Most Spanish mid-sized businesses have already received a proposal for an “EU AI Act audit” from some consultancy. The 80-page document arrives, gets filed away, and the company remains unchanged.
The EU AI Act is not GDPR. It won’t wait three years while you organize a workshop.
Regulation (EU) 2024/1689 came into force on August 1, 2024. The deadlines are staggered. Some have already passed. Others arrive in August and October 2026. If your company uses AI systems in HR processes, credit scoring, insurance classification, public service prioritization, or any automated interaction with employees or customers — there’s something you need to do this quarter.
This post is not a summary of the Regulation. It’s a list of five concrete actions that a Spanish mid-sized business CEO can execute before October without hiring an army of consultants.
Context: What deadlines matter in 2026
The EU AI Act calendar for 2026 has three critical dates:
- February 2026: prohibition of unacceptable risk AI practices (Article 5). This includes social scoring systems, subliminal manipulation, and exploitation of vulnerabilities. If any of this is running in your company, it should already be stopped.
- August 2026: application of obligations for general-purpose AI (GPAI) systems with systemic impact. This mainly affects large model providers but also companies that integrate them into their own products.
- August 2026 also: national supervisory bodies (in Spain, the AESIA — Agencia Española de Supervisión de Inteligencia Artificial) must be operational. The first formal inspections can start in autumn.
The August 2026 deadline for high-risk systems (Article 6 and Annex III) is the one most likely to affect mid-sized businesses: employee evaluation, candidate scoring, credit granting systems, insurance management, and critical infrastructure all fall under it.
Action 1: Inventory of AI systems with risk classification
Article 6 of the Regulation defines high-risk systems. The list is concrete. Some examples directly relevant to Spanish mid-sized businesses:
- Software for personnel selection or candidate evaluation (Annex III, point 4a)
- Employee performance management and evaluation systems (point 4b)
- Creditworthiness scoring or credit risk assessment of natural persons (point 5b)
- Systems that determine access to services or prioritize requests (point 5c)
If you use Workday, SAP SuccessFactors, HireVue, Factorial, or any tool with evaluation or scoring algorithms — you need to know if that system falls within the high-risk definition.
The practical action: create a spreadsheet with all software systems that make or influence decisions about people (employees, candidates, customers, suppliers). For each one, answer: does it use an AI or ML model? What decision does it influence? About whom? How frequently?
You don’t need a consultant to do this. You need two hours with your CTO or IT manager and access to software contracts.
Action 2: Decision Rights Map for human oversight
Article 22 establishes the right for significant decisions about people not to be made exclusively by automated systems, with the possibility of human review.
Article 14 goes further: for high-risk systems, it mandates effective human supervision. Not performative supervision. Supervision that can intervene, correct, and override the system’s decision.
The problem in most mid-sized businesses: nobody knows exactly which decisions a system makes and which a human makes based on the system’s recommendation. These are different questions with different answers.
The practical action: for each system identified in the previous step, document who has authority to override the system’s recommendation, in what timeframe, with what process. If the answer is “nobody knows” or “there’s no process,” that’s a concrete compliance gap.
A Decision Rights Map for AI is not an organizational chart. It’s a list of decisions, with their associated AI system, their human responsible owner, and the override process. It can be a 20-row table. It doesn’t need to be a methodological framework.
Action 3: Log and audit trail by AI system output
Article 12 requires high-risk systems to have automated log recording capabilities sufficient to audit their functioning. Article 13 demands transparency: accessible technical documentation.
For mid-sized businesses, the practical interpretation is this: if an AI system makes or influences a decision about a person, there must be a record of what input the system received, what output it produced, when, and what human decision followed.
This is not just legal protection. It’s operationally useful. If a rejected candidate asks why, or if an employee disputes an evaluation, the company needs to be able to reconstruct the process.
The practical action: review your contracts with software providers. Ask explicitly: does the system generate auditable logs of its outputs with timestamps? Who has access? For how long are they retained? If the provider can’t answer these questions, that’s a risk you need to document.
For internal or custom-developed systems, the obligation falls directly on your company as the deployer.
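Actions 2 and 3 together describe what a deployer's own record should contain: the input, the output, when, which human decision followed, and who had authority to override. The following Python is an added example, not code from the original post or from any vendor mentioned in it; the system name, the role names, the decision name and the subjects are constructed samples. It keeps a hash-chained log of each AI-influenced decision, refuses an override from anyone not named in the Decision Rights Map, and can reconstruct the full trail for one person.

```python
import hashlib
import json
from datetime import datetime, timezone

# Constructed Decision Rights Map (Action 2): decision -> AI system and the
# human role with authority to override the system's recommendation.
DECISION_RIGHTS = {
    "candidate_shortlist": {"system": "hr-screening-model",
                            "override_owner": "head_of_talent"},
}

class DecisionLog:
    # Append-only, hash-chained record of every AI-influenced decision (Action 3).
    def __init__(self):
        self.entries = []

    def record(self, decision, subject_id, model_input, model_output,
               human_decision, reviewer, ts=None):
        rights = DECISION_RIGHTS[decision]  # unmapped decision -> KeyError, by design
        overridden = human_decision != model_output
        if overridden and reviewer != rights["override_owner"]:
            raise PermissionError(f"{reviewer} may not override {decision}")
        entry = {
            "ts": ts or datetime.now(timezone.utc).isoformat(),
            "decision": decision, "system": rights["system"],
            "subject_id": subject_id, "model_input": model_input,
            "model_output": model_output, "human_decision": human_decision,
            "reviewer": reviewer, "overridden": overridden,
            "prev_hash": self.entries[-1]["hash"] if self.entries else "0" * 64,
        }
        # Hash the canonical JSON of the entry (minus its own hash) so a later
        # edit to any field, or a removed entry, breaks the chain.
        entry["hash"] = self._digest(entry)
        self.entries.append(entry)
        return entry

    @staticmethod
    def _digest(body):
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def verify_chain(self):
        prev = "0" * 64
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "hash"}
            if body["prev_hash"] != prev or self._digest(body) != e["hash"]:
                return False
            prev = e["hash"]
        return True

    def reconstruct(self, subject_id):
        # Everything the company can show a person who asks why.
        return [e for e in self.entries if e["subject_id"] == subject_id]
```

In practice the entries would be written to storage the model's operators cannot rewrite, with the last hash published or escrowed periodically; the `prev_hash` link is what makes a silently edited or deleted entry detectable.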
Action 4: Updated DPIA with AI Act and GDPR interaction
This is what most mid-sized businesses ignore because it requires understanding how two different regulations interact.
The EU AI Act doesn’t replace GDPR. They coexist. When an AI system processes personal data — and almost all do — both AI Act and GDPR obligations apply simultaneously.
Recital 10 of the Regulation makes it explicit that AI Act and GDPR are complementary. The Data Protection Impact Assessment (DPIA/EIPD) your company did in 2018-2019 for GDPR probably doesn’t consider current AI systems, doesn’t document the risk of algorithmic bias, and doesn’t include the specific rights under the AI Act.
The practical action: take the list of AI systems from step one and verify if each has a current DPIA that explicitly mentions AI use, bias risk, and human supervision mechanisms. If it doesn’t exist, or if the existing one is over two years old and doesn’t mention AI — update it.
This isn’t a one-morning task, but it’s a task your DPO or legal advisor can manage in weeks, not months, if they have the list of systems from step one.
Action 5: Vendor clauses in AI software contracts
This action is the most ignored and potentially the most important.
The EU AI Act distributes responsibilities between AI system providers and deployers. When you buy a high-risk system, there are obligations that fall on the provider — but there are others that fall on you as the deploying company.
Article 16 lists the provider’s obligations. Article 25 applies some of those obligations to the deployer when the provider isn’t established in the EU or when the system is substantially modified.
The practical action: for each software contract with a potential high-risk AI system, verify that it includes:
- Explicit declaration of whether the system is classified as high-risk under the Regulation
- Provider’s commitment to maintain accessible technical documentation (Article 11)
- Notification procedure if the system changes in a way that alters its risk classification
- Data sovereignty clause: where data is processed, under what jurisdiction, with what guarantees for European citizens’ data
- Access to sufficient audit logs to comply with deployer obligations
If your current contract doesn’t have these clauses, the next renewal cycle is the time to negotiate them. If the provider won’t agree to include them, that’s relevant information for the decision to renew or not.
What doesn’t protect you
A PDF of an “AI use policy” posted on the intranet isn’t compliance.
An awareness workshop about the AI Act isn’t compliance.
An 80-page audit report that describes risks but doesn’t change any process isn’t compliance.
Real compliance is: knowing what AI systems your company has, classifying them, documenting who supervises their outputs, ensuring that provider contracts cover your obligations as a deployer, and maintaining auditable logs.
These are five actions. None require an 18-month transformation program. They require time, will, and clarity about what system does what.
Next action
Start with the inventory. A spreadsheet with all software systems that use AI or ML, the decision they influence, and about whom. Two hours with your CTO. Without that, everything else is theoretical.
If you need a risk classification framework in Spanish aligned with Annex III of the Regulation, or want to review whether your software contracts cover your obligations as a deployer, request a diagnostic.
Translated from the Spanish original with AI assistance and reviewed for accuracy. Read the original in Spanish.