
EU AI Act Compliance Checklist for Companies

A practical EU AI Act compliance checklist for businesses: what to assess, what to document, and what to implement to meet the regulation's requirements.

Phos Team ·
AI Strategy

An EU AI Act compliance program is not a single project. It is a structured series of assessments, documentation requirements, and operational controls that must be built and then maintained. This checklist walks through each step.

Is your business affected?

Before building a compliance program, confirm whether and how the EU AI Act applies to you.

The Act applies if you are a provider (you develop AI systems and place them on the market or into service in the EU) or a deployer (you use AI systems in a professional context that affects EU residents). It applies regardless of where your company is based.

Check these conditions:

  • Do you offer products or services to EU residents that involve AI?
  • Do you use AI tools in business processes that affect EU customers or employees?
  • Do you develop or sell AI systems to EU customers?
  • Do you use AI in HR, credit, customer service, or other functions affecting EU residents?

If any answer is yes, the Act applies to you. The question then becomes which risk category your AI systems fall into.

Step 1: AI system inventory

You cannot comply with a regulation you cannot apply to specific systems. The inventory is the first and most essential step.

Inventory checklist:

  • List every AI system your organization uses or provides that could affect EU residents
  • Include vendor-provided AI tools and AI features embedded in enterprise software
  • Document for each system: its name, business purpose, outputs, influence on decisions, data inputs, and geographic scope
  • Identify the system’s developer or provider
  • Record when each system was deployed or last significantly updated

Common inventory gaps to watch for:

  • AI features within software platforms (CRM, HR, finance) that were not purchased as AI products
  • AI used by subsidiaries or business units without central IT awareness
  • AI tools used by individual employees or teams on a self-service basis

Step 2: Risk classification

Classify each inventoried system according to the Act’s risk categories.

Classification checklist:

  • Review each system against the prohibited AI categories. Any match requires immediate remediation.
  • Review each system against the Annex III high-risk categories: biometrics, critical infrastructure, education, employment, essential services, law enforcement, migration, and justice
  • For systems in Annex I (safety components for regulated products under existing EU law), apply high-risk classification
  • For systems that do not fall into high-risk categories, assess whether limited-risk transparency requirements apply (chatbots, deepfake generation, AI-generated content)
  • Assign a risk classification to each system and document the rationale

High-risk classification triggers to check specifically:

  • Any AI used in hiring, recruitment, or employee management decisions
  • Any AI used in credit scoring, insurance risk assessment, or financial underwriting
  • Any AI used in education access or performance evaluation
  • Any AI that processes biometric data for identification purposes

Step 3: High-risk system compliance requirements

For each system classified as high-risk, assess compliance against all seven requirement categories.

Risk management system:

  • A documented risk management process exists for this system
  • Risks have been identified, evaluated, and mitigated before deployment
  • The risk management process is iterative and updated as the system evolves
  • Residual risks are documented and accepted by an appropriate authority

Data governance:

  • Training, validation, and testing datasets are documented
  • Data provenance is recorded and verifiable
  • Data quality criteria are documented and verified
  • Datasets comply with GDPR and relevant data protection requirements

Technical documentation:

  • Comprehensive technical documentation exists covering system design, purpose, capabilities, and limitations
  • Documentation is maintained and updated as the system changes
  • Documentation is accessible to competent authorities upon request

Automatic logging:

  • The system generates automatic operational logs
  • Logs record sufficient information to enable retrospective monitoring
  • Log retention periods are defined and implemented

Transparency to users:

  • Users receive clear information about what the AI system does
  • Users are informed of the system’s capabilities and limitations
  • Users are informed of the human oversight measures in place
  • Instructions for use are documented and provided to deployers (for providers)

Human oversight:

  • The system can be effectively monitored by human overseers
  • Human overseers can understand the system’s behavior and reasoning
  • Humans can intervene, override, or halt the system when necessary
  • Overseers have been trained on their responsibilities and the system’s known failure modes

Accuracy, robustness, and cybersecurity:

  • Accuracy performance is measured and documented
  • Robustness against errors and inconsistencies is tested and documented
  • Cybersecurity measures protect the system against known AI-specific threats

Step 4: Documentation and transparency requirements

For limited-risk AI systems, the primary requirement is transparency.

Limited-risk checklist:

  • Chatbots and conversational AI disclose their AI nature at the start of interactions
  • Deepfake content is labeled as artificially generated
  • AI-generated text published for public purposes is disclosed where feasible

Conformity assessment (for providers of high-risk systems):

  • A conformity assessment has been completed before EU market placement
  • The assessment method (self-assessment or third-party) is appropriate for the system’s category
  • The conformity assessment is documented and retained

EU AI database registration (for providers and some deployers):

  • High-risk AI systems have been registered in the EU AI database before deployment

Step 5: Ongoing monitoring

Compliance with the EU AI Act is not a one-time exercise. These ongoing requirements apply after deployment.

Ongoing monitoring checklist:

  • Post-market monitoring system is in place to collect and analyze operational data
  • Serious incidents and near-misses are reported to the relevant national market surveillance authority
  • The risk management system is reviewed and updated when the system changes
  • Technical documentation is updated when the system changes significantly
  • Human oversight effectiveness is periodically reviewed
  • New AI system deployments are classified and assessed before going live

For a plain-language overview of the Act’s requirements and structure, see EU AI Act explained. For the broader AI governance program this compliance effort sits within, see AI governance and ethics guide.

Frequently asked questions

Can small businesses handle EU AI Act compliance without external help?

Small businesses with limited AI use and no high-risk AI systems can manage compliance with moderate internal effort. The inventory and classification steps are achievable for any business. High-risk AI system compliance requires more specialized knowledge, particularly around conformity assessments and technical documentation standards, and often benefits from external expertise.

What happens if we discover we have an unregistered high-risk AI system already deployed?

Begin the compliance program immediately. Document the system, conduct the risk management process, create the required documentation, and complete the conformity assessment. The Act does not provide a retrospective safe harbor, but demonstrating active remediation is materially better than doing nothing. Engage legal counsel on your specific situation.

Do we need separate compliance programs for GDPR and the EU AI Act?

The programs overlap significantly around data governance and privacy requirements, but they are distinct. GDPR compliance is a prerequisite for EU AI Act compliance for any AI system processing personal data, but the AI Act adds requirements that GDPR does not address: risk management systems, technical documentation, automatic logging, human oversight, and conformity assessments. The two programs should be coordinated, not duplicated.

Ready to work through your EU AI Act compliance program?

You have the checklist. Now it needs to be applied to your specific AI systems with the documentation, ownership, and monitoring that real compliance requires.

Path one: start with an audit. An AI audit maps your AI systems against EU AI Act requirements and produces a compliance gap assessment with a prioritized remediation plan.

Path two: work with Phos AI Labs. If you want expert help implementing a complete EU AI Act compliance program, Phos AI Labs is a CCA-F certified Claude implementation partner. Thirty minutes, no deck. Start here.
