Contents
Step 1 — Identify Your AI Systems
- List every AI system your company develops, deploys, or uses (Art. 3)
- Determine for each system whether you are the provider, deployer, importer, or distributor; the obligations differ by role (Art. 3)
- Identify which systems are built on a general-purpose AI (GPAI) model as their underlying layer (Art. 3(63))
- Flag any system that makes, or materially assists in, decisions about natural persons; these are the main candidates for Annex III high-risk classification (Art. 6(2))
Step 2 — Check for Prohibited Practices
- No subliminal, manipulative, or deceptive techniques that materially distort behaviour and cause significant harm (Art. 5(1)(a))
- No exploitation of vulnerabilities due to age, disability, or social or economic situation (Art. 5(1)(b))
- No social scoring that leads to detrimental or disproportionate treatment; the final text applies to private actors as well as public authorities (Art. 5(1)(c))
- No assessment of the risk of a person committing a criminal offence based solely on profiling or personality traits (Art. 5(1)(d))
- No untargeted scraping of facial images from the internet or CCTV to build facial recognition databases (Art. 5(1)(e))
- No emotion recognition in the workplace or in educational institutions, except for medical or safety reasons (Art. 5(1)(f))
- No biometric categorisation inferring race, political opinions, trade union membership, religious or philosophical beliefs, sex life, or sexual orientation (Art. 5(1)(g))
- No real-time remote biometric identification in publicly accessible spaces for law enforcement purposes, except under the narrow conditions listed in the Article (Art. 5(1)(h))
Step 3 — Classify Each System
- Check whether any system is a product, or a safety component of a product, covered by the Annex I Union harmonisation legislation and subject to third-party conformity assessment (Art. 6(1))
- Check whether any system falls under one of the eight Annex III areas (Art. 6(2))
- Determine whether the Article 6(3) exemption applies: the system performs a narrow procedural task, improves the result of a completed human activity, detects decision-making patterns without replacing human assessment, or performs a preparatory task, and does not pose a significant risk of harm; profiling of natural persons is always high-risk (Art. 6(3))
- Document the classification reasoning, including for systems you conclude are not high-risk; a provider relying on the exemption must record the assessment and register the system (Art. 6(4), Art. 49(2))
Step 4 — If High-Risk: Core Obligations
- Implement a risk management system: documented, continuous, and iterative over the system's lifecycle (Art. 9)
- Establish data governance for training, validation, and testing data: relevance, representativeness, and examination for bias (Art. 10)
- Draw up the technical documentation before the system is placed on the market or put into service (Art. 11)
- Enable automatic recording of events (logs) over the system's lifetime; deployers keep the logs for at least six months (Art. 12, Art. 26(6))
- Provide clear instructions for use to deployers (Art. 13)
- Design the system for effective human oversight (Art. 14)
- Ensure an appropriate level of accuracy, robustness, and cybersecurity, including resilience against attempts by unauthorised third parties to alter the system's use, outputs, or performance (Art. 15)
- Register the system in the EU database before placing it on the market or putting it into service (Art. 49)
Step 5 — Transparency Obligations (Apply Regardless of Risk Class)
- Inform natural persons that they are interacting with an AI system, unless this is obvious from the context (chatbots, voice assistants) (Art. 50(1))
- Mark synthetic audio, image, video, or text output in a machine-readable format so it can be detected as artificially generated or manipulated (Art. 50(2))
- For emotion recognition or biometric categorisation systems: inform the natural persons exposed to them (Art. 50(3))
- Disclose deepfakes as artificially generated or manipulated; the same applies to AI-generated text published to inform the public on matters of public interest, unless it has undergone human review (Art. 50(4))
Step 6 — Governance & Documentation
- Appoint an internal AI compliance owner (DPO or dedicated role); the Act mandates no such role by name, but deployers must assign human oversight to competent, trained persons (Art. 26(2)) and ensure staff AI literacy (Art. 4)
- Create and maintain an AI inventory: all systems, your role for each (provider or deployer), classification, risk level
- Establish a serious-incident reporting procedure for high-risk systems: report no later than 15 days after becoming aware; 2 days for a widespread infringement or a disruption of critical infrastructure; 10 days in case of death (Art. 73)
- Update the GDPR records of processing activities to include AI systems (GDPR Art. 30)
- Conduct a DPIA for high-risk AI systems that process personal data, using the provider's instructions for use as input (GDPR Art. 35, Art. 26(9))
- Review supplier contracts: ensure AI vendors and component suppliers provide, by written agreement, the information needed for compliance (Art. 25(4))
This checklist gives you the structure. The SPRINKLING free diagnostic gives you the specific classification for your systems: 9 questions, article by article.
Sources
- [1] EUR-Lex (July 12, 2024) — Regulation (EU) 2024/1689 — Artificial Intelligence Act (full text): eur-lex.europa.eu/eli
- [2] EU AI Act — Article 6 — Classification Rules for High-Risk AI Systems: artificialintelligenceact.eu/article
- [3] EU AI Act — Annex III — High-Risk AI Systems Referred to in Article 6(2): artificialintelligenceact.eu/annex
- [4] EU AI Act — Articles 9–15 — Requirements for High-Risk AI Systems: artificialintelligenceact.eu/article
The Art. 5 prohibitions (applicable since 2 February 2025) and the GPAI rules (since 2 August 2025) apply today. Article 50 transparency becomes binding on 2 August 2026. Annex III high-risk obligations become binding on 2 December 2027 under the Digital Omnibus timetable (the original date was 2 August 2026). The question is not when; it is whether you have documented your position.