A practical step-by-step EU AI Act compliance checklist. Assess your AI systems against scope, risk classification, prohibited practices, GPAI obligations, and high-risk AI requirements. Updated for 2026 omnibus deadlines.
How to assess your EU AI Act compliance: 10 steps
This checklist is designed for legal, compliance, and technology teams conducting an initial AI Act assessment. Work through the steps in sequence — each builds on the previous.
The checklist applies to all organisations that develop, deploy, import, or distribute AI systems in the EU. It covers all risk tiers, from prohibited practice checks through full high-risk conformity.
Step 1 — Build your AI inventory
Start here: without a complete AI inventory, nothing else is possible. Create a register of every AI system your organisation touches:
- AI systems you develop and sell or license (you are the provider)
- AI systems you purchase or license and use internally (you are the deployer)
- AI systems embedded in products you manufacture or import
- AI systems accessed via API from third parties (cloud AI, foundation model APIs)
For each: document the system name, function, data inputs and outputs, use context, decision impact, and affected population. Flag systems where you are uncertain of classification — these need legal review.
Step 2 — Check prohibited practices first
Priority check: are any systems already illegal? Assess each system against Art. 5 before any risk tier classification. If any system:
- Uses subliminal or subconscious manipulation techniques
- Exploits specific group vulnerabilities (children, elderly, disadvantaged)
- Performs social scoring (public bodies only)
- Conducts real-time biometric identification in public spaces (law enforcement)
- Performs emotion recognition in workplace or education contexts
- Categorises individuals by biometric data to infer sensitive characteristics
- Generates NCII or CSAM
→ Decommission or fundamentally redesign immediately. These prohibitions have applied since 2 February 2025.
Step 3 — GPAI model check
If your organisation develops and releases a foundation model or large-scale AI model, GPAI obligations under Chapter 5 apply. Check:
- Is the model trained with self-supervision at significant scale?
- Is it capable of performing a wide range of tasks?
- Is it made available to other developers or users (not purely internal)?
If yes → GPAI provider obligations have applied since 2 August 2025. If training compute exceeds 10²⁵ FLOPs → systemic risk obligations also apply.
Steps 4–10 — High-risk AI compliance programme
For each system not excluded by Step 2 and not covered by Step 3, classify against Annex III and Annex I. Then follow Steps 4–10 as a programme track, targeting the 2 December 2027 deadline for Annex III systems and 2 August 2028 for Annex I embedded systems.
Do not wait until 2027. A realistic compliance programme for one high-risk AI system takes 12–24 months. Begin the gap assessment and QMS design in 2026 to avoid a last-minute crunch — and to avoid the capacity bottleneck at notified bodies as December 2027 approaches.
Cross-regulation mapping
If your organisation is also subject to DORA or NIS2, your AI Act compliance programme can be integrated with existing ICT risk management, incident response, and third-party governance frameworks. See our AI Act vs DORA vs NIS2 convergence guide for dual-mapping templates.
AI Act meets DORA and NIS2
Is your organisation subject to both the AI Act and DORA? The two regulations intersect on the operational resilience of financial AI systems. Our sister site regulation-dora.eu covers DORA in depth.
Frequently Asked Questions
Your AI system is in scope if it is an AI system under Art. 3(1) — a machine-based system that infers outputs such as predictions, recommendations, decisions, or content — and it is placed on the EU market or used in the EU. Purely research models not deployed externally are out of scope.
The first step is AI system inventory: catalogue all AI systems your organisation develops, deploys, imports, or distributes. For each system, document what it does, who the provider is, how it is used, and the affected population. Without a complete inventory, risk classification cannot begin.
For a standalone Annex III high-risk AI system, a realistic compliance programme takes 12–24 months: 3–6 months for gap assessment and QMS design, 6–12 months for technical documentation, data governance, and conformity assessment, and 3–6 months for EU database registration and CE marking. Start no later than early 2026 to meet the December 2027 deadline.