Use this checklist to systematically achieve EU AI Act compliance before the August 2027 deadline.
Phase 1: Classification (Now - Q1 2025)
- Inventory all AI systems developed or deployed
- Assess scope: does each fall under AI Act definition?
- Classify risk level per Annex III criteria
- Identify any prohibited practices (Article 5)
- Assign roles: provider, deployer, distributor, importer
- Document classification decisions and rationale
Phase 2: Gap Analysis (Q1-Q2 2025)
For High-Risk Systems:
- Compare current practices to Articles 9-15 requirements
- Evaluate existing documentation against Annex IV
- Assess data quality and governance vs Article 10
- Review quality management against Annex VIII
- Check user information and instructions for use
- Document compliance gaps with priorities
Phase 3: Remediation (Q2 2025 - Q2 2026)
Implement Core Requirements:
- Establish risk management system (Article 9)
- Implement data governance practices (Article 10)
- Prepare technical documentation (Annex IV)
- Deploy event logging capabilities (Article 12)
- Design human oversight mechanisms (Article 14)
- Set up quality management system (Annex VIII)
- Establish post-market monitoring (Article 72)
Phase 4: Conformity Assessment (Q3-Q4 2026)
- Select assessment route: internal control or notified body
- Conduct conformity assessment per selected procedure
- Prepare EU declaration of conformity
- Affix CE marking on product or documentation
- Register system in EU database for high-risk AI
- Maintain conformity assessment documentation
Phase 5: Ongoing Compliance (August 2026+)
- Operate post-market monitoring systems
- Report serious incidents per Article 73
- Keep technical documentation current
- Re-assess when substantially modified
- Respond to market surveillance authority requests
- Update documentation for system changes
GPAI Model Providers (All)
Effective August 2025:
- Prepare technical documentation
- Provide information to downstream providers
- Implement copyright compliance policy
- Publish training content summary
Systemic Risk GPAI Additional (>10^25 FLOPs):
- Conduct model evaluation and adversarial testing
- Track and document serious incidents
- Implement cybersecurity protections
- Report energy consumption for training
Limited-Risk Systems
Effective August 2026:
- Disclose AI interaction to users (chatbots)
- Mark synthetic content as AI-generated (deepfakes)
- Inform individuals of emotion recognition use
- Clarify biometric categorization to affected persons
Documentation Checklist
Maintain for All High-Risk Systems:
- Technical documentation (Annex IV)
- Risk assessment and management records
- Data governance documentation
- Testing and validation reports
- Quality management system records
- Conformity assessment documentation
- EU declaration of conformity
- Post-market monitoring logs
- Incident reports and corrective actions
- Change logs for system updates
Key Takeaways
- Start classification now—foundation of all compliance work
- Remediation phase takes 6-12 months for high-risk systems
- Conformity assessment can take 2-4 months
- Documentation is evidence of compliance during inspections
- Post-market monitoring is ongoing obligation post-launch
- August 2026 deadline for new high-risk systems approaching
Frequently Asked Questions
When should I start compliance work?
Now. Classification and gap analysis take time, remediation 6-12 months, conformity assessment 2-4 months.
Can I use existing documentation?
Yes, if it covers Annex IV requirements. Supplement gaps rather than starting from scratch.
What if I miss the deadline?
You cannot legally place the system on the EU market and you risk penalties and market surveillance authority intervention.
How do I prove compliance to authorities?
Maintain technical documentation, risk records, testing reports, QMS records, and conformity assessment documentation. Inability to produce these is itself a violation.
Citations
- Regulation EU 2024/1689 Artificial Intelligence Act - European Parliament - 2024
- AI Act Implementation Roadmap - European Commission - 2024
Frequently Asked Questions
Begin now. You will need time for system classification, gap analysis, 6–12 months of remediation for high-risk systems, and 2–4 months for conformity assessment before the key 2026–2027 deadlines.
Yes, you can reuse existing documentation if it covers Annex IV requirements. Identify gaps against Annex IV and supplement what is missing rather than rebuilding everything from scratch.
If you miss the deadline, you cannot legally place or operate the non-compliant AI system on the EU market and you may face penalties and intervention from market surveillance authorities.
You demonstrate compliance by maintaining complete technical documentation, risk management records, testing and validation reports, quality management system evidence, and conformity assessment documentation that can be produced on request.
High-Risk Systems Face the Earliest Hard Deadlines
New high-risk AI systems must comply with the EU AI Act by August 2026, with additional obligations for GPAI providers starting August 2025. Back-plan from these dates, allowing at least 6–12 months for remediation and 2–4 months for conformity assessment.
Typical remediation timeline for high-risk AI systems
Source: AI Act Implementation Roadmap - European Commission - 2024
"Classification is the single most important early decision in EU AI Act compliance—every subsequent obligation flows from how you scope and categorize your systems."
— EU AI Act Compliance Guidance
References
- Regulation (EU) 2024/1689 Artificial Intelligence Act. European Parliament and Council of the European Union (2024)
- AI Act Implementation Roadmap. European Commission (2024)