What to Check Before You Trade in the EU

A practical guide to auditing your AI before it reaches the European market

Before an AI product or service crosses into the European market, the sensible question is not “are we compliant?” but “how do we know?” The EU AI Act rewards businesses that can show their working and penalises those that cannot, and the only reliable way to find out where you stand is to look, systematically, and before a regulator or a customer does it for you. That exercise is the AI audit.

This article explains what an AI audit involves, why it matters specifically for trading in the EU, and how to approach it in a way that produces something useful rather than a drawer full of paper. It is written for businesses based outside the EU as much as inside it, because the Act’s reach extends well beyond Europe’s borders.

Why an audit, and why before you trade

The EU AI Act applies extraterritorially. You do not need an office in the EU to fall within it: placing an AI system on the EU market, or having its outputs used in the EU, can be enough. For a UK or US business, that means the Act is not somebody else’s problem the moment your product is reachable from, or used by people in, the Union.

The Act is also built around evidence. Its obligations (risk management, data governance, technical documentation, human oversight and, for many systems, a formal conformity assessment) are things you must be able to demonstrate, not merely assert. An audit is how you establish, while you still have time to fix things, whether that evidence exists. Doing it before you trade is the difference between an orderly remediation plan and a scramble after a system is already live and the exposure is real.

The Act does not just ask whether your AI is safe. It asks whether you can prove it, and an audit is how you find out before someone else does.

⚠  Mind the timeline and do not bank on a delay. The Act’s obligations are phased. Prohibited practices have applied since 2 February 2025 and general-purpose AI model obligations since 2 August 2025. The most demanding wave, the full set of obligations for the high-risk systems listed in Annex III, is due to apply from 2 August 2026; high-risk systems that are safety components of products covered by the Union harmonisation legislation in Annex I follow a later date, 2 August 2027. A proposal emerged in late 2025 to postpone parts of the high-risk regime, but as matters stand it has not been enacted into law. The prudent course is to plan against the existing 2 August 2026 date and treat any delay as a bonus, not a basis for slowing down. Confirm the current position before relying on any timeline.

The foundation: what kind of operator are you?

Almost every obligation under the Act turns on two questions, and your audit should answer them first, because everything else depends on the answers.

Your role in the chain

The Act distinguishes between the provider of an AI system (broadly, the party that develops it, or has it developed, and places it on the market under its own name) and the deployer who uses it. Providers carry the heavier set of obligations. The trap for businesses building on someone else’s technology is that the line is easy to cross without noticing: if you fine-tune, substantially modify, or put your own brand on a third-party system, you may become the provider in the eyes of the Act and inherit the provider’s duties. There are other roles too (importer, distributor), each with its own obligations. Your audit must pin down, for every system, which hat you are wearing.

The risk tier of each system

The Act sorts AI by risk. A small number of uses are prohibited outright. A defined set of “high-risk” uses, including AI in areas such as recruitment, education, access to essential services, and certain safety components of regulated products, attracts the full weight of the obligations. Most other systems face only light transparency duties, and many face none of substance. General-purpose AI models sit in their own category with bespoke rules. Misclassifying a system is the costliest mistake available, because it sets the entire compliance burden either too low (leaving you exposed) or needlessly high (wasting effort). Classification decisions, especially the borderline ones, should be reasoned and written down.

What an AI audit actually examines

With role and risk established, the audit works through the substance. For a system that turns out to be high-risk, the core areas map onto the Act’s central provider obligations; for lower-risk systems the exercise is lighter but the discipline is the same. The themes below are what a thorough audit checks.

  • Inventory and shadow AI. Do you actually know every AI system in use, including features embedded in third-party tools and any quiet experiments inside the business? You cannot audit what you have not found, and undiscovered systems are where risk hides.
  • Risk management. Is there a genuine, maintained process for identifying and mitigating the risks each high-risk system poses across its lifecycle: not a one-off document, but a process that lives and is reviewed?
  • Data governance. Can you account for the data used to train, validate and test the system: where it came from, its quality and relevance, and what was done to examine it for bias? Where personal data is involved, this dovetails with your data-protection obligations and any impact assessment.
  • Technical documentation and record-keeping. Is there documentation sufficient to show how the system works and that it meets the requirements, and does the system log its activity so that its operation can be traced?
  • Transparency. Are users given the information and instructions they need? Where people interact with AI, or where content is AI-generated, are the necessary disclosures and markings in place?
  • Human oversight. Can a competent person actually understand, monitor and, where needed, override the system? Oversight that exists only on paper, a rubber stamp, will not satisfy the requirement.
  • Accuracy, robustness and cybersecurity. Does the system perform as claimed, behave predictably under stress, and resist tampering, to a standard appropriate to its use? The Act expects high-risk systems to be resilient against attempts to alter their behaviour by exploiting their vulnerabilities, and it names the AI-specific attacks in view: data poisoning, model poisoning, adversarial examples or model evasion, and confidentiality attacks. An audit should therefore look for evidence that these were considered and tested, not merely that conventional IT security controls are in place.
  • Conformity assessment and registration. For high-risk systems, has the required conformity assessment been done, the declaration of conformity drawn up, the CE marking applied where relevant, and the system registered in the EU database before going to market?
  • The EU representative. If you are a provider established outside the EU, have you appointed an authorised representative in the Union where the Act requires one?
  • Third-party components. Where your system relies on someone else’s model, can you obtain the documentation and assurances you need from them, and have you tested those assurances rather than taking them on trust?
  • Post-market monitoring. Once a system is live, is there a process to watch how it behaves in the real world and to report serious incidents as required?

How to run the audit well

An audit is only as valuable as the action it drives. A few principles separate a useful exercise from a box-ticking one.

  1. Start with the inventory and the classification, because they scope everything else. Time spent here is never wasted.
  2. Bring the right people together. A meaningful AI audit is not purely a legal exercise; it needs the engineers who built or integrated the system, the people who use it, and the business owner accountable for it, alongside legal and compliance.
  3. Measure against a recognised framework. Mapping your controls to a standard such as the NIST AI Risk Management Framework or ISO/IEC 42001 gives the audit structure and gives you a defensible reference point. Where harmonised European standards exist for a requirement and their references have been published in the Official Journal, developing to them brings a presumption of conformity with that requirement.
  4. Write down the gaps and own them. The output should be a clear-eyed list of where you fall short, each gap assigned an owner, a remediation step and a deadline, prioritised by risk, with the high-risk systems and the August 2026 obligations first.
  5. Keep the evidence. The audit itself, and the documentation it relies on, is part of your compliance story. The ability to show that you looked, found problems and fixed them is exactly what regulators expect to see.
  6. Treat it as recurring. AI systems change, the law is still settling, and harmonised standards and guidance are still emerging. An audit is a habit, not a single event; revisit it as systems evolve and at sensible intervals.

What good looks like at the end

A well-run AI audit leaves you with four things: a complete inventory of your AI, a defensible classification of each system, an honest gap analysis with a prioritised remediation plan, and a body of evidence that the whole exercise happened. Together these are not merely a compliance artefact. They are what lets you trade in the EU with confidence, answer a customer’s due-diligence questionnaire without alarm, and respond to a regulator from a position of preparation rather than panic.

The businesses that struggle with the AI Act are rarely those whose technology is unsafe. More often they are those who never looked closely enough to know. An audit, done before you trade, is how you avoid being one of them.

How we can help

360 Business Law help businesses audit their AI for EU readiness, establishing roles and classifications, running the gap analysis against the Act’s obligations and recognised standards, advising on conformity, registration and the appointment of an EU representative, and turning the findings into a remediation plan that can actually be delivered. If you are preparing to trade AI in the EU, or are already doing so and want the comfort of knowing where you stand, we would be glad to help.

This article is general information current as of June 2026 and does not constitute legal advice. The EU AI Act is being implemented in phases and aspects of its timeline and supporting standards remain in flux; please obtain tailored advice before acting. To discuss an AI audit for your business, contact Robert Taylor, CEO & General Counsel, at r.taylor@360businesslaw.com.
