Artifact GuideEU

EU AI Act Compliance

A practical structure for assigning EU AI Act duties across providers, deployers, importers, distributors, GPAI model providers, and high-risk AI system owners.

Use it to organise risk classification, conformity evidence, technical documentation, FRIA records, transparency notices, post-market monitoring, and serious-incident handling.

Back to main artifactReview sources
Author
Sorena AI
Published
May 9, 2026
Updated
May 9, 2026
Sections
6

Structured answer sets in this page tree.

Primary sources
12

Cited legal and guidance references.

Publication metadata
Sorena AI
Published May 9, 2026
Updated May 9, 2026
Overview

EU AI Act compliance is not a single checklist. A useful program first identifies the regulated role and risk tier, then attaches the right evidence to the product, model, deployment, supply-chain handoff, and monitoring process. The same AI capability can create provider duties for one organisation, deployer duties for another, and importer or distributor verification duties for a market channel.

Section 1

Build the compliance register around roles and risk tiers

Start every record with the AI asset, intended purpose, EU market or use facts, operator role, and risk classification. The AI Act separates high-risk AI system duties from GPAI model duties and from transparency duties for certain AI systems, so the register should not collapse those categories into one generic control.

For high-risk AI systems, keep a role column for provider, authorised representative, importer, distributor, deployer, product manufacturer, and any third party supplying tools, services, components, or processes for integration. Article 25 can move provider obligations to a distributor, importer, deployer, or other third party when they rebrand the system, substantially modify it, or change the intended purpose so that it becomes high-risk.

  • Provider record: intended purpose, high-risk basis, Article 8-15 requirement mapping, quality management owner, conformity route, EU declaration of conformity, CE marking, registration status, and post-market monitoring plan.
  • Deployer record: instructions for use, human oversight assignment, input-data control, operational monitoring, log retention, worker or affected-person notices where applicable, Article 49 registration where the deployer is a public authority or acting on its behalf, and FRIA status where Article 27 applies.
  • Importer record: verification that the provider completed conformity assessment, drew up technical documentation, supplied CE marking, EU declaration of conformity, instructions for use, and appointed an authorised representative where required.
  • Distributor record: verification of CE marking, EU declaration of conformity, instructions for use, provider and importer identification details, storage or transport controls, and corrective-action escalation if non-conformity or risk appears.
  • GPAI record: model provider, model release and distribution method, Article 53 documentation, downstream information package, copyright policy, public training-content summary, systemic-risk classification review, and AI Office notification status where relevant.
Sources for this answer
Regulation (EU) 2024/1689, Articles 16-26
Supports the division of duties among providers, authorised representatives, importers, distributors, deployers, and value-chain actors for high-risk AI systems.
AI Act Service Desk - Article 49 registration
Supports provider and public-authority deployer registration controls for covered Annex III high-risk AI systems.
Section 2

Turn high-risk obligations into evidence families

For high-risk AI systems, the provider evidence file should demonstrate the Section 2 requirements: risk management, data governance, technical documentation, record-keeping, deployer-facing information, human oversight, accuracy, robustness, and cybersecurity. These are product and lifecycle controls, not only policy statements.

A deployer file should prove that the system is used according to the provider's instructions, that oversight is assigned to people with competence, training, authority, and support, and that monitoring feeds provider and authority escalation when risk or a serious incident appears.

  • Risk management evidence: known and reasonably foreseeable risks, misuse analysis, residual-risk acceptance, mitigation controls, testing metrics, vulnerable-group consideration, and post-market data feeding back into the risk file.
  • Data evidence: training, validation, and testing data provenance, preparation, assumptions, suitability, representativeness, bias examination, mitigation actions, and data gaps that may block compliance.
  • Transparency-to-deployer evidence: instructions for use, intended purpose, performance limitations, expected accuracy, robustness and cybersecurity metrics, human oversight measures, input specifications, and log collection guidance.
  • Oversight evidence: assigned overseers, training records, ability to interpret outputs, automation-bias controls, override or stop procedures, and documented use restrictions.
  • Security and reliability evidence: accuracy declarations, robustness tests, cybersecurity controls for data poisoning, model poisoning, adversarial examples, confidentiality attacks, and model flaws where relevant.
Sources for this answer
Regulation (EU) 2024/1689, Articles 8-15
Supports the required evidence families for high-risk AI systems: risk management, data governance, documentation, logs, information to deployers, oversight, accuracy, robustness, and cybersecurity.
Section 3

Select the conformity route before release or substantial modification

Article 43 makes conformity assessment route selection a release gate for high-risk AI systems. Some Annex III point 1 systems can use internal control when harmonised standards or common specifications are fully applied; otherwise the notified-body route in Annex VII is used. Annex III points 2 to 8 use internal control unless the Regulation is amended to require notified-body involvement.

High-risk AI systems covered by Union harmonisation legislation listed in Annex I, Section A follow the conformity assessment procedure under that sector law, while the AI Act Section 2 requirements become part of that assessment. A new conformity assessment is required after a substantial modification to a high-risk AI system.

  • Conformity route record: Annex basis, applied harmonised standards or common specifications, internal-control or notified-body route, notified-body identity where applicable, certificate status, and re-assessment trigger.
  • Release gate: technical documentation complete, quality management records available, EU declaration of conformity drafted, CE marking plan approved, registration obligation checked, and post-market monitoring plan attached.
  • Change gate: intended-purpose changes, substantial modifications, rebranding, product integrations, or learning-system changes reviewed against Article 25 and Article 43 before shipping.
Sources for this answer
Regulation (EU) 2024/1689, Article 43 and Annexes VI-VII
Supports conformity assessment route selection, notified-body involvement, sector-law handling, and new assessment after substantial modification.
AI Act Service Desk - Article 49 registration
Supports adding registration status as a release gate for covered high-risk AI systems and public-authority deployments.
Section 4

Keep technical documentation usable by authorities and notified bodies

Article 11 requires technical documentation before a high-risk AI system is placed on the market or put into service and requires it to be kept up to date. Annex IV turns that into a concrete file: system description, development process, data, architecture, oversight, validation, cybersecurity, risk management, standards, declaration of conformity, and post-market monitoring.

The documentation should be versioned with the system. It must be clear enough for national competent authorities and notified bodies to assess compliance, and it should also support internal release decisions, incident investigations, and customer assurance.

  • System identity: name, version, provider, intended purpose, forms of release, hardware or software interactions, user interface, and deployer instructions.
  • Development record: design choices, model or algorithm logic, assumptions, optimisation goals, training and testing methods, third-party tools or pre-trained systems, and architecture.
  • Validation record: validation and testing procedures, test data characteristics, metrics for accuracy and robustness, discriminatory-impact testing where relevant, signed test logs, and test reports.
  • Control record: human oversight measures, input data specifications, risk management system, cybersecurity controls, lifecycle changes, standards or common specifications, EU declaration of conformity, and post-market monitoring plan.
Sources for this answer
Regulation (EU) 2024/1689, Article 11 and Annex IV
Supports the required structure and purpose of technical documentation for high-risk AI systems.
Section 5

Handle FRIA, transparency, and GPAI as separate workstreams

A fundamental rights impact assessment is not required for every deployment. Article 27 applies before deployment to deployers that are bodies governed by public law, private entities providing public services, and deployers of high-risk AI systems referred to in Annex III points 5(b) and 5(c), except high-risk systems intended for the area listed in Annex III point 2. The assessment covers the deployer process, use period and frequency, affected people and groups, specific risks, human oversight, and measures for risk materialisation, including governance and complaint mechanisms.

Article 50 transparency controls should be tracked separately from high-risk status. They cover direct interaction with natural persons, marking synthetic audio, image, video, or text outputs where applicable, notices for emotion recognition or biometric categorisation, deepfake disclosures, and disclosure for AI-generated public-interest text unless a stated exception applies.

GPAI model provider duties are another separate track. Article 53 requires model technical documentation, downstream information, a copyright policy, and a public summary of training content. Systemic-risk GPAI duties add model evaluation, adversarial testing, systemic-risk assessment and mitigation, serious-incident tracking and reporting, and cybersecurity protection.

  • FRIA output: process description, use period and frequency, affected persons and groups, risk analysis, oversight implementation, risk-response measures, notification record, and DPIA cross-reference where applicable.
  • Transparency output: interaction notice text, synthetic-content marking approach, deepfake or public-interest text disclosure, accessibility check, first-interaction or first-exposure timing, and exception rationale if used.
  • GPAI output: Annex XI model documentation, Annex XII downstream integration information, public training-content summary, copyright policy, Code of Practice or alternative compliance evidence, systemic-risk notification review, and AI Office submission evidence where relevant.
Sources for this answer
AI Act Service Desk - Article 27 FRIA
Supports the scope and required content of fundamental rights impact assessments for covered high-risk deployments.
Regulation (EU) 2024/1689, Article 50
Supports transparency controls for direct AI interaction, synthetic output marking, emotion recognition or biometric categorisation notices, deepfakes, and AI-generated public-interest text.
European Commission - GPAI provider guidelines
Supports maintaining a dedicated GPAI provider workstream and using Commission guidance to assess whether GPAI obligations apply.
Section 6

Prove monitoring, corrective action, and incident readiness

Post-market monitoring is a provider duty for high-risk AI systems. Article 72 requires a documented system that actively and systematically collects, documents, and analyses performance data throughout the system lifetime so the provider can evaluate continuing compliance with the high-risk requirements.

Incident evidence should connect deployer monitoring, provider investigation, market surveillance reporting, and corrective action. Article 73 requires providers of high-risk AI systems placed on the Union market to report serious incidents to the market surveillance authority of the Member State where the incident occurred, with shorter maximum reporting periods for widespread infringements, certain serious incidents, and deaths.

What is the minimum structure for an EU AI Act compliance register?

Use separate rows for each AI system or GPAI model and include intended purpose, EU market or use facts, role, risk tier, high-risk or GPAI basis, required evidence, conformity route, transparency notice status, monitoring owner, incident escalation path, source citation, and reassessment trigger.

Who owns EU AI Act compliance when a company only buys or deploys an AI system?

A buyer may still have deployer duties for high-risk use, including using the system according to instructions, assigning competent human oversight, monitoring operation, keeping logs under its control, informing workers or affected natural persons where required, and escalating risks or serious incidents. The buyer can also become a provider if it rebrands, substantially modifies, or changes the intended purpose in a way covered by Article 25.

What evidence should be ready before releasing a high-risk AI system in the EU?

The provider should have the Article 8-15 requirement evidence, Article 11 and Annex IV technical documentation, quality management records, conformity assessment evidence, EU declaration of conformity, CE marking evidence, registration record where required, deployer instructions, post-market monitoring plan, and serious-incident reporting procedure.

  • Monitoring inputs: performance logs, deployer reports, customer support signals, complaints, model or data drift findings, interaction with other AI systems, and evidence of continuing compliance.
  • Provider response: causal-link assessment, risk assessment, corrective action, withdrawal, disabling, recall, distributor and deployer notifications, authority communications, and notified-body communications where applicable.
  • Serious-incident record: date of awareness, incident category, affected Member State, causal-link analysis, initial report, complete report, investigation file, corrective measures, authority acknowledgements, and preservation notes before altering the system.
  • GPAI systemic-risk incident record: Article 55 serious-incident tracking and reporting evidence, AI Office submission evidence, and corrective-measure documentation.
Sources for this answer
Regulation (EU) 2024/1689, Articles 72-73
Supports post-market monitoring, serious-incident reporting, investigation, corrective action, and reporting-period controls for high-risk AI systems.
European Commission - AI Act serious incident template for GPAI models with systemic risk
Supports the GPAI systemic-risk incident-reporting workstream and the Commission reporting template for serious incidents involving GPAI models with systemic risk.
Recommended next step

Structure your AI Act compliance program by role, risk tier, and evidence

Sorena can help convert AI system and GPAI model inventories into role-specific obligations, source-linked evidence requests, conformity gates, FRIA records, monitoring controls, and incident workflows.

Research workflow
Open Research Copilot for EU AI Act

Ask source-linked questions about AI Act roles, high-risk duties, GPAI model obligations, transparency, and incident evidence using the cited sources on this page.

Explore next step
Talk to Sorena
Talk through implementation

Review your EU AI Act compliance register, evidence gaps, conformity assessment gates, and monitoring workflow with Sorena.

Explore next step
Primary sources

References and citations

AI Act Service Desk - Article 27 FRIA
ai-act-service-desk.ec.europa.eu
Referenced sections
  • Supports the scope and required content of fundamental rights impact assessments for covered high-risk deployments.
"Fundamental rights impact assessment for high-risk AI systems"
AI Act Service Desk - Article 49 registration
ai-act-service-desk.ec.europa.eu
Referenced sections
  • Supports adding registration status as a release gate for covered high-risk AI systems and public-authority deployments.
"register themselves and their system in the EU database"
European Commission - GPAI provider guidelines
digital-strategy.ec.europa.eu
Referenced sections
  • Supports maintaining a dedicated GPAI provider workstream and using Commission guidance to assess whether GPAI obligations apply.
"clarify the scope of the obligations for providers of general-purpose AI models"
Regulation (EU) 2024/1689 (EU AI Act)
eur-lex.europa.eu
Referenced sections
  • Primary legal text supporting operator roles, high-risk requirements, conformity assessment, technical documentation, transparency obligations, GPAI obligations, post-market monitoring, and serious-incident reporting.
"laying down harmonised rules on artificial intelligence"
Regulation (EU) 2024/1689, Article 50
eur-lex.europa.eu
Referenced sections
  • Supports transparency controls for direct AI interaction, synthetic output marking, emotion recognition or biometric categorisation notices, deepfakes, and AI-generated public-interest text.
"Transparency obligations for providers and deployers of certain AI systems"
Regulation (EU) 2024/1689, Articles 16-26
eur-lex.europa.eu
Referenced sections
  • Supports the division of duties among providers, authorised representatives, importers, distributors, deployers, and value-chain actors for high-risk AI systems.
"Obligations of providers and deployers of high-risk AI systems and other parties"
Regulation (EU) 2024/1689, Articles 72-73
eur-lex.europa.eu
Referenced sections
  • Supports post-market monitoring, serious-incident reporting, investigation, corrective action, and reporting-period controls for high-risk AI systems.
"Post-market monitoring by providers and post-market monitoring plan for high-risk AI systems"
Regulation (EU) 2024/1689, Articles 8-15
eur-lex.europa.eu
Referenced sections
  • Supports the required evidence families for high-risk AI systems: risk management, data governance, documentation, logs, information to deployers, oversight, accuracy, robustness, and cybersecurity.
"Requirements for high-risk AI systems"
Related guides

Explore more topics

Are industry AI use cases high-risk under EU AI Act Annex III?
FAQ answer on when an industry AI use case falls under EU AI Act Annex III, how Article 6 classification works, when Article 6(3) can support a non-high-risk conclusion, and what evidence providers should keep.
EU AI Act AI System Classification Edge Cases FAQ
Answers for EU AI Act edge cases: AI system definition, inference versus simple rules, GPAI models, embedded products, territorial scope, roles, and classification evidence.
EU AI Act Applicability and Roles: Scope, Actor Map, and Evidence
Determine whether the EU AI Act applies to an AI system or GPAI model, map provider, deployer, importer, distributor, and product manufacturer roles, and record evidence for classification.
EU AI Act applicability test: scope, role, and risk classification
Stepwise EU AI Act applicability test for AI-system status, exclusions, territorial scope, operator role, prohibited uses, high-risk systems, GPAI models, transparency duties, and evidence records.
EU AI Act Article 5 Prohibited AI Practices Screening Guide
Screen AI systems against the EU AI Act Article 5 prohibitions, including manipulation, exploitation, social scoring, biometric and law-enforcement exceptions.
EU AI Act Article 50 transparency disclosures FAQ
Article 50 FAQ for EU AI Act transparency duties covering chatbot notices, synthetic content marking, biometric and emotion notices, deepfakes, public-interest text, timing, accessibility, and exceptions.
EU AI Act Article 50 transparency, labeling, and user disclosures
Source-grounded guide to EU AI Act Article 50 duties for user interaction notices, synthetic content marking, deepfake labels, emotion recognition notices, biometric categorisation notices, and related high-risk AI instructions for use.
EU AI Act Article 73 serious incident FAQ
FAQ on EU AI Act serious incident handling for high-risk AI systems, including Article 73 reporting, deployer escalation, corrective action, and GPAI systemic-risk distinctions.
EU AI Act Compliance Checklist by Risk Class
A practical EU AI Act checklist for classifying AI systems, assigning operator roles, screening prohibited practices, and collecting evidence for high-risk, GPAI, transparency, monitoring, and incident duties.
EU AI Act conformity assessment and notified bodies for high-risk AI
Grounded guide to EU AI Act high-risk AI conformity assessment routes, provider evidence, EU declaration of conformity, CE marking, and notified body involvement.
EU AI Act deadlines and compliance calendar | Article 113 dates
source-linked EU AI Act compliance calendar for Article 113 staged application dates, Article 111 transitions, GPAI, prohibited practices, AI literacy, and high-risk AI planning.
EU AI Act FAQ: scope, roles, high-risk AI, GPAI, FRIA, and dates
Grounded EU AI Act FAQ covering scope, provider and deployer roles, prohibited practices, high-risk classification, GPAI duties, transparency notices, FRIAs, EU database registration, serious incidents, and staged application dates.
EU AI Act FRIA FAQ: Article 27 Scope, Contents, and Notification
Source-grounded FAQ on when Article 27 requires a fundamental rights impact assessment, which deployers are covered, what the FRIA must contain, and how it relates to DPIAs and registration.
EU AI Act FRIA for high-risk AI systems: Article 27 scope and evidence
Source-grounded guide to EU AI Act Article 27 fundamental rights impact assessments: who must run a FRIA, Article 6(2) triggers, Annex III carveouts, DPIA overlap, notification, and registration evidence.
EU AI Act GPAI and Systemic-Risk Duties: Article 53 and 55 FAQ
FAQ on EU AI Act duties for general-purpose AI model providers, including Article 53 documentation, copyright and training-summary duties, Article 55 systemic-risk duties, serious incidents, cybersecurity, and staged enforcement.
EU AI Act GPAI evidence pack checklist for Article 53 and 55
Build a source-grounded evidence pack for EU AI Act GPAI model obligations: technical documentation, downstream information, copyright policy, training-content summary, and systemic-risk records where applicable.
EU AI Act GPAI Provider Obligations: Articles 53 and 55
Grounded guide to EU AI Act duties for general-purpose AI model providers: Article 53 documentation, copyright policy, training-content summary, downstream information, and Article 55 systemic-risk controls.
EU AI Act High-Risk AI Requirements: Articles 8-16 and 26
Map the EU AI Act requirements for high-risk AI systems: risk management, data governance, technical documentation, logs, transparency, human oversight, accuracy, robustness, cybersecurity, and deployer duties.
EU AI Act high-risk AI use cases by industry | Article 6 and Annex III guide
Industry-by-industry guide to EU AI Act high-risk classification under Article 6, Annex III, Annex I product safety routes, exclusions, and provider/deployer boundaries.
EU AI Act high-risk conformity assessment route selector
Select the EU AI Act Article 43 conformity assessment route for a high-risk AI system, including Annex I product legislation, Annex III categories, notified body triggers, standards, declaration, CE marking, registration, and evidence.
EU AI Act high-risk requirements checklist: Articles 8-15
Checklist for EU AI Act high-risk AI system requirements in Articles 8-15: risk management, data governance, documentation, logs, transparency, human oversight, accuracy, robustness, and cybersecurity.
EU AI Act penalties and fines: Article 99 tiers and GPAI exposure
EU AI Act penalties explained: Article 99 fine tiers, prohibited-practice exposure, incorrect information, SME caps, Member State rules, and GPAI model fines.
EU AI Act post-market monitoring and serious incident reporting
Grounded guide to EU AI Act Articles 72 and 73 for high-risk AI: monitoring plans, serious incident reporting, deployer escalation, corrective action, and GPAI distinctions.
EU AI Act post-market monitoring FAQ for high-risk AI systems
Answer to how providers and deployers should handle EU AI Act post-market monitoring for high-risk AI systems under Article 72, with serious-incident, log, corrective-action, and lifecycle-change triggers.
EU AI Act provider vs deployer role boundaries: Article 3 and Article 25 FAQ
FAQ on EU AI Act provider, deployer, operator, importer, distributor, authorised representative, product manufacturer, downstream provider, and GPAI model provider boundaries.
EU AI Act risk classification intake workflow
A grounded intake structure for classifying EU AI Act scope, prohibited practices, high-risk routes, Annex III use cases, GPAI model status, roles, and reassessment triggers.
EU AI Act serious incident reporting triage workflow: Article 73 and Article 55
Triage EU AI Act serious incidents by definition, actor, reporting route, deadline, deployer escalation, corrective action, and separate GPAI systemic-risk reporting.
EU AI Act Technical Documentation and Provider Evidence Templates
Build AI Act evidence templates for high-risk AI providers: Article 11 technical documentation, Annex IV fields, quality management, conformity, CE marking, registration, logs, and post-market monitoring.
EU AI Act technical documentation FAQ | Article 11 and Annex IV
What Article 11 and Annex IV require in high-risk AI technical documentation: system identity, intended purpose, architecture, data, testing, oversight, cybersecurity, conformity, and post-market monitoring.
EU AI Act Timeline and Phasing Roadmap: practical obligations and evidence guide
Practical EU AI Act guide to Timeline and Phasing Roadmap: scope, owners, evidence, edge cases, checklist steps, and external source-linked citations.
EU AI Act vs ISO/IEC 42001: legal duties, controls, and evidence limits
Compare the EU AI Act and ISO/IEC 42001 across legal status, risk classification, high-risk AI, GPAI, transparency, conformity, evidence, and assurance limits.
EU AI Act vs NIST AI RMF: legal duties, risk controls, and evidence boundaries
Compare the binding EU AI Act with the voluntary NIST AI RMF, including role classification, high-risk duties, GPAI, transparency, conformity evidence, and reuse limits.
FAQ: EU AI Act conformity assessment procedures and notified body selection
source-linked FAQ on EU AI Act Article 43 conformity assessment routes, Annex VI internal control, Annex VII notified-body review, CE marking, declarations, and registration.