TL;DR: EU AI Act compliance checklist
- The EU AI Act classifies AI systems into four risk tiers, each with different compliance requirements.
- The Act applies to organizations inside and outside the EU if their AI systems are placed on or used in the EU market.
- High-risk AI systems require controls such as risk management, technical documentation, human oversight, and continuous monitoring.
- Key enforcement deadlines run from 2025 to 2027, making early preparation essential.
- Scytale’s AI GRC platform streamlines EU AI Act compliance through automated evidence collection, continuous monitoring, and multi-framework compliance management.
Artificial intelligence is becoming a core part of how organizations build products, automate processes, and make decisions. As AI adoption accelerates, businesses are under growing pressure to demonstrate that these systems are used responsibly, transparently, and with appropriate safeguards in place.
In this article, we’ll explain what the EU AI Act is, who it applies to, how to classify your AI systems by risk level, and the steps your organization can take to achieve and maintain compliance.
What is the EU AI Act?
The EU AI Act is the world’s first comprehensive legal framework for regulating artificial intelligence.
It takes a risk-based approach, classifying AI systems into four categories: unacceptable risk, high risk, limited risk, and minimal risk. Each category carries a different level of compliance requirements, with stricter obligations applying to systems that pose greater risks to people’s rights, safety, or well-being. The regulation is designed to promote safety and fairness, improve transparency, and encourage responsible innovation.
A common misconception is that the EU AI Act only applies to European AI companies or businesses developing foundation models. In reality, its scope extends far beyond that. SaaS companies, technology providers, and enterprises that develop or embed AI into products, customer experiences, or internal operations for EU customers may all have obligations under the regulation.
For organizations serving EU customers, AI governance is no longer just a best practice. Teams need to understand which AI systems fall within scope, determine their risk classification, and implement the appropriate controls. Because compliance requirements vary depending on how AI is used, following a structured EU AI Act checklist is the most practical way to identify your obligations and implement the appropriate compliance controls.
Streamline GRC workflows with no blind spots.
Who does the EU AI Act apply to?
The EU AI Act applies based on your role, how AI is used, and whether your AI systems are placed on or used in the EU market, not on your company’s size or where it is headquartered. This means SMBs, SaaS vendors, and large enterprises can all fall within scope. The Act defines four primary roles, each with its own responsibilities:
- Providers develop AI systems or place them on the market under their own name. They are responsible for risk classification, conformity assessments, technical documentation, and ongoing compliance.
- Deployers use AI systems within their own operations. They must follow the provider’s instructions and, in some cases, complete additional monitoring, risk management, or impact assessments.
- Importers bring AI systems into the EU and must verify that providers have met the required compliance obligations.
- Distributors make AI systems available further down the supply chain and are responsible for ensuring compliance requirements continue to be met before distribution.
Two common misconceptions often lead organizations to underestimate their obligations. The first is that only companies headquartered in the EU are covered. In reality, the Act also applies to organizations outside Europe if they place AI systems on the EU market or their AI outputs are used in the EU. The second is that only businesses developing AI models are affected. Organizations that integrate AI into HR platforms, credit scoring, customer support chatbots, content generation, or other business applications may also have obligations as deployers.
The Act also distinguishes between general-purpose AI models, such as foundation models, and the specific AI applications built on top of them, with each following its own compliance requirements. Your compliance burden depends on the classification and intended use of each AI system, not the size or location of your company. Building a strong AI policy and governance program helps organizations assign ownership, document decisions, and implement the controls needed to meet their obligations under the EU AI Act.
EU AI Act risk classification: How to categorize your AI systems
The EU AI Act classifies AI systems into four risk categories based on the level of risk they pose. Understanding these categories helps determine which compliance requirements apply.
Classification is based on the AI system, not the company
Under the EU AI Act, every AI system must be assessed individually. Risk classification depends on the system’s intended purpose, how it is used, and the potential impact on people’s rights and safety, rather than the size of your organization or the AI model powering it.
This means the same foundation model can fall into different risk categories depending on its implementation. For example, a model used to filter spam emails is likely considered minimal risk, while the same model used to screen job applicants could be classified as high risk because of its impact on employment decisions.
Understand the four risk tiers
The EU AI Act groups AI systems into four categories, with compliance obligations increasing as risk increases.
| Risk tier | Typical examples | What it means |
| Unacceptable risk | Government social scoring, real-time biometric surveillance in public spaces, emotion recognition in schools or workplaces | These practices are prohibited and cannot be placed on the EU market. |
| High risk | Hiring and CV screening, credit scoring, medical devices, education admissions, law enforcement, critical infrastructure | These systems are subject to the Act’s most extensive compliance requirements. |
| Limited risk | Chatbots, AI assistants, synthetic content generators, deepfake tools | Transparency obligations apply, including informing users when they are interacting with AI or viewing AI-generated content. |
| Minimal risk | Spam filters, AI-powered games, inventory management, recommendation engines | These systems have no mandatory obligations under the Act, although voluntary codes of conduct are encouraged. |
Consider the context, not just the technology
Risk classification isn’t determined solely by what an AI system does. Regulators also consider where it is used, who is affected by its decisions, and the potential consequences if something goes wrong.
For example, an AI tool that summarizes meeting notes carries a very different level of risk from one that influences hiring decisions or determines access to financial services. Looking beyond the technology itself helps organizations classify AI systems more accurately and avoid underestimating regulatory obligations.
One organization can have multiple risk classifications
Most organizations use AI across multiple business functions, making it common to operate systems that fall into different risk categories. A company might simultaneously use a minimal-risk spam filter, a limited-risk customer support chatbot, and a high-risk recruitment tool.
Because each AI system is assessed independently, organizations should avoid assigning a single risk profile to the business as a whole. Understanding how each system is used provides a much more accurate picture of compliance obligations and makes it easier to prioritize resources where regulatory risk is highest.
AI-native GRC for how teams work today.
EU AI Act compliance checklist: Step-by-step
Complying with the EU AI Act requires more than understanding the regulation. Organizations need a structured process that identifies AI systems, assigns ownership, documents decisions, and creates evidence to demonstrate continuous compliance. Follow the checklist below to build an AI governance program that aligns with the EU AI Act’s requirements.
Step 1: Build an AI system inventory
Start by creating a complete inventory of every AI system your organization develops, deploys, or procures. For each system, record its intended purpose, data inputs, decision outputs, affected individuals, deployment status, and business owner in a central register. A complete inventory provides the foundation for risk classification, governance, and every compliance activity that follows.
Step 2: Classify each system by risk tier
Assess every AI system using the EU AI Act’s four risk categories and document the reasoning behind each classification. Document the reasoning for every classification in a signed memo to create audit evidence and simplify future reviews.
Step 3: Address prohibited AI practices immediately
Review all existing and planned AI systems against the Act’s prohibited use cases. If a system falls into an unacceptable-risk category, such as government social scoring or prohibited biometric surveillance, it cannot be placed on the EU market. These requirements have applied since February 2, 2025, so prohibited systems should be identified and removed without delay.
Step 4: Run the high-risk compliance program
If an AI system is classified as high risk under Annex III, it must meet the Act’s most extensive compliance requirements. Organizations should establish documented controls that cover the entire AI lifecycle, from development through post-market monitoring. Your compliance program should include the following core areas:
- Risk management: Establish a documented process for identifying, assessing, mitigating, and monitoring risks throughout the AI system’s lifecycle.
- Data governance: Ensure training, validation, and testing datasets are relevant, representative, accurate, and supported by documented data provenance and bias mitigation measures.
- Technical documentation: Prepare Annex IV-compliant documentation covering system design, training methodology, performance metrics, validation results, and maintain logs for 10 years after market placement.
- Human oversight: Build mechanisms that allow qualified personnel to monitor, interpret, intervene in, or override AI decisions where necessary.
- Post-market monitoring: Continuously monitor system performance after deployment and report serious incidents within the required timeframes where applicable.
Step 5: Complete the conformity assessment
Before placing a high-risk AI system on the EU market, complete the required conformity assessment. Most Annex III systems follow a self-assessment under Annex VI, while certain biometric identification systems require assessment by an independent notified body. Successful completion results in an EU Declaration of Conformity demonstrating compliance with the Act.
Step 6: Register in the EU AI database
Providers of high-risk AI systems must register both the AI system and the provider in the EU AI systems database before placing the system on the market. Registration should be built into your product release process rather than treated as a final administrative step. Completing registration before launch helps ensure compliance evidence is in place before market entry.
Step 7: Meet limited-risk transparency obligations
Limited-risk AI systems have fewer compliance requirements but must still meet transparency obligations. Users should be informed when they are interacting with AI, and AI-generated or synthetic content should be appropriately labeled using machine-readable disclosures where applicable. Building these notifications into the user experience helps satisfy the Act’s transparency requirements.
Step 8: Conduct a Fundamental Rights Impact Assessment (FRIA)
Certain deployers of high-risk AI systems, particularly those operating in public-sector or essential-services contexts, must complete a Fundamental Rights Impact Assessment before deployment. The assessment evaluates how the AI system could affect individuals’ rights and identifies appropriate safeguards to reduce those risks. Incorporating the FRIA into project approval workflows helps prevent required reviews from being overlooked.
Step 9: Appoint an EU-authorized representative
Organizations established outside the EU that place high-risk AI systems on the EU market must appoint an authorized representative located in an EU Member State. This representative serves as the primary point of contact for regulators and must have access to the documentation needed to demonstrate compliance. Making this appointment early helps avoid delays during market entry.
Step 10: Establish ongoing governance and review
EU AI Act compliance is an ongoing process rather than a one-time project. Schedule regular reviews of AI system classifications, risk assessments, technical documentation, and compliance controls, with quarterly reviews considered best practice. Reassess every AI system whenever its intended purpose, deployment environment, user population, or underlying model changes to ensure your compliance program remains accurate and up to date.
Always-on GRC. Built for modern teams.
EU AI Act compliance timeline: Key dates and deadlines
EU AI Act compliance is being introduced in phases, with different obligations taking effect over several years. Understanding these milestones helps organizations prepare for key enforcement deadlines and prioritize their compliance efforts.
August 1, 2024: The EU AI Act enters into force
The EU AI Act officially entered into force, establishing the legal framework for AI regulation across the European Union. While most obligations were not immediately enforceable, this marked the beginning of the implementation timeline.
February 2, 2025: Prohibited AI practices become enforceable
The first substantive obligations took effect on February 2, 2025. AI practices classified as unacceptable risk, including government social scoring and certain biometric surveillance activities, became prohibited across the EU. Organizations should not treat the EU AI Act as a future compliance project. These provisions are already in force and apply today.
August 2, 2025: General-purpose AI model obligations begin
Providers of general-purpose AI (GPAI) models become subject to new obligations, including maintaining technical documentation, implementing copyright compliance policies, and providing the information downstream providers need to comply with the Act. These requirements primarily affect organizations developing or supplying foundation models and other general-purpose AI technologies.
August 2, 2026: High-risk AI obligations take effect
This is the most significant enforcement milestone for many organizations. Most Annex III high-risk AI systems must comply with the Act’s full set of requirements, including conformity assessments, registration in the EU AI systems database, post-market monitoring, and Article 73 serious-incident reporting. For many SaaS companies and enterprises deploying high-risk AI, this represents the primary compliance deadline.
August 2, 2027: Annex II product requirements apply
The final major implementation phase extends obligations to high-risk AI systems embedded in Annex II regulated products, including medical devices, machinery, and other products already subject to sector-specific EU legislation. Organizations operating in these regulated industries should plan well in advance for the additional compliance requirements.
Maintain compliance beyond each deadline
Rather than preparing for a single deadline, organizations should establish a quarterly compliance cadence tied to each enforcement milestone. Many businesses also align their AI governance efforts with the EU Cyber Resilience Act to streamline documentation, product security, and regulatory compliance across multiple EU regulations.
The penalties for non-compliance are significant. Violations involving prohibited AI practices can result in fines of up to €35 million or 7% of global annual turnover, while breaches of other obligations can lead to penalties of up to €15 million or 3% of global annual turnover, whichever amount is higher.
How Scytale simplifies EU AI Act compliance
Scytale’s AI GRC platform simplifies EU AI Act compliance by bringing AI governance, evidence collection, continuous monitoring, and multi-framework compliance into a single platform. Instead of managing compliance across multiple tools, organizations can automate key processes, maintain continuous visibility, and manage the EU AI Act alongside 80+ security, privacy, and compliance frameworks.
With automated evidence collection and multi-framework cross-mapping, Scytale reduces manual work while supporting ongoing compliance across your entire GRC program. AI agents continuously review evidence, identify compliance gaps, and recommend next steps, while Scytale’s GRC experts provide practical guidance to help your team stay audit-ready and build a scalable AI governance program with confidence.
FAQs about EU AI Act compliance checklist
What is the EU AI Act and who does it apply to?
The EU AI Act is the world’s first comprehensive law regulating artificial intelligence, using a risk-based framework that classifies AI systems into four risk categories. It applies to organizations inside and outside the EU if they place AI systems on the EU market or their AI outputs are used in the EU. Providers, deployers, importers, and distributors may all have obligations under the Act depending on their role and how the AI system is used.
How do I classify my AI system under the EU AI Act risk tiers?
Classify each AI system by intended use and deployment context across four tiers: unacceptable, high, limited, or minimal risk. Review the specific use case, affected population, and decision impact, then document the reasoning in a signed memo. One company may operate systems across several tiers at the same time.
What are the main compliance requirements for high-risk AI systems?
High-risk AI systems need a formal compliance program covering risk management, data governance, technical documentation, human oversight, post-market monitoring, conformity assessment, and registration. Top AI GRC platforms like Scytale help teams organize this evidence in one place, especially when AI obligations sit beside SOC 2, ISO 42001, ISO 27001, GDPR, and SOX ITGC work.
What are the key EU AI Act enforcement deadlines in 2026?
The main 2026 milestone is August 2, 2026, when most Annex III high-risk system obligations become enforceable. Teams should remember prohibited practices already took effect earlier, on February 2, 2025. That means 2026 work should focus on high-risk readiness, not first-time scoping of banned use cases.
How does the EU AI Act relate to other frameworks like ISO 42001 and GDPR?
The EU AI Act works alongside other frameworks rather than replacing them. ISO 42001 supports AI management system governance, while GDPR still applies when AI systems process personal data. Scytale’s AI GRC platform helps teams manage those overlapping requirements together so evidence, ownership, and review cycles do not split across separate tools.