EU AI Act Compliance Checklist: 12 Steps

A practical, step-by-step checklist for providers and deployers of high-risk AI systems. Use this to verify your compliance status before the August 2026 deadline.

Updated: March 2026

This checklist covers all major obligations for high-risk AI systems under the EU AI Act. Tick off each item to track your compliance progress before the August 2026 deadline.

Step 1: Classify Your AI System

Before anything else, determine whether your AI system falls under the EU AI Act and at which risk level.

  • Check against the Annex III categories for high-risk classification
  • Check against Art. 5 prohibited practices (social scoring, subliminal manipulation, etc.)
  • Determine if your system qualifies as limited risk (chatbots, deepfakes → transparency obligations only)

Step 2: Determine Your Role

Your obligations depend on whether you are a provider or deployer:

  • Provider (Art. 16): You develop or place the AI system on the market → full compliance obligations
  • Deployer (Art. 26): You use an AI system within your organisation → usage-related obligations + FRIA
  • Importer/Distributor: Additional supply chain obligations

Step 3: Risk Management System

Art. 9 requires providers to establish and maintain a continuous risk management system:

  • Identify and analyse known and foreseeable risks
  • Estimate and evaluate risks from intended use and reasonably foreseeable misuse
  • Adopt risk mitigation measures
  • Test the system to ensure residual risks are acceptable
  • Document the entire risk management process

Step 4: Data Governance

Art. 10 imposes requirements on training, validation, and testing data:

  • Data must be relevant, representative, and as free of errors as possible
  • Appropriate statistical properties for the intended purpose
  • Bias examination and mitigation, especially for special categories of personal data
  • Document data sources, collection methodology, and preprocessing

Step 5: Technical Documentation

Art. 11 + Annex IV require comprehensive technical documentation covering:

  • General system description (intended purpose, developer, version)
  • Detailed description of elements and development process
  • Information on monitoring, functioning, and control
  • Risk management system description
  • Changes throughout the system lifecycle
  • Performance metrics and testing results
  • Cybersecurity measures

Step 6: Record-Keeping (Logging)

Art. 12 requires automatic logging of events during operation:

  • Logs must enable traceability of the AI system's functioning
  • Logs must be retained for an appropriate period
  • Deployers must keep logs at their disposal for at least 6 months (Art. 26(6))

Step 7: Transparency Information

Art. 13 requires that users understand the system:

  • Instructions for use must accompany the system
  • Include: intended purpose, level of accuracy, known limitations
  • Include: human oversight measures, maintenance requirements
  • The Transparency Notice formalises this obligation

Step 8: Human Oversight

Art. 14 requires measures enabling human oversight:

  • Design the system so it can be effectively overseen by natural persons
  • Enable the operator to understand the system's capabilities and limitations
  • Enable the operator to correctly interpret outputs
  • Enable the operator to decide not to use the system or override/reverse outputs
  • Enable the operator to interrupt the system ("stop button")

Step 9: Fundamental Rights Impact Assessment (FRIA)

Art. 27 requires deployers of high-risk AI to conduct a FRIA:

  • Identify categories of affected natural persons
  • Assess impact on fundamental rights (non-discrimination, privacy, etc.)
  • Describe risk mitigation measures
  • Define human oversight and complaint mechanisms
  • Complete before first deployment

Step 10: Conformity Assessment

Art. 43 requires a conformity assessment before placing the system on the market:

  • Most high-risk systems: Internal conformity assessment (self-assessment based on Annex VI)
  • Biometric identification systems: Third-party conformity assessment by a notified body
  • Result: CE marking and EU Declaration of Conformity

Step 11: EU Database Registration

Art. 49 requires registration in the EU AI database before the system is placed on the market:

  • Providers register their high-risk AI systems
  • Deployers register their use of high-risk AI systems (for public-sector use)
  • Information must be kept up to date

Step 12: Ongoing Monitoring and AI Literacy

Compliance is not a one-time event:

  • Post-market monitoring (Art. 72): Establish a system proportionate to the nature of the AI technology
  • Serious incident reporting (Art. 73): Report to authorities without undue delay
  • AI literacy (Art. 4): Ensure staff involved with AI systems have sufficient knowledge
  • Review and update documentation when significant changes are made

Penalty Reference

Non-compliance carries significant penalties: up to €15 million or 3% of global annual turnover for high-risk violations, and up to €35 million or 7% for prohibited practices. Starting documented compliance now demonstrates good faith under Art. 99(7).
