EU AI Act Compliance Checklist 2026

By Daman David Pant, May 2026

The EU AI Act is now in force. Whether you are a provider building AI systems or a deployer putting them into use, you have legal obligations that apply now or will apply within months. This checklist gives you a structured, actionable view of what you need to do, organised by role and risk tier.

How to use this checklist: First identify your role (provider, deployer, or both). Then identify the risk tier of each AI system you are responsible for. The obligations that apply to you depend on both.

Step 1: Identify Your Role

| Role | Definition |
| --- | --- |
| Provider | Develops or places an AI system on the market or puts it into service, including via APIs |
| Deployer | Uses an AI system under its own authority in a professional context |
| Importer | Places on the EU market an AI system from a third country |
| Distributor | Makes an AI system available on the EU market without modifying it |

Note that one organisation can hold multiple roles simultaneously. A company that builds and deploys its own AI system is both a provider and a deployer.

Step 2: Classify Your AI Systems

Prohibited AI Practices

High-Risk System Identification

Check whether any of your systems fall into these categories:

Step 3: Provider Obligations for High-Risk Systems

Risk Management System (Provider)

Data Governance (Provider)

Technical Documentation (Provider)

Transparency and Instructions (Provider)

Human Oversight (Provider)

Registration and Conformity (Provider)

Step 4: Deployer Obligations for High-Risk Systems

Use in Accordance with Instructions (Deployer)

Human Oversight and Monitoring (Deployer)

Transparency to Affected Persons (Deployer)

Logging and Record-Keeping (Both)

Step 5: GPAI Model Obligations

If you provide a General Purpose AI (GPAI) model, additional obligations apply regardless of the downstream use case:

Key Deadlines

Feb 2025: Prohibited AI practices provisions apply. Organisations must have eliminated any prohibited practices by this date.

Aug 2025: GPAI model obligations and governance provisions apply. Providers of GPAI models must comply with transparency and documentation requirements.

Aug 2026: High-risk AI system obligations under Annex I apply (products covered by existing EU product safety legislation).

Aug 2027: Full application of all high-risk AI system obligations under Annex III. All providers and deployers of high-risk systems must be fully compliant.

Frequently Asked Questions

Who needs to comply with the EU AI Act?

Any organisation that provides or deploys AI on the EU market, or whose AI affects people in the EU, regardless of where it is based. This covers providers, deployers, importers, and distributors, and one organisation can hold several of these roles at once.

What are the key EU AI Act compliance deadlines?

Prohibited practices applied from February 2025, GPAI and governance obligations from August 2025, Annex I high-risk obligations from August 2026, and full high-risk application under Annex III from August 2027. See the deadlines section above.

What is the difference between a provider and a deployer?

A provider builds an AI system or places it on the market; a deployer uses one under its own authority in a professional context. A company that builds and uses its own system is both, and must meet both sets of obligations.

What are the penalties for non-compliance?

Penalties are tiered, up to €35 million or 7% of global annual turnover for prohibited practices, with lower caps for other breaches. Non-compliance is expensive, which is why this checklist prioritises role and risk classification first.

About the author: Daman David Pant, AIGP is a Principal Consultant at Infosys with 20+ years in IT, focused on AI governance, agentic AI accountability, and responsible AI. He passed the IAPP AIGP exam with a score of 475/500 and built the AIGP Playbook to make exam preparation accessible to everyone.