On 2 August 2026, the EU AI Act becomes fully applicable for high-risk AI systems — and it also affects Swiss companies that supply the EU market. The regulation classifies AI systems into four risk levels, requires extensive documentation and technical standards, and threatens fines of up to EUR 35 million or 7% of global annual turnover. From our work with over 130 Swiss companies, we know that many vastly underestimate the effort involved. This guide gives you everything you need for compliance.
What is the EU AI Act? Background and Significance
The EU AI Act (Regulation (EU) 2024/1689) is the world's first comprehensive law regulating artificial intelligence. Having entered into force on 1 August 2024, it becomes applicable in stages. The key dates:
| Date | Milestone | Affected Systems |
|---|---|---|
| 2 Feb 2025 | Prohibitions in force | Unacceptable risk (social scoring, manipulative AI) |
| 2 Aug 2025 | GPAI obligations | General Purpose AI (ChatGPT, Claude, Gemini, etc.) |
| 2 Aug 2026 | Core obligations | High-risk AI systems (Article 6(2)) |
| 2 Aug 2027 | Full application | All AI systems including Article 6(1) |
"The EU AI Act is not just a European regulation — it sets the global standard for AI governance. Swiss companies that supply the EU market must act now."
— ARES, Cybersecurity Agent at mazdek
The regulation follows a risk-based approach: the higher the risk an AI system poses to health, safety and fundamental rights, the stricter the requirements. Swiss companies are already familiar with this principle from medical device regulation (MDR) and the Machinery Regulation.
The Four Risk Levels: Where Does Your AI System Stand?
The EU AI Act categorises AI systems into four risk categories. Correct classification is the first and most important step — it determines all your compliance obligations. As a specialised AI agency in Switzerland, we at mazdek have already carried out dozens of classifications:
Level 1: Unacceptable Risk — Prohibited
These AI systems have been prohibited in the EU since 2 February 2025:
- Social scoring: Evaluating individuals based on social behaviour
- Manipulative AI: Systems that use subliminal techniques to influence behaviour
- Real-time biometric surveillance: In public spaces (with exceptions for law enforcement)
- Emotion recognition: In the workplace and educational institutions
- Predictive policing: Based on individual characteristics
Level 2: High Risk — Strict Regulation
The most extensive requirements apply to high-risk AI systems. These include:
- Human resources: AI for application screening, performance evaluation, promotions
- Creditworthiness: Automated credit scoring and assessment
- Medicine: AI-assisted diagnostics and treatment recommendations
- Critical infrastructure: Energy, water, transport
- Education: Automated examination scoring, access control
- Justice: Risk assessment in criminal law, judicial decision support
Level 3: Limited Risk — Transparency Obligations
Specific labelling requirements apply to chatbots, deepfakes and AI-generated content. Users must always be informed that they are interacting with AI.
Level 4: Minimal Risk — Voluntary
Spam filters, recommendation algorithms and AI in video games are not subject to specific obligations. Voluntary codes of conduct are recommended.
Why Swiss Companies Are Affected
Switzerland is not an EU member — yet most Swiss technology companies are affected by the EU AI Act. The reason: extraterritorial scope. The AI Act applies to:
- Providers: Any company that places an AI system on the EU market — regardless of where the company is based
- Deployers: Companies that use AI systems within the EU
- Output in the EU: When the results of an AI system are used in the EU
In practice, this means: if a Zurich-based FinTech startup develops an AI-based credit assessment that is used by a German bank, the Swiss company must comply with the high-risk requirements of the EU AI Act.
Additionally, the Swiss Data Protection Act (nDSG), in force since September 2023, complements the EU AI Act at the national level. And the planned Swiss AI regulatory framework, currently being developed by the Federal Council, is expected to be closely aligned with the EU AI Act.
The 7 Compliance Requirements for High-Risk AI
For high-risk AI systems, the EU AI Act mandates seven core compliance measures. Having completed over 40 compliance projects, we at mazdek have developed the following framework:
1. Risk Management System (Article 9)
A continuous, documented risk management process across the entire lifecycle of the AI system. Our ARES Cybersecurity Agent implements automated risk assessments that bridge regulatory requirements with technical reality.
2. Data Governance (Article 10)
Training, validation and test data must meet defined quality criteria: representativeness, accuracy, completeness. Our ORACLE Data Agent ensures data quality and documents the entire data pipeline.
3. Technical Documentation (Article 11)
Comprehensive documentation before placing on the market: system description, development process, performance metrics, risk assessments. NABU, our Documentation Agent, automatically generates AI-Act-compliant documentation.
4. Record-Keeping (Article 12)
Automatic logging of all relevant decisions and system events — traceable and tamper-proof. Our ARGUS Guardian monitors these logs 24/7.
5. Transparency (Article 13)
Deployers must be able to understand how the AI system works. Instructions for use must be clear and comprehensible. This also covers the explainability of AI decisions.
6. Human Oversight (Article 14)
High-risk AI systems must be designed so that humans can effectively oversee them. This means: intervention capabilities, stop mechanisms and the ability to override AI decisions.
7. Accuracy, Robustness and Cybersecurity (Article 15)
AI systems must demonstrate an appropriate level of accuracy, robustness and cybersecurity. Our NANNA QA Agent tests AI systems across all three dimensions — from accuracy metrics to adversarial attacks.
Fines: What Happens in Case of Non-Compliance?
The EU AI Act provides for a tiered penalty system modelled on the GDPR — but significantly higher:
| Violation | Fine (Maximum) | Calculation |
|---|---|---|
| Prohibited AI practices | EUR 35 million | or 7% of global annual turnover |
| High-risk violations | EUR 15 million | or 3% of global annual turnover |
| False information | EUR 7.5 million | or 1% of global annual turnover |
Reduced caps apply for SMEs and startups — whichever amount is lower. But even a fine of EUR 7.5 million can be existentially threatening for a mid-sized company.
For comparison: the highest GDPR fine was EUR 1.2 billion (Meta, 2023). Experts expect the EU AI Act enforcement to be equally aggressive.
Step by Step: How to Become Compliant
Based on our experience at mazdek, we recommend the following 6-stage plan:
Step 1: Create an AI Inventory (Weeks 1-2)
Catalogue all AI systems in your company — including those you did not develop yourself. Many companies use AI systems in SaaS tools without realising it. Our PROMETHEUS Agent analyses your entire system landscape and identifies AI components automatically.
Step 2: Conduct Risk Classification (Weeks 2-4)
Classify each identified AI system into one of the four risk levels. Use the official EU checklist or our automated AI Act Compliance Checker — developed by our ARES Agent.
Step 3: Gap Analysis (Weeks 4-6)
Compare the current state with the requirements. Where is documentation missing? Where are logging mechanisms lacking? Where is human oversight insufficient?
Step 4: Technical Implementation (Weeks 6-16)
Implement the missing technical measures: risk management system, monitoring, logging, human-in-the-loop processes. This is where mazdek deploys a team of specialised agents:
- ARES: Security audit and penetration testing
- NABU: Technical documentation to AI Act standards
- NANNA: Quality assurance and testing
- ARGUS: Continuous monitoring (24/7)
- ORACLE: Data governance and quality assurance
Step 5: Conformity Assessment (Weeks 16-20)
For most high-risk systems, an internal conformity assessment (self-assessment) is sufficient. Certain systems (biometric identification, critical infrastructure) require assessment by a notified body.
Step 6: CE Marking and EU Database (Weeks 20-22)
After successful conformity assessment: apply the CE marking and register the system in the EU database for high-risk AI.
Case Study: Swiss FinTech Achieves AI Act Compliance
A Swiss FinTech company (85 employees, based in Zug) develops an AI-based credit scoring system used by banks in Germany, Austria and France.
Initial Situation
- AI system for automated credit assessment (high-risk under Annex III)
- No AI-Act-compliant documentation in place
- No formal risk management system
- Logging only rudimentarily implemented
- Estimated internal effort: 12+ months with 3 full-time employees
Our Solution
mazdek deployed a team of 5 specialised AI agents:
| Agent | Task | Result |
|---|---|---|
| ARES | Risk assessment and security audit | 42 risks identified, 38 resolved |
| NABU | Technical documentation | 280 pages of AI-Act-compliant docs |
| NANNA | Testing and validation | Test coverage from 28% to 94% |
| ARGUS | Set up monitoring system | 24/7 logging and alerting |
| ORACLE | Data governance | Data pipeline fully documented |
Results After 14 Weeks
| Metric | Before | After |
|---|---|---|
| AI Act compliance | 12% | 100% |
| Documentation scope | 23 pages | 280 pages |
| Risks identified/resolved | 0 | 42/38 |
| Test coverage | 28% | 94% |
| Project duration | 12+ months (estimated) | 14 weeks |
| Cost | CHF 380,000 (internal estimate) | CHF 67,000 |
Swiss Data Protection vs. EU AI Act: The Double Burden
Swiss companies face a dual regulatory challenge:
| Aspect | Swiss nDSG | EU GDPR | EU AI Act |
|---|---|---|---|
| Focus | Personal data | Personal data | AI systems |
| Scope | Switzerland | EU/EEA + extraterritorial | EU/EEA + extraterritorial |
| Maximum fine | CHF 250,000 (personal) | EUR 20m / 4% turnover | EUR 35m / 7% turnover |
| Risk assessment | DPIA (for high risk) | DPIA (for high risk) | Mandatory for all high-risk AI |
| Documentation | Processing register | Processing register | Comprehensive technical docs |
The decisive advantage: companies that are already GDPR-compliant have a solid foundation for AI Act compliance. Our experience shows that approximately 30-40% of GDPR measures are directly transferable to the AI Act.
General Purpose AI: What Does It Mean for ChatGPT, Claude and Co.?
Since 2 August 2025, specific obligations have applied to providers of General Purpose AI (GPAI) — that is, large language models such as ChatGPT, Claude, Gemini and Llama. These obligations primarily affect the providers (OpenAI, Anthropic, Google, Meta), but they also have implications for companies that use these models:
- Transparency obligations: Providers must disclose which training data was used and comply with EU copyright law
- Systemic risk assessment: Models with significant reach must pass additional safety tests
- Downstream responsibility: If you integrate a GPAI model into a high-risk system, you bear full compliance responsibility as the provider
For Swiss companies, this means: if you use OpenAI or Anthropic APIs in your product, you must ensure that your application is compliant overall — even if the underlying model is already GPAI-compliant. At mazdek, we use the mazdekClaw orchestration system, which integrates AI-Act-compliant guardrails directly into the AI pipeline.
Compliance Checklist: 10 Immediate Actions
Start today with these measures — regardless of whether your system is classified as high-risk:
- Create an AI inventory: Catalogue all AI systems in the company
- Risk classification: Assign each system to a risk level
- Appoint responsible persons: Define an AI Compliance Officer or team
- Start documentation: Begin technical documentation for high-risk systems
- Implement logging: Automatic recording of all AI decisions
- Human-in-the-loop: Define and implement human oversight processes
- Bias testing: Test AI systems for discrimination and bias
- Data protection synergies: Review existing GDPR measures for AI Act relevance
- Plan training: Inform employees about AI Act obligations
- Create a timeline: Define a realistic compliance roadmap with milestones
What Does AI Act Compliance Cost?
Costs depend heavily on the complexity and number of your AI systems:
| Company Size | Typical AI Systems | Traditional | With mazdek |
|---|---|---|---|
| SME (10-50 employees) | 1-3 systems | CHF 80,000-150,000 | From CHF 5,000 |
| Mid-market (50-250 employees) | 3-10 systems | CHF 200,000-500,000 | From CHF 25,000 |
| Enterprise (250+ employees) | 10+ systems | CHF 500,000-2,000,000 | From CHF 50,000 |
mazdek offers EU AI Act Compliance from CHF 5,000. Our AI-powered agents automate large parts of the documentation, testing and monitoring — reducing costs by up to 70% compared to traditional consulting approaches.
Conclusion: Act Now — 2 August 2026 Is Approaching Faster Than You Think
The EU AI Act is not a distant prospect — the deadline for high-risk systems is less than 4 months away. The key takeaways:
- Extraterritorial scope: Swiss companies are affected if they supply the EU market
- Hefty fines: Up to EUR 35 million or 7% of annual turnover
- Phased introduction: Most obligations apply from August 2026
- Double burden: Swiss nDSG + EU GDPR + EU AI Act require a coordinated strategy
- AI accelerates compliance: mazdek's specialised agents reduce effort and costs by up to 70%
The good news: with the right partner, AI Act compliance is not a mammoth project. mazdek combines Swiss precision with AI-powered efficiency — so you can focus on your core business while our 19 agents ensure compliance.
