There are two kinds of writing about the EU AI Act. Law firm briefings, which are accurate, thorough, and unreadable past the second page. And LinkedIn content, which is readable and wrong. This is an attempt at a third kind: what a delivery consultant actually needs to hold in their head to scope work, advise clients, and not become the person who signed off the thing that got fined.

The usual caveat, sincerely meant: this is orientation, not legal advice. Dates and detail move, member state enforcement is still finding its shape, and anything high risk deserves proper counsel. Verify the current timeline against the official sources before you put it in a deliverable. What follows is the practitioner's map.

The five things worth holding in your head

First, it's a risk pyramid, not a blanket rule. The Act sorts AI uses into tiers. A handful of practices are banned outright and have been since early 2025: social scoring, manipulative systems targeting vulnerabilities, scraping faces off the internet for recognition databases, emotion recognition at work and school, and similar. Then a narrow band of high risk uses carries the heavy obligations. Below that, limited risk systems mostly owe transparency (telling people they're talking to a machine), and everything else, which is most business AI, owes very little under this law specifically. The single most valuable thing you can do in a client meeting is place their use case on that pyramid, calmly, because most executives have absorbed the headlines and assume everything is high risk. Most of it isn't.

Second, high risk is about what the system decides, not how clever it is. The high risk list is essentially a list of decisions that seriously affect people's lives: hiring and firing, credit, insurance pricing, education access, essential services, law enforcement, migration, critical infrastructure. A staggeringly capable model summarising meeting notes is not high risk. A mediocre spreadsheet macro that screens job applicants is. If your engagement touches employment, lending, insurance or the public sector, assume the high risk conversation is coming and have it early, because the obligations (risk management systems, data governance, technical documentation, human oversight, logging, conformity assessment, registration) are a genuine workstream with a genuine budget line, not a paragraph in the appendix.

Third, the deadline that matters is now. The obligations landed in stages: bans in early 2025, general purpose AI model duties later that year, and the main high risk obligations reaching application through 2026 into 2027 depending on category. Which means the comfortable era of "we'll deal with it when it's enforceable" is ending as you read this. Clients who deferred are now doing compliance retrofits, which are to built in compliance what dental surgery is to brushing. For consultants this is, bluntly, a market. The retrofit engagements are real, urgent, and paid accordingly.

Fourth, your client probably has a role in the supply chain, and it matters which one. The Act mostly regulates providers (who build or substantially modify systems) and deployers (who use them). Most of your clients are deployers, whose duties are comparatively manageable: use the system as intended, ensure human oversight, keep logs, feed incident reports upstream. But here's the trap worth billing to find: a deployer who fine tunes a model, rebrands a system, or modifies it substantially can slide into being a provider, inheriting the full obligation stack, usually without anyone in the building noticing the moment it happened. If your engagement includes fine tuning or white labelling, that role question belongs in scoping, in writing.

Fifth, it applies to your US clients too. Like GDPR before it, the Act reaches any system whose outputs are used in the EU, wherever the company sits. American mid market firms are discovering this at roughly the rate their European customers start asking questions in procurement. If you consult for US companies selling into Europe, you are already an EU AI Act consultant, whether or not it's on your LinkedIn.

What this means for your engagements, concretely

Put a classification step in every discovery. One structured hour: what does the system decide, about whom, used where, built and modified by whom. Document the conclusion even when the answer is "minimal risk, no obligations", because that piece of paper is worth a great deal the day a regulator, customer or board member asks who checked.

Write the role allocation into the SOW. If you're building or substantially modifying, be honest about where provider duties land. If you're implementing a vendor's system, the contract should say what compliance evidence flows down from that vendor and what happens if it doesn't (vendors overpromise conformity paperwork at exactly the rate you'd expect).

And treat governance as deliverable work, not overhead. Risk registers, oversight procedures, logging design, incident response: these are billable artefacts clients now need, and the consultants who can produce them fluently are charging governance rates, which our data has consistently shown sitting at the top of the market. The compliance conversation, done well, is not the boring part of AI consulting. It's the moat. Anyone can demo a model. Fewer people can make it deployable by a regulated European enterprise, and the fee gap between those two skills is widening every quarter.

The EU AI Act Compliance Checklist walks the full five step journey from classification through registration and post market monitoring, and the AI Governance & Risk Framework is the document set your InfoSec and legal reviewers are hoping you'll show up with. Somebody in every AI engagement has to be the adult. It pays better than you'd think.