A Digital Colliers Report · June 2026

Building AI Europe
won't ban

The EU AI Act's high-risk rules are coming in 2027. An engineering guide to what your team has to build before then.

digitalcolliers.comAn engineering perspective, not legal advice
A Digital Colliers reportJune 2026

Building AI Europe won't ban

The EU AI Act's high-risk rules are coming in 2027. Here is what your engineering team has to get right before then.

You have probably been told you have more time. In May 2026, the EU agreed to push its high-risk AI deadline from August 2026 to December 2027. Most boards heard one word: later.

That is the most expensive word in your roadmap right now. This report explains why, and what the teams who will actually be live and legal in 2027 are building today.

About a 40 minute read 10 charts Every claim sourced
The short version

Seven things a CTO needs to know

  1. 01

    The deadline moved, but it is not relief. High-risk obligations shifted from August 2026 to December 2027, and for embedded systems to August 2028. The move is still pending formal adoption, and it happened because the compliance standards are late.

  2. 02

    AI made building software cheap, not legal. AI now writes a large share of code, but the gains are uneven and weakest on exactly the complex, high-stakes systems the Act regulates.

  3. 03

    Most AI already fails before any of this. The majority of AI initiatives never reach production or measurable value, and the causes are structural, not model-related.

  4. 04

    From 2027, in Europe, shipping is not enough. You have to ship to a legal specification or not operate at all, with fines up to €15 million or 3 percent of global turnover.

  5. 05

    Classification is an engineering decision, not a legal afterthought. Credit scoring is high-risk; fraud detection is carved out. Two adjacent models can sit on opposite sides of the line.

  6. 06

    The requirements are not about the model. Articles 9 to 15 are data governance, logging, documentation, oversight and testing. They are the same disciplines that make a system survive production.

  7. 07

    Compliance and production-readiness are nearly the same checklist. Teams that treat them as one project will be live in 2027. Teams that treat them as two will do the work twice, or not at all.

The numbers that frame it

Hover any tile for the detail and source.

01 · The deadline that moved

Where this actually stands in mid-2026

The European Union's Artificial Intelligence Act entered into force on 1 August 2024. It does not switch on all at once. It arrives in stages, and the stages are what matter to anyone shipping software.

The prohibited uses and the AI-literacy duties landed first, in February 2025. The rules for general-purpose AI models and the governance bodies followed in August 2025. The big one, the rules governing high-risk AI systems, was scheduled for 2 August 2026.

Then it moved. On 7 May 2026, the Council and the Parliament reached political agreement on a package known as the Digital Omnibus on AI. The obligations for standalone high-risk systems, the ones listed in Annex III, shift to 2 December 2027. The obligations for high-risk AI embedded in regulated products, the Annex I category, shift to 2 August 2028.

The high-risk deadline did not disappear. It moved, and on conditions that mean it could move again.

Why it moved, and why that matters

Here is the part almost no coverage leads with. As of the time of writing, that delay is not yet law. It is politically agreed and pending formal adoption. The original 2 August 2026 date technically remains on the books until the Omnibus is enacted.

And the reason for the delay is not generosity. It is that the harmonised standards meant to tell engineers how to comply were not going to be ready in time, so the EU linked the application of the rules to the availability of those standards and support tools. Read that mechanism slowly, because it is the whole story. The deadline moved because the instructions are late. The instructions being late does not make the work smaller. It makes it harder to start and the timeline less certain.

The politics behind the delay
The Digital Omnibus began as a Commission proposal in November 2025, aimed at simplifying and sequencing the Act's obligations. Parliamentary committees backed a postponement in March 2026, and the political agreement followed in May. The stated rationale across the official communications is consistent: key standards may not be finalised in time, and businesses need predictability and legal certainty rather than a deadline they cannot practically meet. The effect is a fixed new date that is nonetheless conditional, which is an unusual and revealing combination.
A deadline that moved once, because the instructions were late, is not a deadline you build a roadmap around. It is a deadline you build ahead of.
02 · The structural reset

AI made software cheap to build. It did not make it legal to ship.

Something has shifted in the economics of software, and most leadership teams have only half-understood it. The cost of producing code has fallen sharply, and it is still falling. That single change explains why a regulatory bar arriving at the end of 2027 is not an inconvenience layered on top of business as usual. It is the natural consequence of a world where building is easy and only trust is scarce.

The AI coding revolution is no longer a forecast. It is the working condition of most engineering organisations today. On GitHub's own measure, its assistant now writes close to half of the code in the files where developers use it, and across the profession around nine in ten developers work with AI tools day to day. These are not pilot-project figures. The tools behind them have reached genuine mass scale: the maker of Cursor passed €500M in annual recurring revenue with more than a million daily users by mid-2025, and has grown several times larger since.

The trajectory is steeper still. Gartner expects a large majority of engineers to be working with AI assistants by 2028, and projects that by 2030 AI will touch effectively all IT work, most of it human-augmented and a minority fully automated. Read plainly, that is a forecast in which writing software without AI becomes the exception.

The nuance that decides everything

Here is where most leaders stop reading, and where the interesting part begins. The headline gains are real, but they are wildly uneven, and the unevenness is not random. It tracks complexity with uncomfortable precision.

A GitHub and Microsoft lab study found developers completing simple, isolated tasks around 56% faster with AI assistance. A METR randomised controlled trial found something close to the opposite: experienced developers working on complex, real-world code took around 19% more time when using AI, not less. The pattern underneath is consistent. AI is strongest on the small, self-contained, well-specified problem and weakest, sometimes actively counterproductive, on the large, interconnected, high-stakes system.

Reported AI productivity effects by task type, from around 56% faster on simple isolated tasks to roughly 19% slower on complex real-world code.

This is the bridge to everything that follows. A high-risk system under the EU AI Act is, almost by definition, the complex kind. Credit decisions, diagnostic support, the control logic on a production line: these are interconnected, consequential, and governed by context that no autocomplete fully holds in its head. The very systems Europe has chosen to regulate are the ones where AI assistance helps least and can quietly hurt.

And when AI does write the code, it is not reliably safe. Independent testing in 2025 found a security vulnerability in roughly 45 percent of AI-generated code, around 2.74 times the rate in human-written code, and the larger, newer models were no safer. On a system the law requires to be accurate, robust and secure, that is not a productivity aid you can wave through. It is a liability you have to test out, which is exactly the work that does not get faster.

Cheap building floods the market

Step back and the competitive picture sharpens. A revenue-per-employee gap is opening between firms that have rebuilt around AI and those that have not. Traditional agencies sit at roughly €0.15M of revenue per employee. AI-native firms are reporting several million per employee, a gap of twenty to thirty times. That is not a productivity tweak. It is a different cost structure, and over time different cost structures decide who is left standing.

Revenue per employee: traditional agencies near €0.15M versus several million at AI-native firms, a gap of roughly twenty to thirty times.

The consequence is straightforward and unforgiving. When building is cheap and abundant, building alone stops being defensible. Anyone can stand up a plausible product. The flood raises the waterline on what actually counts as an advantage, and most of the old advantages are exactly the things that have just been commoditised.

So the real question for a regulated mid-market company is no longer can we build it. The question is whether what you build is allowed to operate and trusted to run. In a market drowning in cheap software, the scarce asset is a system that clears the bar: one a regulator will accept, an auditor will sign off, and an enterprise buyer will trust with their own liability.

AI made software cheap to build. It did not make it legal to ship. In Europe, from the end of 2027, the difference between those two things is the whole game.
03 · Why most AI never ships

The failure most teams have not priced in

Before the AI Act enters the picture at all, the base rate for AI in the enterprise is brutal. The numbers vary by who is counting, but the direction does not.

MIT's research found that the large majority of organisations saw no measurable return from their generative AI spend. S&P Global's enterprise survey found that 42 percent of companies had abandoned most of their AI initiatives, up from 17 percent a year earlier, and that organisations scrap, on average, 46 percent of their proofs of concept before they reach production.

Abandonment of AI initiatives, year on year. The trend is the wrong direction.

It is not the model. It is the operating model.

The failures are mostly not about accuracy or which foundation model was chosen. The recurring finding is that they are structural: data that was never governed, no clear owner, no path from a demo that works in a notebook to a system that runs every day under real load, with monitoring, retraining and accountability.

This matters enormously for what follows, because it means the AI Act is not asking you to add a new and alien kind of work. It is asking for exactly the disciplines whose absence already causes most AI to fail.

The last step is the one almost no one is sizing for.
Shipping AI to production was already the exception. From 2027, in Europe, you will have to ship it to a legal specification as well, or not ship it at all.
04 · What counts as high-risk

What counts as high-risk

The first decision you make about an AI system under the Act is not a model choice or a deployment target. It is a classification. The Act sorts AI into tiers, and the tier a system lands in decides how much engineering it must carry, how much documentation it must produce, and in the worst case whether it is legal to operate at all. Most systems are not high-risk. That is precisely why getting the classification right matters: the obligations are heavy, and they attach to a minority of systems that you have to identify deliberately.

At the top sits the unacceptable tier. These uses are prohibited outright, and they carry the heaviest penalties in the Act, up to €35M or 7 per cent of global turnover. Below the prohibited tier sit the obligations this report is built around. The high-risk tier carries real engineering duties, with non-compliance penalised up to €15M or 3 per cent. Lower still, the bulk of deployed AI is minimal or limited risk and mostly faces transparency duties. SMEs face the lower of the two figures rather than the higher.

The four tiers of the Act. Prohibited at the apex, then high-risk, then the broad base of limited and minimal-risk systems that most products fall into.

The two routes into high-risk

A system becomes high-risk by one of two routes. The first is the Annex III route: the system operates in one of eight named areas where the Act judges the stakes to society high enough to warrant the full regime. The second is the Annex I route, where the AI is a safety component of a product already regulated by EU law. Mid-market teams tend to fixate on the first route and miss the second, which is where embedded and industrial software quietly qualifies.

The eight Annex III areas are the ones to read carefully, because several of them describe software that ordinary companies build without thinking of it as regulated AI.

1Biometrics: identification, categorisation, emotion recognition
2Critical infrastructure: safety for energy, water, traffic
3Education: admission, scoring, proctoring
4Employment: hiring, evaluation, promotion, termination
5Essential services: creditworthiness, benefits, insurance pricing
6Law enforcement: risk assessment, evidence evaluation
7Migration and border control
8Justice and democratic processes

Four of these catch mid-market companies far more often than the rest. Employment is the most common trap: a model that ranks candidates or feeds a performance review is high-risk, even if a human signs the final decision. Essential services is the one regulated lenders, insurers, and fintechs run into. Biometrics sweeps in access control and call-centre analytics that were never pitched as biometric AI. Critical infrastructure catches the control logic an industrial team may not even file under machine learning.

The line that catches engineers out

Here is the distinction that derails more architecture reviews than any other. Creditworthiness scoring is explicitly high-risk. Fraud detection is explicitly carved out of that category. Two models that, from the inside, can look almost identical: both ingest transaction and identity features, both score an individual, both feed a decision with money attached. Yet they fall on opposite sides of the line.

High-risk
Creditworthiness scoring

Inherits the full weight of Articles 9 to 15.

Carved out
Fraud detection

Same feature store, opposite side of the line.

Classification is an engineering decision made on day one, not a legal afterthought. It sets your architecture and scope before the first model is trained.

This is why classification cannot be deferred to a legal review near launch. The tier a system sits in determines its architecture: whether you need a logging subsystem that retains records for the system's lifetime, whether a human-oversight interface is a hard requirement, how much of your data pipeline has to be documented. Those are decisions that shape the first sprint, not the last.

The cost of misclassifying runs in both directions. Classify too aggressively and you over-build controls the system never needed. Classify too loosely and you ship something you are not legally permitted to operate. The first error wastes engineering effort. The second can pull a live product offline. A serious classification step on day one is the cheapest insurance against either.

05 · The engineering bar

Articles 9 to 15 as a backlog

Once a system lands inside the high-risk category, the question stops being legal and starts being architectural. Articles 9 to 15 are where the EU AI Act tells you, in the language of obligations, what your system has to be able to do. This is the part no law firm writes for you, because it is not law any more. It is a backlog.

Counsel can tell you whether you are in scope. What they cannot do is turn the seven articles that follow into pull requests, test gates, data pipelines, and logging schemas. That translation is engineering work, and it is the most underestimated part of the entire compliance effort. Teams read “risk management system” and picture a document. The law means a process that runs for the life of the product.

Art
What the law requires
What you build

The useful reframing is this: each article maps to something your platform either already does well or does badly today. Open any one for the evidence an assessor will want, the pitfall that sinks most teams, and what good actually looks like.

The pattern underneath

Read the seven articles together and the central point becomes hard to miss. None of these are model problems. Nothing in Articles 9 to 15 is solved by a better architecture, a larger model, or a cleverer loss function. They are operating-model problems: how you version data, how you log decisions, how you document what you built, how you gate a release, who can stop the system. The regulation is auditing the organisation around the model.

This is also the reassuring part. The disciplines the AI Act demands are the same disciplines that make any system survive contact with production: traceable data, reproducible builds, honest documentation, real observability, tested failure modes, a human who can pull the cord. A team that already operates this way is most of the way to conformity and did not realise it.

For high-risk AI, compliance and production-readiness are very nearly the same checklist. The regulation just writes it down and makes it non-optional.
06 · Conformity and standards

Conformity, standards and who is responsible

Building a system that satisfies the engineering requirements is necessary, but it is not the whole job. Meeting Articles 9 to 15 tells you the system is sound. It does not, on its own, let you put that system on the European market. Before a high-risk system reaches a single customer, it has to pass a conformity assessment, carry a declaration of conformity and CE marking, and be registered in an EU database.

A conformity assessment is the act of demonstrating, with evidence, that the system meets the requirements. It is not a meeting or a sign-off. It is a body of documented proof: your risk management records, your data governance decisions, your logging design, your technical documentation, all assembled into a case that a competent reader could follow and believe. For many Annex III systems, that assessment is an internal self-assessment. For some routes it involves a notified body, an independent third party. The route changes the cost, the timeline and the people in the room, so it is one of the first things to establish, not the last.

The harmonised-standards gap

Harmonised standards are the bridge between the regulation's prose and an engineer's working day. The law says a system must be robust, or its data sufficiently representative; a harmonised standard translates that into something concrete and testable. Meeting the relevant standards grants a presumption of conformity. That presumption is valuable, and it is the reason everyone is watching for these standards to land.

They are late. That is not a footnote to the timeline; it is the headline. As of the end of 2025, not a single AI harmonised standard had been published in the Official Journal. The first, prEN 18286, had only reached public enquiry. The bodies meant to assess conformity are no readier: in early 2026 only around three of the twenty-seven member states had fully designated their authorities, and there had been no completed enforcement cases at all.

The trap, dressed as relief

A team hears that the standards are not finished and concludes the substantive work can wait. It cannot, and it does not need to. Governed, representative data; meaningful human oversight; logging that captures what the system did and why; documentation a stranger could follow. None of that is waiting on a standards body. Build to the substance first and a late standard becomes a reconciliation exercise. Wait for the standard and it becomes a starting gun, fired with less runway than you had today.

Waiting for the standards is the trap. The substance the standards will formalise is knowable now, so building to it first turns a late standard into a reconciliation, not a restart.

Provider versus deployer

None of this lands correctly until you know which role you are playing, because the regulation assigns obligations to roles, not to companies. The provider develops a high-risk system, or puts its name on one and places it on the market, and carries the heaviest load. The deployer uses such a system in the course of its work, and carries its own lighter but real set of duties. For a mid-market company the split is rarely clean, and the line can move under you.

Self-assessment versus notified body
Under internal self-assessment, the provider examines its own conformity, compiles the technical documentation, and draws up the declaration on its own responsibility. No outside party signs off, which makes the integrity of your evidence the only thing standing behind the claim. A notified body route inserts an accredited, independent organisation that examines the system, its documentation, and in some cases the provider's underlying processes. It is slower and more involved. The practical point is the same either way: the documentation has to be real, complete and defensible.

Conformity does not end at launch

A high-risk system carries post-market monitoring obligations and serious-incident reporting duties. Conformity is a continuous state, not a stamp you collect once. The logging you designed in is what makes monitoring tractable. The risk management process you stood up is what turns an incident into a documented change rather than a scramble. The companies that will build AI Europe does not ban are the ones that design for the day after launch, not just the day of it.

07 · Two roadmaps

Six quarters, one deadline

Follow two mid-market companies from mid-2026 to the end of 2027. Both build a high-risk system. One reads the delay as time bought. One reads it as time to build. The systems are the same on day one. They are not the same by December 2027.

The Builders
The Reprieve Trap

The gap between the two lines was never about talent or budget. It was about when the work started, and whether the team understood that the work was the same work they should have been doing to ship at all.

08 · Four industries

Where the rules bite hardest

Four sectors carry most of the weight of the high-risk regime, because the systems in question touch money, health, physical safety and a person's livelihood. They are also the areas where Digital Colliers has put production systems into the field. The fourth is the one that catches companies who would never describe themselves as an AI business.

Financial servicesAnnex IIIDecember 2027

Creditworthiness scoring

The Act draws a line through the middle of a typical financial-services stack. Systems that assess creditworthiness for natural persons are high-risk under Annex III. Fraud detection is carved out. Both frequently share the same feature store and model-serving layer, so clean classification is an engineering problem before it is a legal one: credit-scoring components clearly bounded, independently logged and governed, while fraud services sit on the other side of a documented wall.

The heavier obligations land on data governance and human oversight, because a credit model shapes whether someone gets a mortgage, a loan, a second chance. These are not bolt-on controls. They are constraints on how the system is built from the first commit.

99.9%
uptime
65%
better fraud detection
70%
fewer false positives

A European payments platform built and run by Digital Colliers.

HealthcareAnnex IAugust 2028

Clinical decision support

Where an AI system functions as a safety component of a regulated medical device, it falls under the Annex I product-safety route, with obligations applying from August 2028. The later date reads like breathing room. It is not. Clinical validation and documentation cycles are the longest of any sector here, and they cannot be compressed by adding engineers at the end.

In this setting, documentation and record-keeping stop being a compliance overhead and become an instrument of patient safety. A system that cannot explain why it surfaced a recommendation is not merely non-compliant, it is unsafe to deploy near a patient. Done well, the same rigour that satisfies a regulator tends to produce a better product.

40%
less administrative load
35%
shorter patient wait times

A digital healthcare platform delivered by Digital Colliers.

ManufacturingAnnex IAugust 2028

AI as a machinery safety component

On the factory floor, an AI model that acts as a safety component of machinery enters scope through the Annex I product route, again from August 2028. Here the abstract obligations acquire a physical edge. Accuracy and robustness are no longer dashboard metrics, they are the difference between a machine that stops when it should and one that does not.

Logging takes on a parallel weight: the trace that lets an investigator reconstruct what the system saw, inferred and commanded in the seconds before something went wrong. The commercial case and the safety case point the same way. The robustness work that keeps a line from failing is the same work that keeps it running.

~€2M
annual savings
32%
less downtime
18%
gain in OEE

A manufacturing engagement delivered by Digital Colliers.

Employment & HRAnnex IIIDecember 2027

Hiring and evaluation

This is the card to read twice, because it catches companies who do not think of themselves as AI businesses at all. Under Annex III, AI used in employment is high-risk: anything that screens CVs, ranks or filters candidates, or supports decisions about promotion, task allocation or termination. You can manufacture industrial components or sell financial software and still be in scope, not because of what you build, but because of how you hire and manage people.

Almost every mid-market company has one of these somewhere. It is rarely built in-house. It arrives bundled inside an applicant-tracking system or an HR-suite module, switched on by a team that never thought of it as artificial intelligence. The vendor may be the provider, but the deployer carries real obligations of its own, around human oversight, monitoring and the rights of the people it assesses.

The honest first step is unglamorous: inventory every place AI touches a hiring, evaluation or workforce decision, including the tools nobody calls AI. You may be in scope even if your product has nothing to do with AI, and the time to find out is now, not when the obligations are already live.

09 · The price of waiting

What non-compliance actually costs

The penalties under the AI Act are tiered, and they are set as the higher of a fixed sum or a percentage of global annual turnover, which is what makes them a board-level number rather than a line item.

Maximum fines by breach, the higher of the sum or the percentage of global turnover. SMEs face the lower of the two.

For high-risk non-compliance specifically, the ceiling is €15 million or 3 percent of global annual turnover. But the fine is rarely the whole cost. The deeper exposure is market access: a high-risk system that is not conformant cannot legally be placed on or kept on the European market. For a company whose product depends on that system, the real penalty is the revenue that stops, not the fine that arrives.

And there is the cost the scenario already showed. A team that starts late pays for a rushed retrofit, for the features it has to freeze while it does the remediation, and for the reputational damage of pulling or pausing a product. That is how a compliance failure becomes one of the multi-million-euro write-offs that the failure data counts.

The fine is the smallest part of the bill. The expensive part is the revenue that stops when a system can no longer legally operate.
10 · The 2027-ready team

What a 2027-ready team looks like

Here is the conclusion the whole of this report has been building toward. For high-risk AI, the work to comply and the work to ship are the same work. Classification, data governance, human oversight, logging, documentation and post-market monitoring are not a regulatory tax bolted onto a finished system. They are the system. A team that builds them in by default produces software that is both shippable and defensible.

So before talking about maturity ladders or market forces, here is the operating test. A team is ready for the high-risk regime when it can answer yes to all of the following, for systems it has already built.

It classified the system honestly and early, before a line of model code was written, and can show why it landed inside or outside Annex III.

It started with the data, not the model, and can describe the provenance, governance and known limitations of every dataset.

It designed human oversight, logging and documentation into the architecture from the first sprint, rather than discovering after launch that the system cannot be paused, queried or explained.

It did not wait for the harmonised standards to be final before building to the obligations already legible in the text.

It kept one team across design and operation, so the people who made the consequential decisions are still present to defend them.

Every item on that list is an operating-model property, not a deliverable. You cannot buy any of them in the final quarter before a deadline. They are either how the team works or they are absent.

A maturity ladder, reframed for compliance

It helps to place teams on a ladder. The industry has converged on a roughly seven-level model in which the value an organisation extracts rises from around 1x at basic, ad hoc use to around 20x at autonomous, governed operations, with the curve accelerating sharply from about level four upward. Read through a compliance lens, the high-risk regime effectively prices the bottom of the ladder out of the regulated verticals. The defensible position is high: governed, observable and repeatable. The accelerating value curve and the compliance curve point the same way.

Adapted AI maturity ladder: realised value rises from roughly 1x at ad hoc use to around 20x at governed, autonomous operations. The same discipline that lifts value also produces the audit trail the high-risk rules require.

The market and the talent reality

None of this is happening in a quiet market. The market for AI consulting and services is projected to grow from roughly €16B in 2024 toward more than €250B by 2033, at around a 36% compound annual rate on the most bullish estimates. Around 88% of organisations already use AI regularly in at least one function, yet only about 39% report any measurable impact on profit, so the question for most boards is no longer whether to use AI but whether they can govern and capture value from what they already run.

The AI consulting and services market is projected to grow from roughly €16B in 2024 toward more than €250B by 2033, at around a 36% compound annual rate. Demand is abundant; the scarce input is engineers who can ship regulated-grade systems.

The scarce skill is not the one most of the market is chasing. It is not prompting, not building a clever demo, not standing up a model behind an API. The scarce skill is shipping governed systems that survive both an audit and a production incident: systems with provenance you can trace, oversight that actually works, logs that reconstruct what happened, and documentation written by the people who made the decisions.

When building software is cheap, the scarce thing is a team that can ship something allowed to operate and trusted to run.

Build or buy

That leaves a genuine decision. Building this capability in-house is possible, and for some organisations it is right. But it is slow, it competes for exactly the engineers the whole market has just decided are the only ones worth hiring, and it asks a team to learn the governed-delivery discipline on the same systems a regulator may later examine. That is an expensive place to learn.

The evidence leans the same way. The same 2025 research that found most AI delivers no measurable return also found that AI capabilities bought from or built with a partner succeeded roughly twice as often as those built purely in-house. Partnering is not the timid option on this kind of work. It is the one with the better track record, on one condition: that the partner already ships and operates regulated-grade systems, with the same team across design and operation.

This is the model Digital Colliers builds inside. We ship and operate AI systems with one team across design and operation, in financial services, healthcare and manufacturing, the same verticals the high-risk rules govern most closely. The discipline this report describes is not a checklist we hand over at the end; it is how the systems are built, so that the evidence a conformity assessment needs already exists by the time anyone asks for it.

Teams that have worked with Digital Colliers
Ricoh T-Systems Checkout.com Agicap Lemlist
11 · An 18-month sequence

What to do, in order, starting now

The order matters more than the speed. Most teams that fail do the easy parts first and leave the long poles until there is no time. This is the sequence the Builders followed.

Now

Classify everything

Map every AI system to Annex III and the product rules. Decide what is in scope before you decide anything else. This is days of work and it changes every estimate that follows.

Months 1 to 6

Fix the data

Lineage, versioning, representativeness and bias analysis for every high-risk system. Start here because it takes the longest and everything else assumes it.

Months 4 to 10

Design oversight and logging in

While the system is still malleable, build human oversight, intervention points and tamper-evident logging into the architecture, not on top of it.

Months 8 to 14

Automate documentation and testing

Generate technical documentation from the pipeline. Run accuracy, robustness and security tests as release gates so conformity is continuous, not a one-off.

Months 12 to 18

Close against the standards

As the harmonised standards land, reconcile your evidence against them. If you started with the substance, this is an adjustment. If you waited, this is where you discover you are out of time.

You cannot compress the data work into the final quarter. Everything that can be done late, can wait. Data cannot, which is exactly why it goes first.
12 · Your readiness

Where do your systems land?

The hardest part of the AI Act is not the reading. It is the honest answer to two questions: which of our systems are high-risk, and how far is each one from the Article 9 to 15 bar today. That is the conversation worth having before December 2027 turns from a date into a problem.

Talk to the team that ships regulated AI

Digital Colliers builds and runs regulated-grade AI systems in financial services, healthcare and manufacturing.

Method and sources

How this was put together

This report is an engineering perspective on the EU AI Act, written for technology and operations leaders, not legal advice. Legal claims were checked against official EU sources in June 2026. Macro statistics on AI adoption, productivity and the software market are drawn from third-party research. Digital Colliers project outcomes are presented anonymously and are project metrics, not industry benchmarks. Some monetary figures originally reported in US dollars are shown in euros for consistency.

    Free report

    Get the PDF

    The full report as a PDF. Leave your email and it is yours.

    We will email you about it. No spam.