
EU AI Act Compliance Checklist for SMEs — 2026 Edition

By Lamar B. Shucrani — February 28, 2026 · 10 min read

Full enforcement applies from August 2, 2026. This checklist walks you through the 6 steps every SME must complete — from identifying your AI systems to documenting compliance.


Important: This checklist is an informational guide based on the EU AI Act as published. It does not constitute legal advice. For your specific situation, a full assessment provides article-mapped classification and a prioritized remediation plan.

Step 1 — Identify Your AI Systems

List every AI system your company develops, deploys, or uses — Art. 3
Determine for each system: are you the provider, deployer, or importer? — Art. 3
Identify which systems use a GPAI model as underlying layer — Art. 3(63)
Flag any system that makes or assists in decisions about people — Art. 6

Step 2 — Check for Prohibited Practices

No subliminal manipulation techniques that harm users — Art. 5(1)(a)
No exploitation of vulnerabilities of specific groups — Art. 5(1)(b)
No social scoring by public authorities — Art. 5(1)(c)
No criminal risk assessment based solely on profiling or personality traits — Art. 5(1)(d)
No untargeted scraping of facial images from internet or CCTV — Art. 5(1)(e)
No emotion recognition in workplace or educational institutions — Art. 5(1)(f)
No biometric categorisation inferring sensitive attributes (race, religion, etc.) — Art. 5(1)(g)
No real-time remote biometric identification in public spaces (with narrow exceptions) — Art. 5(1)(h)

Step 3 — Classify Each System

Check if any system is a safety component of an Annex I product — Art. 6(1)
Check if any system falls under the 8 Annex III domains — Art. 6(2)
Determine if Article 6(3) exemption applies (narrow procedural task, no significant harm) — Art. 6(3)
Document classification reasoning — even for non-high-risk systems — Art. 6

Step 4 — If High-Risk: Core Obligations

Implement a risk management system (documented, continuous, iterative) — Art. 9
Establish data governance — training data quality, bias assessment — Art. 10
Prepare technical documentation before market placement — Art. 11
Implement automatic logging of operations (tamper-proof) — Art. 12
Provide clear instructions for use to deployers — Art. 13
Implement human oversight mechanisms — Art. 14
Ensure accuracy, robustness, and cybersecurity — Art. 15
Register in EU AI Act database before deployment — Art. 49

Step 5 — Transparency Obligations (All Systems)

Inform users when they interact with an AI system (chatbots, voice assistants) — Art. 50(1)
Mark AI-generated text, audio, image, or video in machine-readable format — Art. 50(2)
For emotion recognition or biometric categorisation: inform exposed persons — Art. 50(3)
Disclose deepfakes as artificially generated or manipulated — Art. 50(4)

Step 6 — Governance & Documentation

Appoint internal AI compliance owner (DPO or dedicated role) — Art. 26
Create and maintain an AI inventory — all systems, classification, risk level
Establish incident reporting procedure (within 15 days of awareness; 2 days for widespread infringements or critical infrastructure disruption; 10 days in case of death) — Art. 73
Update GDPR records of processing activities to include AI systems — GDPR Art. 30
Conduct DPIA for high-risk AI systems that process personal data — GDPR Art. 35
Review supplier contracts — ensure AI vendors provide necessary compliance info — Art. 25

This checklist gives you the structure. The SPRINKLING free diagnostic gives you the specific classification for your systems — 9 questions, article by article.

