AI Compliance Guide — Updated April 2026

AI Compliance Checklist 2026

Is Your Business Ready for the EU AI Act?

The EU AI Act is in force. Prohibited practices apply now. High Risk AI obligations apply from August 2026. Use this checklist to understand exactly what you need to do, in what order, based on your AI systems' risk classification.

7 compliance phases
40+ checklist items
Covers Minimal, Limited, and High Risk

Quick Answer: Is your business ready?

Most businesses using AI for internal productivity, marketing, or customer service (chatbots, recommendation engines, spam filters) are Minimal or Limited Risk. They need transparency disclosures but no conformity assessment. Businesses using AI in hiring, lending, healthcare, education, or law enforcement must treat their systems as High Risk — requiring full Annex IV documentation and conformity assessment before August 2026 deployment.

The 7-Phase AI Compliance Checklist

Work through each phase in order. Phases 1–2 apply to all AI systems. Phases 3–6 depend on your risk classification.

Phase 1

AI System Inventory

Do first — takes 1–2 days
  • List every AI system your organisation uses or develops
  • Document the purpose, data inputs, and outputs of each system
  • Identify the AI supplier or developer for third-party tools
  • Determine whether you are a Provider (developer) or Deployer (user) under the EU AI Act
  • Flag any AI systems used in safety-critical, biometric, healthcare, finance, or employment contexts

Phase 2

Risk Classification

Complete within 1 week
  • Check Article 5: does any system engage in prohibited practices (social scoring, subliminal manipulation, real-time biometric surveillance)?
  • Check Annex III: does any system fall in the eight High Risk categories (healthcare, employment, credit, education, law enforcement, border control, critical infrastructure, justice)?
  • Check for Limited Risk: do any systems interact with users in a way that requires transparency disclosures (chatbots, generative AI, emotion recognition)?
  • Document the risk classification for each AI system with reasoning
  • Re-classify any system where use has expanded since initial deployment

Phase 3

Transparency Obligations (Limited Risk)

Required from 2 February 2025
  • Disclose to users when they are interacting with a chatbot or AI system — "Powered by AI" or similar
  • Label AI-generated content, images, audio, and video (deepfakes) as synthetic
  • Ensure generative AI outputs that could be mistaken for real events include clear watermarking or labelling
  • Allow users to opt out of AI interaction where a human alternative exists

Phase 4

High-Risk AI — Technical Documentation (Annex IV)

Required before EU deployment
  • Document the general description: intended purpose, version history, and overview of AI logic
  • Document training data: sources, selection criteria, data governance measures, and known limitations
  • Document the algorithmic logic: model architecture, design choices, and performance optimisation
  • Document risk management system: identified risks, risk mitigation measures, and residual risks
  • Document accuracy, robustness, and cybersecurity measures, with supporting metrics
  • Prepare instructions for use: intended users, intended purpose, and known misuse scenarios
  • Document human oversight mechanisms: how operators can monitor, intervene, and override the system
  • Create and maintain a post-market monitoring plan

Phase 5

Quality Management System

Required for High Risk Providers
  • Implement a Quality Management System (QMS) covering your AI development lifecycle
  • Define a strategy for regulatory compliance including planned updates and monitoring
  • Establish data governance and management practices per Article 10
  • Implement logging capabilities to enable audit of system events at appropriate granularity
  • Put in place corrective action and incident response processes

Phase 6

Conformity Assessment and Registration

Before deploying High Risk systems in EU
  • Choose conformity assessment route: self-assessment (most systems) or Notified Body (biometrics, critical infrastructure)
  • Complete the conformity assessment and prepare the Declaration of Conformity
  • Affix the CE marking to the AI system and its documentation
  • Register the system in the EU database for high-risk AI systems at ec.europa.eu/AI-database
  • For General Purpose AI (GPAI) models: conduct adversarial testing and provide model documentation to downstream providers

Phase 7

Ongoing Obligations

Continuous — review quarterly
  • Monitor post-market performance and log incidents involving the AI system
  • Report serious incidents and near-misses to the relevant market surveillance authority within 15 business days
  • Update technical documentation and Declaration of Conformity for any material system change
  • Train all staff interacting with High Risk AI systems on their obligations and oversight procedures
  • Conduct an annual internal AI Act compliance review
  • Monitor EU AI Office guidance and delegated acts for updates to the Annex III definitions

EU AI Act Enforcement Timeline

Date        | What applies                                                                                              | Risk level
2 Feb 2025  | Prohibited AI practices (Article 5) — social scoring, subliminal manipulation, most real-time biometrics   | Prohibited
2 Aug 2025  | GPAI model obligations — technical documentation, copyright compliance, training data summaries           | GPAI
2 Aug 2025  | Transparency obligations — chatbot disclosure, AI-content labelling                                       | Limited Risk
2 Aug 2026  | Full High Risk AI obligations — all new systems placed on the EU market                                   | High Risk
2 Aug 2027  | High Risk AI obligations extended to systems already on the market before Aug 2024                        | High Risk (legacy)
2 Aug 2030  | High Risk AI in safety components of products (e.g. medical devices) if they were already on the market   | High Risk (legacy products)

AI Compliance FAQ

When does the EU AI Act apply to my business?

Prohibited AI practices (Article 5) applied from 2 February 2025. Transparency obligations for Limited Risk AI apply from 2 August 2025. High Risk AI obligations for systems already on the market before August 2024 apply from 2 August 2027. New High Risk systems placed on the market from 2 August 2026 must comply from that date. GPAI model obligations apply from 2 August 2025.

Does the EU AI Act apply to UK businesses after Brexit?

The EU AI Act applies to any AI system placed on the EU market or put into service in the EU, regardless of where the provider or deployer is based. If you sell to or deploy AI for EU customers, the Act applies to you. The UK has its own AI regulation framework (AI Principles + sector-specific rules) but it is separate from the EU Act.

What is a GPAI model and what obligations apply?

General Purpose AI (GPAI) models are large AI models trained on broad data that can be adapted for many tasks — including foundation models and large language models like GPT-4 and Claude. GPAI model providers must produce technical documentation, comply with EU copyright law, and publish training data summaries. Systemic-risk GPAI models (>10^25 FLOPs) face additional obligations including adversarial testing.

Can I use an AI vendor's compliance documentation for my own compliance?

Partially. If your vendor provides an AI system and you deploy it, you are a Deployer and can rely on the vendor's technical documentation. But as a Deployer you still have obligations: you must use the system within its intended purpose, implement human oversight, monitor performance, and not materially modify the system in a way that changes its risk classification.

What is the penalty for non-compliance with the EU AI Act?

Fines are tiered: prohibited AI practices — up to €35 million or 7% of global annual turnover; High Risk AI non-compliance — up to €15 million or 3% of global turnover; providing incorrect information to authorities — up to €7.5 million or 1.5% of global turnover. SMEs and startups face lower caps. These are maximum penalties; authorities will consider proportionality.

Run Your AI Compliance Assessment

GeraCompliance classifies your AI systems, generates your Annex IV technical documentation, and gives you a prioritised compliance roadmap. Takes 20 minutes.