EU AI Act Compliance
Checklist for Businesses

You cannot comply with what you have not identified. Most companies underestimate how many AI tools they are already using. This phase is about discovery, not judgment.

• Inventory every AI system your company uses, builds, or resells. Include third-party tools, APIs, and embedded features.
• For each system, record: purpose, data inputs, decision outputs, and whether humans are in the loop.
• Determine your role: are you a provider, deployer, importer, or distributor for each system?
• Flag any system that makes or materially influences decisions about people. These are your high-risk candidates.
• Check if any system falls under prohibited practices (social scoring, biometric identification in public spaces, emotion recognition in workplaces).

The AI Act sorts systems into four buckets: prohibited, high-risk, limited risk, and minimal risk. Your obligations scale with the bucket. Getting this wrong means over-investing or under-protecting.

• Review Annex III of the AI Act against your inventory. High-risk categories include credit scoring, insurance pricing, recruitment, and legal document analysis.
• Check Annex I: if your system is already regulated under EU product safety law and uses AI, it is high-risk.
• Document the classification rationale for each system. Regulators will ask for this.
• Identify any general-purpose AI model you develop or fine-tune. These have separate transparency and systemic risk obligations.
• Reclassify after any major update or new use case. Risk classification is not a one-time exercise.

High-risk systems need a paper trail: risk management systems, data governance, technical documentation, record-keeping, and human oversight protocols. Limited-risk systems need transparency disclosures. Start with the heavy lifting.

• Assign a responsible person or team for AI compliance. Solo founders often delegate this to their CTO or external counsel.
• Draft a risk management plan for each high-risk system. Cover identification, evaluation, mitigation, and monitoring.
• Document your training, validation, and testing datasets. The Act requires you to show data quality, representativeness, and bias mitigation.
• Write technical documentation that covers system architecture, performance metrics, known limitations, and intended use cases.
• Design human oversight mechanisms. For high-risk systems, a human must be able to understand, intervene, and override.
• Create logging and monitoring protocols. You need to track operational events, especially anomalies and errors.

High-risk AI systems must pass conformity assessments before they go live. This is not a box-ticking exercise: it is a structured test of whether your system does what you claim, safely and fairly.

• Run pre-deployment testing that covers accuracy, robustness, fairness, and cybersecurity. Document results.
• Conduct a bias audit on protected characteristics relevant to your use case. Finance and legal have specific fairness expectations.
• Prepare an EU declaration of conformity. This is your signed statement that the system meets the Act's requirements.
• Register the system in the EU database for high-risk AI systems. You cannot deploy until this is done.
• For biometric or safety-critical systems, involve a notified body for third-party assessment.
• Set up post-market monitoring. Plan periodic reviews, incident reporting, and retraining triggers.