[00]

Resource 03 · AI Act · Regulation (EU) 2024/1689

_

The AI Act isn't a one-time task: how to keep it current without redoing everything

The AI Act isn't a one-time task: how to keep it current without redoing everything

By Alejandro Rios Calera, CTO

Alejandro Rios Calera is CTO and co-founder of The AI Business, where he leads the technical implementation of EU AI Act compliance in real-world AI projects.

Reading time: 6 min · The AI Business · July 2026

The real cost of compliance isn't in creating it — it's in maintaining it. AESIA's guidance changes, your team adopts a new tool, a vendor updates its model… and your training and policies go stale. Unless you design them to change.

The cost nobody budgets for

The cost nobody budgets for

Most companies that tackle the AI Act make the same design mistake: they treat compliance as a project with an end date. The inventory is done, the policy is drafted, the training is launched… and then it's filed away. Six months later, the team is using three tools that aren't in the inventory, the policy doesn't mention the new sales copilot, and the training talks about model versions that no longer exist.

The problem is that the regulation treats AI literacy as an ongoing competence — and your company, even if it doesn't plan for it, is continuously changing tools. Compliance that isn't updated isn't compliance: it's an old snapshot.

Producing the initial training has a visible cost and gets budgeted. What doesn't get budgeted is the lifecycle: every regulatory change, every new tool, every redesigned process forces you to touch content. If each update means rebuilding materials from scratch — re-recording videos, re-laying out PDFs, re-scheduling sessions — maintenance ends up costing more than the initial production. And then the worst happens: people stop updating it.

Out-of-date training is worse than inconvenient: in an inspection, it shows that the compliance system existed but stopped working.

When the rules require you to update

When the rules require you to update

There are three triggers that turn updating into a requirement, not an option:

· The rules or their guidance change. The AI Act applies in phases and its implementation guidance is published progressively. Each new guideline from the Commission or AESIA can affect what your training must cover.

· Your systems change. You add a tool, a vendor updates its model, a department adopts a new copilot. The inventory — and the training tied to it — must reflect that.

· Your processes change. If you redesign how AI-assisted decisions are approved (hiring, credit, customer service), the usage policy and the training for the roles involved fall out of date.

Designing for change: 4 principles

Designing for change: 4 principles

[01] A single source of truth

Inventory, policies, and training should hang off the same foundation. If the inventory lives in an IT spreadsheet, the policy in a legal PDF, and the training in an HR LMS, every change has to be replicated three times — and one always gets forgotten.

[02] Modular content

Structure the training in modules tied to systems and roles, not as a monolithic "AI course." When a tool changes, you update its module — not the whole course.

[03] Automatic traceability

Completion records should generate themselves. If updating a module means chasing signatures or redoing attendance lists by hand, the system will die of friction. Audit evidence has to be a byproduct of use, not extra work.

[04] Review on a calendar, not on good intentions

Set a review cycle — quarterly for the inventory, annual for the full plan — with a named owner. "We'll review it when something comes up" means "we won't review it."

How we build it

How we build it

At The AI Business we don't hand over a report and leave: we build the compliance system inside your operation. The 72-hour diagnosis leaves the inventory and risk classification as a living foundation; the roadmap ties each fix to the legal deadlines; and the training is designed modular, by role, with automatic records — ready to be updated when the rules change or you do.

We meet GDPR and the AI Act by contract. That's only possible if compliance is designed to last.

Frequently asked questions

Frequently asked questions

How often does AI training have to be updated?

At a minimum, an annual review of the full plan — and immediate update of the affected module when a new system is added, an existing one changes, or a relevant regulatory guideline is published.

Is a generic LMS good enough for this?

It works as a distribution channel, but it doesn't solve the problem: the connection between inventory, policies, and content. That architecture has to be designed — it's process-engineering work, not platform work.

What if my company doesn't have anything set up yet?

Even better: you can build it right from the start instead of inheriting a static system. The first step is knowing what AI you use and what it exposes you to — exactly what the 72-hour diagnosis solves.

Sources: Regulation (EU) 2024/1689 (official text) · artificialintelligenceact.eu · AESIA (aesia.es). This content is informational and does not constitute legal advice.

Build compliance that won't expire in six months.

Build compliance that won't expire in six months.

AI Act exposure diagnosis in 72 hours: inventory, risk classification, your exposure in euros, and the plan to close it. No obligation.

1 vídeo · 3 guías · 20 min de lectura

Miami · Spain · Dubai

GDPR · BY CONTRACT

EU AI ACT · BY CONTRACT

Miami · Spain · Dubai

Miami · Spain · Dubai