By James Flint

On the 7th May the EU finally agreed when the EU AI Act provisions concerning “high-risk” AI will come into force: 2nd December 2027 for stand-alone systems, and 2nd August 2028 for such systems when they are embedded in other products. Do these requirements affect you, and if so, what should you do? The definition of “high-risk” is key here. High-risk AI systems are defined in Annex III of the EU AI Act and include several categories that are likely to affect most SMEs as AI adoption becomes the norm, which it rapidly is. These include systems used for assignment to or evaluation of educational and vocational training, including the monitoring of student behaviour during tests; systems used in recruitment or worker management, including those used to place targeted job advertisements, filter job applications and evaluate candidates; and systems used for biometric identification and emotion recognition.

Many businesses now use AI tools to screen CVs or conduct preliminary interviews, track employee productivity or even monitor behaviour. The Act defines these tools as high-risk because, while they increase productivity, they might inadvertently introduce bias into hiring decisions (e.g. screening out candidates of a certain gender or ethnicity due to biased training data), violate labour rights, misinterpret context and unfairly penalise staff, harm morale and mental health through excessive surveillance, or lack transparency (candidates don’t know why they were filtered out).

Outcomes like these can have huge implications for people’s livelihoods and need to be carefully guarded against. So if your business is making or using these kinds of systems, how should you start preparing?

Here are six key things that will get you ready for the AI Act:

  1. Identify Your AI Systems and Use Cases. Begin with an inventory of any AI or automated decision systems your business uses or plans to use. Pinpoint which ones might fall under Annex III high-risk areas – especially anything in HR (hiring, HR analytics, monitoring). For each system, determine your role: are you the provider (developer) of the AI, or just a user/deployer of a third-party tool? This matters because obligations differ between the roles. Also map out where the AI is deployed – if any output or usage touches the EU, flag that too.

  2. Do The Appropriate Risk Assessments. If you’re a provider of a high-risk system, from August it will be mandatory to conduct an AI Risk Assessment (Conformity Assessment) before your product is launched. Treat high-risk AI systems the way you would a major compliance project. Perform an internal audit or Data Protection Impact Assessment (DPIA) with an AI twist. In fact, the EU AI Act’s conformity assessment is essentially an AI-specific impact assessment. Evaluate each high-risk system for potential harms: e.g. bias/discrimination, privacy issues, security vulnerabilities, safety risks, accuracy limitations. Document these findings and the mitigation measures in place. If you’re a deployer of a high-risk system that’s made by someone else, you should do the usual supplier due diligence steps, a DPIA, and a Fundamental Rights Impact Assessment (FRIA), which is mandated under Article 27 of the Act. Many SMEs find it useful to bring in an external expert at this stage. The outcome should be a clear list of what you need to fix or improve to be compliant.

  3. Improve Data Quality and Bias Mitigation. If you’re a deployer, then, depending on the outcome of your risk assessment, you should take steps to ensure your AI’s training data and outputs are as fair and accurate as possible. This could mean retraining a model on more diverse data, removing problematic data points, or adding bias mitigation techniques. Remember, the Act specifically demands that datasets be appropriate and mostly error-free to minimise discrimination. As an SME, you may not have a huge data science team, but even basic steps like using pre-vetted data sources, open datasets from reliable institutions, or AutoML tools with built-in bias checks can help.

  4. Embed Transparency and Explainability. Whether provider or deployer, you should plan for how you will disclose AI usage and provide explanations for AI operations and outcomes, both internally and externally. Draft clear notices for those affected: e.g. adding a line in job application portals like “Note: initial screening for this role is performed by an AI system. All decisions are reviewed by our HR team.” Similarly, if employees are monitored by AI, inform them in advance and ideally get their input or address concerns (this isn’t explicitly required by the AI Act beyond an informing obligation, but it’s aligned with EU worker rights and builds trust). For explainability, consider how you will respond if someone asks “Why did the AI make this decision?” Work with your AI providers to obtain meaningful information about the system’s criteria. Some AI models can produce user-friendly explanations; if yours can, enable that feature. At minimum, be ready to explain the factors the AI considers (e.g. “Our hiring algorithm evaluates experience and skill keywords, but not personal traits like age or gender”). This also means ensuring your team understands the AI — provide training so that staff can interpret and communicate about the system’s functioning.

  5. Strengthen Human Oversight and Training. Do not allow any high-risk AI to run on autopilot. Assign responsible humans (or teams) to oversee each AI system’s operation. Define their roles: e.g. an HR manager must review and sign off on all final hiring decisions, or a doctor must approve any AI-generated diagnosis. Train these personnel on how to monitor the AI and handle cases where they might need to intervene or override it. Create an SOP (Standard Operating Procedure) for intervention: when should staff question or stop the AI? Also, simulate scenarios (like a hiring AI flagging all older candidates as low-fit) to practise human override. If you find your team often has to override the AI, that’s a sign of a problem, which you should loop back into risk management and possibly retraining the model. The motto here is “human in the loop” at all times.

  6. Compile Documentation and Records. Start building your compliance evidence now, piece by piece. For each high-risk AI system, create a documentation file (if you’re the provider) or implementation file (if you’re a user). Include the system’s description, purpose, how it was developed or sourced, a summary of the algorithms or model used, details on training data, identified risks and mitigations (from step 2), and how you implemented the required safeguards (data governance, security measures, etc.). Then maintain records of significant events going forward: when you update the model, any incidents or errors and how you addressed them, results of periodic testing, and so on.
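One concrete form of the bias check from step 3, the override scenario from step 5 and the oversight record from step 6, written as an added example that is not from the original post: it computes selection rates of a hypothetical CV-screening tool by age band over a constructed sample, applies the four-fifths (80%) adverse-impact rule as the trigger for holding a batch for human review, and emits the kind of dated record you would keep. The screening log, the age-band groups, the 80% threshold and the record schema are all assumptions, not requirements of the Act.

```python
from collections import Counter
from datetime import datetime, timezone

# Constructed sample: one record per applicant from a hypothetical CV-screening
# tool, with the protected attribute (here an age band) that the check groups on.
def make_records(age_band, n_total, n_passed):
    return [{"applicant": f"{age_band}-{i}", "age_band": age_band,
             "passed_screen": i < n_passed} for i in range(n_total)]

SCREENING_LOG = make_records("under_40", 10, 6) + make_records("over_40", 10, 2)

# Four-fifths rule (an assumption here, not part of the AI Act): a group whose
# selection rate is below 80% of the best-performing group's rate is flagged.
FOUR_FIFTHS = 0.8

def selection_rates(records, group_key="age_band"):
    """Share of applicants in each group that passed the automated screen."""
    totals, passed = Counter(), Counter()
    for r in records:
        totals[r[group_key]] += 1
        if r["passed_screen"]:
            passed[r[group_key]] += 1
    return {g: passed[g] / totals[g] for g in totals}

def adverse_impact(records, group_key="age_band", threshold=FOUR_FIFTHS):
    """Compare every group's selection rate with the best group's and flag
    those below the threshold; an empty flagged list means no human hold."""
    rates = selection_rates(records, group_key)
    best = max(rates.values(), default=0.0)
    ratios = {g: (rate / best if best else 0.0) for g, rate in rates.items()}
    flagged = sorted(g for g, v in ratios.items() if v < threshold)
    return {"rates": rates, "ratios": ratios, "flagged": flagged,
            "needs_human_review": bool(flagged)}

def oversight_record(result, system_name, reviewer):
    """The kind of dated record step 6 asks you to keep (constructed schema):
    what was checked, what was found, and whether the batch was held for a human."""
    return {"system": system_name,
            "checked_at": datetime.now(timezone.utc).isoformat(),
            "check": "adverse_impact_four_fifths",
            "flagged_groups": result["flagged"],
            "decision": "hold_for_human_review" if result["needs_human_review"] else "released",
            "reviewer": reviewer}

if __name__ == "__main__":
    result = adverse_impact(SCREENING_LOG)
    print(oversight_record(result, "cv-screener (hypothetical)", "hr-manager"))
```

On the constructed sample the over-40 group's rate is a third of the under-40 group's, so the batch is held for the HR manager rather than released; running the same check on every screening batch and keeping the records is what turns "human in the loop" into evidence.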

Following these steps will put your SME on a solid path to compliance. AI doesn’t mean less work; that is a myth. It means a change in work: from doing a lot of process work to monitoring the machines that do that process work. That frees up resources to focus on scaling the parts of the business where the human touch is required, and on looking at how the business is evolving and what kinds of new business lines, and even whole businesses, are becoming possible in the new technological landscape that’s opening up.


EU AI Act latest news

On 19 May, after a series of delays, the EU Commission finally published its draft guidelines for the classification of high-risk artificial intelligence systems. At the same time, it announced a public consultation.


AI services

To learn more about the AI services we offer, please visit www.aiethix.com.