rocket-monkeys.com/eu-ai-act
As of: June 11, 2026

EU AI Act – Compliance Checklist for Companies

This checklist helps you bring your AI use in line with the EU AI Act (Regulation (EU) 2024/1689), step by step – plainly, without legalese and without scaremongering. Work through it in order, from a clear overview of your systems to ongoing monitoring. Most of it only affects a few sensitive areas, and we flag the tricky spots clearly.

  1. Build an AI inventory

    List every AI system you use or offer – including hidden AI features baked into existing software that isn't even marketed as AI. For each system, note who uses it, what for, and on what data. You can't classify what you don't know about.

  2. Clarify your role per system

    Determine your role for each system: provider, deployer, importer, or distributor. The obligations differ significantly, and providers carry the heaviest load. Watch out: if you repurpose a system substantially, you can become a provider yourself.

  3. Assign a risk class

    Sort each system into one of the four classes: banned, high, limited, or minimal. Look especially closely at HR and recruitment, creditworthiness and credit-scoring, biometrics, and critical infrastructure – this is where you quickly land in the high-risk category (Annex III).

  4. Screen for banned practices

    Make sure none of your use cases fall under the practices banned since February 2025. These include emotion recognition in the workplace and in education, social scoring, and manipulative or exploitative systems. Such applications simply aren't allowed.

  5. Ensure AI literacy in your team

    Since 2 February 2025, the AI literacy duty applies: people who work with AI need to understand, question, and recognise the limits of its output. Plan and document suitable training – nobody has to become a data scientist, but basic competence is mandatory.

  6. Meet your transparency obligations

    Clearly label chatbots and voice assistants as AI so people know they're not talking to a human. Also mark AI-generated or manipulated content such as deepfakes, along with synthetic text and images. Disclosure is enough – no heavy assessment process required.

  7. Put human oversight in place for high-risk systems

    For high-risk systems, ensure genuine human oversight – not just on paper. A named person must be able to understand, check, and, when needed, intervene or override the AI's output. Rubber-stamping doesn't count.

  8. Request or supply provider information

    As a deployer, obtain the necessary documentation and instructions for use from the provider, and operate the system as intended. As a provider, supply your deployers with exactly the information they need to run the system lawfully – their obligations build on your documentation.

  9. Technical documentation, logging, and data governance (providers)

    For high-risk systems, set up a risk management process that runs across the whole lifecycle and get your data governance in order: training, validation, and test data must be relevant, representative, and as error-free as feasible. Produce the technical documentation and build in logging so the system's operation can be traced.

  10. Conformity assessment before market launch (providers)

    Only place high-risk systems on the market after the required conformity assessment, and keep them conformant afterwards. Plan this into development early – much of it has to be designed in from the start rather than bolted on at the end. General-purpose AI models (GPAI) carry additional obligations that have applied since August 2025.

  11. Map the deadlines into your plan

    Keep the staggered deadlines in view: bans and AI literacy since 2 February 2025, GPAI and governance since 2 August 2025, the bulk of the high-risk obligations from 2 August 2026, and AI in already-regulated products from 2 August 2027. Match your systems against these dates.

  12. Define responsibilities and ongoing monitoring

    Name the people responsible for documentation, records, and regular reviews of your AI systems. The AI Act isn't a one-off project: new tools, changed purposes, and updates can shift the risk class. Handle the AI Act and GDPR together rather than as two separate projects.

Next steps: Walk through the list with your responsible owners and start with the AI inventory – it's the foundation for everything else. Not sure which risk class your applications fall into? Reach out at info@rocket-monkeys.com for a no-pressure intro call.

⚠️ Important note: This page is for information and orientation only and does not constitute legal advice. The EU AI Act is complex and how it applies depends on your specific situation. For binding assessments, please consult a lawyer specialising in IT law or your data protection officer.