In my work as a cybersecurity keynote speaker, I get many questions from US companies about artificial intelligence and its growing web of regulations. The new EU AI Act is on everyone’s mind. In this article, I will walk through the conformity assessment process for high-risk AI systems as US businesses look ahead to 2026, when the rules become binding across the European Union. My goal is to make these requirements practical, clear, and actionable—just as I do during my presentations and consulting engagements at Thiago Vieira.
Understanding the EU AI Act's scope and timeline
The EU AI Act, adopted in 2024, brings the world’s first broad legal framework for artificial intelligence. Its reach spans all companies, including those outside Europe, if their AI touches users, markets, or services within the EU. The extraterritorial approach means that US-based developers and deployers of AI need to prepare, especially when their products or models fit the “high-risk” category.
The rollout happens in stages:
- 2024: General provisions and definitions enter into force. Providers get their first real view of the obligations ahead.
- 2025: Prohibitions on specific AI practices take effect.
- 2026: High-risk AI systems must meet conformity assessment requirements, which include new rules for notified bodies and harmonised standards.
From 2026, any relevant AI system in scope must be compliant before being placed on the EU market or put into service. The countdown has begun.
High-risk AI systems: Who is affected?
In my experience, confusion often centers on what counts as “high-risk.” The EU’s list includes AI used for critical infrastructure, biometric identification, education, employment, law enforcement, border control, and management of essential private/public services. If your AI supports recruitment, credit scoring, medical devices, or certain government services, you should treat your application as high-risk.
AI that supports decision-making impacting people’s rights, safety, or access to services typically qualifies as high-risk.
A friend working at a recruitment startup recently asked me: does a CV-scanning tool used by EU clients count? Yes, and US companies in that position must follow the Act’s conformity pathway or risk exclusion from the European market, along with fines, if they operate there.

Key conformity assessment requirements for high-risk AI
US companies must document and demonstrate how their AI aligns with all EU rules. It’s not just a box-ticking exercise, but a multi-step, living process. Based on my research and client conversations, these stand out as the major pillars:
- Technical documentation: A thorough, continuously updated “blueprint” describing your model’s logic, training data, design choices, and limitations.
- Risk management system: Processes to identify, analyze, and address risks posed by your system before and after market launch.
- Human oversight: Clear methods to ensure a person can intervene or monitor outputs—required for nearly every high-risk use case.
- Data quality checks: Controls to address bias, errors, and security in both the dataset and the algorithm.
- Transparency and instructions: Detailed guidance for users on system function, limitations, and potential risks.
- Post-market monitoring: Continuous evaluation and correction of risks based on real-world results.
Not sure where to start? Reviewing these with an independent consultant, as I do through my security workshops, can help identify and close gaps efficiently.
Conformity assessment routes: Internal vs third-party checks
For high-risk AI, the EU sets two main pathways, called “modules,” for achieving compliance and CE marking:
- Internal control (self-assessment): Used when your AI follows all applicable harmonised standards published by the EU. You prepare full technical documentation and maintain it for at least 10 years. No notified body involvement is required if standards are strictly followed.
- Third-party assessment: If you do not (or cannot) apply harmonised standards completely, or if your AI is in certain critical categories, you must bring in a notified body for independent conformity review. They check your system, ask questions, review documents, and issue a certificate of conformity if approved.
I find most US companies land in the second category, simply because harmonised standards are still in development for many AI scenarios—or their tool is cutting edge, with no direct standard yet.
Self-assessment is allowed only when all published harmonised standards are applied in full.
The role of harmonised standards
These EU-developed standards make it easier for companies to prove compliance. If your system follows new harmonised technical standards for AI, many detailed checks become more straightforward. In several workshops this year, I’ve noticed that waiting for standards can cause paralysis for US firms. My recommendation:
- Start gap analysis now, using the latest drafts or close equivalents.
- Monitor their publication and adjust technical documentation as updates become official EU standards.
- Work with experts who are tracking the development of standards closely (my specialty).
The closer your processes are to these standards, the fewer surprises you’ll face during an assessment.
Understanding notified bodies
Notified bodies are independent organizations designated by EU countries to review, audit, and approve high-risk AI systems for conformity. Their role is similar to what you might know from medical device or product safety certification. Notified bodies can request in-depth documentation, code audits, and technical demonstrations. Engaging with a notified body, especially as a non-EU provider, means your preparation must be both detailed and accessible.
Before their involvement, companies should:
- Complete risk management and technical documentation.
- Conduct thorough internal audits.
- Prepare a robust post-market monitoring strategy.
With proper preparation, the review process can go smoothly and result in your product’s CE mark—a non-negotiable entry point into the EU market from 2026 forward.

What US providers and deployers must do next
In discussions with US technology leaders, I’ve found the extraterritorial effect of the EU AI Act often comes as a shock. Here are the minimum immediate steps I recommend:
- Identify all AI offerings touching EU users or the EU market.
- Screen them against the list of high-risk categories in the Act.
- Begin documentation now—even if your AI is already live in Europe.
- Map which harmonised standards are available for your technology and keep up with regulatory updates.
- Consult experts who understand both US and EU compliance logic, such as the guidance offered through my insights and articles.
For many, an initial technical gap analysis against the Act’s checklist, as outlined in recent guides on risk resilience, is the fastest way to spot where extra work is needed.
What makes expert guidance the best choice
Through my security lectures and consulting, I focus on actionable, practical steps without legal jargon, helping teams simplify complex rules. I combine experience from real-world incidents and preparation for notified body reviews, which saves my clients time and repeated rework.
By using the resources collected at my knowledge base, US companies can find dedicated strategies tailored to their AI solutions, industry, and existing risk controls. No generic templates—I prefer a safer, case-specific approach, which is what regulators prefer as well.
Action beats uncertainty. Start your conformity preparation before the deadline.
Conclusion: Readiness for 2026 and beyond
The EU AI Act’s conformity assessment rules signal a big change for US high-risk AI providers and deployers. By starting compliance now—analyzing obligations, documenting systems, and connecting with harmonised standards—you place your organization ahead of the 2026 wave. My own journey teaching and guiding teams around these laws has shown me that early preparation makes the biggest difference for market entry and resilience.
If your company wants tailored workshops, security insights, or hands-on support readying AI for EU review, the expertise and practical tools I offer at Thiago Vieira are at your service. Connect with me to prepare your AI with confidence and ensure that your place in the EU market is secure, legal, and trusted.
Frequently asked questions
What is the EU AI Act conformity assessment?
The EU AI Act conformity assessment is a process where providers of high-risk AI systems prove that their products meet all legal, technical, and safety requirements before they are marketed or used in the EU. This can involve internal checks (using harmonised standards) or an independent review by a notified body, depending on your AI’s risk category and the availability of standards.
How do I know if my AI is high-risk?
Your AI is considered high-risk under the EU Act if it is used in settings like critical infrastructure, biometric security, recruiting, credit assessments, medical devices, law enforcement, or similar scenarios where automated decisions can deeply affect people or society. Reviewing the official high-risk list and comparing it to your AI's purposes is the best first step. If you have doubts, consulting an expert with EU knowledge is highly recommended.
What are harmonised standards for AI systems?
Harmonised standards for AI systems are technical documents created by European standards organizations and approved by the European Commission that help providers ensure their AI complies with all required safety, transparency, and risk management obligations. Following these standards makes passing the conformity assessment smoother and helps reduce the risk of errors or oversights.
Who are notified bodies for conformity checks?
Notified bodies are independent organizations or assessment firms authorized by EU member states to verify high-risk AI compliance through audits, reviews, and certification procedures. They are listed on the European Commission’s NANDO database and are necessary for certain conformity routes when full reliance on harmonised standards is not possible.
When do new requirements start in 2026?
The main technical, documentation, and conformity assessment rules for high-risk AI providers begin to apply in 2026. From then, a non-compliant system may not be placed on the EU market or put into service, and non-compliance carries significant financial penalties and the risk of market exclusion. US companies with EU customers or users should prepare well before this date.
