EU AI Act Compliance Checklist (2026)
Compliance with the EU AI Act is a programme, not a document. This checklist turns the regulation into a sequence of concrete steps you can work through — from finding your AI systems to producing audit-ready evidence.
1. Build an AI system inventory
You cannot comply with what you haven't listed. Catalogue every AI system you build, buy or embed — including features inside larger products and models you access via API. For each, note its purpose, who provides it, and where its output is used.
2. Classify each system by risk
Sort every system into a tier: prohibited (Art. 5), high-risk (Annex III), limited-risk (Art. 50 transparency), or minimal. This single step determines almost everything that follows. See the Annex III high-risk list and run the free checker for a deterministic result.
3. Determine your role for each system
Your obligations depend on whether you're a provider, deployer, importer, distributor or GPAI provider — the duties differ completely. Rebranding or substantially modifying a high-risk system makes you its provider (Art. 25). See obligations by role.
4. Meet the obligations for high-risk systems
For each high-risk system, put in place:
- Risk management system (Art. 9)
- Data governance and bias checks (Art. 10)
- Technical documentation — Annex IV (Art. 11)
- Record-keeping / logging (Art. 12)
- Transparency and instructions for use (Art. 13)
- Human oversight (Art. 14)
- Accuracy, robustness and cybersecurity (Art. 15)
5. Handle transparency and AI literacy
Limited-risk systems (chatbots, generative content) need Article 50 transparency notices. And Article 4 — in force since 2 February 2025 — requires that staff who operate or are affected by AI have a sufficient level of AI literacy. See the AI literacy guide.
6. Produce documentation and pass conformity assessment
High-risk providers must draw up the technical file, pass the conformity assessment (Art. 43), issue the EU declaration of conformity (Art. 47), affix the CE marking (Art. 48) and register the system in the EU database (Art. 49). Deployers of certain high-risk systems must complete a Fundamental Rights Impact Assessment (Art. 27).
7. Track deadlines and monitor
Map each obligation to its date: prohibited practices + AI literacy (2 Feb 2025), GPAI (2 Aug 2025), high-risk Annex III (2 Aug 2026), product-safety high-risk (2 Aug 2027). Then run post-market monitoring (Art. 72) and report serious incidents within the Article 73 timelines. See the deadlines guide.
Frequently asked questions
Where do I start with EU AI Act compliance?
Start by inventorying your AI systems, then classify each by risk tier. Classification determines every obligation that follows, so it's the highest-leverage first step. The free risk checker gives you a deterministic starting point.
How long does EU AI Act compliance take?
Classification takes minutes, but the conformity work for a high-risk system — risk management, technical documentation, human oversight — typically takes months. That's why starting well before the 2 August 2026 deadline matters.
Free, no sign-up. Deterministic — not a chatbot.
Still have questions about how this applies to you? Talk to us — we're happy to help.