EU AI Act Compliance Checklist

Establish, implement, document and maintain a risk management system throughout the AI lifecycle. Must identify and analyse known and foreseeable risks, estimate and evaluate risks that may emerge, and adopt risk management measures.

Training, validation and testing data must meet quality criteria. Must address relevant design choices, data collection processes, data preparation operations, and examination for biases.

Prepare comprehensive technical documentation before placing on market. Must include general description, detailed description of elements and development process, monitoring/functioning/control information, and validation/testing details.

Automatically log events throughout the lifecycle. Logs must enable monitoring of operation, facilitate post-market monitoring, and support investigation of incidents.

Ensure AI system is sufficiently transparent. Provide instructions for use including identity of provider, system capabilities and limitations, performance metrics, known risks, and human oversight measures.

Design and develop systems to allow effective human oversight. Humans must be able to fully understand capabilities and limitations, monitor operation, interpret outputs, and override/interrupt/stop the system.

Achieve appropriate levels of accuracy, robustness, and cybersecurity. Must be resilient to errors, faults, inconsistencies, and adversarial attacks.

Conduct conformity assessment before placing on market. Most high-risk AI systems require internal conformity assessment; some require third-party assessment (biometrics, critical infrastructure).

Draw up written EU declaration of conformity for each high-risk AI system. Must contain information in Annex V and be updated as necessary.

Affix CE marking to high-risk AI systems or their documentation to indicate compliance with the regulation.

Register high-risk AI system in the EU database before placing on market. Deployers of certain high-risk AI systems must also register.

Establish and document a post-market monitoring system. Collect, document, and analyse data on performance throughout the lifetime of the system.

Providers of high-risk AI systems must implement a quality management system covering strategy, design, development, testing, post-market monitoring, and documentation.

Keep technical documentation and quality management records for at least 10 years after the AI system is placed on the market or put into service.

Take immediate corrective actions for non-compliant AI systems and inform distributors and deployers. Report serious incidents to relevant market surveillance authorities.

Cooperate with competent national authorities upon request. Provide all necessary information and documentation to demonstrate conformity with the regulation.

Deployers must use AI systems in accordance with instructions, assign human oversight to competent persons, monitor operation, and report incidents to the provider.

Deployers of certain high-risk AI systems must conduct a fundamental rights impact assessment before deployment. Register assessment results in the EU database.

Providers of general-purpose AI models must draw up and maintain technical documentation including training process, data used, evaluation results, and energy consumption.

Provide information and documentation to downstream providers to enable compliance. Must include capabilities, limitations, and integration guidance.

Establish a policy to comply with EU copyright law, including reservations of rights by rightsholders under Article 4(3) of Directive 2019/790.

Publish a sufficiently detailed summary of the content used for training the GPAI model, in accordance with templates provided by the AI Office.

Providers of GPAI models with systemic risk must conduct adversarial testing to identify and mitigate systemic risks at EU level.

Report serious incidents and possible corrective measures to the AI Office without undue delay after becoming aware of them.

Users interacting with AI chatbots must be informed they are interacting with an AI system, unless it is obvious from context.

AI-generated or manipulated image, audio or video content (deepfakes) must be disclosed as artificially generated or manipulated.

Users must be informed when they are subject to emotion recognition or biometric categorisation systems.