Compliance checklistEU

EU AI Act Checklist

Classify each AI system or model before choosing controls: scope, operator role, prohibited-practice screen, high-risk status, GPAI duties, transparency notices, monitoring, and incident handling.

Use this as an evidence checklist for product, legal, model-risk, engineering, privacy, security, procurement, and compliance teams working from official EU sources.

Back to main artifactReview sources
Author
Sorena AI
Published
May 9, 2026
Updated
May 17, 2026
Sections
7

Structured answer sets in this page tree.

Primary sources
6

Cited legal and guidance references.

Publication metadata
Sorena AI
Published May 9, 2026
Updated May 17, 2026
Overview

This EU AI Act checklist helps teams move from an AI inventory to specific compliance work. Start with scope and operator role, then branch by risk class: prohibited practices stop deployment, high-risk systems need technical and governance evidence, GPAI models need model documentation and copyright/training-content records, and certain AI systems need user-facing transparency measures.

Section 1

1. Scope and operator role

Create one checklist row per AI system, general-purpose AI model, or downstream product integration. The row should state whether the activity involves placing on the EU market, putting into service, using the system in the EU, or using output in the EU.

Record the operator role before assigning obligations. The AI Act distinguishes providers, deployers, importers, distributors, authorised representatives, product manufacturers, downstream providers, and affected persons. A company can hold more than one role for the same AI value chain.

  • System or model identity: product name, version, intended purpose, deployment context, EU market or EU-use trigger, and whether the item is an AI system, general-purpose AI model, or both.
  • Role evidence: provider or deployer analysis, importer or distributor involvement, authorised representative need for non-EU providers, and any downstream provider integrating a GPAI model.
  • Out-of-scope checks: purely personal non-professional deployer use, scientific research and development before market placement or service entry, military, defence, or national-security-only uses, and open-source AI systems or models only where the AI Act exclusion actually applies.
  • Adjacent-law personal data, privacy, consumer protection, product safety, labour, sectoral, and fundamental-rights rules can still apply even when the AI Act checklist row is low-risk or out of scope.
Sources for this answer
Regulation (EU) 2024/1689 (EU AI Act)
Supports the scope check, operator-role definitions, and exclusions that determine whether a checklist row needs AI Act controls.
European Commission - AI Act regulatory framework
Explains the AI Act as a risk-based framework for AI developers and deployers and provides the public Commission overview used to orient the checklist.
Section 2

2. Risk classification checklist

Classify the checklist row before drafting controls. If a practice is prohibited, the practical answer is to stop, redesign, or escalate before deployment. If the system is high-risk, move to the high-risk evidence section. If it is limited-risk, check transparency obligations. If it is minimal-risk, keep the classification record and monitor for changes in purpose, data, users, or integration.

For Annex III systems, do not rely only on the sector label. Record the intended purpose, whether the system materially influences decision-making, whether profiling of natural persons is performed, and whether a narrow-task or preparatory-task exception is being claimed.

  • Prohibited-practice screen: manipulation or deception causing significant harm, exploitation of vulnerabilities, social scoring, criminal-risk assessment based solely on profiling or personality traits, untargeted facial-image scraping, workplace or education emotion inference except medical or safety uses, sensitive biometric categorisation, and law-enforcement real-time remote biometric identification outside the listed strict exceptions.
  • High-risk route A: the AI system is a product, or safety component of a product, covered by listed Union harmonisation legislation and the product requires third-party conformity assessment.
  • High-risk route B: the AI system falls within Annex III areas such as biometrics, critical infrastructure, education, employment, essential services, law enforcement, migration or border control, or administration of justice and democratic processes.
  • Annex III exception record: if the provider concludes the system is not high-risk, keep the Article 6(3) reasoning before market placement or service entry and prepare for EU database registration under Article 49(2).
  • GPAI model route: decide whether the item is a general-purpose AI model, whether open-source exemptions apply, and whether systemic-risk classification or notification duties are triggered.
  • Transparency route: identify direct human interaction, synthetic audio/image/video/text generation, emotion recognition, biometric categorisation, deepfake generation, or AI-generated public-interest text.
Sources for this answer
Regulation (EU) 2024/1689 (EU AI Act)
Primary source for prohibited practices, Article 6 high-risk classification rules, Annex III high-risk areas, GPAI systemic-risk classification, and Article 50 transparency triggers.
European Commission - AI Act regulatory framework
Supports the four-level risk framing used in the checklist: unacceptable, high, limited, and minimal or no risk.
Section 3

3. High-risk AI system evidence

For each high-risk AI system, collect evidence before placing it on the market or putting it into service. The evidence pack should show that the provider can demonstrate compliance to a competent authority or notified body, and that deployers have the information needed to use and monitor the system appropriately.

When the system is already subject to sectoral product legislation, note whether AI Act evidence can be integrated into the existing product compliance, quality, or post-market files instead of creating a duplicate set.

  • Risk management: lifecycle process for known and reasonably foreseeable risks to health, safety, and fundamental rights; reasonably foreseeable misuse; residual-risk acceptability; testing; and vulnerable-group impacts.
  • Data governance: data origin, collection, preparation, assumptions, availability, suitability, bias examination, mitigation measures, and data gaps for training, validation, and testing data sets.
  • Technical documentation: intended purpose, versions, interfaces, development methods, design choices, architecture, data requirements, human-oversight measures, validation and testing, cybersecurity, standards used, EU declaration of conformity, and post-market monitoring plan.
  • Logging and records: automatic event logging where required, provider logs under Article 19 where under provider control, technical documentation, quality-management documentation, notified-body documents where applicable, and the EU declaration of conformity retained for 10 years.
  • Human oversight and instructions: deployer-facing information on capabilities, limitations, accuracy, robustness, cybersecurity, foreseeable risks, input data, interpretation of outputs, oversight measures, maintenance, and log collection.
  • Conformity and market access: relevant conformity assessment under Article 43, EU declaration of conformity, CE marking, Article 49 registration where applicable, and new conformity assessment after substantial modification.
Sources for this answer
Regulation (EU) 2024/1689 (EU AI Act)
Supports the high-risk evidence checklist from Articles 9 to 19, Articles 43, 47, 48, 49, and Annex IV.
European Commission - AI Act regulatory framework
Summarizes practical provider steps for high-risk AI systems, including conformity assessment, registration, declaration of conformity, and CE marking.
Section 4

4. GPAI model obligations

For general-purpose AI models, keep a model-level record separate from downstream AI system records. Downstream teams need enough information to understand capabilities and limitations, while providers need their own technical documentation, copyright-policy evidence, and public training-content summary where Article 53 applies.

For GPAI models with systemic risk, add systemic-risk evaluation, mitigation, cybersecurity, and serious-incident records. Do not treat a downstream application review as a substitute for model-provider obligations.

  • All GPAI providers: technical documentation covering training and testing process, evaluation results, and Annex XI content appropriate to model size and risk profile.
  • Downstream documentation: information for providers integrating the model so they can understand capabilities and limitations and meet their own AI Act obligations.
  • Copyright and training-content evidence: copyright-policy record and public summary of training content using the AI Office template where applicable.
  • Open-source check: document whether the free and open-source licence conditions apply and whether the model is excluded from specific obligations; do not apply that exception to GPAI models with systemic risk.
  • Systemic-risk screen: record training compute or Commission designation indicators, notification status, model-evaluation evidence, adversarial testing, systemic-risk mitigation, serious-incident process, and cybersecurity protection for the model and physical infrastructure.
  • Representative check: non-EU GPAI providers should record whether an EU authorised representative mandate is required and retained.
Sources for this answer
Regulation (EU) 2024/1689 (EU AI Act)
Primary source for GPAI definitions, Article 51 systemic-risk classification, Article 53 provider obligations, Article 54 representative obligations, Article 55 systemic-risk obligations, and Annex XI/XII documentation.
European Commission - GPAI provider guidelines
Commission guidance source for interpreting GPAI provider scope, significant modifications, open-source exemptions, and enforcement timeline context.
European Commission - Public summary of GPAI training content template
Supports the checklist item requiring a public summary of content used to train GPAI models under Article 53(1)(d).
Section 5

5. Transparency obligations

Run transparency checks for both high-risk and non-high-risk AI systems. Article 50 duties are triggered by specific interactions and content types, so the checklist should identify the user-facing moment when information, marking, or disclosure must appear.

Keep the implementation evidence close to the product artifact: screenshots, UI copy, API fields, machine-readable marking approach, accessibility review, and the release version in which the notice or marker ships.

  • Direct interaction: inform natural persons that they are interacting with an AI system unless that is obvious to a reasonably well-informed, observant, and circumspect person in the context.
  • Synthetic content: providers of AI systems that generate synthetic audio, image, video, or text content should record the machine-readable marking and detectability method, plus limits where the system is only assistive editing or does not substantially alter input semantics.
  • Emotion recognition and biometric categorisation: deployers should inform exposed natural persons of the system operation and align personal-data processing with applicable data-protection law.
  • Deepfakes: deployers should disclose artificially generated or manipulated image, audio, or video content constituting a deepfake, while accounting for the specific artistic, creative, satirical, fictional, analogous-work, and law-enforcement exceptions in the legal text.
  • Public-interest text: deployers should disclose AI-generated or manipulated text published to inform the public on matters of public interest unless the law-enforcement or human-review/editorial-responsibility exception applies.
  • Notice quality: provide the information clearly, distinguishably, accessibly, and no later than the first interaction or exposure.
Sources for this answer
Regulation (EU) 2024/1689 (EU AI Act)
Primary source for Article 50 transparency duties for direct interaction, synthetic content, emotion recognition, biometric categorisation, deepfakes, and public-interest text.
European Commission - Code of Practice on AI-generated content
Commission page explaining the Article 50 marking and labelling workstreams for AI-generated or manipulated content.
Section 6

6. Post-market monitoring and incident records

Close each checklist row only after it names the records that will be updated after release. High-risk systems need a documented post-market monitoring system and plan; deployers also need a path to inform providers and authorities when operation shows risk or a serious incident occurs.

Incident playbooks should separate high-risk AI system reporting from GPAI systemic-risk reporting, because the recipients and templates can differ.

  • Post-market plan: active and systematic collection, documentation, and analysis of performance data throughout the high-risk AI system lifetime, including deployer-provided data and other sources where relevant.
  • Deployer monitoring: instructions-based monitoring, provider and authority escalation where use may present a risk, suspension of use where required, and serious-incident notification escalation.
  • High-risk serious incidents: provider report to market surveillance authorities where the incident occurred; report immediately after causal link or reasonable likelihood is established and within the Article 73 outer deadlines.
  • Investigation record: incident timeline, causal-link analysis, risk assessment, corrective actions, authority and notified-body cooperation, and a control to avoid altering the system in a way that could affect later evaluation before informing competent authorities.
  • GPAI systemic-risk incident record: tracking, documentation, reporting to the AI Office and, where appropriate, national competent authorities, plus possible corrective measures.
  • Retention cross-check: keep technical documentation, quality-management documentation, EU declaration of conformity, authorised-representative documentation where applicable, and incident or monitoring evidence in the owning compliance repository.
Sources for this answer
Regulation (EU) 2024/1689 (EU AI Act)
Primary source for Article 72 post-market monitoring, Article 73 high-risk serious-incident reporting, deployer monitoring duties, and Article 55 GPAI systemic-risk incident duties.
European Commission - AI Act serious incident template for GPAI systemic-risk models
Commission source for the reporting template and operational context for serious incidents involving GPAI models with systemic risk.
Section 7

7. Evidence table fields to keep

Use these fields for the AI Act inventory and evidence table. They are designed to make each row reviewable while keeping confidential preparation artifacts and non-public company materials separate from published evidence references.

Reopen the row when the intended purpose changes, a GPAI model or supplier changes, the system enters a new Annex III use case, a transparency trigger is added, a serious incident occurs, or a competent authority, notified body, customer, or internal approver requests new evidence.

  • Inventory fields: AI system or model name, version, owner, intended purpose, EU trigger, operator role, users, affected persons, data categories, supplier or model dependency, and release status.
  • Classification fields: prohibited-practice result, high-risk route, Annex III area, Article 6(3) exception reasoning if used, GPAI status, systemic-risk status, Article 50 transparency trigger, and final classification approver.
  • Control fields: required obligation set, implementation artifact, evidence owner, approving function, due milestone, release blocker, and reassessment trigger.
  • Evidence fields: source URL, source-supported claim, policy or procedure link, technical documentation link, test or validation report, data-governance record, human-oversight record, UI notice or marker, conformity artifact, post-market plan, and incident record.
  • Authority-facing fields: EU database registration status where applicable, notified-body involvement, market surveillance authority contact path, AI Office contact path for GPAI matters, and confidentiality or trade-secret handling note.
Sources for this answer
Regulation (EU) 2024/1689 (EU AI Act)
Supports the evidence fields by requiring documentation, logging, conformity, registration, transparency, post-market, incident, and authority-cooperation records across the relevant AI Act provisions.
European Commission - AI Act regulatory framework
Supports the checklist structure by summarizing how providers, deployers, authorities, and post-market responsibilities interact after high-risk AI systems are on the market.
Recommended next step

Keep classification, controls, and evidence in one reviewable record

Use the cited sources listed here to verify obligations and the supporting evidence requirements.

Research workflow
Open Research Copilot for EU AI Act

Verify the following areas from the cited sources: EU AI Act classification, high-risk controls, GPAI duties, transparency notices, and incident records using the cited sources on this page.

Explore next step
Talk to Sorena
Review EU AI Act checklist implementation

Review your AI inventory, role mapping, high-risk evidence, GPAI model records, transparency notices, and post-market monitoring gaps with Sorena.

Explore next step
Primary sources

References and citations

European Commission - AI Act regulatory framework
digital-strategy.ec.europa.eu
Referenced sections
  • Supports the checklist structure by summarizing how providers, deployers, authorities, and post-market responsibilities interact after high-risk AI systems are on the market.
"providers have a post-market monitoring system in place"
European Commission - GPAI provider guidelines
digital-strategy.ec.europa.eu
Referenced sections
  • Commission guidance source for interpreting GPAI provider scope, significant modifications, open-source exemptions, and enforcement timeline context.
"only those making significant modifications need to comply"
Regulation (EU) 2024/1689 (EU AI Act)
eur-lex.europa.eu
Referenced sections
  • Supports the evidence fields by requiring documentation, logging, conformity, registration, transparency, post-market, incident, and authority-cooperation records across the relevant AI Act provisions.
"provide that authority all the information and documentation necessary to demonstrate the conformity"
Related guides

Explore more topics

Are industry AI use cases high-risk under EU AI Act Annex III?
FAQ answer on when an industry AI use case falls under EU AI Act Annex III, how Article 6 classification works, when Article 6(3) can support a non-high-risk conclusion, and what evidence providers should keep.
EU AI Act AI System Classification Edge Cases FAQ
Answers for EU AI Act edge cases: AI system definition, inference versus simple rules, GPAI models, embedded products, territorial scope, roles, and classification evidence.
EU AI Act Applicability and Roles: Scope, Actor Map, and Evidence
Determine whether the EU AI Act applies to an AI system or GPAI model, map provider, deployer, importer, distributor, and product manufacturer roles, and record evidence for classification.
EU AI Act applicability test: scope, role, and risk classification
Stepwise EU AI Act applicability test for AI-system status, exclusions, territorial scope, operator role, prohibited uses, high-risk systems, GPAI models, transparency duties, and evidence records.
EU AI Act Article 5 Prohibited AI Practices Screening Guide
Screen AI systems against the EU AI Act Article 5 prohibitions, including manipulation, exploitation, social scoring, biometric and law-enforcement exceptions.
EU AI Act Article 50 transparency disclosures FAQ
Article 50 FAQ for EU AI Act transparency duties covering chatbot notices, synthetic content marking, biometric and emotion notices, deepfakes, public-interest text, timing, accessibility, and exceptions.
EU AI Act Article 50 transparency, labeling, and user disclosures
Source-grounded guide to EU AI Act Article 50 duties for user interaction notices, synthetic content marking, deepfake labels, emotion recognition notices, biometric categorisation notices, and related high-risk AI instructions for use.
EU AI Act Article 73 serious incident FAQ
FAQ on EU AI Act serious incident handling for high-risk AI systems, including Article 73 reporting, deployer escalation, corrective action, and GPAI systemic-risk distinctions.
EU AI Act Compliance Program: roles, high-risk evidence, GPAI and incidents
Build an EU AI Act compliance program around provider, deployer, importer, distributor, high-risk, GPAI, transparency, monitoring, and incident evidence duties.
EU AI Act conformity assessment and notified bodies for high-risk AI
Grounded guide to EU AI Act high-risk AI conformity assessment routes, provider evidence, EU declaration of conformity, CE marking, and notified body involvement.
EU AI Act deadlines and compliance calendar | Article 113 dates
source-linked EU AI Act compliance calendar for Article 113 staged application dates, Article 111 transitions, GPAI, prohibited practices, AI literacy, and high-risk AI planning.
EU AI Act FAQ: scope, roles, high-risk AI, GPAI, FRIA, and dates
Grounded EU AI Act FAQ covering scope, provider and deployer roles, prohibited practices, high-risk classification, GPAI duties, transparency notices, FRIAs, EU database registration, serious incidents, and staged application dates.
EU AI Act FRIA FAQ: Article 27 Scope, Contents, and Notification
Source-grounded FAQ on when Article 27 requires a fundamental rights impact assessment, which deployers are covered, what the FRIA must contain, and how it relates to DPIAs and registration.
EU AI Act FRIA for high-risk AI systems: Article 27 scope and evidence
Source-grounded guide to EU AI Act Article 27 fundamental rights impact assessments: who must run a FRIA, Article 6(2) triggers, Annex III carveouts, DPIA overlap, notification, and registration evidence.
EU AI Act GPAI and Systemic-Risk Duties: Article 53 and 55 FAQ
FAQ on EU AI Act duties for general-purpose AI model providers, including Article 53 documentation, copyright and training-summary duties, Article 55 systemic-risk duties, serious incidents, cybersecurity, and staged enforcement.
EU AI Act GPAI evidence pack checklist for Article 53 and 55
Build a source-grounded evidence pack for EU AI Act GPAI model obligations: technical documentation, downstream information, copyright policy, training-content summary, and systemic-risk records where applicable.
EU AI Act GPAI Provider Obligations: Articles 53 and 55
Grounded guide to EU AI Act duties for general-purpose AI model providers: Article 53 documentation, copyright policy, training-content summary, downstream information, and Article 55 systemic-risk controls.
EU AI Act High-Risk AI Requirements: Articles 8-16 and 26
Map the EU AI Act requirements for high-risk AI systems: risk management, data governance, technical documentation, logs, transparency, human oversight, accuracy, robustness, cybersecurity, and deployer duties.
EU AI Act high-risk AI use cases by industry | Article 6 and Annex III guide
Industry-by-industry guide to EU AI Act high-risk classification under Article 6, Annex III, Annex I product safety routes, exclusions, and provider/deployer boundaries.
EU AI Act high-risk conformity assessment route selector
Select the EU AI Act Article 43 conformity assessment route for a high-risk AI system, including Annex I product legislation, Annex III categories, notified body triggers, standards, declaration, CE marking, registration, and evidence.
EU AI Act high-risk requirements checklist: Articles 8-15
Checklist for EU AI Act high-risk AI system requirements in Articles 8-15: risk management, data governance, documentation, logs, transparency, human oversight, accuracy, robustness, and cybersecurity.
EU AI Act penalties and fines: Article 99 tiers and GPAI exposure
EU AI Act penalties explained: Article 99 fine tiers, prohibited-practice exposure, incorrect information, SME caps, Member State rules, and GPAI model fines.
EU AI Act post-market monitoring and serious incident reporting
Grounded guide to EU AI Act Articles 72 and 73 for high-risk AI: monitoring plans, serious incident reporting, deployer escalation, corrective action, and GPAI distinctions.
EU AI Act post-market monitoring FAQ for high-risk AI systems
Answer to how providers and deployers should handle EU AI Act post-market monitoring for high-risk AI systems under Article 72, with serious-incident, log, corrective-action, and lifecycle-change triggers.
EU AI Act provider vs deployer role boundaries: Article 3 and Article 25 FAQ
FAQ on EU AI Act provider, deployer, operator, importer, distributor, authorised representative, product manufacturer, downstream provider, and GPAI model provider boundaries.
EU AI Act risk classification intake workflow
A grounded intake structure for classifying EU AI Act scope, prohibited practices, high-risk routes, Annex III use cases, GPAI model status, roles, and reassessment triggers.
EU AI Act serious incident reporting triage workflow: Article 73 and Article 55
Triage EU AI Act serious incidents by definition, actor, reporting route, deadline, deployer escalation, corrective action, and separate GPAI systemic-risk reporting.
EU AI Act Technical Documentation and Provider Evidence Templates
Build AI Act evidence templates for high-risk AI providers: Article 11 technical documentation, Annex IV fields, quality management, conformity, CE marking, registration, logs, and post-market monitoring.
EU AI Act technical documentation FAQ | Article 11 and Annex IV
What Article 11 and Annex IV require in high-risk AI technical documentation: system identity, intended purpose, architecture, data, testing, oversight, cybersecurity, conformity, and post-market monitoring.
EU AI Act Timeline and Phasing Roadmap: practical obligations and evidence guide
Practical EU AI Act guide to Timeline and Phasing Roadmap: scope, owners, evidence, edge cases, checklist steps, and external source-linked citations.
EU AI Act vs ISO/IEC 42001: legal duties, controls, and evidence limits
Compare the EU AI Act and ISO/IEC 42001 across legal status, risk classification, high-risk AI, GPAI, transparency, conformity, evidence, and assurance limits.
EU AI Act vs NIST AI RMF: legal duties, risk controls, and evidence boundaries
Compare the binding EU AI Act with the voluntary NIST AI RMF, including role classification, high-risk duties, GPAI, transparency, conformity evidence, and reuse limits.
FAQ: EU AI Act conformity assessment procedures and notified body selection
source-linked FAQ on EU AI Act Article 43 conformity assessment routes, Annex VI internal control, Annex VII notified-body review, CE marking, declarations, and registration.