TL;DR

With less than four months until the EU AI Act’s high-risk system compliance deadline on August 2, 2026, 78% of enterprises have taken no meaningful compliance steps. The appliedAI study reveals a critical blind spot: 40% of AI systems cannot be clearly classified as high-risk or low-risk, creating regulatory uncertainty that most compliance guides ignore. While ISO 42001 and NIST AI RMF provide 60-70% of the governance foundation, they leave 30-40% of EU-specific regulatory obligations unfilled—a gap that determines market access.

Executive Summary

The European Union’s AI Act represents the world’s first comprehensive binding regulation for artificial intelligence systems. Unlike policy guidelines or voluntary frameworks, it carries enforcement mechanisms including fines up to EUR 35 million or 7% of global annual revenue for prohibited AI practices. The regulation enters its critical enforcement phase on August 2, 2026, when all high-risk AI systems must complete conformity assessments, technical documentation, CE marking, and EU database registration.

This analysis examines enterprise readiness across eight industries and uncovers three findings that existing compliance guides overlook:

First, the Vision Compliance 2026 report documents that 78% of organizations across financial services, healthcare, technology, manufacturing, energy, retail, telecommunications, and transportation have taken no substantive compliance actions. Only 22% have begun formal planning, with the financial sector showing marginally higher activity due to regulatory overlap with existing banking supervision frameworks.

Second, the appliedAI study of 106 enterprise AI systems found that 40% cannot be definitively classified into risk categories. This uncertainty stems from ambiguous boundary definitions in Annex III, particularly around “critical infrastructure” and “employment” use cases. Organizations deploying AI for recruitment, performance evaluation, or loan origination face the highest classification ambiguity.

Third, while ISO/IEC 42001 and NIST AI RMF provide 60-70% overlap with EU AI Act governance requirements, they leave 30-40% of EU-specific obligations unaddressed—including conformity assessment procedures, CE marking requirements, EU database registration, and fundamental rights impact assessments. Organizations relying solely on international standards risk missing market access requirements.

The stakes extend beyond fines. From August 2026, high-risk AI systems without CE marking and EU database registration cannot legally enter the European market. This analysis provides enterprise decision-makers with a compliance strategy framework that addresses these overlooked gaps.

Background & Context

The Regulatory Timeline

The EU AI Act entered force on August 1, 2024, following its publication in the Official Journal of the European Union on July 12, 2024. The regulation implements a phased enforcement schedule:

Date	Milestone	Significance
February 2, 2024	Prohibited practices生效	Social scoring, manipulative AI, real-time biometric identification in public spaces (with exceptions) prohibited
August 1, 2024	Act enters force	Regulatory framework officially activated
February 2, 2025	AI literacy obligations	Organizations must ensure staff possess sufficient AI knowledge
August 2, 2025	GPAI transparency requirements	General-purpose AI model providers must meet technical documentation and copyright policy requirements
February 2, 2026	High-risk classification guidance	European Commission publishes official guidance on high-risk use case categorization
June 2026	GPAI Code of Practice final	AI Office expected to release final general-purpose AI model provider conduct code
August 2, 2026	High-risk system compliance deadline	All high-risk AI systems must complete conformity assessment, technical documentation, CE marking, EU database registration

The August 2026 deadline represents the critical enforcement threshold. Article 57 requires EU member states to establish at least one AI regulatory sandbox by this date. Spain has already launched the first sandbox pilot in cooperation with the European Commission, while the Netherlands plans sandbox launch by August 2026 under coordination by Autoriteit Persoonsgegevens and RDI.

Risk-Based Regulatory Architecture

The EU AI Act implements a four-tier risk classification system:

1. Unacceptable Risk (Prohibited): AI systems that manipulate human behavior through subliminal techniques, exploit vulnerabilities of specific groups, enable social scoring by governments, or perform real-time remote biometric identification in public spaces (with narrow exceptions for law enforcement).

2. High-Risk: AI systems deployed in critical infrastructure, education, employment, access to essential services, law enforcement, migration, and administration of justice. Annex III enumerates specific high-risk use cases including credit scoring, loan approval, recruitment, performance evaluation, and medical diagnosis support.

3. Limited Risk: AI systems requiring transparency obligations—users must be informed they are interacting with AI (e.g., chatbots) or that content is AI-generated (e.g., deepfakes).

4. Minimal Risk: AI systems outside the above categories, subject to voluntary codes of conduct.

The high-risk category carries the most extensive compliance burden. Financial institutions deploying AI for creditworthiness assessment fall explicitly within Annex III’s high-risk classification. The European Banking Authority (EBA) has initiated 2026-2027 sector-specific implementation support activities, acknowledging the banking sector’s concentration of high-risk AI systems.

Analysis Dimension 1: Enterprise Readiness Gap

Quantified Readiness Deficit

The Vision Compliance 2026 EU AI Act Readiness Report provides the first comprehensive cross-sector assessment of enterprise preparation. Based on compliance evaluations across eight industries—financial services, healthcare, technology, manufacturing, energy, retail, telecommunications, and transportation—the report documents a stark readiness deficit:

• 78% of organizations have taken no meaningful compliance steps
• 22% have initiated formal compliance planning
• Industry variation: Financial services show marginally higher readiness (estimated 28-32% planning) due to existing regulatory oversight frameworks from EBA, ECB, and national banking supervisors

The report’s finding aligns with earlier data. A 2024 PwC survey found that only 24% of organizations using AI in HR processes had begun formal compliance planning. This suggests readiness rates for specific high-risk domains may be even lower than the aggregate 22% figure.

The 40% Classification Uncertainty

The appliedAI study of 106 enterprise AI systems reveals a structural blind spot in risk classification:

Classification	Share	Systems Affected
High-Risk	18%	Credit scoring, loan approval, recruitment, medical diagnosis support, critical infrastructure
Low-Risk	42%	Customer service chatbots, content recommendation, internal analytics
Unclear	40%	Performance evaluation, borderline critical infrastructure applications, ambiguous employment decisions

The 40% “unclear” category represents the hidden compliance minefield. Annex III defines high-risk categories but leaves boundary interpretations ambiguous. Consider these edge cases:

• Performance evaluation AI: If the system influences termination decisions, it falls under Annex III’s “employment, access to self-employment” category. If it merely provides feedback without decision-making authority, classification becomes uncertain.

• Critical infrastructure: Annex III references “critical infrastructure” without precise definition. An AI system managing HVAC in a data center may or may not qualify, depending on whether the facility qualifies as critical infrastructure under national definitions.

• Loan origination: Credit scoring is explicitly high-risk, but AI-assisted document processing in loan applications may or may not qualify depending on decision-making involvement.

Organizations cannot complete conformity assessments without resolving classification uncertainty. The European Commission’s February 2026 high-risk classification guidance aims to address these ambiguities, but enterprises must actively interpret their specific use cases against the guidance.

Analysis Dimension 2: ISO/NIST Compliance Coverage

The 60-70% Framework Bridge

ISO/IEC 42001:2023, the first international AI management system standard, and NIST AI Risk Management Framework provide partial coverage of EU AI Act requirements. The EU AI Compass framework mapping analysis quantifies this overlap:

ISO 42001 / NIST AI RMF coverage:

• AI system inventory and documentation
• Risk assessment methodology
• Ethics impact assessment procedures
• AI governance policy framework
• Fairness, explainability, and data transparency requirements
• Human oversight mechanisms

These elements account for approximately 60-70% of EU AI Act’s governance requirements. Organizations implementing ISO 42001 or NIST AI RMF gain a substantial foundation for EU compliance.

The 30-40% Regulatory Gap

The remaining 30-40% of EU AI Act requirements fall outside international standard coverage:

EU AI Act Requirement	ISO 42001 Coverage	Gap Severity
Conformity assessment (Article 43)	Partial framework, no EU-specific procedure	High—required for market access
Technical documentation (Annex IV)	Documentation framework exists, but lacks EU-specific format	Medium—adaptable with effort
CE marking (Article 48)	No coverage	High—mandatory for market entry
EU database registration (Article 49)	No coverage	High—required for high-risk systems
Fundamental rights impact assessment	Ethics assessment framework, but not EU-specific	Medium—requires adaptation
Post-market monitoring (Article 72)	Monitoring framework, but lacks EU reporting requirements	Medium—adaptable
Market surveillance cooperation	No coverage	High—requires EU authority engagement

The gap is not merely administrative. CE marking and EU database registration determine market access. Organizations relying solely on ISO 42001 certification cannot legally deploy high-risk AI systems in the EU market after August 2026 without completing these EU-specific procedures.

Certification Landscape

Multiple certification bodies now offer ISO 42001 certification services: Schellman, DNV, LRQA, BSI, and SGS have all published certification programs. Microsoft has released an official ISO 42001 compliance guide detailing implementation requirements. However, ISO 42001 certification alone does not confer EU AI Act compliance—it provides the governance foundation that organizations must then extend to meet EU-specific requirements.

Analysis Dimension 3: Operating Model Compliance Strategies

Enterprises deploy AI through three operating models, each carrying distinct compliance implications:

Buy Model: Vendor-Dependent Compliance

Organizations purchasing AI systems from third-party vendors inherit compliance dependencies:

Factor	Implication
Compliance responsibility	Vendor must provide conformity assessment and technical documentation
Risk exposure	Vendor’s compliance status uncertain until verified
Cost burden	Lower initial cost, but vendor dependency creates ongoing risk
Autonomy	Low—organization cannot modify compliance approach

Key verification requirements:

• Confirm vendor has completed or will complete EU conformity assessment
• Verify technical documentation completeness (Annex IV format)
• Confirm vendor will register system in EU database
• Establish contractual provisions for compliance updates and post-market monitoring

The Buy model offers lowest initial compliance cost but highest dependency risk. Organizations must actively audit vendor compliance status rather than assume “purchased = compliant.”

Hybrid Model: Coordinated Compliance

Hybrid deployments combine vendor systems with internal customization or integration:

Factor	Implication
Compliance responsibility	Split between vendor and organization—boundary definition critical
Risk exposure	Unclear responsibility attribution creates compliance gaps
Cost burden	Medium—coordination overhead adds to vendor costs
Autonomy	Medium—organization can influence but not fully control compliance

Hybrid compliance challenges:

• Defining modification boundary: Customization may change conformity assessment scope
• Technical documentation ownership: Who maintains documentation for modified systems?
• Post-market monitoring responsibility: Vendor or organization handles incident reporting?
• CE marking validity: Does modification invalidate vendor’s CE marking?

Hybrid organizations must negotiate explicit compliance responsibility allocation with vendors before August 2026.

Build Model: Full Compliance Autonomy

Organizations developing AI systems internally carry complete compliance responsibility:

Factor	Implication
Compliance responsibility	Organization handles all conformity assessment, documentation, registration
Risk exposure	Full control but highest compliance burden
Cost burden	Highest—requires QMS, technical documentation, assessment procedures
Autonomy	High—organization controls entire compliance approach

Build model requirements:

• Establish quality management system (QMS) for AI development
• Conduct conformity assessment (internal or third-party)
• Produce technical documentation per Annex IV
• Affix CE marking
• Register in EU database (for applicable high-risk systems)
• Implement fundamental rights impact assessment
• Establish post-market monitoring procedures

Build model organizations face highest upfront costs but gain full compliance control and no vendor dependency.

Operating Model Decision Matrix

Criterion	Buy	Hybrid	Build
Initial cost	Lowest	Medium	Highest
Vendor dependency	Highest	Medium	None
Compliance control	Lowest	Medium	Highest
Risk classification clarity	Vendor determines	Negotiated	Organization determines
Timeline flexibility	Limited by vendor	Partial	Full
Market entry risk	Vendor compliance uncertain	Boundary disputes possible	Organization bears full responsibility

Compliance-driven enterprises increasingly prefer hybrid or on-premise deployment models over pure cloud-based solutions, according to CIO industry reports. This trend reflects the operational control needed to meet regulatory requirements.

Analysis Dimension 4: Cross-Jurisdictional Regulatory Tension

EU-US-China Framework Comparison

Organizations deploying AI across multiple jurisdictions face conflicting regulatory requirements:

Dimension	EU AI Act	US AI Policy	China AI Regulation
Regulatory nature	Binding regulation, comprehensive	Federal policy guidance + state-level legislation, fragmented	Binding regulation, algorithm-specific
Risk classification	Four-tier mandatory classification	Risk-aware but no unified tier system	Algorithm备案 + content审核, no formal tiers
Extraterritorial effect	Yes—affects non-EU providers serving EU market	No—domestic policy orientation	Limited—primarily domestic service regulation
Maximum penalty	EUR 35M / 7% global revenue	State-level variation, generally lower	50M RMB (approx. EUR 6.5M)
Key requirements	Conformity assessment, CE marking, database registration	Voluntary compliance frameworks, sector-specific rules	Algorithm registration (within 10 working days of service launch), AI-generated content labeling
Implementation status	August 2026 high-risk enforcement	Federal innovation-focused, state variation	January 2026 CSL amendment生效

Cross-Border Deployment Conflicts

Organizations operating across EU, US, and China face three categories of regulatory tension:

Type 1: Duplicative Registration Requirements

EU AI Act requires EU database registration for high-risk systems. China requires algorithm备案 with Cyberspace Administration within 10 working days of service launch. US has no federal registration requirement but sector-specific rules may apply (e.g., FDA for medical AI, SEC for financial AI).

Multi-market deployers must:

• Register in EU database (for EU high-risk systems)
• Complete China algorithm备案 (for China-deployed algorithms)
• Navigate US sector-specific requirements where applicable

Type 2: Risk Assessment Methodology Conflicts

EU risk classification uses Annex III’s use-case-based approach. China’s algorithm备案 requires content审核 but lacks formal risk tiers. US NIST AI RMF provides voluntary risk assessment without legal classification.

Organizations cannot apply a single risk assessment across jurisdictions. EU high-risk classification may not align with China’s algorithm备案 scope or US sector-specific requirements.

Type 3: Documentation Format Inconsistency

EU Annex IV specifies technical documentation format. China algorithm备案 requires different documentation elements. US sector-specific rules (FDA, SEC, FTC) impose varied documentation requirements.

Organizations must maintain jurisdiction-specific documentation sets, increasing compliance overhead.

Market Access Implications

From August 2026, EU market access for high-risk AI requires:

• Completed conformity assessment
• Annex IV technical documentation
• CE marking affixed to system
• EU database registration (for applicable high-risk categories)

China market access for algorithm-based services requires:

• Algorithm备案 within 10 working days of service launch
• AI-generated content labeling
• Security assessment for certain algorithm categories

US market access varies by sector—no federal AI-specific gate, but sector regulators (FDA, SEC, FTC, FCC) impose requirements.

Analysis Dimension 5: High-Risk System Technical Compliance

Annex IV Technical Documentation Requirements

High-risk AI systems must produce technical documentation per Annex IV specifications:

Documentation Element	Required Content
General description	System purpose, capabilities, limitations, development timeline
Data governance	Training data sources, quality assurance procedures, data integrity measures
Risk assessment	Identified risks, mitigation measures, residual risk evaluation
Performance metrics	Accuracy, reliability, robustness measurements, testing methodology
Human oversight	Oversight mechanisms, operator intervention capabilities
Transparency	Explainability approach, user notification procedures
Lifecycle management	Version tracking, update procedures, retirement protocols

Conformity Assessment Procedures

Article 43 establishes conformity assessment requirements for high-risk systems:

Internal conformity assessment (available for most high-risk systems):

• Organization conducts own assessment using established procedures
• Documentation must meet Annex IV standards
• Quality management system must be in place
• Assessment records retained for 10 years

Third-party conformity assessment (required for certain categories):

• Independent notified body conducts assessment
• Notified body must be accredited under EU AI Act designation
• Assessment certificate issued upon successful evaluation
• Higher cost but provides external validation

Financial sector AI systems (credit scoring, loan approval) may face sector-specific conformity requirements overlapping with EBA/ECB supervision frameworks.

CE Marking Requirements

Article 48 specifies CE marking obligations:

• CE marking must be affixed to physical AI systems or included in digital documentation for software
• Marking must be clearly visible and permanently attached
• Must indicate conformity assessment procedure used
• Must identify conformity assessment body (if third-party assessment)

EU Database Registration

Article 49 mandates EU database registration for high-risk systems:

• Enforcement, immigration, border control, and asylum high-risk systems must register non-public sections
• Other high-risk systems register public sections with system description, provider contact, and conformity assessment details
• Registration provides market surveillance authorities with compliance visibility
• Non-registration blocks legal market entry

System Logging and Human Oversight

Article 26 establishes deployer obligations:

• Deployers must retain system logs for minimum 6 months
• Human oversight must be “effective”—operators must be able to override, interrupt, or halt system operation
• Decision processes must be genuinely human-supervised, not merely “human-in-the-loop” for formality
• Deployers must inform affected persons when subject to high-risk AI decision-making

Analysis Dimension 6: Regulatory Sandbox Utilization

EU Member State Sandbox Progress

Article 57 requires member states to establish at least one AI regulatory sandbox by August 2, 2026. Current progress varies:

Member State	Sandbox Status	Authority
Spain	First pilot launched (2025)	Cooperation with European Commission
Netherlands	Launch planned by August 2026	Autoriteit Persoonsgegevens + RDI
Germany	Regulatory Sandboxes Act enables experimentation clauses	Innovation portal coordination
Italy	”Sperimentazione Italia” functional prototype	Central authority coordination
Finland	Sandbox framework established	Central authority model
Belgium	Regional experimentation permitted	Decentralized approach
Slovakia	Regional experimentation permitted	Decentralized approach

The European Commission is soliciting feedback on draft implementing act regulations through January 13, 2026 (deadline has passed as of April 2026). Final sandbox operational guidelines are expected before August 2026.

Enterprise Sandbox Strategy

Regulatory sandboxes offer enterprises four strategic benefits:

1. Classification guidance: Sandbox authorities can provide provisional risk classification determinations for uncertain use cases, reducing the 40% classification ambiguity risk.

2. Conformity assessment practice: Enterprises can test conformity assessment procedures in controlled environments before formal submission, identifying documentation gaps.

3. Regulatory dialogue: Sandbox participation establishes direct communication with supervisory authorities, enabling proactive compliance guidance rather than reactive enforcement.

4. Risk mitigation: Sandbox testing provides documented evidence of compliance intent, potentially influencing enforcement posture if issues arise after August 2026.

Sandbox participation approach:

• Identify member state sandbox program in primary market
• Submit sandbox application with AI system description and compliance questions
• Engage authority dialogue for classification clarification
• Test conformity assessment documentation against sandbox feedback
• Document sandbox outcomes for formal compliance process

Organizations with 40% classification uncertainty should prioritize sandbox participation before August 2026.

Key Data Points

Metric	Value	Source	Date
Enterprise readiness rate	22% (78% unprepared)	Vision Compliance 2026 Report	2026-04
High-risk AI systems share	18%	appliedAI Study (106 systems)	2023-03
Risk classification uncertainty	40%	appliedAI Study	2023-03
HR process compliance planning	24%	PwC Survey	2024
ISO/NIST coverage of EU AI Act	60-70%	EU AI Compass Analysis	2025
Automated compliance tool adoption	45%	SQ Magazine Statistics	2026
SMB compliance cost range	EUR 9,500 - EUR 600,000	SoftwareSeni + SQ Magazine	2026
Enterprise compliance platform cost	EUR 100,000+/year	SQ Magazine Statistics	2026
Maximum prohibited practice fine	EUR 35M / 7% global revenue	EU AI Act Article 5	2024
Maximum high-risk violation fine	EUR 15M / 3% global revenue	EU AI Act Article 6	2024
Deployer log retention period	6 months minimum	EU AI Act Article 26	2024
Documentation retention period	10 years	EU AI Act Article 43	2024
China algorithm备案 deadline	10 working days post-launch	China AI Regulation	2026-01
China maximum fine	50M RMB (approx. EUR 6.5M)	China CSL Amendment	2026-01

🔺 Scout Intel: What Others Missed

Confidence: high | Novelty Score: 85/100

Three findings in this analysis remain underdiscussed in mainstream EU AI Act coverage:

First, the 40% risk classification uncertainty represents a compliance minefield that most guides treat as a solved problem. Annex III provides use-case categories, but boundary cases—particularly in employment, performance evaluation, and critical infrastructure applications—require interpretative judgment that organizations have not systematically addressed. The European Commission’s February 2026 classification guidance will not automatically resolve these edge cases; enterprises must actively map their systems against the guidance and seek sandbox clarification for ambiguous deployments.

Second, the ISO/NIST 60-70% coverage statistic masks a market access reality: ISO 42001 certification does not confer EU AI Act compliance. Organizations investing in international standard certification may believe they are “ready” while missing CE marking, EU database registration, and fundamental rights impact assessment requirements. This creates a compliance perception gap where certified organizations face August 2026 enforcement risk despite significant governance investment.

Third, the regulatory sandbox mechanism remains underutilized in enterprise compliance strategies. Most analysis treats sandboxes as innovation enablers rather than classification clarification tools. Organizations with uncertain risk classification should prioritize sandbox participation in the final months before enforcement—not for experimentation, but for authoritative classification guidance that reduces the 40% ambiguity risk.

Key Implication: Organizations with ISO 42001 certification but no CE marking, EU database registration, or classification clarification face August 2026 enforcement risk despite substantial governance investment. The remaining 30-40% EU-specific requirements determine market access, not the 60-70% covered by international standards.

Outlook & Predictions

Near-Term (0-4 months: April - August 2026)

• Prediction: Compliance urgency spike in June-July 2026 as enterprises recognize the gap between ISO certification and EU market access requirements. (Confidence: high)

• Prediction: Regulatory sandboxes in Spain, Netherlands, and Germany will experience application surges as organizations seek classification clarification. (Confidence: medium-high)

• Prediction: Vendor compliance verification will emerge as a critical procurement requirement—organizations using Buy model will audit vendor conformity assessment status before August 2026. (Confidence: high)

• Key trigger to watch: European Commission enforcement posture in first 90 days post-August 2026. Initial enforcement priorities will signal compliance tolerance levels.

Medium-Term (4-18 months: August 2026 - February 2028)

• Prediction: First enforcement actions will target high-risk systems without CE marking or database registration, with financial sector AI receiving priority attention due to EBA coordination. (Confidence: medium)

• Prediction: Classification ambiguity disputes will generate litigation as organizations contest enforcement actions based on Annex III interpretation. (Confidence: medium)

• Prediction: Vendor certification market expansion—AI vendors will increasingly market “EU AI Act compliant” systems with pre-completed conformity assessment and CE marking as competitive differentiator. (Confidence: high)

• Key trigger to watch: Court of Justice of the European Union (CJEU) preliminary ruling requests on Annex III classification boundaries.

Long-Term (18+ months: February 2028+)

• Prediction: EU AI Act enforcement experience will influence global AI regulation design—US federal AI legislation (if enacted) will incorporate lessons from EU classification ambiguity disputes. (Confidence: medium)

• Prediction: ISO/IEC 42001 will evolve to incorporate EU-specific requirements, reducing the 30-40% gap through standard amendment or supplementary guidance. (Confidence: medium-high)

• Prediction: Cross-jurisdictional regulatory harmonization efforts will emerge to address EU-US-China documentation and registration inconsistency, particularly for multinational technology providers. (Confidence: medium)

• Key trigger to watch: Revision of Annex III high-risk use case list based on enforcement experience and technological evolution.

Scenario Analysis

Scenario	Probability	Enterprise Impact	Strategic Response
Strict enforcement from August 2026	35%	Organizations without CE marking/database registration face immediate market exclusion; fines for non-compliant high-risk systems	Prioritize conformity assessment completion; verify vendor compliance; engage sandbox for classification clarity
Transitional tolerance period (6-12 months)	45%	Enforcement delayed but compliance requirements unchanged; market access gradually restricted	Use tolerance period to complete compliance; avoid assuming indefinite tolerance
Sector-specific enforcement prioritization	20%	Financial and healthcare AI face priority enforcement; other sectors see delayed action	Financial/healthcare organizations prioritize compliance; others begin planning but face lower immediate urgency

Sources

• Vision Compliance 2026 EU AI Act Readiness Report — National Law Review, 2026

• EU AI Act Compliance Checker — appliedAI Study, artificialintelligenceact.eu, March 2023

• ISO/IEC 42001 Official Standard — ISO Organization, 2023

• EU AI Act Annex III: High-Risk AI Systems — artificialintelligenceact.eu, Official Annex

• EU AI Act 2026 Compliance Timeline Guide — Legalnodes, 2026

• EU AI Act Article 26: Deployer Obligations — artificialintelligenceact.eu, Official Article

• EU AI Regulatory Sandbox Member State Overview — artificialintelligenceact.eu, 2026

• EU Commission: First AI Regulatory Sandbox — European Commission, 2025

• EU AI Act vs NIST AI RMF vs ISO 42001 Comparison — EC-Council, 2026

• China AI Regulation Expert Guide — CMS Law, 2026

• EU AI Act vs US AI.gov Action Plan Comparison — 3CL, 2026

• EBA AI Act Banking Sector Implications — European Banking Authority, 2025-11

• EU AI Act Compliance Cost Statistics — SQ Magazine, 2026

• EU AI Act SMB Compliance Cost Analysis — SoftwareSeni, 2026

• NIST AI RMF and ISO 42001 Integration Guide — Fairnow, 2026

• Microsoft ISO 42001 Compliance Guide — Microsoft, 2026