EU AI Act compliance checklist
Updated June 16, 2026 · By Max Langley, AI Audits EU
EU AI Act compliance starts with classification and ends with ongoing monitoring. Classify each AI system by risk tier, confirm whether you are a provider or a deployer, then work through the obligations that attach to that tier. The checklist below covers the high-risk path in full, plus the lighter duties for limited-risk systems and general-purpose AI models.
Step 1: classify and scope
- ✓ Inventory every AI system you provide or deploy.
- ✓ Assign each system a risk tier: prohibited, high-risk, limited-risk, or minimal-risk.
- ✓ Confirm your role for each system: provider, deployer, importer, or distributor.
- ✓ Record the reasoning if you decide an Annex III system is not high-risk.
Step 2: high-risk obligations
If a system is high-risk, you need all of the following in place:
- ✓ A documented risk management system across the system's lifecycle.
- ✓ Data governance: relevant, representative training, validation, and test data.
- ✓ Technical documentation that demonstrates conformity.
- ✓ Automatic logging of events over the system's lifetime.
- ✓ Transparency and clear instructions for use for deployers.
- ✓ Human oversight built into the design.
- ✓ Accuracy, robustness, and cybersecurity appropriate to the use.
- ✓ A quality management system covering the above.
Step 3: place it on the market
- ✓ Complete the conformity assessment, by internal control or a notified body.
- ✓ Draw up the EU declaration of conformity.
- ✓ Affix CE marking.
- ✓ Register the system in the EU database before it goes live.
Step 4: after launch and lighter tiers
Keep documentation current, run post-market monitoring, and report serious incidents. Re-run the conformity assessment after any substantial modification. For limited-risk systems, disclose AI interaction and label deepfakes and synthetic media. For general-purpose AI models, keep technical documentation, publish a training-content summary, and maintain a copyright policy, with extra duties for models that carry systemic risk. AI-literacy duties for staff apply regardless of tier.
What is on an EU AI Act compliance checklist?
Classify your system, confirm your role as provider or deployer, and, if the system is high-risk, set up a risk management system, data governance, technical documentation, logging, transparency, human oversight, and accuracy, robustness, and cybersecurity controls. Then complete a conformity assessment, issue an EU declaration of conformity, affix CE marking, register in the EU database, and run post-market monitoring.
What if my system is not high-risk?
Limited-risk systems still face transparency duties. You must tell people when they are interacting with an AI system, and label AI-generated or manipulated audio, image, video, and text such as deepfakes. Minimal-risk systems carry no specific obligations, though AI-literacy duties for staff apply across the board.
Do general-purpose AI models have their own checklist?
Yes. Providers of general-purpose AI models must keep technical documentation, publish a summary of training content, and put a copyright policy in place. Models judged to carry systemic risk face extra duties around evaluation, incident reporting, and cybersecurity.
How often do I repeat this?
Compliance is continuous. You keep documentation current, monitor the system after launch, and run a fresh conformity assessment after any substantial modification to the system. Treat the checklist as a living programme, not a one-time exercise.
Sources
- Regulation (EU) 2024/1689 (the AI Act), Chapters II to V, EUR-Lex, eur-lex.europa.eu.
- European Commission, Regulatory framework on artificial intelligence, digital-strategy.ec.europa.eu.
This checklist is general information, not legal advice. Confirm your obligations with qualified counsel.