
AI Act compliance - classification, an AI register and documentation

The AI Act requires organisations to bring order to how they use AI systems: from inventory and risk classification, through documentation and an AI register, to human oversight, access control and an audit trail.

What your organisation gains

Audit readiness grounded in facts

The organisation receives a map of its AI systems, a risk classification, and a plan for closing gaps. Compliance can then be demonstrated through documentation, a register and controls, rather than through declaration alone.

Informed decisions for the board

Each AI system has an assigned risk category, business owner, compliance status and required actions. The board can see which solutions require urgent attention and which can be planned into the roadmap.

Reduced regulatory risk

The AI Act provides for penalties for the most serious breaches. Early classification of systems and remediation of gaps help reduce the regulatory, operational and reputational risk associated with uncontrolled AI use.

Consistency with GDPR, NIS2 and DORA

Requirements relating to data, access control, security, documentation and oversight often overlap with other compliance programmes. This is why we treat the AI Act as part of a broader governance system, not as a separate project detached from GDPR, NIS2 or DORA.

What we deliver on this project

AI systems inventory

We identify AI systems, AI components and model use cases within the organisation, including solutions built in-house, those purchased from vendors, and AI features embedded in existing enterprise applications.

AI Act risk classification

We assign AI systems to the appropriate risk categories: minimal, limited, high or unacceptable. We analyse the system’s purpose, its users, the data involved, its impact on individuals, and the organisation’s role in the chain of responsibility.

Gap analysis against obligations

We compare the current state with the requirements for the given risk category. We check documentation, human oversight, data quality, transparency, cybersecurity, usage logging, monitoring and access control rules.

AI register and system cards

We create an AI systems register and system cards describing the purpose, owner, vendor, data, model, risk category, users, controls, compliance status and required actions.

Documentation for audit and control

We prepare a structured documentation package: system classification, risk description, ownership decisions, assigned controls, an audit trail, a remediation plan, and the status of actions. The documentation helps the organisation demonstrate what has been assessed, on what basis, and what decisions were made.

Policies, roles and human oversight

We define AI usage policies, roles and responsibilities, rules for approving new systems, human-oversight mechanisms, and escalation paths for decisions or recommendations supported by AI.

How we deliver projects in this area

We start with a workshop and inventory. We establish which AI systems operate within the organisation, who uses them, who supplies them, what data they work on, and which decisions or processes they support.

We then classify the systems by risk category and carry out a gap analysis against the obligations arising from the AI Act. The output is an AI register, a list of gaps, action priorities and a remediation plan.

We typically deliver the basic compliance framework within a 4-week horizon. Further gap closure is planned in stages - depending on the number of systems, risk categories, documentation availability and security requirements. Interpretations with binding legal effect are confirmed with the client’s legal adviser.

Technology stack

AI Act - Regulation (EU) 2024/1689, NIST AI RMF, ISO/IEC 42001, OWASP LLM Top 10, UiPath AI Trust Layer, GDPR, NIS2, DORA, ISO 27001

The team’s experience in AI, cybersecurity and regulatory compliance confirms SNOK’s readiness to support organisations in preparing for AI Act requirements.

Where we have delivered similar solutions

Financial sector company

Inventory and classification of AI systems, preparation of an AI register and compliance documentation for AI Act and DORA requirements.

Essential services operator

AI Act gap analysis integrated with the NIS2 programme. The project allowed a single compliance programme to be run instead of separate, disconnected initiatives.

Corporate group

Preparation of AI usage policies, ownership roles and human-oversight rules for AI assistants used across subsidiary companies.

FAQ - AI Act compliance

When does the AI Act come into effect?

The AI Act entered into force in 2024, but its provisions apply in stages. Some obligations already apply, and further requirements come into effect at subsequent dates. In practice, the first step is not preparing full documentation for every system, but rather inventory, risk classification and a prioritised action plan.

Does the AI Act apply to my organisation?

If the organisation supplies, deploys or uses AI systems, it most often does. The scope of obligations depends on the organisation’s role, the system’s risk category, the purpose of the solution, and the data the system works on. Most business use cases will require at least classification and basic documentation.

What penalties apply for non-compliance?

The AI Act provides for substantial penalties for the most serious breaches, including the use of prohibited practices. The final amount depends on the type of breach, its scale, the severity of the case, the size of the organisation, and the role the organisation plays with respect to the given AI system.

Does SNOK provide a binding legal interpretation?

No. SNOK provides classification, risk assessment, an AI register and technical-organisational documentation. Interpretations with binding legal effect require confirmation by a legal adviser. We work with the client’s legal team on this.
