EU AI Act Compliance Checklist for Businesses

The world's first AI law

The EU AI Act (Regulation 2024/1689) represents the most significant regulatory shift for technology companies since GDPR. With maximum fines of €35 million or 7% of global annual turnover for the most serious violations, this isn't regulation you can afford to ignore.

"The AI Act is not about regulating technology for technology's sake. It is about protecting people's rights while enabling innovation to flourish in Europe. We are creating the gold standard for AI governance worldwide."

>

— Margrethe Vestager, Executive Vice-President, European Commission

Yet despite the regulation entering into force in August 2024, surveys indicate that only 25-30% of affected businesses are actively preparing for compliance. With the first major deadline for prohibited AI practices having taken effect in February 2025 and full high-risk provisions coming in August 2026, organizations have limited time to act.

Critical deadlines

The timeline is aggressive by regulatory standards. Organizations that haven't started compliance planning are already behind. If your systems fall into high-risk categories, you need functioning compliance infrastructure operational before August 2026—which means starting now.

Risk classification

The EU AI Act's risk framework uses a four-tier pyramid that determines your compliance obligations. Understanding where your AI systems fall is the essential first step.

At the top of the pyramid sit prohibited applications—AI that the EU has determined poses unacceptable risks to fundamental rights. Social scoring systems by public authorities are banned outright. Real-time remote biometric identification in public spaces is prohibited with narrow law enforcement exceptions. AI that exploits vulnerabilities of specific groups (age, disability, social situation) or uses subliminal manipulation to cause harm cannot be deployed. Emotion recognition in workplaces and educational settings faces severe restrictions, and untargeted scraping for facial recognition databases is forbidden entirely. If you operate any of these systems, you should have discontinued them by February 2025.

High-risk AI—the second tier—is where most enterprise compliance effort will concentrate. The regulation explicitly classifies several categories as high-risk, regardless of whether organizations perceive them that way. Employment applications including CV screening, performance evaluation, task allocation algorithms, and termination decision support all qualify. Educational AI covering student assessment, admissions decisions, and learning analytics with significant impact falls under high-risk provisions. Essential services access including credit scoring, insurance pricing, emergency services allocation, and social benefits eligibility determination trigger comprehensive compliance requirements. Law enforcement tools, migration and border control systems, and critical infrastructure management round out the high-risk categories.

Limited-risk systems—the third tier—face transparency obligations rather than comprehensive compliance requirements. Chatbots, emotion recognition systems, and AI-generated content must clearly disclose their AI nature to users. This is simpler than high-risk compliance but still mandatory.

Minimal-risk applications like spam filters, inventory management, recommendation systems, and AI-enabled games face no specific regulatory obligations, though voluntary codes of conduct are encouraged.

High-risk requirements

For organizations deploying high-risk AI, the EU AI Act mandates comprehensive compliance across nine interconnected areas. Understanding these requirements in detail is essential for realistic planning.

Article 9 requires a continuous, iterative risk management system throughout the AI lifecycle. You must establish formal risk identification procedures, document both known and foreseeable risks, implement mitigation measures, test their effectiveness, address residual risks, and update assessments whenever significant changes occur. This isn't a one-time exercise but an ongoing operational requirement. Article 10 addresses data governance with strict requirements for training, validation, and testing data. Organizations must document data provenance and sources completely, ensure data is relevant, representative, and error-free, conduct formal bias examination on datasets, implement measurable data quality metrics, maintain written data governance policies, and actively address identified gaps or biases. The documentation requirements here are substantial. Article 11 requires comprehensive technical documentation before market placement. This includes general system descriptions and intended purpose, developer identification, complete design specifications and architecture documentation, algorithm descriptions explaining the logic involved, development process records, testing and validation results, documented limitations and failure modes, and maintained version history with change logs. Article 12 mandates automatic logging enabling traceability. Systems must implement automatic event logging, retain logs for minimum six months (longer for specific applications), ensure logs enable post-hoc audit by authorities, and protect log integrity and accessibility. Many existing AI deployments lack this capability entirely. Article 13 establishes transparency requirements through clear instructions and information for deployers. You must create comprehensive user documentation covering capabilities, limitations, intended purpose, use conditions, performance specifications, risk information, and human oversight requirements. Article 14 requires human oversight design enabling effective supervision. Systems must include human intervention capability, override or disabling functions, interpretable outputs, clear escalation procedures, trained oversight personnel, and documented protocols. Article 15 addresses accuracy, robustness, and cybersecurity. Organizations must define and measure accuracy metrics, test robustness against errors, implement adversarial attack resistance, apply cybersecurity protections, monitor performance continuously, and address any identified degradation. Article 17 requires a formal quality management system including written compliance strategy, design control procedures, data management policies, risk management processes, post-market monitoring plans, incident reporting procedures, communication protocols with authorities, and record-keeping systems maintained for minimum ten years.

Finally, Article 43 establishes conformity assessment requirements before placing high-risk AI on the market. Most high-risk AI follows a self-assessment path: internal conformity assessment following Annex VI procedures, EU Declaration of Conformity, CE marking, and EU database registration. Biometric AI and certain regulated products require third-party assessment by accredited Notified Bodies.

Who's affected

The industry impact is broader than many organizations realize. HR technology and recruitment face particularly significant compliance burdens. Companies deploying AI-driven recruitment—CV screening, video interview analysis, candidate assessment—must implement complete bias auditing and documentation, transparent disclosure to job candidates, human oversight mechanisms for hiring decisions, and regular accuracy and fairness testing. Major vendors including HireVue, Pymetrics, and Workday have announced dedicated compliance teams, but organizations using these tools remain responsible for their own compliance.

Financial services and credit scoring systems face similar requirements. FICO, Klarna, and traditional banks with AI lending systems must implement explainability requirements for credit decisions, comprehensive documentation of training data and model logic, consumer right to explanation and human review, and regular discrimination testing. The intersection with existing financial regulations creates additional complexity.

Healthcare and medical devices AI faces dual regulation under both the AI Act and the Medical Device Regulation, creating extended compliance timelines and more stringent third-party assessment requirements. AI radiology analysis, diagnostic support systems, and drug discovery AI must navigate both frameworks simultaneously.

The cost of failure

The penalties deliberately exceed GDPR's €20 million / 4% threshold, signaling the EU's commitment to enforcement. Proportionate limits apply for SMEs, but fines remain substantial. More importantly, non-compliance can result in mandatory withdrawal of AI systems from the EU market—an operational disruption that could dwarf any financial penalty.

Built-in compliance

Singularity AI was designed with the EU AI Act framework as a foundational requirement, not an afterthought. Our risk classification engine automatically categorizes all AI capabilities according to EU AI Act risk tiers, with clear documentation of classification rationale. Built-in safeguards prevent deployment of AI systems that would fall under prohibited categories. When functionality triggers high-risk classification, the platform displays associated compliance requirements clearly.

For Article 12 compliance, the platform provides automatic event logging for all AI decisions, tamper-proof audit records, configurable retention periods, and export capabilities for regulatory inquiries. Complete decision lineage enables post-hoc audit of any AI output—the kind of traceability that regulators will demand.

Documentation automation reduces compliance burden by approximately 70%. The platform generates technical documentation automatically, provides continuous bias and fairness monitoring with exportable reports, offers real-time risk assessment dashboards, and streamlines EU Declaration of Conformity preparation. What would take a dedicated compliance team months to produce manually becomes an automated output.

Human oversight integration addresses Article 14 from day one. Built-in override controls work for any AI decision. Escalation workflows are configurable to your organizational structure. Natural language explanations make AI decisions interpretable by non-technical reviewers. All oversight actions are logged automatically for audit purposes.

Continuous compliance monitoring includes post-market surveillance automation, real-time incident detection per Article 62, regulatory update tracking as the AI Office issues guidance, and quantified compliance scoring across all AI deployments.

Your 90-day plan

The first thirty days should focus on assessment. Complete an AI system inventory across your organization—you likely have more AI deployments than centralized records indicate. Classify each system by risk category using the framework above. Identify any prohibited AI practices requiring immediate removal. Assess documentation gaps for high-risk systems against Article 11 requirements. Engage legal counsel experienced in EU technology regulation on compliance strategy.

Days thirty-one through sixty shift to remediation. Remove or modify any prohibited AI systems if you haven't already. Begin documentation development for high-risk systems, starting with the most critical deployments. Implement human oversight mechanisms for high-risk AI. Establish quality management system foundations per Article 17. Initiate bias testing and mitigation for training datasets.

The final phase—days sixty-one through ninety—completes implementation. Finish technical documentation for all high-risk systems. Finalize conformity assessment preparations, engaging Notified Bodies if required for biometric or regulated product AI. Train relevant personnel on AI Act requirements. Establish ongoing monitoring systems. Prepare for EU database registration.

Organizations that embrace these requirements early won't just avoid penalties—they'll build the trustworthy AI systems that customers and partners increasingly demand. The EU AI Act transforms how organizations develop, deploy, and govern AI. Singularity AI makes that transformation achievable.

"This regulation puts Europe at the forefront of developing trustworthy AI. It ensures that Europeans can trust that AI will be developed and used in a way that respects their fundamental rights."

>

— Thierry Breton, European Commissioner for Internal Market

Start your compliance journey today with a platform built for EU AI Act requirements, or contact our enterprise team for a customized compliance assessment.