EU AI Act Compliance Checklist for 2026

AI Comply HQ Team · 17 min read

The EU AI Act is no longer on the horizon. It is law, the first obligations already apply, and the clock is running. The next major deadline, the one that switches on the high-risk rules, lands on August 2, 2026, and if you develop, deploy, or distribute AI systems anywhere in the European Union, you need a compliance roadmap before then. Not a vague intention to sort it out later. An actual plan. Waiting is not a strategy here. It is a liability with a price tag attached.

We wrote this checklist to do one thing: turn the full text of Regulation (EU) 2024/1689 into a plan you can actually work through. Startup shipping a single machine-learning model, or an enterprise juggling dozens of AI-powered products, it does not matter. You will know exactly what to do, in what order, and by when.

Understanding the EU AI Act Risk Tiers

Everything in the Act flows from one idea: risk. The EU built a risk-based regulatory framework, which is a tidy way of saying the rules scale up with the danger. Every obligation you face, from documentation to conformity assessment, hangs on where your AI system lands in the four-tier risk classification. Get the tier right and the rest of this guide falls into place. Get it wrong and you are either over-engineering paperwork you never needed or, far worse, missing duties that carry real penalties.

Prohibited Practices (Unacceptable Risk)

Some AI uses are simply off the table. Article 5 of the EU AI Act bans them outright, no licence, no exemption, no clever workaround. Here is the list:

  • Social scoring: evaluating or classifying people on their social behaviour or personal characteristics where the score leads to detrimental or unfavourable treatment in unrelated contexts, or treatment that is unjustified or disproportionate (the final text is not limited to public authorities)
  • Real-time remote biometric identification in publicly accessible spaces for law enforcement (with narrow exceptions that require prior authorisation)
  • Subliminal, manipulative or deceptive techniques that materially distort behaviour and cause or are reasonably likely to cause significant harm
  • Exploitation of vulnerabilities of specific groups (age, disability, social or economic situation) that materially distorts behaviour and causes or is reasonably likely to cause significant harm
  • Untargeted scraping of facial images from the internet or CCTV to build facial recognition databases
  • Emotion recognition in workplaces and educational institutions (except for medical or safety reasons)
  • Biometric categorisation systems that infer sensitive attributes such as race, political opinions, trade union membership, religious beliefs, sex life or sexual orientation
  • Predictive policing based solely on profiling or on assessing personality traits

Land in any of these categories and there is no compliance path to walk. There is no documentation that makes a banned practice acceptable. The system had to be discontinued before February 2, 2025, the first prohibition deadline, which is already behind us. If you are still running one, you are already exposed.

High-Risk AI Systems

This is the tier where most of the real compliance work lives. Article 6 and Annex III mark out the AI systems that can do serious damage to health, safety, or fundamental rights. Think of it as anything making decisions that change the course of someone's life. It covers AI used in:

  • Critical infrastructure (energy, transport, water supply, digital infrastructure)
  • Education and vocational training (determining access, assessing students, proctoring)
  • Employment and worker management (recruitment, task allocation, performance monitoring, termination decisions)
  • Essential services (credit scoring, insurance pricing, emergency service dispatch)
  • Law enforcement (evidence evaluation, recidivism prediction, profiling)
  • Migration and border control (risk assessment, document authentication)
  • Justice and democratic processes (tools that assist a judicial authority in researching and interpreting facts and law, and systems intended to influence the outcome of an election or referendum or people's voting behaviour)
  • Biometric identification and categorisation (remote biometric systems)

If your system sits here, brace yourself. High-risk systems carry the heaviest compliance load by a wide margin: risk management, data governance, technical documentation, human oversight, accuracy requirements, and mandatory registration in the EU database. Steps 4 through 11 below exist almost entirely for you.

Limited Risk (Transparency Obligations)

Maybe your system talks to people but never makes a high-stakes call. You are not off the hook, you just have a lighter one. Article 50 still asks for transparency, and the theme is honesty: people deserve to know when they are dealing with a machine. That covers:

  • Chatbots and virtual assistants: users must be informed they are interacting with an AI
  • Deepfakes and AI-generated content: must be clearly labelled as artificially generated or manipulated
  • Emotion recognition systems: individuals must be informed when such a system is being applied to them
  • Biometric categorisation: individuals must be notified of the system's operation

Minimal Risk

Everything else lands here, and honestly, this is most AI in the wild. Spam filters, AI-powered video games, inventory management tools: none of it triggers the high-risk or transparency obligations. Two things still apply across the board: the AI literacy duty in Article 4, which asks providers and deployers to make sure the people operating their AI systems have a sufficient level of understanding, and whatever other law already governs the use case (data protection in particular). Beyond that, the EU nudges you toward voluntary codes of conduct (Article 95), and we think that is worth doing, but nobody is going to fine you for skipping them.

Your Complete Compliance Checklist

Here is the whole programme in twelve steps. Work them in order, because each one leans on the last. Skip ahead and you will end up redoing work, so resist the urge.

1. Inventory All AI Systems

You cannot manage what you have not mapped. So before anything else, audit every AI system your organisation develops, deploys, imports, or distributes. And we mean every one, including the ones nobody thinks to mention:

  • Internally developed models and algorithms
  • Third-party AI components embedded in your products
  • AI-powered SaaS tools used by your employees
  • Automated decision-making systems, including mostly rule-based pipelines that have a machine-learning component somewhere inside them

For each system, write down the business owner, the technical team responsible, the data sources it pulls from, and the populations it affects. Tedious? A little. But this inventory is the bedrock everything else is built on, and a shaky foundation cracks the whole programme.

2. Classify the Risk Tier for Each System

Inventory done, now hold each system up against the risk tiers we covered above. This is the single most consequential call you will make in the whole programme, because it sets every obligation that follows. Everything downstream is just acting on this one decision.

Start with Article 5 prohibitions. Clear of those? Then weigh the system against the Annex III high-risk categories and the conditions in Article 6(2). Watch closely for AI systems that act as safety components of products already covered by EU harmonised legislation (Article 6(1)), because those slip past people constantly.

Decide a system is clearly minimal risk and you still owe yourself a paper trail: write down the determination and the reasoning behind it. In one case that record is not optional: if a system falls under an Annex III use case but you conclude it does not pose a significant risk to health, safety or fundamental rights (the Article 6(3) carve-out), Article 6(4) requires you to document that assessment before the system goes on the market, and Article 49(2) still requires you to register the system in the EU database. Regulators want to see that you did the analysis, not just that you happened to land on the right answer.

3. Check for Prohibited Practices

There is no room for "probably fine" here. Check every AI system against the eight categories of prohibited practices in Article 5. The moment a system touches social scoring, subliminal manipulation, exploitation of vulnerable groups, untargeted biometric scraping, emotion recognition in restricted contexts, biometric categorisation on sensitive attributes, or predictive policing, it has to be decommissioned or rebuilt from the ground up. No middle ground.

Write up your analysis for each system. And if one sits anywhere near a prohibition boundary, stop and get legal counsel before you go any further. This is not the place to guess.

4. Document Intended Purpose and Technical Specifications

Now we are into high-risk territory, and the documentation bar is high. Article 11 and Annex IV set out the technical documentation, and Article 13 adds the instructions for use you must hand to deployers. Together they want a full written record of every high-risk AI system. At a bare minimum, that means documenting:

  • The intended purpose: what the system is designed to do, and just as importantly, what it is not designed to do
  • Technical architecture: model type, training methodology, key hyperparameters
  • Data specifications: training data sources, data preparation methods, data quality measures
  • Performance metrics: accuracy, precision, recall, fairness metrics, and the conditions under which they were measured
  • Known limitations: scenarios where the system underperforms, edge cases, known biases

None of this is optional, and it is not a write-once-and-forget job either. You keep it current for as long as the system is alive.

5. Implement a Risk Management System (High-Risk)

Risk management under the Act is not a document you file once. Article 9 mandates a continuous, looping risk management process for high-risk AI systems, one that keeps running as long as the system does. Concretely, it must:

  • Identify and analyse known and reasonably foreseeable risks
  • Estimate and evaluate risks that may emerge when the system is used in accordance with its intended purpose and under conditions of reasonably foreseeable misuse
  • Adopt risk mitigation measures: design choices, testing protocols, operational constraints
  • Test the system to ensure measures are effective, including under real-world conditions where feasible

We will say it again because teams forget: this is not a one-time exercise. The risk management system must be updated throughout the AI system's entire lifecycle, from development through deployment and operation. Ship the model and the work continues.

6. Ensure Data Governance and Quality

Your model is only as trustworthy as the data behind it, and Article 10 takes that seriously. It sets strict requirements for the data you use to train, validate, and test high-risk AI systems. You must:

  • Implement data governance practices covering data collection, annotation, storage, and preprocessing
  • Ensure training, validation, and testing datasets are relevant, sufficiently representative, and as free of errors as possible
  • Account for the specific geographic, contextual, behavioural, or functional setting in which the system will be used
  • Address potential biases that may affect the health and safety of persons or lead to discrimination

Why sweat the data this much? Because data problems do not stay put. They compound through the pipeline. Sloppy training data breeds an unreliable system, and an unreliable system breeds non-compliance. Fix it at the source or fight it everywhere.

7. Maintain Technical Documentation

Annex IV spells out, in detail, what the technical documentation for a high-risk system has to contain. It is a long list, so here is the shape of it:

  • A general description of the AI system
  • Detailed description of elements and the development process
  • Information about monitoring, functioning, and control
  • A description of the risk management system
  • A description of changes made throughout the lifecycle
  • Performance metrics and testing results
  • Detailed description of the system's accuracy, robustness, and cybersecurity measures

Timing matters here. This documentation must be drawn up before the AI system is placed on the market or put into service, not scrambled together after a regulator asks. And like everything else, you keep it up to date throughout the system's lifetime.

8. Set Up Human Oversight Mechanisms

The Act will not let a high-risk system run entirely on its own. Article 14 requires these systems to be built so real people can effectively oversee them. A human has to stay in the loop, and in practice that means:

  • The system must have a human-machine interface that enables oversight
  • Overseers must be able to fully understand the system's capabilities and limitations
  • Overseers must be able to correctly interpret the system's outputs
  • Overseers must be able to decide not to use the system, override its output, or reverse its decisions
  • Overseers must be able to intervene or interrupt the system with a "stop" button or similar procedure

How much oversight is enough? It scales with the stakes. The riskier the system and the context it runs in, the more oversight you owe.

9. Ensure Accuracy, Robustness, and Cybersecurity

Article 15 sets the bar for how well the system has to perform and how hard it has to be to break. High-risk AI systems must reach an appropriate level of accuracy, robustness, and cybersecurity. In practice:

  • Accuracy levels must be declared and communicated to deployers
  • Systems must be resilient to errors, faults, and inconsistencies that may occur in their operating environment
  • Cybersecurity measures must be appropriate to the risks and protect against attempts by third parties to alter the system's use, outputs or performance by exploiting its vulnerabilities. Article 15(5) names the AI-specific attacks you are expected to address: data poisoning (tampering with the training set), model poisoning (tampering with pre-trained components used in training), adversarial examples or model evasion (inputs crafted to make the model err), and confidentiality attacks (extracting training data or model parameters)

And this is not only a job for your engineers. You must be able to prove and document these properties to regulators, on paper, when they ask.
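One concrete, documentable control against the data poisoning risk named in Article 15(5) is to hash every approved training shard into a manifest, sign the manifest, and refuse to train until the dataset on disk matches it. The script below is an added illustration written for this article, not code from the Act or from AI Comply HQ; the HMAC key handling, the directory layout and the sample CSV shards are constructed for the example. It catches unauthorised changes to an approved dataset (modified, missing or added files, and a rewritten manifest); it cannot tell you whether the approved data was already biased or poisoned, which is what the Article 10 data governance work is for.

```python
"""Signed training-data manifest: detects tampering with an approved dataset.

Illustrative control for the Article 15(5) 'data poisoning' risk. Everything
here (key handling, paths, sample shards) is constructed for the example.
"""
import hashlib
import hmac
import json
import secrets
import tempfile
from pathlib import Path

HASH_ALG = "sha256"


def file_digest(path: Path) -> str:
    """Stream a file through SHA-256 so large shards do not need to fit in memory."""
    h = hashlib.new(HASH_ALG)
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every file under root (relative POSIX path) to its digest."""
    files = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            files[p.relative_to(root).as_posix()] = file_digest(p)
    return {"hash_alg": HASH_ALG, "files": files}


def canonical(manifest: dict) -> bytes:
    """Deterministic JSON so the signature does not depend on key order or whitespace."""
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def sign_manifest(manifest: dict, key: bytes) -> str:
    # Assumption: the key lives in a KMS/HSM, not on the training host, so an
    # attacker who can rewrite the data cannot also re-sign the manifest.
    return hmac.new(key, canonical(manifest), hashlib.sha256).hexdigest()


def verify_dataset(root: Path, manifest: dict, signature: str, key: bytes) -> list[str]:
    """Return findings; an empty list means the dataset matches the approved manifest."""
    if not hmac.compare_digest(sign_manifest(manifest, key), signature):
        # Do not compare file hashes against a manifest we cannot trust.
        return ["manifest signature invalid: refuse to trust the manifest itself"]
    current = build_manifest(root)["files"]
    approved = manifest["files"]
    findings = [f"missing: {n}" for n in sorted(set(approved) - set(current))]
    findings += [f"unexpected: {n}" for n in sorted(set(current) - set(approved))]
    findings += [f"modified: {n}" for n in sorted(set(approved) & set(current))
                 if not hmac.compare_digest(approved[n], current[n])]
    return findings


def demo() -> dict:
    """Approve a constructed two-shard dataset, then simulate three tampering cases."""
    key = secrets.token_bytes(32)
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "train").mkdir()
        (root / "train" / "part-000.csv").write_text("id,label\n1,approve\n2,deny\n")
        (root / "train" / "part-001.csv").write_text("id,label\n3,approve\n")
        manifest = build_manifest(root)
        sig = sign_manifest(manifest, key)
        clean = verify_dataset(root, manifest, sig, key)

        # Poisoning attempt: flip a label, drop a shard, smuggle in a new one.
        (root / "train" / "part-000.csv").write_text("id,label\n1,approve\n2,approve\n")
        (root / "train" / "part-001.csv").unlink()
        (root / "train" / "part-999.csv").write_text("id,label\n4,approve\n")
        tampered = verify_dataset(root, manifest, sig, key)

        # Attacker also regenerates the manifest to match the poisoned data,
        # but cannot produce a valid signature without the key.
        forged = build_manifest(root)
        forged_check = verify_dataset(root, forged, sig, key)
    return {"clean": clean, "tampered": tampered, "forged_manifest": forged_check}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result or 'OK'}")
```

Run the verification as a gate in the training pipeline and keep the signed manifest with the Annex IV documentation: it is direct evidence of the "detect" half of the Article 15(5) wording, and the findings list is what you would attach to an incident record if the gate ever fails.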

10. Register in the EU Database (High-Risk)

Compliance is not entirely a private affair. Article 49 requires providers of high-risk AI systems listed in Annex III to register themselves and their systems in the EU database (established under Article 71) before placing them on the market or putting them into service; deployers that are public authorities must register their use as well. Annex VIII lists what goes in, including:

  • The provider's name, address and contact details (and those of any authorised representative)
  • The system's trade name and a description of its intended purpose, components and functions
  • A basic description of the information the system uses (its data and inputs) and of its operating logic
  • The system's status (on the market, no longer on the market, or recalled)
  • The EU declaration of conformity and, where a notified body was involved, the certificate details
  • The member states where the system is placed on the market
  • Electronic instructions for use (not required for law enforcement, migration and border-control systems)

Worth sitting with for a second: the EU database is public (Article 71(4)), with one carve-out. Systems in the law enforcement, migration, asylum and border-control areas of Annex III go into a secure, non-public section that only the Commission and the relevant national authorities can read. For everyone else, your registration is visible to regulators, auditors, journalists, and anyone else who cares to look. Treat what you submit as a public statement, because it is.

11. Conduct Conformity Assessment

This is the final gate before launch. Before a high-risk AI system goes to market, providers must run a conformity assessment (Article 43). The route you take depends on the system category:

  • Most Annex III high-risk systems (points 2 to 8) use the internal-control procedure in Annex VI; no notified body is involved
  • Biometric systems under Annex III point 1 need the third-party procedure in Annex VII, with a notified body, unless you have fully applied the relevant harmonised standards or common specifications, in which case you may choose Annex VI
  • Systems that are safety components of products covered by the Annex I harmonised legislation follow the conformity assessment procedure of that legislation, with the AI Act requirements folded in

Whichever route applies, the assessment has to prove your system meets every applicable requirement in Chapter III, Section 2 of the Act. This is where steps 4 through 10 pay off: do them well and this gate is yours to pass.

12. Implement Transparency Requirements

Do not skip this one just because you dodged the high-risk tier. Article 50 applies to plenty of ordinary systems, and it asks you to be upfront:

  • AI interaction disclosure: Inform users when they are interacting with an AI system (chatbots, virtual assistants)
  • Content labelling: AI-generated text, images, audio, or video must be labelled as artificially generated in a machine-readable format
  • Deepfake disclosure: Synthetic content depicting real persons or events must be clearly disclosed
  • Emotion recognition notification: Inform individuals when emotion recognition is applied to them

Here is why this step is not an afterthought: Article 50 applies regardless of risk tier, so a chatbot that is nowhere near Annex III still owes it, and it bites on the same date as the high-risk rules, August 2, 2026. Low-risk does not mean no obligations.

Key Deadlines You Cannot Miss

The Act did not switch on all at once. It entered into force on August 1, 2024, and the obligations arrive in waves on a staggered timeline. Here is the calendar you need taped to the wall:

Deadline            Obligation
February 2, 2025    Prohibited AI practices must cease; the AI literacy duty (Article 4) applies
August 2, 2025      Obligations for GPAI models take effect; governance structures and most penalty provisions in place
August 2, 2026      Annex III high-risk obligations and Article 50 transparency rules apply; the bulk of the Act is enforceable
August 2, 2027      Obligations for high-risk AI systems that are safety components of products under Annex I legislation

For most organisations, August 2, 2026 is the one that matters. By that date, every high-risk requirement has to be fully in place: risk management, data governance, technical documentation, human oversight, accuracy, robustness, cybersecurity, EU database registration, and conformity assessment. All of it, not most of it.

Penalties for Non-Compliance

The penalties are not symbolic, and they scale with how badly you have crossed the line. Here is what non-compliance can cost:

  • Prohibited practices: Fines up to 35 million EUR or 7% of annual worldwide turnover, whichever is higher
  • High-risk system violations: Fines up to 15 million EUR or 3% of annual worldwide turnover
  • Incorrect, incomplete or misleading information to authorities: Fines up to 7.5 million EUR or 1% of annual worldwide turnover

SMEs and startups get some relief: for them each cap is whichever of the two figures is lower, not higher. Do not exhale too soon, though. Even the capped figures are large enough to put a small company out of business.

And the money is only part of it. Non-compliance also brings reputational damage, possible loss of market access, and injunctive relief that can force you to switch off a non-compliant AI system entirely. A regulator who tells you to stop shipping is a far bigger problem than a fine.

Assess Your Compliance Today

Reading a checklist is the easy part. Doing the work is where most teams stall, and we get it. Twelve steps, dozens of citations, fines hanging over the whole thing.

So we built AI Comply HQ to carry the load for you. It runs this entire compliance workflow as a guided interview that walks you through every checklist item above: risk classification, prohibited-practice screening, documentation requirements, transparency obligations. No regulatory law degree required. At the end, you get an audit-ready compliance report, the kind you would actually want to hand a regulator.

Here is how it goes:

  1. Start a compliance interview. Answer plain-language questions about your AI system (no legal expertise required)
  2. Get your risk classification. Our system maps your answers to the EU AI Act risk tiers automatically
  3. Receive your compliance report. A structured document covering every applicable requirement, with specific action items for any gaps
  4. Track your progress. Monitor compliance status across all your AI systems from a single dashboard

Worried it is a slog? It is not. The interview runs 11 sections and around 70 questions for a single AI system, but the interviewer adapts as you go and skips whatever does not apply to you. In practice, most people answer well under the full 70.

Start your free 7-day trial and complete your first compliance assessment.

The August 2, 2026 deadline is the one written into the Regulation as it stands, and it is close. Every day you wait is a day closer to enforcement with nothing to show for it. Start today, while you still have room to do it properly.

Update: Where the Digital Omnibus Stands (June 12, 2026)

A quick note before you act on any date in this article. The Digital Omnibus is a simplification package the European Commission proposed on November 19, 2025. It would amend several EU digital laws at once, and for the AI Act it proposes two big changes: the high-risk obligations would apply later (December 2, 2027 for the stand-alone high-risk systems listed in Annex III, and August 2, 2028 for high-risk AI embedded in regulated products), and a number of requirements would be simplified along the way.

Here is the part that matters: none of this is law yet. The European Parliament and the Council reached a provisional agreement on May 7, 2026, and formal adoption is expected, but until the final text is adopted and published, nothing changes. The dates and obligations described in this article are the ones in force today. And the rules that already apply, like the prohibited practices and the AI literacy duty, stay exactly where they are no matter what happens to the Omnibus.

We are watching this closely. The moment the Omnibus is adopted, amended, or rejected, we will update this article to reflect the new EU AI compliance dates. Check back, or run the free 90-second risk check to see your obligations under the rules as they stand right now.

Ready to assess your EU AI Act compliance?

Start a guided compliance interview, get your AI system's risk classification, and generate an audit-ready report.

Start Your Free 7-Day Trial

Not ready to sign up? Take the free 90-second risk check →