Calmworks
Design Blueprint | 8 min read

Beyond the Countdown: An Operational Playbook for the EU AI Act

Legal teams have read the Act. Engineering teams have seen the risk register. The gap between them is where organisations are going to miss August 2026.

EUR 35M: maximum penalty, or 7% of global turnover, whichever is higher
Tarek Fahmy

Why another AI Act piece

There is no shortage of legal analysis of the EU AI Act. There is a very real shortage of practical, operational guidance that an engineering manager can read on a Monday and use to run a Tuesday standup. This piece is the second kind. It is the playbook we use with clients who have accepted that August 2026 is close and want to stop reading and start shipping.

If you have not yet read the companion piece, The EU AI Act Countdown, that covers the timeline and the politics. This piece covers the work.

The Act actually asks for five capabilities. That's it.

All the anxiety in the market compresses down to five operational requirements for any high-risk AI system. Memorise these, because the rest of the Act is either definitions, carve-outs, or procedural notes.

Figure: Share of effort across six regulated-industry programmes Calmworks has run or advised on through 2025 and 2026.

1. Risk management. A continuous process, not a one-off assessment. Risks are identified, quantified, mitigated, and re-tested on a schedule. Your risk register is a living artefact, not a document.

2. Data governance. Your training, validation, and test data meet quality standards you can articulate. You can show where the data came from, how it was processed, and how bias was tested for.

3. Technical documentation. A complete record of system design, development, and performance. Annex IV of the Act lists exactly what this covers. It is long. It is also a set of things your engineering team already has in pieces across Notion, Confluence, and Slack.

4. Record keeping. Automatic logging of system operations for traceability. Inputs, outputs, confidence scores, human interventions, model versions, all retained for the duration of the system's life plus a regulator-defined period.

5. Human oversight. Meaningful human control over the system's outputs. Not a rubber-stamp dashboard. An interface that lets a trained operator understand what the AI did, why, and override it without friction.

Everything in the AI Act that matters reduces to these five capabilities. Every plan you see that claims to be "AI Act compliance" is some combination of these. If your plan is missing one, it is not a plan.

The timeline nobody wants to put on paper

Enforcement under the Act begins in August 2026. That is sixteen weeks of real working time away from when this piece publishes. Here is the timeline we give clients who are starting now.

Four weeks for inventory. Two weeks for risk classification. Two weeks for the gap assessment and getting it in front of the board so you have the mandate to spend. Eight weeks of engineering work on the parts that need to be built. Then you are live.

If you are starting now, this is achievable. If you start in July, it is not.

The capability most programmes underestimate

Across the programmes we have advised, the single most underestimated capability is human oversight interface design. Most organisations interpret "human oversight" as "there is a person responsible for the AI." That is not what the Act asks. It asks for an interface that meaningfully allows that person to supervise the system's outputs.

"Meaningful" is doing a lot of work in that sentence. A meaningful oversight interface shows the operator:

  • What input the AI received
  • What output it produced
  • What confidence it had
  • What alternative outputs it considered
  • What the operator's override options are, with their consequences

None of that exists by default. All of it has to be designed, and the design is not generic. Each high-risk system needs its own oversight surface, tuned to the role of the person using it. A credit officer's override interface does not look like a radiologist's override interface.

What compliance actually costs, by company size

We have reasonably good cost data at this point from programmes we have run or costed in detail. The numbers are rough ranges, not quotes, but they calibrate expectations.

Figure: Typical AI Act compliance cost, mid-market company, one-time programme. Large enterprise roughly doubles; structured low-risk mid-market roughly halves.

Those numbers roughly double for large enterprises (EUR 800K to 1.6M) and roughly halve for well-structured mid-market companies in low-risk sectors (EUR 200-400K). They are highly sensitive to how much existing documentation and governance you can salvage, and how many high-risk systems you actually have once you count them.

The cost of not doing the programme is not in the spreadsheet, because the cost of not doing it is regulatory penalty exposure plus reputational damage plus the cost of suspending systems in-flight. That number is larger than the programme cost by at least an order of magnitude.

EUR 600K: typical mid-market programme cost through compliance readiness

The six-gate decision pattern

The single biggest operational lever we give clients is a standard decision path from "we want to deploy a new AI system" to "it is live in production, with AI Act compliance baked in." It has six gates. Each gate has an owner and a maximum SLA.

| Gate | Owner | Purpose | Max SLA |
|---|---|---|---|
| 1. Intent registered | Product | System described, business owner named, risk class hypothesised | 1 day |
| 2. Risk classified | Risk + Legal | Confirmed Annex III status, high-risk or not | 5 days |
| 3. Data cleared | Data Governance | Data provenance, quality, bias testing signed off | 10 days |
| 4. Oversight designed | Design + Engineering | Operator interface specified, approved by the role that will use it | 10 days |
| 5. Documentation complete | Engineering | Annex IV artefacts present and versioned | 5 days |
| 6. Go-live approved | Steering board | All gates green, go-live scheduled | 5 days |

Total elapsed: 36 working days for a net new high-risk system, assuming no surprises. That is ambitious. It is also the only pace that lets a typical enterprise ship more than a handful of new AI systems per year.

If your decision path for new AI systems does not fit on one page, with names and SLAs, you do not yet have an AI Act compliance operation. You have an AI Act compliance aspiration.

What to do in the next forty-five days

Because sixteen weeks is not unlimited, here is the concrete sequence for someone starting now.

Weeks 1 and 2: Run an inventory. Use a spreadsheet. Do not buy a platform for this. List every AI system, internal or vendor, including ones embedded in SaaS products you already pay for. Most organisations find two to three times more systems than they expected.

Weeks 3 and 4: Classify each system against Annex III. Most will be low-risk. The handful that are high-risk are where all your effort goes.

Week 5: Gap assessment. For each high-risk system, identify which of the five capabilities is missing or partial. Write it down. Put it in front of the board. Get the mandate to spend.

Week 6 onward: Execute in parallel tracks. One team on documentation, one on oversight interfaces, one on logging, one on data governance. Standard delivery discipline. Weekly demos. Ruthless cuts on scope.

The organisations that will miss August 2026 are not the ones with unusual AI systems. They are the ones that will still be in week one in late June.

The Act does not require heroics. It requires ordinary delivery discipline applied to five named capabilities, on a sixteen-week clock. Organisations that ship software already know how to do this. The failure mode is treating compliance as different from product work.

Sources: European Commission, AI Act, Official Journal (2024); EU AI Office Guidance (2025); OECD AI Policy Observatory (2025); Calmworks client programmes, anonymised (2024-2026).

If you want the checklist version of this playbook, it comes with our diagnostic. One page, six gates, the five capabilities, and a readiness score. Book thirty minutes and we will walk you through it with your current state.

Tarek Fahmy

Strategy & Client Success
