that will eventually fall under high-risk rules, start maintaining this documentation as part of your development process — retrofitting it is significantly harder.
Step 4: Register your system. The EU AI Act requires high-risk systems to be registered in a publicly accessible EU database before deployment. The registration system is still being established, but the categories of information required are known. Prepare your registration data now so it can be submitted when the system opens.
The delays in implementing the high-risk rules are not a signal that compliance can be deferred indefinitely. They reflect the complexity of creating enforceable technical standards for diverse AI applications — not a reduction in the Act's eventual reach. Teams that use the delay period to document, classify, and prepare will be in a significantly stronger position than those that treat the delay as an extension of the pre-compliance window.
Preparing Vendor Contracts for High-Risk AI Compliance
One dimension of high-risk AI compliance that small teams often overlook is the contractual layer. When a team uses a third-party AI service that falls into a high-risk category, the responsibility for compliance does not automatically rest with the provider. Under the EU AI Act, the organisation that deploys the system and determines its purpose is the "deployer" — and deployers have distinct obligations.
For small teams using third-party high-risk AI systems, the minimum contractual requirements include: confirmation from the provider that the system has completed a conformity assessment, access to the technical documentation required for your own compliance record, and a process for receiving updates when the provider makes changes that could affect the system's risk classification. These requirements need to be built into the procurement process — asking for this documentation after signing a contract is substantially harder.
Review your existing AI vendor contracts against this checklist before the high-risk rules take effect.
Quick Reference: EU AI Act High-Risk Compliance Checklist
- Classify each AI system against Annex III categories
- Document the classification rationale per system
- Identify applicable conformity assessment pathway
- Begin collecting required technical documentation (training data, performance metrics, risk management)
- Review AI vendor contracts for conformity assessment evidence and technical documentation access
- Register system in EU AI Act database when the registration system opens
- Assign a responsible person for post-market monitoring obligations
How a Small SaaS Team Navigated the EU AI Act Delay Window
A B2B SaaS company with twelve people uses an AI-assisted candidate screening tool to help customers triage job applications. When the EU AI Act's high-risk timeline was extended, their first instinct was to slow down their compliance preparation. A conversation with their legal counsel produced a different conclusion.
The screening tool falls squarely in Annex III category 4 (employment and workers management). Even with the extended deadline, two things remain unchanged: the GDPR accountability obligations that apply to any automated processing of personal data, and the contractual expectation of the enterprise customers who had started asking about AI Act compliance in procurement questionnaires.
The team spent three weeks building their compliance foundation during the delay window:
Week 1: They created a one-page system description covering the model used, the data it processes, the decisions it informs, and the human review step before any output is shown to a customer. This document did not exist before.
Week 2: They updated their privacy notice to explicitly describe the AI-assisted screening tool and the data it uses. Previously, the privacy notice described the SaaS product generically without mentioning AI processing.
Week 3: They added a "human review required" gate before any screening output was displayed to a customer, and logged the gate in their audit trail. This change also satisfied a customer who had asked for human-in-the-loop confirmation.
The compliance foundation they built in three weeks was more than they expected to complete. More importantly, when the first customer procurement questionnaire arrived asking about EU AI Act compliance, they could answer it honestly and in detail — which the team attributed directly to using the delay window for preparation rather than deferral.
Summary
The recent delays in the EU's AI Act have significant implications for high-risk AI systems. Originally set to take effect by August 2026, the high-risk provisions are now postponed to December 2027 or even August 2028. This delay aims to give companies and regulators more time to prepare, but it raises concerns about the effectiveness of the legislation. Critics argue that by allowing existing high-risk systems to remain outside the law's purview, the EU may inadvertently weaken the regulatory framework at a crucial time.
One of the most concerning aspects of the AI Act is its non-retroactive nature. As outlined in Article 111, systems placed on the market before the new deadlines will not be subject to compliance unless they undergo significant modifications. This creates a loophole that could exempt many high-risk AI applications—such as those used in hiring or medical devices—from necessary oversight indefinitely. As a result, small teams must remain vigilant and proactive in managing their AI systems to ensure they align with evolving regulations and industry standards.
Governance Goals
- Establish Clear Compliance Metrics: Define specific benchmarks for AI compliance that can be quantitatively measured, ensuring that high-risk AI systems meet regulatory standards.
- Enhance Stakeholder Engagement: Create a framework for regular communication with stakeholders, including regulators, to foster transparency and collaboration in AI governance.
- Implement Continuous Risk Assessment: Develop a process for ongoing evaluation of AI systems to identify and mitigate risks associated with high-risk applications.
- Promote Ethical AI Development: Set guidelines that prioritize ethical considerations in the design and deployment of high-risk AI systems, ensuring alignment with societal values.
- Facilitate Training and Awareness Programs: Organize training sessions for teams involved in AI development to raise awareness about compliance requirements and ethical implications of high-risk AI systems.
Risks to Watch
- Regulatory Loopholes: The non-retroactive nature of the AI Act may allow existing high-risk systems to evade oversight indefinitely, potentially leading to unregulated applications.
- Rushed Deployment: Companies may rush to deploy high-risk AI systems before the new deadlines, prioritizing speed over safety and compliance, which could result in harmful consequences.
- Public Trust Erosion: Delays in regulation could diminish public confidence in AI technologies, especially if high-risk systems are perceived as operating without adequate oversight.
- Inconsistent Standards: The introduction of sector-specific legislation may create a patchwork of regulations, complicating compliance for organizations operating across multiple industries.
- Increased Vulnerability to Abuse: Without stringent oversight, high-risk AI systems could be exploited for unethical purposes, such as discrimination in hiring or surveillance.
Controls (What to Actually Do)
- Conduct a Compliance Audit: Review existing high-risk AI systems against the upcoming requirements of the EU AI Act to identify gaps and areas for improvement.
- Develop a Risk Management Framework: Create a structured approach to assess and mitigate risks associated with high-risk AI systems, incorporating feedback from diverse stakeholders.
- Implement Version Control: Establish a system to track modifications to AI systems, ensuring that any significant changes trigger a compliance review under the AI Act.
- Engage with Legal Experts: Collaborate with legal advisors to interpret the implications of the AI Act and ensure that your organization’s practices align with evolving regulations.
- Create an Ethical Review Board: Form a dedicated team to evaluate the ethical implications of high-risk AI systems, ensuring that development aligns with societal values and norms.
Checklist (Copy/Paste)
- Review the latest updates on the EU AI Act and its implications for high-risk AI systems.
- Assess existing AI systems for compliance with the upcoming regulations.
- Develop a plan for modifying high-risk AI systems to meet regulatory standards.
- Implement risk management strategies tailored to high-risk AI applications.
- Establish a governance framework to monitor ongoing compliance and regulatory changes.
- Train team members on the requirements of the EU AI Act and its impact on operations.
- Engage with legal experts to understand the implications of non-retroactivity in the AI Act.
- Create a timeline for compliance actions leading up to the new deadlines.
Implementation Steps
- Stay Informed: Regularly check updates from the EU regarding the AI Act and any changes to deadlines or provisions that may affect high-risk AI systems.
- Conduct an Inventory: List all AI systems currently in use, categorizing them by risk level according to the EU AI Act's definitions.
- Evaluate Compliance: For each high-risk AI system, assess its current compliance status and identify any necessary modifications to meet regulatory standards.
- Develop Modification Plans: Create detailed plans for any required changes to high-risk AI systems, ensuring they align with the upcoming regulations.
- Implement Risk Management: Establish risk management protocols that address potential risks associated with high-risk AI systems, including ethical considerations and data privacy.
- Create a Governance Framework: Design a governance structure that includes roles and responsibilities for monitoring compliance and adapting to regulatory changes.
- Train Staff: Organize training sessions for all relevant team members to ensure they understand the EU AI Act and its implications for their work.
- Engage Legal Counsel: Consult with legal experts to clarify the implications of the non-retroactivity clause and how it affects your existing AI systems.
Frequently Asked Questions
Q: What defines a high-risk AI system under the EU AI Act?
A: A high-risk AI system is one that poses significant risks to health, safety, or fundamental rights. This includes AI applications in critical areas such as employment, education, and law enforcement, where the consequences of failure can be severe.
Q: How can organizations prepare for the non-retroactivity clause in the AI Act?
A: Organizations should assess their existing AI systems to determine if they fall under the high-risk category. If they do, they should plan for potential modifications to ensure compliance before the deadlines, as systems placed on the market before the new deadlines may remain exempt.
Q: What are the consequences of failing to comply with the EU AI Act?
A: Non-compliance with the EU AI Act can lead to significant penalties, including fines and restrictions on the use of AI systems. Additionally, organizations may face reputational damage and loss of trust from customers and stakeholders.
Q: Are there any specific industry standards that can help with compliance?
A: Yes, organizations can refer to standards such as the NIST AI Risk Management Framework and ISO 42001, which provide guidelines for managing risks associated with AI systems and ensuring compliance with regulatory requirements.
Q: How often should organizations review their AI systems for compliance?
A: Organizations should conduct regular reviews of their AI systems, ideally on a quarterly basis, to ensure ongoing compliance with the EU AI Act and to adapt to any regulatory changes or updates in industry standards.
References
- Tech Policy Press. (2023). EU’s AI Act Delays Let High-Risk Systems Dodge Oversight. Retrieved from https://techpolicy.press/eus-ai-act-delays-let-highrisk-systems-dodge-oversight
- OECD. (n.d.). AI Principles. Retrieved from https://oecd.ai/en/ai-principles
Related Reading
For practical governance frameworks that complement EU AI Act compliance preparation, see our guides on AI governance for small teams, the AI governance playbook, and responsible AI in culturally sensitive contexts.
