Compliance · May 8, 2026 · 16 min read

The EU AI Act compliance checklist for European companies


The EU AI Act is no longer upcoming regulation. Prohibited practices have been enforceable since February 2025. GPAI and transparency obligations apply from August 2026. High-risk AI system obligations apply from December 2027 following the AI omnibus political agreement reached on 7 May 2026.

Most European companies have not yet classified their AI systems by risk tier. Many do not have a complete inventory of the AI tools running in their environment. This checklist exists to close that gap: eight concrete steps that form a practical compliance roadmap, moving your organisation from uncertainty to a documented, audit-ready governance posture.

This is not a theoretical framework. It is a working checklist that your IT, security, legal, and compliance teams can execute against, starting this week.


Who does the EU AI Act apply to?

The Act's extraterritorial scope means that if your AI output is used in the EU or affects EU residents, you are likely in scope. The Act identifies three primary roles.

Providers are companies that develop AI systems or have them developed under their direction and place them on the EU market under their own name or trademark.

Deployers are organisations using AI systems under their own authority. If your company uses a third-party AI tool for recruitment screening, credit assessment, or customer service, you are a deployer and you have obligations.

Importers and distributors are entities bringing AI-enabled products into the EU market. They carry responsibility for ensuring the systems they distribute meet Act requirements.

The practical implication: even if you did not build the AI, if you deploy it in an EU context, you own compliance obligations. This catches many organisations off guard, particularly those using embedded AI features inside existing SaaS platforms.

EU AI Act risk tiers explained

Your compliance obligations are determined by which tier your AI systems fall into. Getting this classification right is the foundation of everything that follows. For a detailed breakdown of each tier, see our EU AI Act risk classification guide.

Prohibited: banned outright

AI systems deemed to pose unacceptable risk to fundamental rights are banned entirely. This has been enforceable since February 2025. No grace period applies.

Prohibited practices include AI-driven social scoring of individuals, subliminal manipulation techniques designed to distort behaviour below conscious awareness, biometric categorisation based on protected characteristics such as race, gender, or political beliefs, real-time remote biometric identification in public spaces (with narrow law enforcement exceptions), and emotion recognition systems in workplaces and educational institutions.

What to do right now: audit your current AI stack and confirm no system, including embedded features in third-party software, is performing any prohibited practice. If you find one, discontinue immediately and document the remediation. If you are unsure what AI tools are active across your organisation, start with Shadow AI detection.

High-risk: substantial obligations

High-risk AI systems are those used in contexts where failures or bias can significantly affect fundamental rights, safety, or life outcomes. This is where the majority of compliance effort sits for most organisations.

High-risk categories include biometric identification and classification, critical infrastructure management (energy, water, transport, digital infrastructure), educational assessment and student progression, employment and recruitment (hiring, performance evaluation, promotion, termination), access to essential services (credit, insurance, healthcare, housing, social benefits), law enforcement and criminal justice, border and immigration control, and administration of justice.

How to identify high-risk systems in your organisation: any AI tool that influences a decision about a person's employment, financial access, education, healthcare, or legal status is almost certainly high-risk. This includes AI features embedded inside HR platforms, CRM tools, and financial software that you may not have explicitly procured as "AI."

Limited risk: transparency requirements

AI systems that interact directly with people, such as chatbots and deepfake generators, must meet transparency obligations. Users must be informed they are interacting with AI and must understand the system's capabilities and limitations. These obligations apply from August 2, 2026.

Minimal risk: no specific obligations

The majority of AI applications, including spam filters, recommendation engines, and basic automation, fall into minimal risk. No specific EU AI Act obligations apply beyond general EU law such as GDPR and consumer protection.

Enforcement timeline

The EU AI Act does not have a single deadline. Obligations are phased across multiple dates.

February 2, 2025 (already in force): prohibited AI practices ban and AI literacy obligations.

August 2, 2025 (already in force): governance structures, GPAI model provider obligations, and the penalty framework.

August 2, 2026: transparency obligations under Article 50 (chatbots, deepfakes, emotion recognition disclosure) and the Commission's supervision and enforcement powers against GPAI model providers.

December 2, 2027: high-risk AI system obligations under Annex III, covering biometrics, critical infrastructure, education, employment, migration, asylum, border control, and justice. This date was confirmed by the AI omnibus political agreement on 7 May 2026, replacing the original August 2026 deadline.

August 2, 2028: high-risk AI systems embedded in regulated products such as medical devices, machinery, vehicles, toys, and lifts.

The December 2027 date for high-risk obligations gives organisations additional implementation runway. This is not a signal to delay. The documentation requirements alone, including fundamental rights impact assessments, training data governance records, and conformity assessment evidence, take months to build credibly.

The compliance checklist: eight steps

Step 1: discover every AI system in your environment

You cannot classify what you cannot see. Before anything else, build a complete inventory of every AI tool in use across your organisation, including sanctioned tools, embedded AI features inside existing software, and Shadow AI that employees have adopted without IT approval.

How to do it: deploy network monitoring to identify connections to AI service endpoints. Audit browser extensions across all company devices. Review expense reports and corporate credit card statements for AI service subscriptions. Survey teams across departments. Check IAM logs for OAuth connections to AI platforms.

What good looks like: a single inventory that lists every AI tool, who uses it, what data it processes, whether it was formally approved, and what risk tier it falls into. This inventory becomes the foundation for every subsequent step.


Step 2: classify each system by risk tier

With your inventory complete, classify each AI system against the Act's risk categories. This is the step that determines your compliance obligations for every tool.

How to do it: for each tool, work through the following questions in order. Does it perform any prohibited practice? Does it operate in a high-risk category listed in Annex III? Does it interact directly with users in a way that requires transparency disclosure? If the answer to all three is no, it is minimal risk.

Common mistakes: overlooking embedded AI features inside platforms you already use. Your HR platform may have added AI-powered candidate screening. Your CRM may now include AI-generated customer insights. These are not exempt simply because they were not procured as standalone AI tools. If the feature makes or influences a decision in a high-risk category, it carries high-risk obligations.

What good looks like: every tool in your inventory has an assigned risk tier, a brief justification for the classification, and a clear owner responsible for compliance.
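As an added example, not code from this post or from Grasp, the following Python script builds the Step 1 inventory from constructed proxy-log lines and a constructed IAM OAuth grant export, then applies the Step 2 questions to each tool it finds. The AI service domains, OAuth client ids, users and tool names are placeholders, and the catalogue that maps an endpoint to its usage profile (prohibited practice, Annex III category, user-facing) is an assumption: in practice you maintain it from your own vendor reviews.

```python
"""Added example: Step 1 Shadow AI inventory and Step 2 tier classification; all names are placeholders."""
from __future__ import annotations
import re
from dataclasses import dataclass, field

@dataclass
class Profile:                    # facts the Step 2 questions are asked against
    prohibited: bool = False      # performs a prohibited practice?
    annex_iii: str | None = None  # Annex III category, if it operates in one
    user_facing: bool = False     # interacts directly with people?

# Constructed catalogue: proxy destination or OAuth client id -> (tool, profile)
CATALOGUE = {
    "api.chat-assistant.example": ("ChatAssistant", Profile(user_facing=True)),
    "screen.hire-ai.example": ("HireScreen", Profile(annex_iii="employment")),
    "oauth-client-credit-ml": ("CreditScore", Profile(annex_iii="essential services")),
    "mood.workplace-sense.example": ("MoodSense", Profile(prohibited=True)),
}
APPROVED = {"ChatAssistant"}  # constructed: tools that went through procurement

@dataclass
class Entry:                      # one inventory row in progress
    tool: str
    profile: Profile
    users: set[str] = field(default_factory=set)

def classify_tier(p: Profile) -> str:
    """Step 2 questions asked in order; the first 'yes' decides the tier."""
    if p.prohibited:
        return "prohibited"
    if p.annex_iii:
        return "high-risk"
    if p.user_facing:
        return "limited-risk"
    return "minimal-risk"

def build_inventory(proxy_lines, oauth_grants) -> dict[str, Entry]:
    """Step 1: one entry per AI tool seen in either evidence source."""
    inv: dict[str, Entry] = {}
    def record(key: str, user: str) -> None:
        if key in CATALOGUE:  # anything not in the catalogue is not an AI tool
            tool, profile = CATALOGUE[key]
            inv.setdefault(tool, Entry(tool, profile)).users.add(user)
    for line in proxy_lines:  # constructed format: "... user=<id> dst=<host> ..."
        if m := re.search(r"user=(\S+) dst=(\S+)", line):
            record(m.group(2), m.group(1))
    for grant in oauth_grants:
        record(grant["client_id"], grant["user"])
    return inv

def report(inv: dict[str, Entry]) -> list[tuple[str, str, bool, list[str]]]:
    """(tool, tier, approved, users) rows; approved=False marks Shadow AI."""
    return [(e.tool, classify_tier(e.profile), e.tool in APPROVED, sorted(e.users))
            for e in sorted(inv.values(), key=lambda e: e.tool)]

PROXY_LOG = [  # constructed sample lines
    "2026-05-04T09:12:01Z user=alice dst=screen.hire-ai.example status=200",
    "2026-05-04T09:13:44Z user=bob dst=intranet.corp.example status=200",
    "2026-05-04T10:02:07Z user=carol dst=api.chat-assistant.example status=200",
    "2026-05-04T11:40:19Z user=alice dst=mood.workplace-sense.example status=200",
]
OAUTH_GRANTS = [  # constructed IAM export
    {"user": "dave", "client_id": "oauth-client-credit-ml"},
    {"user": "carol", "client_id": "oauth-client-calendar"},
]
```

Running `report(build_inventory(PROXY_LOG, OAUTH_GRANTS))` yields one row per tool with its tier, approval status and users; the credit-scoring tool shows up only through the OAuth grant, which is why the IAM export belongs in the evidence set alongside network data.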

Step 3: conduct risk assessments for high-risk systems

For every AI system classified as high-risk, conduct a fundamental rights impact assessment. This is similar in structure to a GDPR Data Protection Impact Assessment but focused specifically on AI-related risks.

How to do it: identify the specific fundamental rights the system could affect (privacy, non-discrimination, freedom of expression, access to employment, access to services). Document the potential harms if the system fails, produces biased outputs, or is misused. Assess the likelihood and severity of each harm. Document the mitigation measures in place and any gaps that need remediation.

What good looks like: a written assessment for each high-risk system that a regulator could review and find complete. This is not a checkbox exercise. It is the core compliance document that demonstrates your organisation has identified and addressed risks before deployment, not after an incident.

Step 4: build technical documentation

High-risk AI systems require a comprehensive technical file. Think of this as the system's compliance passport: it must be complete, current, and ready for review at any time. For a detailed walkthrough of this process, see our EU AI Act conformity assessment guide.

What to include: a description of the system's intended purpose and the context in which it operates. System architecture and design logic. Training data sources, cleaning processes, and bias mitigation steps taken. Performance metrics, accuracy benchmarks, and testing results. Known limitations and conditions under which the system may underperform. Version history and change logs.

For deployers using third-party AI: you may not have built the system, but you still need documentation. Request technical documentation from your AI vendors. If they cannot provide it, that is a red flag for your risk assessment. Include vendor-provided documentation in your compliance file alongside your own deployment-specific records.

What good looks like: a living document, not a static file created once and forgotten. Technical documentation must be updated when the system changes, when new data sources are added, when vendor terms change, or when performance metrics shift.

Step 5: implement data governance for training data

If your organisation builds, fine-tunes, or customises AI models, the training data must meet specific quality and bias standards under the Act.

How to do it: audit training datasets for representativeness across the populations the system will affect. Document data sources, collection methods, and any filtering or cleaning applied. Test for statistical bias across protected characteristics. Establish processes for ongoing data quality monitoring, not just at initial training but through the system's lifecycle.

For deployers who do not train models: this step is primarily relevant for providers. However, deployers should request evidence from their AI vendors that training data governance meets Act requirements. Include this evidence in your compliance file.

Step 6: set up human oversight mechanisms

High-risk AI cannot operate as a black box. The Act requires meaningful human oversight, not just the theoretical ability to intervene but practical, documented intervention points.

How to do it: define at which points in the AI system's workflow a human reviews, validates, or overrides the output. Ensure the humans performing oversight have the training, authority, and tools to meaningfully intervene. Document the override process: what triggers it, who has authority, and how overrides are recorded.

What meaningful oversight looks like: a recruitment AI that flags candidates for human review is not sufficient if the human reviewer simply rubber-stamps every AI recommendation. Oversight must be genuine. Reviewers must have access to the AI's reasoning, the ability to disagree, and the authority to override. Document that this happens in practice, not just in policy.

Step 7: implement transparency and user disclosure

Users must be informed when they are interacting with AI or when a high-risk system is making or influencing a decision about them. These obligations apply from August 2, 2026 for limited-risk systems and from December 2, 2027 for high-risk systems.

How to do it: add clear AI disclosure to every user-facing interface where AI generates content, makes recommendations, or influences decisions. For chatbots and conversational AI, disclose at the start of the interaction. For high-risk systems, explain the logic of the AI's decision in terms the affected person can understand. Provide information about how to contest or request human review of an AI-influenced decision.

What good looks like: disclosure that is visible, understandable, and actionable. A buried footnote does not meet the standard. A clear statement at the point of interaction, with a path to human review, does.

Step 8: designate compliance roles and responsibilities

Accountability must be centralised and clear. The Act requires organisations to demonstrate that someone owns AI compliance and that responsibilities are defined across functions.

How to do it: appoint an AI compliance lead or officer with authority to make governance decisions. Define a RACI matrix covering AI governance responsibilities across IT, security, legal, compliance, HR, and business units. Establish an AI governance committee for high-risk approval decisions. Document reporting lines: who reports AI compliance status to the board, and how often.

What good looks like: a named individual or team that owns AI compliance, with documented authority, clear escalation paths, and regular reporting to leadership. If a regulator asks "who is responsible for AI governance in your organisation," there should be an immediate, specific answer.

Penalties for non-compliance

The Act's penalty framework has been in force since August 2, 2025. Fines are tiered based on the severity of the violation.

Non-compliance with prohibited practices carries fines up to €35 million or 7% of global annual turnover, whichever is higher. Non-compliance with other requirements, including high-risk obligations, carries fines up to €15 million or 3%. Supplying incorrect information to regulators carries fines up to €7.5 million or 1.5%. SMEs and startups pay the lower figure in each tier.

Beyond financial penalties, enforcement can include operational restrictions on AI system deployment, mandatory corrective actions, and reputational damage that affects customer trust and enterprise sales.

How the EU AI Act intersects with other frameworks

The EU AI Act does not replace existing regulations. It adds a layer specifically governing AI systems, and it interacts with several frameworks your organisation likely already manages.

GDPR: if your AI system processes personal data, both GDPR and the AI Act apply. The fundamental rights impact assessment under the AI Act shares significant overlap with GDPR's Data Protection Impact Assessment. Integrate the two processes rather than running them separately.

NIS2: if your AI supports critical infrastructure or essential services, NIS2 cybersecurity governance requirements apply to your AI vendors and deployments alongside AI Act obligations.

ISO 27001 and ISO 42001: ISO 27001 covers information security management and already requires controls that extend to AI tools. ISO 42001 is the newer standard specifically for AI management systems. A well-structured AI governance framework maps directly to both standards and reduces audit effort for certification. There is no single EU AI Act compliance certification equivalent to ISO 27001 or SOC 2, but ISO 42001 certification provides the closest structured path. Organisations that hold ISO 27001 and pursue ISO 42001 will find significant overlap with EU AI Act requirements, particularly around risk management, documentation, and human oversight. For a detailed comparison, see our ISO 42001 vs ISO 27001 guide.

SOC 2: SOC 2 trust service criteria increasingly expect evidence of AI governance, particularly around data handling, vendor management, and access controls for AI systems.

From checklist to ongoing compliance strategy

A checklist gets you started. A compliance framework keeps you compliant. The difference between the two is whether your organisation treats AI governance as a one-time project or an ongoing operational strategy.

Schedule quarterly reviews of your AI inventory to catch new tools, changed risk profiles, and vendor updates. Monitor regulatory developments, particularly as the AI omnibus agreement moves through formal adoption and as national competent authorities designate enforcement bodies. Maintain your technical documentation as a living file, updated with every system change. Run annual fundamental rights impact assessments for high-risk systems, or sooner if the system's scope or data inputs change materially.

The organisations that treat AI governance as continuous operations rather than a one-time compliance project will be the ones that pass audits confidently, win enterprise contracts that require demonstrated compliance, and avoid the scramble that catches unprepared competitors.

Frequently asked questions

What does EU AI Act compliance actually involve?

EU AI Act compliance means classifying every AI system in your organisation by risk tier, meeting the corresponding obligations for each tier, documenting your governance decisions, and maintaining that posture continuously. For most organisations, the bulk of the work sits in high-risk AI system obligations: fundamental rights impact assessments, technical documentation, human oversight mechanisms, transparency disclosure, and conformity assessments. The Act does not require you to stop using AI. It requires you to govern it.

When do high-risk AI compliance obligations apply?

Following the AI omnibus political agreement on 7 May 2026, high-risk AI system obligations under Annex III apply from December 2, 2027. This covers AI used in biometrics, critical infrastructure, education, employment, essential services, law enforcement, border control, and justice. Transparency and GPAI enforcement obligations apply earlier, from August 2, 2026. Organisations should treat both dates as fixed planning milestones.

What happens if we are not compliant by the EU AI Act deadlines?

It depends on which obligations apply. Transparency and GPAI enforcement are live from August 2, 2026. Non-compliance from that date exposes organisations to enforcement action from national regulators. High-risk AI system obligations under Annex III apply from December 2, 2027 following the AI omnibus agreement. Fines across both deadlines can reach up to €35 million or 7% of annual global turnover for prohibited practices, and up to €15 million or 3% for most other breaches. Waiting for the later deadline is not a viable strategy: the documentation and governance infrastructure required for high-risk compliance takes months to build credibly.

Can we get a grace period or delay?

The AI omnibus political agreement (7 May 2026) already deferred high-risk AI obligations from August 2026 to December 2027. This is the extension. There is no indication of further delays, and transparency and GPAI obligations remain on the original August 2026 timeline. Organisations should treat both dates as fixed and use the additional runway for high-risk compliance to build documentation and governance infrastructure properly, not to defer starting.

Does the EU AI Act apply to non-EU organisations?

Yes. The Act applies if you are a provider placing AI systems on the EU market, a deployer using AI systems in the EU, or any organisation whose AI outputs affect people in the EU. This means US and other non-EU companies with EU customers, employees, or operations are in scope. For a detailed breakdown, see our EU AI Act compliance for US companies guide.

How does the EU AI Act interact with GDPR?

The two regulations are complementary. GDPR governs personal data processing, and the EU AI Act governs AI systems that may process that data. An AI system that processes personal data must comply with both. For high-risk AI, the fundamental rights impact assessment under the EU AI Act shares significant overlap with GDPR's Data Protection Impact Assessment, and organisations should integrate the two processes rather than running them separately.

Next steps

→ Download the EU AI Act Compliance Checklist as a PDF
→ Book a demo to see how Grasp maps your AI landscape to EU AI Act requirements automatically
→ Read the full EU AI Act guide for CISOs for the complete regulatory breakdown
→ Read the AI governance framework for implementation guidance beyond compliance