Home ›
Blog › EU AI Act Compliance Checklist
EU AI Act
EU AI Act Compliance Checklist 2026
By Daman David Pant
May 2026
11 min read
The EU AI Act is now in force. Whether you are a provider building AI systems or a deployer putting them into use, you have legal obligations that apply now or will apply within months. This checklist gives you a structured, actionable view of what you need to do, organised by role and risk tier.
How to use this checklist: First identify your role (provider, deployer, or both). Then identify the risk tier of each AI system you are responsible for. The obligations that apply to you depend on both.
Step 1: Identify Your Role
| Role | Definition |
| Provider | Develops or places an AI system on the market or puts it into service, including via APIs |
| Deployer | Uses an AI system under its own authority in a professional context |
| Importer | Places on the EU market an AI system from a third country |
| Distributor | Makes an AI system available on the EU market without modifying it |
Note that one organisation can hold multiple roles simultaneously. A company that builds and deploys its own AI system is both a provider and a deployer.
Step 2: Classify Your AI Systems
Prohibited AI Practices
- Confirm none of your systems use subliminal manipulation techniques
- Confirm none exploit vulnerabilities of specific groups (age, disability)
- Confirm no real-time remote biometric identification in public spaces (except narrow law enforcement exceptions)
- Confirm no social scoring by public authorities for general purposes
- Confirm no AI-based profiling to predict criminal offences
- Confirm no untargeted scraping of facial images for recognition databases
- Confirm no emotion recognition in workplace or educational settings
High-Risk System Identification
Check whether any of your systems fall into these categories:
- Biometric identification or categorisation of natural persons
- Management and operation of critical infrastructure
- Education and vocational training (access, evaluation, assessment)
- Employment, worker management, and access to self-employment
- Access to essential private and public services (credit scoring, benefits)
- Law enforcement, migration, asylum, or border control
- Administration of justice and democratic processes
- Safety components of products covered by EU product safety legislation
Step 3: Provider Obligations for High-Risk Systems
Risk Management System Provider
- Establish a documented risk management system for the AI system
- Identify and analyse known and reasonably foreseeable risks
- Estimate and evaluate risks that may emerge in normal use and reasonably foreseeable misuse
- Adopt risk mitigation measures and document them
- Review and update the risk management system post-deployment
Data Governance Provider
- Apply data governance practices covering design choices, data collection, and preparation
- Ensure training, validation, and testing datasets meet quality criteria
- Document the origin, scope, and characteristics of datasets used
- Implement measures to detect and address biases in datasets
- Ensure datasets are relevant, representative, and free from errors where possible
Technical Documentation Provider
- Prepare technical documentation before placing the system on the market (Article 11)
- Include general description of the AI system and its intended purpose
- Document system components, algorithms, and logic
- Include training methodologies and datasets used
- Document validation and testing procedures and results
- Keep documentation updated throughout the system lifecycle
Transparency and Instructions Provider
- Provide instructions for use to deployers in a clear, understandable format
- Include information on the intended purpose, performance, and limitations
- Disclose the level of accuracy, robustness, and cybersecurity
- Describe human oversight measures required
- Provide information on foreseeable misuse and risks
Human Oversight Provider
- Design the system to allow human oversight during operation
- Enable operators to understand and monitor system outputs
- Include ability to override, interrupt, or shut down the system
- Ensure outputs are interpretable by the natural persons responsible
Registration and Conformity Provider
- Register the high-risk AI system in the EU database before placing on the market
- Complete the required conformity assessment procedure
- Draw up an EU declaration of conformity
- Affix the CE marking where applicable
- Appoint an authorised representative in the EU if established outside the EU
Step 4: Deployer Obligations for High-Risk Systems
Use in Accordance with Instructions Deployer
- Use the AI system only for its intended purpose as documented by the provider
- Follow the instructions for use provided by the provider
- Do not modify the system in ways that alter its risk profile without re-assessment
Human Oversight and Monitoring Deployer
- Assign human oversight to natural persons with competence, authority, and resources
- Monitor system operation for risks and unexpected outputs
- Inform the provider if you detect a serious incident or malfunctioning
- Suspend or recall the system if it presents unacceptable risk
Transparency to Affected Persons Deployer
- Inform natural persons when they are subject to a high-risk AI system decision
- Provide information on the logic involved and significance of the output where required
- Conduct a Fundamental Rights Impact Assessment (FRIA) for public body deployments
Logging and Record-Keeping Both
- Retain logs generated by the high-risk AI system for a minimum of 6 months
- Make logs available to competent authorities upon request
- Document post-market monitoring findings
Step 5: GPAI Model Obligations
If you provide a General Purpose AI (GPAI) model, additional obligations apply regardless of the downstream use case:
- Prepare and maintain technical documentation
- Make available information for downstream providers integrating your model
- Comply with copyright law and publish a summary of training data
- If the model has systemic risk (above 10^25 FLOPs training threshold): conduct adversarial testing, report serious incidents to the EU AI Office, and implement cybersecurity measures
Key Deadlines
Feb 2025
Prohibited AI practices provisions apply. Organisations must have eliminated any prohibited practices by this date.
Aug 2025
GPAI model obligations and governance provisions apply. Providers of GPAI models must comply with transparency and documentation requirements.
Aug 2026
High-risk AI system obligations under Annex I apply (products covered by existing EU product safety legislation).
Aug 2027
Full application of all high-risk AI system obligations under Annex III. All providers and deployers of high-risk systems must be fully compliant.
Frequently Asked Questions
Who needs to comply with the EU AI Act?
Any organisation that provides or deploys AI on the EU market, or whose AI affects people in the EU, regardless of where it is based. This covers providers, deployers, importers, and distributors, and one organisation can hold several of these roles at once.
What are the key EU AI Act compliance deadlines?
Prohibited practices applied from February 2025, GPAI and governance obligations from August 2025, Annex I high-risk obligations from August 2026, and full high-risk application under Annex III from August 2027. See the deadlines section above.
What is the difference between a provider and a deployer?
A provider builds an AI system or places it on the market; a deployer uses one under its own authority in a professional context. A company that builds and uses its own system is both, and must meet both sets of obligations.
What are the penalties for non-compliance?
Penalties are tiered, up to €35 million or 7% of global annual turnover for prohibited practices, with lower caps for other breaches. Non-compliance is expensive, which is why this checklist prioritises role and risk classification first.
Test your EU AI Act knowledge
Practice AIGP exam questions on EU AI Act risk tiers, obligations, prohibited practices, and GPAI models.
Start Free Practice Quiz →
About the author: Daman David Pant, AIGP is a Principal Consultant at Infosys with 20+ years in IT, focused on AI governance, agentic AI accountability, and responsible AI. He passed the IAPP AIGP exam with a score of 475/500 and built the AIGP Playbook to make exam preparation accessible to everyone.