EU AI Act Compliance Checklist for Developers: The 2026 Guide
Reviewed: June 4, 2026
The EU AI Act is no longer a future concern β it’s enforceable law. As of August 2024’s initial provisions and with full enforcement rolling through 2026, every team building or deploying AI systems that touch EU users must comply. This guide provides an actionable, developer-focused checklist.
Understanding the Risk Tiers
The EU AI Act classifies AI systems into four risk categories:
π« Unacceptable Risk (Banned)
- Social scoring by governments
- Real-time biometric identification in public spaces (with narrow exceptions)
- Emotion recognition in workplaces and schools
- Subliminal manipulation techniques
- Untargeted facial recognition scraping from the internet
β οΈ High Risk (Strict Compliance Required)
- AI in critical infrastructure (transport, energy, water)
- AI in education and vocational training
- AI in employment and worker management (CV screening, performance evaluation)
- AI in law enforcement and border control
- AI in justice and democratic processes
- Biometric identification and categorization
β‘ Limited Risk (Transparency Obligations)
- Chatbots (must disclose they’re AI)
- Deepfakes (must be labeled)
- Emotion recognition systems
β Minimal Risk (No Specific Requirements)
- AI-enabled video games
- Spam filters
li>Most internal business tools
The Compliance Checklist
Step 1: Classify Your AI System
Questions to answer:
βββ Is your system used in a high-risk domain? β HIGH RISK
βββ Does it interact with users? β Check transparency obligations
βββ Is it a general-purpose AI model? β Check GPAI obligations
βββ Is it purely internal with no user impact? β Likely MINIMAL RISK
Step 2: Risk Management System (High Risk)
- [ ] Establish a continuous risk management process throughout the AI system’s lifecycle
- [ ] Identify and analyze known and reasonably foreseeable risks
- [ ] Estimate and evaluate risks that may emerge when the system is used as intended
- [ ] Implement risk mitigation measures with defined residual risk acceptance
<li][ ] Test the system to identify risks that emerge during deployment
Step 3: Data and Data Governance (High Risk)
- [ ] Training, validation, and testing datasets must be relevant, representative, and error-free
- [ ] Datasets must account for the specific geographic, contextual, and behavioral factors of the deployment context
- [ ] Examine possible biases in data, especially for protected characteristics
- [ ] Document data provenance β where did the data come from, who curated it, what transformations were applied
li>[ ] Label data according to documented protocols
Step 4: Technical Documentation (High Risk)
- [ ] Maintain comprehensive technical documentation before market placement
- [ ] Document the system’s capabilities, limitations, and performance metrics
- [ ] Include architecture diagrams, algorithms used, and design choices
- [ ] Document the risk management measures implemented
- [ ] Specify the human oversight measures built into the system
Step 5: Record-Keeping and Logging
- [ ] Implement automatic logging of each AI system operation
- [ ] Logs must include: timestamp, input data, output, human override (if any)
- [ ] Retain logs for at least 6 months (longer for high-risk systems)
- [ ] Logs must enable traceability of the AI system’s decision-making process
Step 6: Transparency and User Information
- [ ] Users must be informed when interacting with an AI system (chatbots)
- [ ] AI-generated content (images, text, video) must be labeled as AI-generated
- [ ] Provide clear information about the system’s capabilities and limitations
li>[ ] Users must be able to understand why they received a specific output
Step 7: Human Oversight (High Risk)
- [ ] Design systems so they can be effectively overseen by natural persons
- [ ] Enable intervention: ability to stop, reverse, or override AI decisions
- [ ] Provide human overseers with the information needed to interpret system outputs
li[] ] Identify and mitigate automation bias in human overseers
Step 8: Accuracy, Robustness, and Cybersecurity
- [ ] Ensure appropriate accuracy levels (declare metrics and confidence intervals)
- [ ] Make systems resilient against attacks (adversarial, prompt injection, data poisoning)
- [ ] Implement fallback plans for system failures
li>[ ] Regular penetration testing for AI components
Step 9: Conformity Assessment
- [ ] Complete internal conformity assessment for most high-risk systems
- [ ] Engage a notified body for biometric identification systems
- [ ] Prepare the EU Declaration of Conformity
li>[ ] Register the system in the EU database for high-risk AI systems
Step 10: Post-Market Monitoring
- [ ] Implement a post-market monitoring plan
- [ ] Collect and analyze performance data from real-world use
- [ ] Update the system based on monitoring findings
li>[ ] Report serious incidents and malfunctions to market surveillance authorities
For General-Purpose AI Models (GPAI)
If you’re deploying models like GPT-4, Claude, Llama, or similar:
- [ ] Document the model’s training process, including data used (even publicly available data)
- [ ] Comply with the EU’s Copyright Directive for training data
- [ ] Provide a detailed summary of training content (per the published template)
- [ ] For models with systemic risk: conduct model evaluations, track and report serious incidents, implement cybersecurity protections
Key Deadlines in 2026
- February 2, 2025: Prohibitions on unacceptable-risk AI systems are enforceable
- August 2, 2025: General-purpose AI model obligations apply
- August 2, 2026: Full high-risk system obligations apply
- August 2, 2027: AI systems in regulated products (machinery, medical devices) must comply
Practical Implementation Tips
- Start with classification. Most developer tools fall in minimal or limited risk. Don’t over-engineer compliance for low-risk systems.
- Automate logging. Build logging into your AI pipeline from day one. Retroactive logging is nearly impossible.
- Use templates. The EU provides technical documentation templates. Use them.
- Design for human oversight. Every high-risk AI decision should have a clear path to human review.
- Version everything. Model versions, dataset versions, configuration β all must be tracked for conformity assessment.
Compliance Tools in 2026
- Arize AI: Monitoring and observability for production LLM systems
- Credo AI: Enterprise AI governance platform
- Holistic AI: Risk assessment and audit tools
- Open-source: Weights & Biases for experiment tracking (supports compliance documentation)
- Langfuse: Open-source LLM observability with logging built for compliance
Conclusion
The EU AI Act isn’t about stifling innovation β it’s about building trustworthy AI systems. The teams that treat compliance as a design requirement from day one will build better products and avoid costly retrofitting. Start with classification, implement logging, and build human oversight into your architecture.
Disclaimer: This guide is for informational purposes only and does not constitute legal advice. Consult with legal professionals for your specific compliance requirements.
Last updated: May 27, 2026