EU AI Act Compliance Checklist

Why you need a compliance checklist

The EU AI Act is one of the world's most comprehensive AI regulations, with fines up to €35 million (or 7% of global annual revenue) for non-compliance. The general applicability date is August 2, 2026 — less than 18 months away for high-risk systems.

The regulation touches on classification, risk management, data governance, technical documentation, conformity assessment, monitoring, and post-market surveillance. Missing even one requirement can trigger regulatory action. A compliance checklist ensures nothing falls through the cracks.

This guide breaks down all requirements into actionable checklists, so you can track progress, assign ownership, and prioritize work. Use it alongside our classification tool and documentation generator for a complete compliance solution.

Pre-compliance checklist

Before diving into specific requirements, complete these foundational steps:

☐ Classify your AI system

Use our free classification tool or consult a compliance expert to determine: (1) Is your system high-risk under Annex III? (2) What is your role—provider, importer, distributor, or deployer? (3) Which articles apply to your system? Classification drives all downstream compliance work, so accuracy is critical.

☐ Identify your organization's role

Are you a provider (developing/placing systems on the market), importer (importing systems into the EU), distributor (reselling without modification), or deployer (using the system)? Your role determines which obligations apply. Many large tech companies play multiple roles simultaneously.

☐ Appoint an EU representative (if required)

Non-EU providers must appoint an EU-based authorized representative. Select a trustworthy legal entity and document the representation agreement. The representative must have access to all technical documentation and be available to authorities.

☐ Establish a compliance timeline and ownership

Create a project plan with clear deadlines for each requirement (risk management system, documentation, notified body review, Declaration of Conformity, CE marking). Assign ownership to specific teams (engineering, legal, compliance, quality assurance) and set milestone reviews.

High-risk AI checklist: Core compliance requirements

If your system is high-risk under Annex III, you must meet all of these requirements by August 2, 2026. Check each off as you progress:

Article 9: Risk Management System

□ Establish a risk management system that identifies, analyzes, and evaluates risks throughout the system lifecycle. □ Document risk assessment methodology (how you identify and measure risks). □ Implement risk mitigation measures for identified risks. □ Create risk management documentation (risk register, mitigation plans, residual risk assessment). □ Establish monitoring procedures to detect new or evolving risks. □ Have risk management reviewed by qualified personnel or external experts.

Article 10: Data Governance

□ Document training data (size, origin, characteristics, preprocessing, labeling methodology). □ Establish data quality standards and data governance policies. □ Implement procedures to prevent data drift and maintain data quality over time. □ Document validation and testing data (selection criteria, representativeness, limitations). □ Track data provenance and legal basis for data use (consent, contract, legitimate interest, etc.). □ Establish data retention and deletion policies. □ Monitor for bias and discrimination in training data across demographic groups.

Article 11 + Annex IV: Technical Documentation

□ Document system purpose and intended use. □ Document development process and methodology (architecture, algorithms, design choices). □ Compile comprehensive training data information. □ Document testing and validation results (performance metrics, test methodology, results across groups). □ Detail known limitations and failure modes. □ Document risk management and mitigation. □ Describe data governance practices. □ Explain human oversight mechanisms. □ Outline post-market monitoring procedures. □ Compile documentation in durable medium (PDF, DOCX) and make available to authorities.

Article 14: Human Oversight

□ Design the system to enable meaningful human oversight (outputs easily reviewable, decision paths interpretable). □ Train human operators on system capabilities and limitations. □ Establish procedures for human review of AI outputs (sampling, high-risk decisions, appeals). □ Create mechanisms for humans to override decisions and document overrides. □ Document human oversight procedures in Annex IV technical documentation. □ Monitor human operator effectiveness (are they actually reviewing? Do they understand the system?). □ Establish escalation procedures for decisions requiring senior review.

Article 17: Quality Management System

□ Establish a quality management system (QMS) covering the entire AI system lifecycle. □ Document quality procedures (testing, validation, release criteria). □ Implement change management (how updates are tested, approved, deployed). □ Define roles and responsibilities within the QMS. □ Create quality documentation (test plans, change logs, quality records). □ Establish procedures for non-conforming items (what happens if quality standards aren't met). □ Monitor and measure quality (metrics, KPIs, audit results). □ Conduct regular management review of the QMS.

Documentation checklist

By August 2, 2026, you must have all of these documents prepared:

Annex IV Technical Documentation

A comprehensive document covering all nine sections required by Annex IV: system purpose, development, training data, testing, limitations, risks, data governance, human oversight, and post-market monitoring. This is typically 20–100+ pages depending on system complexity.

Declaration of Conformity

A formal statement signed by an authorized representative confirming that your high-risk AI system complies with all applicable EU AI Act requirements. This document is required before placing the system on the market.

Risk Management Documentation

Detailed risk assessments covering identified risks, risk severity/probability ratings, mitigation measures, residual risks, and monitoring procedures. This supports Article 9 compliance and provides evidence to notified bodies.

Quality Management System Documentation

Policies, procedures, and records documenting your quality management system, including testing protocols, change management, configuration management, and quality metrics. This demonstrates Article 17 compliance.

Start your compliance journey now

With the August 2, 2026 deadline approaching, starting now gives you 18 months to address requirements systematically. Use this checklist to track progress, and prioritize items that require the most time (risk assessment, documentation, notified body engagement).

Our classification tool and documentation generators can accelerate this process. Start by classifying your system—it's free and takes 5 minutes. Then move to specific requirement areas based on your needs.