EU AI Act compliance checklist
- Six steps: inventory, role, classification, controls, documentation, and ongoing review.
- The AI inventory is the backbone; you cannot govern what you have not listed.
- High-risk systems need the full control set plus conformity assessment and registration.
- Compliance is continuous, so build a process that keeps classifications and evidence current.
- Current as of June 2026. This is general information, not legal advice.
1. Build an AI inventory
You cannot govern what you have not listed. Catalogue every AI system you develop, provide, deploy, or embed, including third-party tools and internal automation. For each, record what it does, who owns it, what data it uses, and where it is used. This inventory is the backbone of everything that follows.
2. Determine your role for each system
For every system, decide whether you are the provider, deployer, importer, or distributor. Your obligations flow from this. You may hold different roles for different systems, and a deployer who substantially modifies a high-risk system can become a provider.
3. Classify each system by risk
Map each system to the four tiers: prohibited, high, limited, or minimal. Pay closest attention to the Annex III high-risk categories (such as hiring, credit, and biometrics) and to any prohibited uses, which must stop. Document the reasoning behind each classification.
4. Apply the required controls
For high-risk systems, put in place the core controls: a risk management system, data governance, human oversight, logging, and measures for accuracy, robustness, and cybersecurity. For limited-risk systems, implement the transparency duties, such as disclosing AI interaction and labelling AI-generated content.
5. Produce the documentation and assessment
Prepare the technical documentation and the instructions for deployers. For high-risk systems, also complete the conformity assessment, draw up the EU declaration of conformity, affix CE marking where applicable, and register in the EU database. Deployers may also need a fundamental rights impact assessment.
6. Keep it current
Compliance is not a one-time event. AI systems change, and so do their risk profiles. Establish a process to review classifications, refresh documentation, monitor systems in operation, and capture incidents. When a regulation or a system changes, the affected records should be flagged and reviewed.
Turning the checklist into a system
The checklist is straightforward to state and harder to maintain across a growing estate of AI systems, especially when documentation and evidence are scattered across spreadsheets and folders. The organisations that stay ready treat the checklist as a continuous operating model with a single record per system, so that the inventory, classification, controls, and evidence stay connected and current rather than drifting apart.
Key terms
- AI inventory: The catalogue of every AI system an organisation develops, deploys, or embeds, with ownership and context.
- Classification: Assigning each AI system to one of the Act's four risk tiers based on its purpose and use.
- Controls: The technical and organisational measures that satisfy the Act's requirements for a given system.
- Documentation: The records that evidence compliance, including the technical file and instructions for use.
- Conformity assessment: The formal check that a high-risk system meets the Act before it is placed on the EU market.