EU AI Act Compliance: An Executive Checklist

EU AI Act compliance means aligning your organization's AI systems with Regulation (EU) 2024/1689, the first comprehensive law governing artificial intelligence in the European Union. Compliance is risk-based: obligations scale with how much harm a system can cause, sorted into four tiers of unacceptable, high, limited, and minimal risk. Any organization that develops, deploys, imports, or distributes AI used in the EU market falls in scope, regardless of where the company is based.

The Act entered into force on 1 August 2024 and applies on a staggered timeline. Prohibitions on unacceptable-risk practices took effect on 2 February 2025. Obligations for general-purpose AI (GPAI) models began on 2 August 2025. Most high-risk system requirements apply from 2 August 2026, with a later deadline of 2 August 2027 for AI embedded in regulated products. Executives who wait until those dates to begin will be late, because the documentation and governance work takes several quarters to complete.

Who does the EU AI Act apply to?

The Act reaches well beyond firms headquartered in the EU. Scope follows the AI system's effect inside the Union, not the provider's address. You are covered if your AI output is used in the EU, even when your servers and staff are located elsewhere.

The law assigns obligations by role, and a single company can hold more than one role across different systems:

  • Provider: develops an AI system or GPAI model, or has one developed, and places it on the EU market under its own name or trademark. Providers carry the heaviest obligations.

  • Deployer: uses an AI system under its own authority in a professional context. A bank running a third-party credit-scoring model is a deployer.

  • Importer: places an AI system from a non-EU provider onto the EU market.

  • Distributor: makes an AI system available in the supply chain without being the provider or importer.

  • Product manufacturer: integrates an AI system into a product sold under the manufacturer's name.

One point deserves attention: if a deployer substantially modifies a high-risk system, or puts its own name on it, that deployer can legally become a provider and inherit provider obligations. Assign every AI system in your organization to a role before you scope anything else.

What are the four risk categories?

The Act sorts AI by potential for harm. Your obligations depend entirely on which tier a given system falls into, so classification is the first technical task.

Risk tier: Unacceptable
What it covers: Social scoring by public authorities, manipulative or exploitative AI systems, untargeted facial recognition scraping, and most real-time remote biometric identification in public spaces.
Core obligation: Prohibited under the EU AI Act (ban effective from February 2025).

Risk tier: High
What it covers: AI used in hiring, credit, education, critical infrastructure, medical devices, law enforcement, migration, and safety components of regulated products (Annex III and certain Annex I products).
Core obligation: Must comply with a full conformity framework, including risk management, data governance, technical documentation, human oversight, and registration.

Risk tier: Limited
What it covers: Chatbots, emotion recognition systems, and AI-generated or manipulated content (such as deepfakes).
Core obligation: Transparency requirements, including informing users when they are interacting with AI or viewing AI-generated content.

Risk tier: Minimal
What it covers: Spam filters, AI in video games, inventory optimization, and most enterprise productivity tools.
Core obligation: No mandatory legal obligations, although voluntary codes of conduct are encouraged.

Most enterprise AI is minimal or limited risk. The compliance burden concentrates in high-risk uses, especially hiring, lending, and access to essential services, which together account for a large share of corporate machine-learning deployments. General-purpose AI models follow a separate set of rules, and GPAI deemed to carry systemic risk (above a compute threshold of 10^25 FLOPs) faces added duties around model evaluation, adversarial testing, and incident reporting.

What does a high-risk AI system require?

If you provide or deploy a high-risk system, the Act sets out a structured conformity regime. These requirements correspond closely to the NIST AI Risk Management Framework and ISO/IEC 42001, so an organization already running one of those standards has less new work to do. For a closer look at the functions that underpin that approach, see our explainer on the NIST AI RMF and its Govern, Map, Measure, and Manage functions.

Core provider requirements for high-risk systems:

  1. Risk management system. A continuous, documented process across the AI lifecycle that identifies, estimates, and mitigates foreseeable risks to health, safety, and fundamental rights.

  2. Data and data governance. Training, validation, and test datasets must meet quality criteria: relevant, representative, and examined for bias that could harm protected groups.

  3. Technical documentation. Detailed records demonstrating conformity, prepared before market placement and kept current. Annex IV lists the required contents.

  4. Record-keeping and logging. Automatic event logs that allow traceability of the system's functioning over its lifetime.

  5. Transparency and instructions for use. Clear information so deployers can understand and operate the system correctly.

  6. Human oversight. Measures that let designated people understand, monitor, and override the system, including a stop function.

  7. Accuracy, resilience, and cybersecurity. The Act (Article 15) sets this combined requirement: performance levels appropriate to the intended purpose, with resilience against errors and adversarial attacks.

  8. Quality management system. A documented organizational process covering compliance, including post-market monitoring.

Before a high-risk system reaches the market, the provider runs a conformity assessment, draws up an EU declaration of conformity, affixes the CE marking, and registers the system in the EU database for high-risk AI. Deployers of high-risk systems carry their own duties: human oversight, monitoring, keeping logs, and, for public bodies and some private actors, a fundamental rights impact assessment (FRIA) before first use.

How should an executive structure a compliance program?

Treat this as a governance program, not a one-time legal review. The following sequence keeps the work tractable and auditable.

  1. Build an AI inventory. List every AI system your organization develops, buys, or deploys. You cannot classify or govern what you have not catalogued. Include shadow AI that teams adopted without central approval.

  2. Assign a role to each system. Provider, deployer, importer, distributor, or manufacturer. Document where you hold multiple roles.

  3. Classify each system by risk tier. Assess each system against Annex I and Annex III to decide whether it is unacceptable, high, limited, or minimal risk. Flag GPAI use separately.

  4. Triage the high-risk and prohibited items first. Retire or remediate anything that touches a banned practice. Scope full conformity work for high-risk systems.

  5. Stand up governance. Name an accountable owner (often a cross-functional AI governance committee), define escalation paths, and adopt an AI management system aligned to ISO/IEC 42001.

  6. Close documentation and oversight gaps. Produce Annex IV technical files, logging, human-oversight procedures, and FRIAs where required.

  7. Manage the vendor chain. Obtain conformity evidence, instructions for use, and contractual commitments from third-party providers. Their gaps become your liability.

  8. Train staff on AI literacy. Article 4 requires that staff dealing with AI systems have a sufficient level of AI literacy, an obligation that has applied since February 2025.

  9. Monitor and report. Set up post-market monitoring and serious-incident reporting workflows, and review classifications as systems and the law evolve.

Assign clear ownership. In practice the work spans legal, data science, security, product, and HR, coordinated by a designated AI governance lead or chief AI officer. A common cause of failure is leaving compliance with legal alone while engineering keeps shipping models that legal never reviews.

What are the penalties for non-compliance?

The Act enforces its rules with fines scaled to the severity of the breach. They are calculated as the higher of a fixed euro amount or a percentage of worldwide annual turnover, matching the enforcement structure of GDPR.

Violation type: Prohibited (unacceptable-risk) practices
Maximum fine: Up to 35 million euros or 7% of global annual turnover

Violation type: Most other obligation breaches (high-risk, transparency, GPAI)
Maximum fine: Up to 15 million euros or 3% of global annual turnover

Violation type: Supplying incorrect or misleading information to authorities
Maximum fine: Up to 7.5 million euros or 1% of global annual turnover

Enforcement runs through national market surveillance authorities in each member state, coordinated by the new European AI Office and the European Artificial Intelligence Board. Beyond fines, regulators can order a system withdrawn from the market, which carries operational and reputational costs that often exceed the monetary penalty. For small and medium-sized enterprises, the caps are set at the lower of the two figures, a concession that does not remove the underlying duties.

How does the EU AI Act interact with other regulations?

The Act does not operate in isolation. It applies alongside existing EU law and connects to recognized governance standards, which benefits organizations with mature compliance functions.

  • GDPR. AI systems that process personal data still owe full GDPR compliance. Data-protection impact assessments and the AI Act's fundamental rights assessment cover related but distinct ground, and both can be required.

  • Sectoral product law. For AI in medical devices, machinery, or vehicles, the AI Act works with existing CE-marking regimes rather than replacing them.

  • ISO/IEC 42001. This AI management system standard gives organizations a certifiable framework that corresponds closely to the Act's quality-management and risk obligations.

  • NIST AI RMF and OECD AI Principles. Voluntary but widely adopted, these help structure risk work and demonstrate good faith to regulators. The Act also encourages codes of practice and harmonized standards that, once published, create a presumption of conformity for organizations that follow them.

The practical point: if you already run a recognized governance standard, much of the foundation is in place. Map your existing controls to the Act's requirements and close the gaps, rather than building a parallel program.

Next Steps

Use this checklist to move toward a defensible compliance posture:

  • Inventory every AI system in development, procurement, and production, including shadow AI.

  • Assign roles (provider, deployer, importer, distributor) to each system.

  • Classify each system into unacceptable, high, limited, or minimal risk, and flag GPAI use.

  • Remediate prohibited practices immediately; the ban is already in force.

  • Scope high-risk conformity work against the eight core requirements and Annex IV.

  • Stand up governance: name an accountable owner and adopt an ISO/IEC 42001-aligned management system.

  • Complete FRIAs for high-risk deployments where required.

  • Secure vendor evidence: conformity documentation and instructions for use from third-party providers.

  • Deliver AI-literacy training to staff who build or operate AI systems.

  • Stand up monitoring for post-market surveillance and serious-incident reporting.

  • Calendar the deadlines: GPAI (August 2025), high-risk (August 2026), embedded product AI (August 2027).

Frequently Asked Questions

When does the EU AI Act take full effect?

The Act entered into force on 1 August 2024 and applies in phases. Bans on unacceptable-risk practices and AI-literacy duties started 2 February 2025. GPAI model obligations began 2 August 2025. Most high-risk requirements apply from 2 August 2026, and AI embedded in regulated products has until 2 August 2027. Start the inventory and classification work now, because conformity documentation takes several quarters to assemble.

Does the EU AI Act apply to companies outside the EU?

Yes. Scope follows where the AI system's output is used, not where the company is based. A US or Asian provider whose system is placed on the EU market, or whose output is used inside the Union, falls under the Act. Non-EU providers of high-risk systems must also appoint an authorized representative established in the EU to handle compliance documentation and authority requests.

What counts as a high-risk AI system?

High-risk systems are listed in two places. Annex I covers AI that is a safety component of products already regulated under EU law, such as medical devices and machinery. Annex III lists standalone uses including hiring, credit scoring, education, critical infrastructure, law enforcement, and migration. A narrow exception applies when an Annex III system performs only a limited preparatory task and does not materially influence decisions.

What is the difference between a provider and a deployer?

A provider develops an AI system or GPAI model and places it on the EU market under its own name, carrying the bulk of the obligations. A deployer uses an AI system under its own authority in a professional setting. A company can be both. A deployer that substantially modifies a high-risk system or rebrands it as its own becomes a provider and inherits provider duties.

How much can EU AI Act fines reach?

Fines scale with the violation. Using prohibited AI practices can cost up to 35 million euros or 7% of global annual turnover, whichever is higher. Most other breaches, including high-risk and transparency failures, reach up to 15 million euros or 3% of turnover. Supplying incorrect information to authorities can cost up to 7.5 million euros or 1%. Regulators can also order systems withdrawn from the market.
