EU AI Act Compliance Checklist for Businesses: What to Do Before 2 August 2026


Responsible AI principles tell you what good looks like. The EU AI Act tells you what you are legally required to do, by when, and what it costs if you do not. Those are two different jobs, and a business that has written a thoughtful set of AI values can still be exposed on the second. This checklist is the operational half: how to find the AI systems you run, sort them by risk tier, work through conformity assessment, build the technical documentation, apply CE marking, register in the EU database, and stand up human oversight and logging before the obligations bite.


Why the Date Matters, and the Delay You Should Not Rely On

The AI Act (Regulation (EU) 2024/1689) is being switched on in stages. The bans on prohibited practices and the AI literacy duty applied from 2 February 2025. The rules for general-purpose AI models, plus governance and notified bodies, applied from 2 August 2025. The big one for most operating businesses is 2 August 2026, when the obligations for high-risk systems listed in Annex III and the transparency duties in Article 50 start to apply. Requirements for high-risk AI embedded in regulated products under Annex I follow on 2 August 2027.

There is a complication you need to understand rather than ignore. On 7 May 2026 the Council and Parliament reached a political agreement, under the Digital Omnibus package, to defer most stand-alone Annex III high-risk obligations from 2 August 2026 to 2 December 2027, with product-embedded systems pushed to 2 August 2028. That deferral is not yet law. It only takes effect once formally adopted and published in the Official Journal. Until that happens, 2 August 2026 remains the legally operative deadline. Treat the delay as breathing room you might get, not a date you can bank, and keep your plan pointed at August 2026.

Step 1: Build an Inventory of Every AI System You Use

You cannot classify what you have not listed. The first task is a complete inventory of AI systems your organisation develops, buys, embeds or relies on, including the quiet ones tucked inside HR software, customer service tools, fraud screening and marketing platforms. For each entry, record what it does, who supplied it, where its output is used, and whether any of that output reaches the EU.

While you build the list, decide your role for each system. The Act draws a sharp line between a provider, which develops a system and places it on the market under its own name, and a deployer, which uses a system under its own authority. Most businesses are deployers of tools built by others, and deployers carry a lighter set of duties. But if you fine-tune, rebrand or substantially modify a high-risk system, you can be reclassified as a provider and inherit the full obligation set, so flag those cases now.

Step 2: Classify Each System by Risk Tier

The Act sorts AI into four tiers, and your obligations follow the tier, not the technology. Run every system in your inventory through this table and write down the result and your reasoning.

| Risk tier | What it covers | What you must do |
|---|---|---|
| Prohibited (Article 5) | Social scoring, untargeted facial-image scraping, emotion recognition in workplaces and schools, certain manipulative or exploitative systems | Stop. These are banned outright and have been since February 2025 |
| High-risk (Annex III and Annex I products) | Eight areas including biometrics, critical infrastructure, education, employment and worker management, essential services, law enforcement, migration, justice | Full requirements: risk management, data governance, documentation, logging, human oversight, conformity assessment, CE marking, registration |
| Limited risk (Article 50) | Chatbots, AI that generates or manipulates content, deepfakes | Transparency: tell people they are dealing with AI and label synthetic content |
| Minimal risk | Spam filters, AI in games, most everyday productivity tools | No mandatory obligations; voluntary codes of conduct encouraged |

The high-risk tier is where the work concentrates. A system is high-risk if it is a safety component of a product covered by the EU product safety laws in Annex I, or if it falls within one of the eight Annex III use areas. There is a narrow carve-out in Article 6(3) for systems that perform only a preparatory or narrow procedural task and do not materially influence a decision, but you must document why the exemption applies. When in doubt, classify up.


Step 3: Meet the High-Risk Requirements

If you provide a high-risk system, Articles 8 to 17 set out what it has to satisfy before it goes on the market. These requirements are the substance that the rest of the checklist documents and proves. Build each one as a working capability, not a paragraph in a policy.

Risk management and data governance

Run a continuous risk management process across the whole lifecycle, identifying and mitigating reasonably foreseeable risks to health, safety and fundamental rights. Apply data governance so that training, validation and testing data are relevant, sufficiently representative and, as far as possible, free of errors, with attention to bias.

Human oversight, accuracy and security

Design the system so a person can effectively oversee it, understand its limits, intervene and stop it. Set and document appropriate levels of accuracy, robustness and cybersecurity, and make sure the people running it day to day know what those limits are.

Automatic logging

High-risk systems must log events automatically over their lifetime to a degree appropriate to their purpose. These records are what let you trace a decision, investigate an incident and show an authority what happened. Providers keep the logs they control; deployers must keep the logs the system generates under their control for an appropriate period, normally at least six months unless other law says otherwise.

Step 4: Write the Technical Documentation

For every high-risk system, the provider must draw up technical documentation before it is placed on the market and keep it current. Annex IV sets the contents: a general description of the system and its intended purpose, the development process and design choices, the data used, the risk management measures, the validation and testing carried out, and the post-market monitoring plan. This file is the evidence base. If an authority asks how your system works and why it is compliant, this is what you hand over.

Draft it as you build, not at the end. Retrofitting documentation onto a system that is already live is slow, and gaps in the record are exactly where authorities and notified bodies probe.

Step 5: Complete the Conformity Assessment

Conformity assessment is the formal check that a high-risk system meets the requirements before it goes on the market. For most Annex III systems the provider runs an internal assessment against the requirements and self-declares, based on the technical documentation and quality management process. A notified body, an accredited external assessor, is needed mainly for certain biometric systems where harmonised standards have not been applied, and for AI that is a safety component of products that already need third-party assessment under existing product law.

Where harmonised standards exist, building to them gives a presumption of conformity and is the cleanest path. The European standards bodies CEN and CENELEC are developing these under a Commission request, so check what is published for your category and align to it.

Step 6: Declaration of Conformity and CE Marking

Once the system passes conformity assessment, the provider draws up an EU declaration of conformity, a signed statement that the system meets the Act's requirements, kept for ten years and available to authorities. The provider then affixes the CE marking to the system, or to its packaging and documentation for systems provided digitally. The CE mark is the visible signal that the system may circulate in the EU market. Putting it on a non-compliant system, or on a system that never went through assessment, is itself a breach.

Step 7: Register in the EU Database

Before placing a stand-alone Annex III high-risk system on the market or putting it into service, the provider, or their authorised representative, must register themselves and the system in the EU database set up under Article 71. The point of the database is public visibility of high-risk systems operating in the Union. Public-authority deployers register their use as well. Certain law enforcement, migration and border systems sit in a secure, non-public part of the database. Keep your registration entries accurate and updated as the system changes.

Step 8: Set Up Deployer Duties and Ongoing Monitoring

If you are a deployer of a high-risk system, your duties are lighter but real. Use the system in line with the provider's instructions, assign competent human oversight, monitor its operation, keep the logs under your control, and tell the provider or authority if you spot a serious incident or a risk. Public bodies and some private operators must also carry out a fundamental rights impact assessment before deploying certain high-risk systems. Both providers and deployers run post-market monitoring and report serious incidents to the relevant national authority.

What Non-Compliance Costs

The penalties are deliberately heavy and scale with the company. Breaching the prohibited practices in Article 5 can bring fines of up to EUR 35 million or 7% of total worldwide annual turnover, whichever is higher. Breaching most other obligations, including the high-risk requirements, can bring up to EUR 15 million or 3% of turnover. Supplying incorrect, incomplete or misleading information to authorities or notified bodies can bring up to EUR 7.5 million or 1% of turnover. For SMEs and start-ups, the lower of the fixed amount or the percentage applies, which softens the blow but does not remove it.

Common Mistakes to Avoid

A handful of errors trip up businesses that otherwise have the right intent. Assuming the Act does not apply because you are outside the EU misses its extraterritorial reach over systems and output used in the Union. Treating the provisional delay as settled law, and pausing your programme, leaves you exposed if the Official Journal publication slips past 2 August 2026. Classifying everything as minimal risk to avoid the work invites a costly reassessment later. Forgetting the shadow AI inside bought software means whole systems never get classified at all. And writing a values statement while skipping the conformity assessment, CE marking and registration confuses principles with obligations, which is the one mistake this checklist exists to prevent.

Frequently Asked Questions

Does the EU AI Act apply to my business if we are based in the UK or outside the EU?

Yes, it can. The AI Act has extraterritorial reach. It applies to providers placing AI systems on the EU market and to providers and deployers based outside the EU where the output produced by the system is used in the EU. A UK or US company that sells, or whose AI output is relied on, inside the EU is in scope. Where you are headquartered matters less than where your system or its output lands.

Is the 2 August 2026 deadline still in force given the proposed delay?

As things stand, yes. On 7 May 2026 EU lawmakers reached a political agreement, under the Digital Omnibus, to defer most stand-alone Annex III high-risk obligations from 2 August 2026 to 2 December 2027. That deferral only takes legal effect once it is formally adopted and published in the Official Journal, which had not happened at the time of writing. Until then, 2 August 2026 remains the legally operative date, so plan for it rather than assume the delay.

How do I tell whether my AI system is high-risk?

Work through two questions. First, is the system a safety component of a product already covered by EU product safety law listed in Annex I? Second, does it fall into one of the eight use areas in Annex III, which include biometrics, critical infrastructure, education, employment and worker management, access to essential services, law enforcement, migration, and the administration of justice? If yes to either, treat it as high-risk unless a narrow Article 6(3) exemption clearly applies, and document why.

What is the difference between a provider and a deployer, and which am I?

A provider develops an AI system, or has one developed, and places it on the market or puts it into service under its own name. A deployer uses an AI system under its own authority in the course of its business. Most companies buying off-the-shelf AI are deployers and carry lighter duties, such as following the provider's instructions, ensuring human oversight and keeping logs. If you substantially modify a high-risk system or put your own name on it, you can become a provider and inherit the full obligation set.

What are the penalties for non-compliance?

Fines are tiered. Breaching the prohibited practices in Article 5 can cost up to EUR 35 million or 7% of total worldwide annual turnover, whichever is higher. Breaching most other obligations, including the high-risk requirements, can cost up to EUR 15 million or 3% of turnover. Supplying incorrect, incomplete or misleading information to authorities or notified bodies can cost up to EUR 7.5 million or 1% of turnover. For SMEs and start-ups the lower of the fixed sum or the percentage applies.

Do I need a notified body to assess my high-risk system?

Often no. For most Annex III high-risk systems the provider can run an internal conformity assessment against the requirements and self-declare, which is the route most businesses will use. A notified body, an external accredited assessor, is required mainly for certain biometric systems where no harmonised standards have been applied, and for AI that is a safety component of products already needing third-party assessment under existing law. Check your category before assuming you can self-certify.

Moving Forward

Compliance with the AI Act is a sequence, not a single document: inventory, classify, meet the high-risk requirements, document, assess, declare and CE mark, register, then monitor. Start with the inventory and the risk classification, because everything downstream depends on knowing what you have and what tier it sits in. The provisional delay may give you more runway, but the work is the same either way, and the businesses that start now will not be scrambling if the Official Journal publication slips.

This checklist handles the external, regulatory obligations. The internal counterpart is the rulebook your own staff follow when they use AI day to day. If you have not yet set that out, our template-driven guide to writing an AI use policy for employees operationalises these duties inside the business, covering acceptable use, human oversight and the logging habits the Act expects. You can find more practical guides across the E-Business Ethics resources.

For the primary sources, the European Commission's regulatory framework on AI and the official AI Act implementation timeline are the reliable references to confirm what applies to your systems and when.

Need Help Mapping Your AI Systems to the Act?

We help compliance leads and SME owners inventory their AI, classify it by risk tier, and build the documentation, conformity assessment and registration trail the EU AI Act demands. Our consulting services take you from a list of tools to a defensible compliance position before the deadline.
