
EU AI Act

The AI Act is a European regulation on artificial intelligence (AI) – the first comprehensive regulation on AI by a major regulator anywhere.

Controls:

Establish a foundational understanding of the EU AI Act's scope, definitions, and applicability to the organization's AI systems (Art. 1-4).

  • Applicability Assessment

    Determine whether the organization is subject to the EU AI Act as a provider, deployer, importer, distributor, or product manufacturer.

  • AI System Definition & Inventory

    Identify and document all systems that qualify as "AI systems" under the EU AI Act definition (Art. 3).

Ensure the organization does not develop, deploy, or use AI systems that are prohibited under Art. 5 of the EU AI Act.

  • Prohibited Practices Screening

    Screen all AI systems against the prohibited practices list in Art. 5 and ensure none are in use.

  • Biometric & Surveillance Controls

    Implement controls to prevent unauthorized use of biometric identification and emotion recognition AI systems.

Classify AI systems as high-risk or non-high-risk according to Annex III and Art. 6 criteria.

  • High-Risk Classification

    Systematically assess each AI system against Annex III and Art. 6 to determine if it qualifies as high-risk.

  • Risk Management System

    Establish and maintain a continuous risk management system for each high-risk AI system per Art. 9.

  • Data Governance

    Implement data governance practices for training, validation, and testing datasets of high-risk AI systems per Art. 10.

  • Technical Documentation

    Prepare and maintain comprehensive technical documentation for each high-risk AI system per Art. 11 and Annex IV.

  • Record Keeping & Logging

    Implement automatic logging capabilities for high-risk AI systems to enable post-deployment monitoring per Art. 12.

  • Transparency & Instructions for Use

    Ensure high-risk AI systems are transparent and provide adequate instructions for use to deployers per Art. 13.

  • Human Oversight

    Design and implement human oversight measures for high-risk AI systems per Art. 14.

  • Accuracy, Robustness & Cybersecurity

    Ensure high-risk AI systems achieve appropriate levels of accuracy, robustness, and cybersecurity per Art. 15.

Fulfill all obligations imposed on providers (Art. 16-23) and deployers (Art. 26) of high-risk AI systems.

  • Provider Obligations

    Implement all provider obligations for high-risk AI systems including quality management, conformity assessment, registration, and post-market monitoring.

  • Quality Management System

    Establish and maintain a Quality Management System (QMS) covering the full AI system lifecycle per Art. 17.

  • Conformity Assessment

    Conduct conformity assessments for high-risk AI systems before market placement per Art. 43.

  • Deployer Obligations

    Fulfill all deployer obligations for high-risk AI systems per Art. 26.

  • Post-Market Monitoring

    Establish a post-market monitoring system for high-risk AI systems per Art. 72.

  • Serious Incident Reporting

    Establish incident reporting processes to notify competent authorities of serious incidents per Art. 73.

Comply with obligations for providers of General Purpose AI models and systems under Art. 51-56.

  • GPAI Classification

    Determine whether the organization develops or fine-tunes models that qualify as General Purpose AI (GPAI) models.

  • GPAI Provider Obligations

    Fulfill all GPAI model provider obligations including technical documentation, copyright policy, and downstream provider information per Art. 53.

  • Systemic Risk GPAI Controls

    Implement additional controls for GPAI models with systemic risk per Art. 55.

Fulfill transparency obligations for limited-risk AI systems including chatbots, deepfakes, and emotion recognition per Art. 50.

  • Chatbot & Synthetic Media Disclosure

    Implement disclosure mechanisms for AI-generated or AI-manipulated content and AI interaction systems per Art. 50.

  • AI Interaction Transparency

    Ensure users are meaningfully informed when interacting with AI systems in contexts that could affect their decisions or rights.

Understand and engage with the EU AI Act governance structure including national authorities, the EU AI Office, and the AI Board.

  • National Competent Authority Engagement

    Identify the relevant national competent authority or authorities and understand the associated notification and cooperation obligations.

  • Regulatory Sandbox Participation

    Evaluate participation in AI regulatory sandboxes to test innovative AI systems under regulatory supervision per Art. 57-63.

Register high-risk AI systems in the EU AI public database per Art. 71 and maintain accurate registration information.

  • EU Database Registration

    Register all applicable high-risk AI systems in the EU AI public database before market placement per Art. 71.

Understand enforcement mechanisms, penalty structures, and implement compliance monitoring to avoid infringements.

  • Penalty Awareness & Compliance Monitoring

    Understand the penalty structure and implement ongoing compliance monitoring to prevent and detect infringements.

  • Internal AI Compliance Program

    Establish a formal internal AI compliance program with clear ownership, processes, and reporting.

Engage with EU AI Act codes of practice, harmonized standards, and common specifications to demonstrate compliance.

  • Harmonized Standards Adoption

    Monitor and adopt relevant harmonized standards to benefit from the presumption of conformity.

  • Code of Practice Participation

    Participate in or adopt relevant codes of practice developed under Art. 95 for GPAI models and other AI domains.