Compliance
Jul 15, 2026
15 min read

EU AI Act Readiness: A 90-Day Plan That Actually Fits a Small Team

Kevin Barona
Table of content
share

Most EU AI Act readiness advice is written for companies with a legal department, a compliance department, and a working group between them.

If that is not you, this plan is. It compresses readiness into three 30-day sprints that one motivated owner with executive backing can drive. It will not make you fully compliant in 90 days. It will get you to the point where you know your exposure, your people are trained, and your remaining work is a scoped backlog instead of an anxiety.

EU flag for the EU AI Act

EU AI ACT Readiness - Before Day 1: Assign One Owner

Readiness efforts die from shared ownership. Pick one person who reports progress to leadership every two weeks. They do not need to be a lawyer. They need to be organized and empowered to ask every team what AI they use.

EU AI ACT Readiness - Days 1 to 30: See Everything

Build the AI inventory. Survey every team and list every AI system your company builds, buys, or embeds. Include vendor tools with AI features. For each entry, capture the purpose, the affected people, the data involved, and whether you act as the provider or the deployer.

Screen for the sharp edges first. Check the inventory against the prohibited practices, which have been banned since February 2025. Then flag anything touching hiring, credit, insurance, education, or essential services as potentially high risk. These flags define your risk register.

Confirm your GPAI exposure. If you provide a general-purpose model, obligations already apply and Commission enforcement begins in August 2026. If you build on someone else's model, request their technical documentation now. You will need it later and vendors respond slowly.

Deliverable at day 30: a complete inventory with draft risk classifications and a one-page exposure summary for leadership.

EU AI ACT Readiness - Days 31 to 60: Train and Govern

Run AI literacy training. This is a live legal obligation, not a nice-to-have. The Act requires that staff dealing with AI systems have a sufficient understanding of them. Keep it practical: what your specific systems do, where they fail, what employees may and may not use them for. Record attendance. Documented training is evidence; undocumented training is a rumor.

Stand up lightweight governance. You need a recurring forum where AI decisions get made and recorded. For a lean company this can be a monthly 45-minute meeting with a standing agenda: new AI systems, classification changes, incidents, vendor updates. Fold it into an existing security or risk meeting if one exists. If you are creating governance from zero, our walkthrough on building a security governance framework shows the structure, and the same skeleton carries AI governance well.

Write the two policies that matter first. An acceptable use policy for AI tools, and a procurement rule requiring AI features to be declared and reviewed before purchase. These two documents prevent most of tomorrow's inventory drift.

Deliverable at day 60: trained staff with records, a functioning governance forum, and two signed policies.

EU AI ACT Readiness - Days 61 to 90: Close Gaps and Build the Roadmap

Deep-dive the flagged systems. For anything marked potentially high risk, do a proper classification with written reasoning. For confirmed high-risk systems, gap-assess against the core requirements: risk management, data governance, documentation, logging, human oversight, and accuracy. The NIST AI Risk Management Framework is a free, well-structured reference for organizing this analysis, and it maps cleanly onto the Act's expectations.

Handle transparency quickly. Chatbot disclosures and AI-content labeling are usually days of work, not months. Knock them out inside this sprint. These obligations were not delayed by the 2026 timeline changes, so they deserve early attention.

Sequence the remaining work against the real calendar. GPAI enforcement starts August 2026. The high-risk deadline is moving from August 2026 to December 2027 under the provisional Digital Omnibus agreement, though the original date remains law until ratification. Plot your gaps against those dates and turn them into a quarter-by-quarter roadmap. If roadmapping is new territory, our guide to security roadmap creation covers how to prioritize and timeline this kind of program.

Deliverable at day 90: classified inventory, closed transparency gaps, and a dated remediation roadmap leadership has approved.

Map of europe with lights for EU AI Act readiness

What EU AI ACT Readiness Does Not Mean

Two honest clarifications, because the vendor noise around this topic is loud.

Readiness is not certification. There is no official EU AI Act certificate to buy today. Conformity assessment for high-risk systems is a defined legal process, and voluntary standards like ISO 42001 can build your management system, but anyone selling you "AI Act certified" status this week is overpromising.

Readiness is also not one-and-done. Every new AI feature, vendor, and model version can shift your classification picture. The 90-day plan builds the machine; the governance forum keeps it running. The European Commission's AI regulatory framework page is the primary source worth checking as guidance documents continue to land.

If 90 Days of Focus is the Bottleneck for the EU AI ACT 

The plan above assumes someone has roughly a third of their time free for a quarter. At many growing companies, nobody does. That is the gap Cycore fills. Through our EU AI Act readiness service we run the inventory, the classification, the training, and the roadmap with your team, compressing the calendar without cutting the rigor.

Ninety days from now, the Act's timeline will be ninety days shorter either way. The only variable is whether your exposure is mapped by then.

Weekly tips and insights on building trust.
Join leaders in building a secure, trusted brand—receive expert guidance to outpace competitors and win customers.
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
By signing up, you agree to our Terms and Conditions.
Are you ready to get started?
Schedule a call to see how we can help you build trust
talk to an expert