Check my compliance →
AIActComply / Blog / EU AI Act Compliance Checklist for Companies (2025–2026)

EU AI Act Compliance Checklist for Companies (2025–2026)

A practical checklist of what the EU AI Act requires, organised by obligation type and deadline. Covers Article 4, high-risk systems, transparency requirements, and the August 2026 deadline.

Published 3 March 2026

The EU AI Act creates different obligations depending on what your company does with AI. Some apply to every organisation in the EU. Others kick in only if your systems fall into specific risk categories. This checklist organises the obligations by type and flags what is already overdue.

Before you start: identify what your company does with AI

The Act draws a sharp line between providers (companies that build or develop AI systems) and deployers (companies that use AI systems in their operations). Most companies with no AI product of their own are deployers. Some are both.

Your obligations depend on which side of that line you sit on, and in some cases, on which category of risk your AI systems fall into.

Checklist: obligations that apply to every company

Article 4 — AI literacy policy

Status: overdue. Article 4 became enforceable 2 February 2025.

Risk classification

Deadline: 2 August 2026 for most deployer obligations.

Checklist: obligations for high-risk AI deployers

If any of your AI systems fall under Annex III (see the Annex III guide), the following apply from August 2026:

Usage policy (Article 26)

Technical documentation

Logging

Checklist: transparency obligations (Article 50)

These apply when users interact directly with an AI system, or when your company generates AI content that reaches users.

Note: The labelling requirement for synthetic media (deepfakes, AI-generated audio and video) applies regardless of risk classification.

Checklist: what you do NOT need to do (unless you are a provider)

If your company uses off-the-shelf AI tools but does not build or train AI systems:

However, you do need to verify that high-risk AI providers have met their obligations before deploying their systems. Practically, this means checking that the provider has a CE mark and an EU declaration of conformity for the system you are using.

Document summary

DocumentRequired forDeadline
AI Literacy PolicyAll deployersOverdue (Feb 2025)
Risk Classification MemoAll deployersAug 2026
Deployer Usage PolicyHigh-risk AI deployersAug 2026
Transparency NoticeAI-facing users or AI-generated contentAug 2026

Get all four documents generated in 30 minutes

Answer 20 questions about your company and AI systems. AIActComply classifies your risk level and generates every document you need, prefilled with your details.

Check my compliance →

What happens if you miss the August 2026 deadline

Enforcement is handled by national AI authorities, which are still being established in most member states. Financial penalties under the Act can reach €15 million or 3% of global annual turnover for deployer violations, whichever is higher.

Enforcement focus in the first years is expected to target high-risk systems in sensitive domains: employment, credit, education, and law enforcement. Companies using AI in hiring, loan assessment, or student evaluation are higher-priority targets than those using AI for internal productivity tools.

That said, the AI literacy obligation (Article 4) is broad and applies to almost every company. It is also one of the easier documents to produce, which makes non-compliance hard to justify.

Ready to get compliant?
Get all your EU AI Act documents in 30 minutes
Answer 20 questions. AIActComply generates your AI Literacy Policy, Risk Classification Memo, Usage Policy, and Transparency Notice — prefilled, in 11 EU languages. €99 one-time.
Start now →