Eight weeks to 2 August 2026
Your portfolio will be asked where it stands.
The EU AI Act applies from 2 August 2026. The Article 5 prohibitions and the general-purpose AI rules are already in force. LPs, acquirers, customers, regulators and cyber insurers are not waiting for the later dates to start asking.
The Act is already live. The next date is the one your portfolio is being measured against.
Article 5 prohibitions live. Banned AI practices already apply.
General-purpose AI model rules apply to providers.
The Act applies broadly, including transparency obligations.
Eight weeks awayHigh-risk obligation dates, moved under the Omnibus.
The high-risk obligation dates have moved to 2 December 2027 and 2 August 2028 under the Omnibus. That extension applies to the obligations, not to the questions. LPs, acquirers, customers, regulators and cyber insurers are asking now.
Three things have to be settled first
Before any portfolio company can answer those questions, three things have to be settled. Get them right and the rest of the compliance programme has a foundation.
Scoping the estate
What in the AI estate is in scope of the Act, and what sits outside it entirely.
Placing the company in the value chain
Whether the company sits as provider, deployer, importer or distributor, and whether any contractual arrangement or substantial modification flips that role.
Classifying the uses
Which AI uses and procured tools fall into the high-risk category, which are transparency only, and which sit outside the regime.
The rest of the compliance programme has a foundation. Obligations land on the correct entity, in the correct way.
The obligations land on the wrong entity, in the wrong way, often through a supplier contract no one read with the Act in mind.
Attercop runs the scoping
We map the AI estate against the Act, work the value-chain and contractual position company by company, classify the uses against Annex I and Annex III, and hand you the position paper you need to put in front of investors, customers, auditors and your board.
Start before the next due diligence questionnaire arrives →EU Data Act: Implications for AI
Most internal AI use sits outside it. Where it does apply, the design choices are made now.
The Data Act is not an AI law, but it reaches AI through the data that feeds it, the providers that host it and the tools that automate it. Three questions decide whether it applies to a given AI build:
Does the AI train on or otherwise use data from connected products? IoT devices, vehicles, industrial machinery, health and agricultural equipment all produce data caught by the Act. That changes who can use it, what can be built with it and which providers can receive it.
Is the AI offered to EU clients as a product or service, rather than used internally to deliver your own work? Moving from user to provider engages obligations on switching, portability and egress, and reshapes the commercial position with EU customers.
Are automated data-sharing tools or smart contracts being built for others? Internal-only tools sit outside. Anything productised for others carries a conformity obligation.
Where the Act applies, the decisions are architectural and made during design, not retrofitted afterwards. Attercop scopes the exposure and supports proportionate governance where it bites.
Scope the exposure →Start before the next due diligence questionnaire arrives
We scope your portfolio against the EU AI Act and the EU Data Act, and hand you the position you need for investors, customers, auditors and your board.
Book a scoping conversation →