EU AI Act: Practical Compliance Checklist 2026

The EU AI Act takes effect in stages. Learn about risk classes, documentation requirements, deadlines and a concrete checklist for enterprise AI deployment.

Since February 2025, the European Union has been setting standards for AI regulation. The EU AI Act is already partially in force, with additional rules rolling out in stages through August 2026. Companies in the German-speaking region need to act. This article shows you which deadlines matter, how AI systems fall into risk categories, and how to proceed concretely.

The EU AI Act Timeline

The EU AI Act does not take effect all at once, but in phases. This matters for planning within your organization.

Since February 2025, systems with unacceptable risk are banned. These include technologies for social scoring, targeted behavior manipulation, or biometric real-time identification without cause. If you operate such systems, you must discontinue them immediately.

In August 2025, rules for General Purpose AI (GPAI) take effect. This covers large language models like ChatGPT, Claude, and other foundation models. Providers of such systems must document risks and inform users starting August 2025. For users of GPAI tools, this also means increased transparency obligations.

In August 2026, finally, the complete regulation of high-risk AI systems comes into force. These are applications in critical areas like recruitment, creditworthiness assessment, access to public services, or real-time facial recognition. By then, compliant operation of these systems must be in place.

The Risk Classification System

The EU AI Act categorizes AI systems into four risk tiers. This classification is crucial for determining what requirements apply to you.

Unacceptable risk systems may not be operated. These include behavior manipulation, government social scoring, and biometric real-time surveillance without concrete cause. If you currently use such technologies, you must shut them down.

High-risk systems require comprehensive documentation, risk analysis, and monitoring. These typically include AI models for hiring decisions, creditworthiness checks, and access to critical infrastructure. For high-risk AI, you must build monitoring systems, document training data, and maintain technical documentation.

Limited-risk systems include chatbots and similar interactive AI tools. These require transparent disclosure to users. You must make clear that interaction is with AI.

Minimal-risk systems encompass all other AI. These are subject only to minimal obligations, often limited to documenting training data.

What You Must Do Now

The coming months are critical. A few simple steps build a solid foundation.

Inventory all AI systems in your organization. This sounds tedious but is necessary. List which internal tools use AI, which external tools you have licensed, and which AI models you have trained yourself. A simple spreadsheet is enough to start: system name, function, provider, launch date.

Then classify each system by the four-class schema. For each system, ask: could this system influence a critical decision (high-risk)? Or is it a chatbot for customer support (limited-risk)? This classification determines your next steps.

Assign responsibility. AI governance requires ownership. Who is the point person for data protection, technical documentation, and monitoring? In mid-sized companies, one person per category often suffices. The point is that clear responsibility exists.

For high-risk systems, establish logging and monitoring. You must document how the system is used, what decisions it makes, and what failures occur. This is not optional, but a regulatory requirement.

Prepare technical documentation. For high-risk AI, the Act requires a technical file with training data, performance metrics, known failures, and mitigation strategies. This can start internally and become formalized later.

Documentation Requirements in Practice

High-risk systems require comprehensive documentation. This is not bureaucracy for its own sake, but anchored in the practical safety of such systems.

Technical documentation must include the following points: training data (which data was used, dataset size, quality checks), performance metrics (accuracy, bias, false positives, false negatives), known limitations (when the system becomes unreliable), test reports (independent verification of performance), and implementation protocol (how the system was moved to production).

Users of high-risk systems require instructions for use. This sounds technical but is necessary for regulatory compliance. These instructions explain what functions the system has, what limitations exist, and how humans can review faulty decisions.

Monitoring and auditing must be ongoing. You must document how often a system leads to faulty decisions, which inputs trigger problematic outputs, and how users monitor the system. Automation tools can help reduce manual work.

A Practical Logging Example

For high-risk systems, structured logging is non-negotiable. Here is a simple Python example showing how to document systematically:

import hashlib
import json
from datetime import datetime, timezone
from pathlib import Path


class AISystemLogger:
    def __init__(self, system_name, log_file="ai_system_log.json"):
        self.system_name = system_name
        # One JSON object per line, appended; never rewritten in place
        self.log_file = Path(log_file)

    @staticmethod
    def _input_hash(input_data):
        """Stable SHA-256 of the canonical JSON form of the input.

        Python's built-in hash() is salted per process, so its value
        changes between runs and cannot be matched back to an input
        during a later audit. A content hash is reproducible.
        """
        canonical = json.dumps(input_data, sort_keys=True, separators=(",", ":"))
        return hashlib.sha256(canonical.encode("utf-8")).hexdigest()

    def log_decision(self, input_data, prediction, confidence, user_id, override=False):
        """Logs an AI decision together with its context."""
        entry = {
            # Timezone-aware UTC timestamp (utcnow() is naive and deprecated)
            "timestamp": datetime.now(timezone.utc).isoformat(),
            "system": self.system_name,
            "input_hash": self._input_hash(input_data),
            "prediction": prediction,
            "confidence": confidence,
            "user_id": user_id,
            "manual_override": override,
        }

        # Append to the log file
        with self.log_file.open("a", encoding="utf-8") as f:
            f.write(json.dumps(entry) + "\n")
        return entry

    def generate_audit_report(self, start_date, end_date):
        """Generates an audit report for a period given as ISO 8601 strings.

        ISO 8601 UTC timestamps sort lexicographically, so plain string
        comparison works. Pass the day after the last day as end_date
        (e.g. "2026-04-01" to include all of March).
        """
        entries = []
        if self.log_file.exists():
            with self.log_file.open("r", encoding="utf-8") as f:
                entries = [json.loads(line) for line in f if line.strip()]

        filtered = [e for e in entries if start_date <= e["timestamp"] <= end_date]

        overrides = sum(1 for e in filtered if e["manual_override"])
        # A period without decisions must not raise ZeroDivisionError
        avg_confidence = (
            sum(e["confidence"] for e in filtered) / len(filtered) if filtered else None
        )

        return {
            "period": f"{start_date} to {end_date}",
            "total_decisions": len(filtered),
            "manual_overrides": overrides,
            "average_confidence": avg_confidence,
        }


logger = AISystemLogger("recruitment_ai")
logger.log_decision(
    input_data={"education": "engineering", "experience_years": 5},
    prediction="qualified",
    confidence=0.87,
    user_id="recruiter_1",
    override=False,
)

This pattern systematically documents which decisions are made and with what confidence. Auditors and authorities can then verify whether the system operates correctly.
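As an added example that is not part of the original article, the following goes one step beyond the logging pattern above: each record commits to the hash of the previous one, so an auditor can detect entries that were altered or deleted after the fact. The field names, the GENESIS constant and the three sample decisions are constructed for this demonstration; the EU AI Act text quoted above does not prescribe this particular mechanism.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # prev_hash of the first entry (constructed convention)

def _digest(entry):
    """SHA-256 over the canonical JSON of an entry, excluding its own entry_hash."""
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()

def append_entry(chain, system, prediction, confidence, user_id,
                 override=False, timestamp=None):
    """Append a decision record that commits to the previous record's hash."""
    entry = {
        "timestamp": timestamp or datetime.now(timezone.utc).isoformat(),
        "system": system,
        "prediction": prediction,
        "confidence": confidence,
        "user_id": user_id,
        "manual_override": override,
        "prev_hash": chain[-1]["entry_hash"] if chain else GENESIS,
    }
    entry["entry_hash"] = _digest(entry)
    chain.append(entry)
    return entry

def verify_chain(chain):
    """Recompute every hash and link; return (ok, index of first bad entry)."""
    expected_prev = GENESIS
    for i, entry in enumerate(chain):
        if entry.get("prev_hash") != expected_prev or _digest(entry) != entry.get("entry_hash"):
            return False, i
        expected_prev = entry["entry_hash"]
    return True, None

def build_demo_chain():
    """Constructed sample: three recruitment decisions with fixed timestamps."""
    chain = []
    append_entry(chain, "recruitment_ai", "qualified", 0.87, "recruiter_1",
                 timestamp="2026-03-01T09:00:00+00:00")
    append_entry(chain, "recruitment_ai", "not_qualified", 0.55, "recruiter_1",
                 override=True, timestamp="2026-03-01T09:05:00+00:00")
    append_entry(chain, "recruitment_ai", "qualified", 0.91, "recruiter_2",
                 timestamp="2026-03-01T09:10:00+00:00")
    return chain
```

The chain catches edits and deletions inside a stored log, but not removal of the newest entries or a rewrite by someone who can recompute every hash; recording the latest entry_hash somewhere the log writer cannot change (a separate system, a signed statement) closes that gap.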

Avoiding Common Mistakes

In practice, we see similar mistakes in EU AI Act implementation repeatedly.

Many companies underestimate what is high-risk. An automatic CV screening tool for recruitment is immediately high-risk. A chatbot on your website is not. This distinction is not trivial but can be made with clear guidance.

A second common mistake is incomplete documentation. Startups especially tend to defer technical documentation. This is risky, as documentation is part of regulatory requirements. You must have it before a high-risk system goes live.

A third point: companies often ignore that external tools also require documentation. If you use a SaaS recruiting tool that is AI-based, you must require from the provider that they supply technical documentation. This is an important part of your compliance strategy.

Ongoing monitoring is also frequently overlooked. Many companies document AI correctly but fail to monitor it continuously. This becomes a serious problem when discovered too late.

Your Next Steps

The EU AI Act is not abstract regulation. It is concrete and effective. For companies that act now, implementation becomes manageable. Here is a clear roadmap.

Over the next two weeks: create an inventory list of all AI systems in your organization. This is the foundation for everything else.

Over the next month: classify these systems by risk category. Mark high-risk systems separately.

Over the next three months: for high-risk systems, begin logging and auditing. Choose a pilot, such as a recruiting tool, and implement systematic monitoring.

By August 2026: finish documentation for all high-risk systems. This is not optional, but a regulatory requirement.

Related reading on AI governance: our articles on AI governance for agentic AI and on AI strategy for the mid-market, which show how to safely deploy autonomous AI agents in practice and how to anchor AI strategically in mid-market companies.

Frequently Asked Questions

What is the difference between high-risk and limited-risk?

High-risk systems make decisions in critical areas like applications, loans, or access to services. They can directly influence the lives or opportunities of people. Limited-risk systems are typically interactive systems like chatbots that do not make critical individual decisions. For high-risk systems, you need technical documentation and monitoring. For limited-risk systems, transparency about AI use is sufficient.

Do I need to document external AI tools?

Yes. If you use an external AI tool that is relevant to high-risk areas, you must require technical documentation from the provider. This is your responsibility as a user. When procuring, ensure that the provider supplies this documentation. Many SaaS providers have incorporated this into their contracts by now.

How often must I audit?

This depends on frequency of use. If a high-risk system makes hundreds of decisions daily, conduct monthly audits. For less frequent use, quarterly checks suffice. The rule is you must be able to demonstrate that the system operates reliably.

Can I just ignore the EU AI Act if my customers are not in the EU?

No. The EU AI Act applies to any organization that deploys or offers AI systems in the EU. Even if your customers are not in the EU, your employees or data processing may be affected by the regulation. Moreover, it is likely only a matter of time before other regions enact similar rules. Proactive compliance creates long-term competitive advantages.

What are the costs of compliance?

This varies greatly depending on scope. For small companies with one or two high-risk systems, internal resources and an external audit often suffice, costing 5,000 to 10,000 euros. Larger companies with more complex systems invest 50,000 to 200,000 euros for a complete compliance infrastructure. Avoiding fines and liability is priceless.


Do you have questions about implementing the EU AI Act in your organization? We help with compliance strategy, documentation, and technical implementation. Contact our AI consulting team.

#eu-ai-act #compliance #ai-governance #sme #regulation
Sergej Bardin

CEO – AI Strategy & IT Consulting

Helping mid-sized companies adopt AI and shape their cloud strategy. Focus on practical decisions over hype.