EU AI Act Checklist
Last reviewed: 2026-06-23
1. Define The AI System
| Checklist item | Evidence |
|---|---|
| System name | Product or internal system name. |
| Owner | Product, engineering, legal, or business owner. |
| Purpose | What the system is intended to do. |
| Users | Employees, customers, consumers, candidates, admins. |
| Inputs | Prompts, files, customer data, logs, vendor data. |
| Outputs | Recommendation, generated text, score, ranking, decision support. |
| Deployment status | Planned, beta, live, internal-only, customer-facing. |
2. Identify Your Role
Start with the provider vs deployer checklist to separate development, branding, third-party use, and operational control signals.
3. Screen Risk Signals
Use the risk classification checklist to organize purpose, affected users, output use, transparency, oversight, and sensitive-context evidence.
4. Organize Technical Documentation
Use the technical documentation template to assemble system purpose, data, controls, vendor evidence, logging, and change-management notes.
5. Check Privacy And Chatbot Evidence
If the system includes a chatbot or AI support flow, review the GDPR chatbot checklist for privacy notice, retention, vendor, cookie, and user-rights evidence.
6. Prepare A Review Packet
| Packet item | Owner |
|---|---|
| AI system inventory | Product or engineering. |
| Role notes | Product/legal. |
| Risk screening answers | Product/legal/compliance. |
| Vendor documents | Operations/security. |
| Privacy evidence | Legal/privacy. |
| UI disclosure screenshots | Product/design. |
| Human oversight process | Operations. |
| Gap list | Project owner. |
What This Checklist Does Not Cover
- Every obligation for every AI system.
- Final legal classification.
- Conformity assessment.
- Compliance certification.
- Security, privacy, or model-risk review.
- Safe-to-launch decision.
FAQ
What is the first thing to do for EU AI Act readiness?
Define the AI system being assessed: name, owner, purpose, users, inputs, outputs, and deployment status.
Is this checklist enough for high-risk AI?
No. It is a starting checklist for evidence readiness and review preparation, not a full high-risk assessment.
How often should we re-check?
Re-check after material changes to the model, vendor, purpose, user group, data flow, oversight process, or UI disclosure.
Use the existing ActCheck assessment flow from the homepage.
Related Pages
- EU AI Act self-assessment
- Provider vs deployer checklist
- Risk classification checklist
- Technical documentation template
- GDPR chatbot checklist