The EU AI Act entered into force on 1 August 2024. Its most consequential provisions — the full obligations for high-risk AI systems — apply from 2 August 2026. That sounds like a comfortable runway. It isn't. Risk classification, conformity assessments, and technical documentation for a complex AI system can take six to twelve months to complete properly. The companies that start in June 2026 will not be compliant by August.
This is a practical checklist. It covers what the Act requires, how to assess your exposure, and what you need to have in place before the deadline.
Step 1: Determine whether the Act applies to you at all
The AI Act applies to providers, deployers, importers, and distributors of AI systems placed on the EU market or used in the EU. It does not only apply to EU companies. A US SaaS company whose product is used by EU customers falls within scope.
"AI system" is defined broadly: a machine-based system designed to operate with varying levels of autonomy that infers, from inputs, how to generate outputs such as predictions, content, recommendations, or decisions that can influence real or virtual environments.
If your product contains any system matching that description and it is available in the EU, the Act likely applies to you in some capacity.
Step 2: Classify your AI systems by risk tier
The Act establishes four risk tiers:
- Unacceptable risk — Prohibited entirely. Examples: social scoring by public authorities, real-time biometric identification in public spaces (with narrow exceptions), subliminal manipulation techniques.
- High risk — Subject to the full compliance obligations described below. Includes AI used in: biometric identification, critical infrastructure, educational assessment, employment decisions, essential service access (credit scoring, insurance), law enforcement, migration decisions, and administration of justice.
- Limited risk — Subject to transparency obligations only. Chatbots must disclose they are AI. Deepfake content must be labelled.
- Minimal risk — No specific obligations. Most general-purpose software with basic AI features falls here.
The critical question for most companies is whether their system falls within Annex III of the Act, which defines the high-risk categories. If you're using AI to make or significantly influence decisions about people — in hiring, lending, insurance, education, or access to public services — you almost certainly do.
Step 3: If you are a high-risk provider, build your compliance file
For high-risk AI systems, the Act requires providers to establish, implement, document, and maintain:
A risk management system — Continuous throughout the system's lifecycle. Must identify and analyse risks, implement risk mitigation measures, and test the system against those measures. This is an ongoing process, not a point-in-time assessment.
Data governance measures — Training, validation, and testing datasets must be governed by practices addressing relevance, representativeness, and freedom from errors. Bias testing is not optional.
Technical documentation — Before placing the system on the market. Must include: system purpose and intended use, performance metrics, training methodology, known limitations and risks, post-market monitoring plan. This documentation must be kept up to date throughout the system's lifecycle.
Record-keeping and logging — Automatic logging of events during system operation to the extent technically feasible. Logs must be retained for at least six months.
Transparency and user information — Clear instructions for use, capabilities and limitations, intended purpose, performance expectations, and circumstances under which the system should not be used.
Human oversight — Design the system so that natural persons can understand its outputs, monitor its operation, and intervene or override when necessary. This is not a disclaimer — it's an architectural requirement.
Accuracy, robustness, and cybersecurity — Performance must be documented and the system must be resilient against adversarial inputs.
Step 4: Conformity assessment and CE marking
For most high-risk AI systems, providers can conduct a conformity assessment internally (self-assessment against the requirements above, documented in the technical file). For certain categories — biometric identification systems, AI used in critical infrastructure, AI in law enforcement — a third-party notified body must conduct the assessment.
Following a successful conformity assessment, the system receives CE marking and must be registered in the EU database of high-risk AI systems.
Step 5: GPAI model obligations (if applicable)
General-purpose AI models — such as large language models — are subject to a separate set of obligations, regardless of risk tier. From March 2025, GPAI model providers must:
- Prepare technical documentation and make it available to downstream providers
- Comply with EU copyright law and maintain a copyright policy
- Publish a sufficiently detailed summary of training data
Models with systemic risk (over 10^25 FLOPs training compute) face additional obligations including adversarial testing, incident reporting, and cybersecurity measures.
Step 6: What deployers must do
If you are a deployer — you did not build the high-risk AI system, but you put it into use for end users — you have your own obligations:
- Implement human oversight measures
- Monitor the system's operation and report serious incidents to the provider
- Conduct a data protection impact assessment if the system processes personal data
- Inform affected individuals that they are subject to a high-risk AI system's decision where required
Timeline check
If you haven't started: begin risk classification now. Assessing whether your systems fall within Annex III categories takes time, especially if your legal and product teams need to align on the interpretation.
If you're in high-risk categories: technical documentation and risk management systems take the longest to build properly. Start there, and plan for six to nine months of effort for a complex system.
If you're in GPAI scope: the March 2025 obligations are already in effect. If you haven't yet addressed copyright compliance and training data documentation, you are already late.