Is this checklist legal advice?

No. It is an educational tool summarising obligations from the EU AI Act (Regulation 2024/1689) in plain English. For binding decisions consult a qualified EU lawyer, as classification often turns on specific facts.

What is a high-risk AI system?

High-risk systems are those listed in Annex III (such as recruitment, credit scoring, biometrics, education and critical infrastructure) or used as a safety component of a regulated product. They carry the heaviest obligations short of an outright ban.

Who has obligations — the provider or the deployer?

Both, but they differ. Providers build or place a system on the market and carry most documentation, conformity and quality-management duties. Deployers use a system and have human-oversight, monitoring and transparency duties.

When do the rules apply?

The AI Act entered into force in 2024 with staggered application. Prohibited-practice rules applied first, general-purpose model rules followed, and most high-risk obligations phase in over 24 to 36 months. Check the current deadline for your tier.

Does the EU AI Act apply outside Europe?

Yes, it has extraterritorial reach. If your AI system's output is used in the EU, or you place it on the EU market, the rules can apply regardless of where your company is based.

EU AI Act Compliance Checklist

Map your AI system to its EU AI Act obligations

The EU AI Act (Regulation 2024/1689) is the world’s first comprehensive law for artificial intelligence. It does not regulate the technology in the abstract — it regulates uses, sorting every system into one of four risk tiers: unacceptable (banned outright), high (heavily regulated), limited (transparency duties) and minimal (largely unregulated). The obligations you face depend almost entirely on which tier your use case falls into and whether you are the provider or the deployer.

This checklist turns the relevant articles into a concrete, tickable list so you can see exactly what applies to your situation and track your progress.

How the tiers and roles work

Risk classification is driven by purpose, not capability. The same model can be minimal-risk in one product and high-risk in another. Annex III lists the high-risk use cases — recruitment, worker management, credit and insurance scoring, biometric identification, essential public services, education, critical infrastructure and law enforcement among them. Article 5 lists the prohibited practices such as social scoring and untargeted facial-recognition scraping.

Your role matters just as much. Providers (those who develop a system or have it developed and place it on the market) carry the bulk of the duties: risk-management systems, technical documentation, data governance, conformity assessment and CE marking. Deployers (those who use a system in their own operations) have lighter but real duties: human oversight, input-data relevance, monitoring and, for some systems, transparency to affected people.

Notes and tips

If you are unsure of your tier, run the AI Risk Classifier first — a wrong tier choice makes the whole checklist misleading.
General-purpose AI (GPAI) models such as large language models have their own layer of obligations under Chapter V, including a transparency baseline and extra duties for models posing systemic risk.
Keep the copied checklist with dates in your compliance file; demonstrable process is itself a defence if a regulator asks how you assessed conformity.
The Act is enforced by national market-surveillance authorities with fines up to €35M or 7% of global turnover for prohibited practices, so do not treat the “unacceptable” tier as theoretical.