Innopulse Consulting
03 · Compliance

EU AI Act & Compliance Advisory

Prepare your organisation for the August 2026 enforcement window.

Practical AI Act readiness — classification, documentation, Article 4 AI literacy programs, and post-enforcement compliance operations. Plus full GDPR and Swiss FADP alignment.

The EU AI Act is the world’s first comprehensive regulation of artificial intelligence, and its central obligations take effect from August 2026. Most DACH companies are unprepared — not out of negligence, but because the requirements sit awkwardly between law, engineering, and operations. Our AI Act consulting works in exactly that overlap: we classify your AI systems, produce the required documentation, train your teams under Article 4, and build the governance process you will run after the audit.

The AI Act has been in force since August 2024 and is enforced in stages. Prohibited practices are already banned, the obligations for general-purpose AI have applied since August 2025, and the extensive requirements for high-risk systems are enforced from August 2026. The fines are substantial — up to 35 million euros or seven percent of global annual turnover for the most serious breaches. This is not a topic to push to the last minute, especially as classification and documentation can take months.

Swiss companies are affected too, often indirectly. Anyone offering AI systems in the EU market, whose output is used in the EU, or who is embedded as a supplier in EU value chains falls under the AI Act — regardless of company location. Switzerland is a third country, but market access effectively binds many Swiss SMEs in. Ignoring this risks not only fines but the loss of EU customers who require compliance from their suppliers.

The AI Act works with a risk-based approach and four tiers: prohibited practices, high-risk systems, limited-risk systems (transparency obligations), and minimal risk. The obligations differ dramatically by tier — a high-risk system under Annex III needs technical documentation, risk management, data governance, human oversight, and a conformity assessment, while a minimal-risk system is practically unrestricted. Correct classification is therefore the decisive first step: it determines what you have to do at all.

This classification is not trivial. Many systems do not obviously fall into one category, and the Annex III list of high-risk use cases — from recruiting through creditworthiness to critical infrastructure — requires a close examination of the specific use. We carry out this classification in a structured way and document the reasoning so that it holds up to an audit.

One of the first tangible obligations is Article 4: providers and deployers of AI systems must ensure their staff have sufficient AI literacy. This is not a formality but requires a documented training programme tailored to the roles in the company — developers need different knowledge than management or the staff who operate AI systems day to day. We build this programme and document its delivery, so the obligation is demonstrably met.

The difference between our consulting and a classic compliance opinion lies in the deliverable. An opinion describes the state at a point in time and ages out as soon as the system changes. We deliver operational infrastructure: the technical documentation for high-risk systems, the workflows for human oversight, the processes for ongoing risk management, and the dashboards with which you maintain compliance after the audit. Compliance is not a project with an end date but an operating state.

Here our dual role pays off: with AI Risk Check we operate our own SaaS product that automates exactly this classification and documentation. We therefore know the requirements not only from the regulation but from the daily operation of a compliance tool. This experience flows directly into the consulting.

The AI Act does not stand alone. As soon as an AI system processes personal data — which is almost always the case — the GDPR applies in parallel, and in Switzerland the revFADP. Both regimes interlock: the AI Act’s data-governance obligations overlap with the GDPR principles, automated decisions touch GDPR Article 22, and the documentation duties complement each other. We treat the AI Act and data protection as one connected compliance field, not as two separate projects.

The AI Act’s fines are the most visible but not the only consequence of non-compliance. Up to 35 million euros or seven percent of global annual turnover are on the table for the most serious breaches — a figure even large companies must take seriously. Alongside this is market risk: EU customers increasingly require compliance evidence from their suppliers, and an unclassified or undocumented AI system becomes an exclusion criterion in tenders. Third is the reputational risk, harder to quantify but real in B2B. Compliance is therefore not only obligation but market access.

If a system falls into the high-risk category under Annex III — for instance in recruiting, creditworthiness, critical infrastructure, or education — an extensive set of obligations arises. It needs a risk-management system across the whole lifecycle, data governance that checks training and input data for quality and bias, technical documentation under Annex IV, logging of system activity, transparent information for deployers, human oversight, and a degree of accuracy, robustness, and cybersecurity. That sounds like a lot, and it is — but worked through in a structured way it is manageable. We guide you through each of these points and prioritise by deadline and risk, so the most urgent comes first.

There is a widespread temptation to push compliance topics to just before the deadline. With the AI Act that is risky, because the preparatory steps take time: a complete AI inventory, correct classification, building the documentation, and training the teams are tasks of months, not weeks. Anyone who only begins in 2026, when enforcement bites, is too late. The cheap moment is now, while there is still room to work through the steps in an orderly way and without time pressure. Early compliance is also cheaper than late compliance, because it fits into the normal development rhythm rather than displacing everything else as an emergency project.

The August 2026 enforcement is drawing closer, and classifying your systems takes time. The cheapest first step is a conversation about your specific use of AI and the question of which obligations follow from it. Write to info@innopulse.io — in a first conversation we give you clarity on what you need to do.

Approach

How an engagement works

01

AI inventory & classification

We capture all deployed and planned AI systems and classify them by the AI Act’s risk tiers — prohibited, high-risk, limited, minimal.

02

Gap analysis

We compare the current state with the obligations arising from the classification and prioritise the gaps by risk and deadline.

03

Documentation & training

We produce the technical documentation for high-risk systems and build the Article 4 training programme for your teams.

04

Governance & operation

We implement the ongoing compliance process — workflows, responsibilities, documentation — that you run after the audit.

FAQ

Frequently asked questions about EU AI Act & Compliance Advisory

When does the EU AI Act apply?

The AI Act has been in force since August 2024 and is enforced in stages. The prohibitions already apply, the GPAI obligations since August 2025, and the central obligations for high-risk systems take effect from August 2026. Anyone using AI commercially should classify now.

Does the EU AI Act also affect Swiss companies?

Yes, often indirectly. Anyone who offers AI products or services in the EU market, or whose output is used in the EU, falls under the AI Act — regardless of location. Many Swiss SMEs are affected through market access.

What is the Article 4 obligation?

Article 4 requires providers and deployers to ensure sufficient AI literacy of their staff. That means a documented training programme — one of the first tangible obligations we implement for clients.

Do you only deliver an opinion or also the implementation?

Both, but the focus is on implementation. A compliance opinion that is outdated after three months helps no one. We build the workflows, documentation, and dashboards with which you maintain compliance operationally.

EU AI Act & Compliance Advisory at Innopulse

A short conversation clarifies more than a long proposal. The first 30 minutes cost nothing.