The EU AI Act creates different obligations depending on what your company does with AI. Some apply to every organisation in the EU. Others kick in only if your systems fall into specific risk categories. This checklist organises the obligations by type and flags what is already overdue.
Before you start: identify what your company does with AI
The Act draws a sharp line between providers (companies that build or develop AI systems) and deployers (companies that use AI systems in their operations). Most companies with no AI product of their own are deployers. Some are both.
Your obligations depend on which side of that line you sit on, and in some cases, on which category of risk your AI systems fall into.
Checklist: obligations that apply to every company
Article 4 — AI literacy policy
- Identify all AI systems your staff use or operate on your behalf
- Map which roles interact with those systems
- Define training or literacy requirements by role
- Assign responsibility for maintaining and updating the policy
- Set a review schedule (at minimum: annually, and when new systems are introduced)
- Document the policy and make it accessible to affected staff
Status: overdue. Article 4 became enforceable 2 February 2025.
Risk classification
- For each AI system in use, assess which risk tier it falls into: prohibited, high-risk (Annex III), limited risk, or minimal risk
- Document the classification and the reasoning behind it
- Identify whether any Article 6(3) exceptions apply to high-risk classifications
- Record which obligations flow from each system’s classification
Deadline: 2 August 2026 for most deployer obligations.
Checklist: obligations for high-risk AI deployers
If any of your AI systems fall under Annex III (see the Annex III guide), the following apply from August 2026:
Usage policy (Article 26)
- Define permitted and prohibited uses of the system
- Specify human oversight requirements: who reviews outputs, when, and how
- Set data input standards (what data can and cannot feed the system)
- Establish an incident reporting procedure for serious malfunctions
- Name the person responsible for monitoring the system’s performance
Technical documentation
- Document the system’s intended purpose and deployment context
- Record the provider, version, and any customisation applied
- Note data sources used for training or fine-tuning, where known
- Describe the human oversight mechanism in place
Logging
- Confirm the system generates logs of its operation (many commercial tools do this automatically)
- Define how long logs are retained
- Ensure logs can be retrieved if requested by an authority
Checklist: transparency obligations (Article 50)
These apply when users interact directly with an AI system, or when your company generates AI content that reaches users.
- Inform users they are interacting with an AI system (chatbots, virtual assistants, automated advisors)
- Label AI-generated content that could be mistaken for human-created content
- Provide a mechanism for users to raise concerns or complaints
- Describe what rights users have in relation to AI-assisted decisions that affect them
Note: The labelling requirement for synthetic media (deepfakes, AI-generated audio and video) applies regardless of risk classification.
Checklist: what you do NOT need to do (unless you are a provider)
If your company uses off-the-shelf AI tools but does not build or train AI systems:
- You do not need to register your AI systems in the EU database (that is the provider’s obligation)
- You do not need to conduct conformity assessments (provider obligation)
- You do not need CE marking for the AI component (provider obligation)
However, you do need to verify that high-risk AI providers have met their obligations before deploying their systems. Practically, this means checking that the provider has a CE mark and an EU declaration of conformity for the system you are using.
Document summary
| Document | Required for | Deadline |
|---|---|---|
| AI Literacy Policy | All deployers | Overdue (Feb 2025) |
| Risk Classification Memo | All deployers | Aug 2026 |
| Deployer Usage Policy | High-risk AI deployers | Aug 2026 |
| Transparency Notice | AI-facing users or AI-generated content | Aug 2026 |
Get all four documents generated in 30 minutes
Answer 20 questions about your company and AI systems. AIActComply classifies your risk level and generates every document you need, prefilled with your details.
Check my compliance →What happens if you miss the August 2026 deadline
Enforcement is handled by national AI authorities, which are still being established in most member states. Financial penalties under the Act can reach €15 million or 3% of global annual turnover for deployer violations, whichever is higher.
Enforcement focus in the first years is expected to target high-risk systems in sensitive domains: employment, credit, education, and law enforcement. Companies using AI in hiring, loan assessment, or student evaluation are higher-priority targets than those using AI for internal productivity tools.
That said, the AI literacy obligation (Article 4) is broad and applies to almost every company. It is also one of the easier documents to produce, which makes non-compliance hard to justify.