The 2026 EU AI Act Compliance Checklist: What You Actually Need to Do Before August 2
A practical, week-by-week checklist for getting your company EU AI Act compliant before the August 2, 2026 enforcement deadline. Built for SMEs, not enterprises with €18K compliance budgets.
If you're a European SME with AI in your product or operations, August 2, 2026 is the date that matters. That's when most of the Act's obligations, including everything for Annex III high-risk systems, become applicable (AI embedded in Annex I regulated products gets until August 2, 2027, and the prohibitions and the GPAI model rules are already in force). Companies that haven't done the work face fines of up to €35 million or 7% of global annual turnover for prohibited practices, and up to €15 million or 3% for most other breaches.
Most checklists online for the EU AI Act are written for enterprises with dedicated compliance teams and €100K+ to spend. They're not wrong, just not realistic for a 30-person startup or a fintech with three engineers and a part-time COO.
This is the version of the checklist for everyone else. It's the actual sequence of work an SME needs to do to be properly compliant by August 2. It's bounded. It's doable. It assumes you have limited time and budget.
Let me walk you through it.
Phase 1: Discovery and classification (Weeks 1-2)
Before you do anything else, you need to know what you have. Most SMEs have more AI systems than they realize.
Step 1: Inventory all AI systems in your business
Map every AI system, including ones you don't think of as "AI features." Common categories to check:
Customer-facing AI:
- Chatbots and customer support automation
- Recommendation engines
- Personalization systems
- Search and ranking
- Pricing optimization
- Content moderation
Internal AI:
- Recruitment and screening tools
- Performance evaluation systems
- Fraud detection
- Lead scoring and sales prospecting
- Marketing copy generation
- Code review and development tools
- Document automation
- Translation tools
Third-party AI services:
- Anything your team uses via SaaS that involves AI (Notion AI, Linear AI, Copilot, etc.)
- AI features in CRMs, ERPs, and other operational tools
- Foundation model APIs you call directly (OpenAI, Anthropic, etc.)
For each one, capture:
- Name and description (one paragraph)
- Who built it (you or a third party)
- What data it processes
- Who's affected by its outputs
- Whether it's deployed or in development
The output of this step is a single document, typically a spreadsheet, listing every AI system in your business. For most SMEs this will be 5-15 systems, not 1.
Step 2: Classify each system by risk tier
For each AI system, determine its risk classification:
- Prohibited (banned outright)
- High-risk (full documentation obligations)
- Limited-risk (transparency obligations)
- Minimal-risk (no specific obligations)
The classification depends on:
- Whether it falls under Article 5 prohibited practices
- Whether it falls under Annex I (safety components of regulated products)
- Whether it falls under Annex III (the eight high-risk areas)
- Whether the Article 6(3) exemption applies (narrow: it never applies where the system profiles natural persons, and you must document the assessment behind it)
- Whether it interacts with humans or generates content (limited-risk)
ActScope's free classifier walks you through this in about 5 minutes per system, or you can use the framework from our classification guide. Either way, document the classification reasoning for each system.
Step 3: Determine your provider vs deployer status for each system
For systems you built: you're the provider. Most obligations sit with you.
For systems you bought: you're the deployer. Fewer obligations, focused on use and oversight.
For systems you modified significantly: you may become the provider. Under Article 25, a deployer that puts its own name or trademark on a high-risk system, substantially modifies it, or changes its intended purpose so that it becomes high-risk takes on the provider's obligations for that system, and the original provider must hand over the documentation you need. Fine-tuning a bought model for a new purpose is the usual way an SME trips this.
Document this for each system. It affects which obligations apply.
Phase 2: Foundation documents (Weeks 3-5)
For every high-risk system, four core documents are required. Work on these in parallel.
Step 4: Risk Management Plan (Article 9)
This documents how you identify, evaluate, and mitigate risks throughout the AI system's lifecycle. Required content:
- Identification of risks the system creates
- Assessment of severity and likelihood
- Mitigation measures for each risk
- Acceptance criteria (when is residual risk acceptable)
- Process for ongoing review and updates
- Roles and responsibilities
For most AI systems, common risks to address include: discriminatory outcomes, accuracy failures, privacy violations, misuse scenarios, adversarial attacks, and unintended consequences from model drift.
Length: typically 8-15 pages per system. Should be substantive, not a template.
Step 5: Data Governance Framework (Article 10)
This documents how you handle training, validation, and testing data. Required content:
- Data sourcing and provenance
- Lawful basis for processing personal data
- Quality assurance procedures
- Bias detection methodology and findings
- Gap analysis for data representation
- Data minimization measures
- Storage, retention, and deletion procedures
The bias detection piece is where many companies are weakest. Article 10(2)(f) and (g) require you to examine the data for possible biases that could affect health, safety or fundamental rights or lead to prohibited discrimination, and to document what you did to detect, prevent and mitigate them. Article 10(5) lets you process special categories of personal data for exactly this purpose, subject to safeguards, so "we don't collect protected attributes" is not a reason to skip the test.
Length: typically 10-20 pages.
Step 6: Technical Documentation (Article 11 + Annex IV)
This is the longest document. Annex IV provides a detailed template. Required content includes:
- General description of the AI system
- Intended purpose and out-of-scope uses
- Technical architecture
- Training methodology
- Model performance metrics across demographic groups
- Known limitations
- Risk mitigation measures
- Validation procedures
- Data governance setup
- Cybersecurity measures
- Post-market monitoring plan summary
- User information and instructions
Length: typically 20-40 pages per system. This is where most of the documentation work goes.
Step 7: Human Oversight Protocol (Article 14)
This documents how humans monitor, intervene in, and override AI decisions. Required content:
- Identification of oversight roles
- Training requirements for oversight personnel
- Specific intervention capabilities
- Monitoring of whether oversight is meaningful (not just rubber-stamping)
- Escalation paths
- Override and shutdown procedures
For high-risk systems in HR, credit, or healthcare, this document is particularly scrutinized.
Length: typically 5-10 pages.
Phase 3: Operational artifacts (Weeks 6-8)
The foundation documents establish your compliance posture. The operational artifacts make it live.
Step 8: Transparency Notice (Article 13)
Strictly, Article 13 is provider-to-deployer: a high-risk system must ship with instructions for use that let the deployer operate it correctly and understand its output. In practice the same material doubles as user-facing documentation. Required content:
- What the AI does
- Its capabilities and limitations
- How to interpret outputs
- Uses it should not be used for
- Risks users should be aware of
- Contact info for questions
For customer-facing AI, this often becomes part of your terms of service or a separate AI transparency page on your site.
Step 9: Information to Affected Persons (Article 26)
When AI is used to make decisions affecting individuals (employment, credit, services), those individuals have rights. Deployers must tell workers before a high-risk system is used at the workplace (Article 26(7)) and tell affected persons that a high-risk system is being used on them (Article 26(11)); affected persons can demand a clear explanation of the system's role in the decision (Article 86) and lodge a complaint with a market surveillance authority (Article 85). Where the decision is also solely automated, the GDPR Article 22 rights to human intervention and to contest the decision apply alongside. You need templates for:
- Informing them they're subject to AI-assisted decisions
- Explaining the role of the AI and the main elements of the decision (in general terms)
- How to obtain human review and contest the decision
- Where to complain
If you're a deployer using someone else's AI, you handle this. If you're a provider, you give your customers the information they need to do it, which is what your Article 13 instructions for use are for.
Step 10: Post-Market Monitoring Plan (Article 72)
This documents how you'll monitor system performance after deployment. Required content:
- What metrics you'll track
- How frequently you'll review them
- What thresholds trigger investigation
- How you'll detect drift or degradation
- Reporting procedures for serious incidents (Article 73: providers report to the market surveillance authority of the Member State where the incident occurred, at the latest 15 days after becoming aware of it, with shorter windows for deaths and widespread infringements; deployers who spot one inform the provider and the authorities)
You don't just need a plan. You need the actual monitoring infrastructure. This is often the longest operational lift because it requires building (or integrating with) systems that capture performance data over time.
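The kind of check a monitoring job runs over each reporting window, as an added Python example (not the page's or ActScope's code). It assumes a credit-decision system that logs a score, a demographic group, the decision and, for approvals, the later outcome; the thresholds (PSI 0.2, four-fifths selection ratio, 0.85 accuracy) and every sample record are constructed for illustration and are not figures from the Act.

```python
import math
from collections import defaultdict

# Alert thresholds are illustrative assumptions, not figures from the Act.
THRESHOLDS = {"psi": 0.2, "min_selection_ratio": 0.8, "min_accuracy": 0.85}
BINS = (0.0, 0.2, 0.4, 0.6, 0.8, 1.0001)  # score histogram edges; top edge catches 1.0


def score_distribution(scores):
    """Fraction of scores per bin, floored so PSI never divides by or logs zero."""
    counts = [0] * (len(BINS) - 1)
    for s in scores:
        for i in range(len(BINS) - 1):
            if BINS[i] <= s < BINS[i + 1]:
                counts[i] += 1
                break
    return [max(c / len(scores), 1e-4) for c in counts]


def psi(baseline_scores, current_scores):
    """Population Stability Index; above 0.2 is the conventional 'significant shift' mark."""
    b, c = score_distribution(baseline_scores), score_distribution(current_scores)
    return sum((ci - bi) * math.log(ci / bi) for bi, ci in zip(b, c))


def selection_rates(records):
    """Approval rate per group, for the four-fifths (80%) adverse-impact check."""
    totals, approved = defaultdict(int), defaultdict(int)
    for r in records:
        totals[r["group"]] += 1
        approved[r["group"]] += r["decision"] == "approve"
    return {g: approved[g] / totals[g] for g in totals}


def accuracy(records):
    """Accuracy over records whose real outcome is known. Declined applicants
    usually never get an outcome, so this only sees approvals (selective labels)."""
    labelled = [r for r in records if r.get("outcome") is not None]
    if not labelled:
        return None
    hits = sum((r["decision"] == "approve") == (r["outcome"] == "repaid") for r in labelled)
    return hits / len(labelled)


def evaluate_window(baseline_scores, window, thresholds=THRESHOLDS):
    """Compute the window's metrics and list every threshold breach as (kind, detail)."""
    alerts = []
    drift = psi(baseline_scores, [r["score"] for r in window])
    if drift > thresholds["psi"]:
        alerts.append(("drift", round(drift, 3)))
    rates = selection_rates(window)
    top = max(rates.values())
    for group, rate in rates.items():
        ratio = rate / top if top else 1.0
        if ratio < thresholds["min_selection_ratio"]:
            alerts.append(("disparity", group))
    acc = accuracy(window)
    if acc is not None and acc < thresholds["min_accuracy"]:
        alerts.append(("accuracy", acc))
    return {"psi": round(drift, 3), "selection_rates": rates, "accuracy": acc, "alerts": alerts}


# Constructed sample data: validation-time scores, then two weekly windows of decisions.
BASELINE_SCORES = [0.1, 0.15, 0.3, 0.35, 0.45, 0.5, 0.55, 0.6, 0.65, 0.7,
                   0.72, 0.75, 0.8, 0.82, 0.85, 0.88, 0.9, 0.92, 0.95, 0.98]


def rec(score, group, decision, outcome=None):
    return {"score": score, "group": group, "decision": decision, "outcome": outcome}


HEALTHY_WINDOW = [
    rec(0.12, "A", "decline"), rec(0.33, "B", "decline"), rec(0.47, "A", "decline"),
    rec(0.58, "B", "decline"), rec(0.66, "A", "approve", "repaid"),
    rec(0.71, "B", "approve", "repaid"), rec(0.78, "A", "approve", "repaid"),
    rec(0.84, "B", "approve", "repaid"), rec(0.91, "A", "approve", "repaid"),
    rec(0.96, "B", "approve", "repaid"),
]

DEGRADED_WINDOW = [  # scores shifted down, group B approved far less, approvals going bad
    rec(0.15, "A", "decline"), rec(0.3, "A", "decline"), rec(0.65, "A", "approve", "repaid"),
    rec(0.7, "A", "approve", "default"), rec(0.9, "A", "approve", "repaid"),
    rec(0.1, "B", "decline"), rec(0.2, "B", "decline"), rec(0.3, "B", "decline"),
    rec(0.35, "B", "decline"), rec(0.75, "B", "approve", "default"),
]

if __name__ == "__main__":
    for name, window in (("healthy", HEALTHY_WINDOW), ("degraded", DEGRADED_WINDOW)):
        print(name, evaluate_window(BASELINE_SCORES, window))
```

Each alert is what should open an investigation ticket and, for a disparity finding on an Annex III system, feed back into the Article 9 risk file. The accuracy metric also illustrates a trap worth writing into the plan: declined applicants rarely produce an outcome, so performance measured on approvals alone is biased, and a drop in it still deserves a look rather than being explained away.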
Step 11: Record-keeping infrastructure (Article 12)
High-risk systems must automatically log significant events. Required logging includes:
- System inputs and outputs (without storing all data forever)
- Decision points
- Anomalies and errors
- Human overrides
- System configuration changes
The logging system itself needs to be tamper-evident and accessible for audit, and Article 19 (providers) and Article 26(6) (deployers) require the logs under your control to be kept for at least six months unless other Union or national law requires longer. Most cloud platforms (AWS CloudTrail, Azure Monitor, GCP Cloud Logging) can do this, but you need to configure them properly for AI Act purposes: retention, write-once or integrity-validated storage, and a way to export one decision's full trail on request.
Step 12: Conformity Assessment (Article 43)
Before placing a high-risk AI system on the EU market, you need to complete a conformity assessment. For Annex III systems this is normally the internal control procedure of Annex VI: a self-assessment against the requirements, based on your documentation, after which you draw up the EU declaration of conformity (Article 47) and affix the CE marking (Article 48).
Third-party assessment by a notified body (Annex VII) is required for Annex III biometric systems where you have not applied harmonised standards in full, and AI embedded in Annex I products follows whatever conformity procedure that product legislation already imposes. For most SMEs in HR tech, fintech, EdTech, the internal self-assessment is sufficient.
Document the assessment results and the date.
Step 13: EU Database Registration (Article 49)
High-risk AI systems must be registered in the EU database (Article 71) before market placement. The same applies if you rely on Article 6(3) to conclude that an Annex III system is not high-risk: Article 49(2) still requires you to register it, with the assessment on file. The database isn't fully live yet, but registration will be required by August 2, 2026. Watch for the EU AI Office's announcements on registration procedures.
The registration includes basic system info, intended purpose, provider details, and conformity assessment status.
Phase 4: Process integration (Weeks 9-10)
The documents and infrastructure are foundational, but compliance has to live in your operations.
Step 14: Internal training
Everyone who interacts with the high-risk AI system in their role needs training. This includes:
- The team building or modifying the AI
- Anyone doing human oversight
- Anyone interpreting outputs for decisions
- Anyone handling customer or affected-person inquiries
- Anyone responsible for monitoring or audit
Training should cover what the AI Act requires, what your specific obligations are, how to handle issues, and how to escalate. Document who was trained and when.
Step 15: Change management process
AI systems aren't static. Models get retrained. Features get added. Datasets get updated. Your compliance can't be a one-time exercise.
Build a process where:
- Any significant change to an AI system triggers a compliance review
- Risk assessments get updated
- Documentation gets re-verified
- Monitoring metrics get adjusted
- Affected stakeholders get notified
This is usually integrated into your existing software development process (review gates in product specs, security reviews, etc.).
Step 16: Quarterly compliance review
Set a recurring quarterly review of your compliance posture:
- Are all AI systems still correctly classified?
- Have any new systems been added that need classification?
- Are documents still current?
- Are monitoring systems flagging anything?
- Have any new EU AI Office guidelines affected your obligations?
- Are obligations being met operationally, not just on paper?
This becomes part of your operating cadence.
Step 17: Vendor management
If you use third-party AI services, you need agreements that support your compliance:
- Vendor's compliance documentation accessible to you
- Their post-market monitoring shared with you
- Your right to audit their system in case of incidents
- Notice provisions if their system changes materially
- Allocation of responsibilities if both of you have obligations
Review your vendor contracts before August 2.
Phase 5: Specific situations to address
Some specific scenarios warrant their own checks.
Step 18: General-purpose AI usage
If you're using GPT-4, Claude, Llama, Gemini, or any foundation model, special provisions apply:
- If you're just using it via API without significant modification, you're a deployer of the resulting AI system
- If you're fine-tuning it on your own data, or integrating it so that it serves a new intended purpose, you may take on provider obligations for the resulting system
- If you're building products on top of it and placing them on the market, you're a provider of those products
- The GPAI model obligations in Chapter V (Articles 51-56) fall on the model's provider and have applied since August 2, 2025; check that your vendor publishes the documentation and training-content summary Article 53 requires, because you will need it for your own technical documentation
Document your GPAI relationships and obligations.
Step 19: Prohibited practices check
Even outside Annex III high-risk territory, certain practices are banned under Article 5:
- Subliminal manipulation causing harm
- Exploiting vulnerabilities
- Social scoring
- Predictive policing based on profiling
- Untargeted facial image scraping
- Emotion recognition in workplace or education
- Biometric categorization for sensitive attributes
- Real-time remote biometric identification in public spaces
Verify none of your AI features fall here. The prohibitions have applied since February 2, 2025, so anything in this list is already unlawful: remove it now, not by August.
Step 20: Limited-risk transparency
If your AI interacts with humans (chatbots) or generates synthetic content (text, images, audio, video), Article 50 transparency applies:
- Users informed they're interacting with AI
- AI-generated content labeled as such (machine-readable format)
- Deepfakes labeled clearly
For most SaaS products with chatbots or AI-generated content features, this is straightforward to implement. But it needs to be done.
Timing: when each phase should happen
For an SME starting in May 2026, here's the realistic timeline:
| Month | Focus | Deliverables |
|---|---|---|
| May | Discovery, classification, foundation documents start | Inventory complete, classifications done, Risk Management Plans drafted |
| June | Foundation documents finished, operational artifacts started | Data Governance, Technical Documentation, Human Oversight Protocols complete |
| July | Operational artifacts finished, process integration | Transparency Notices, Post-Market Monitoring, Record-keeping, internal training |
| August 2 | Enforcement begins | Conformity Assessment complete, EU Database registration done, full compliance posture documented |
A company starting in May has comfortable margin. A company starting in July is doing this badly under pressure. A company starting in August is already late.
The total work estimate
For an SME with 3-5 AI systems:
- Phase 1 (Discovery and classification): 10-20 hours
- Phase 2 (Foundation documents): 40-80 hours
- Phase 3 (Operational artifacts): 30-60 hours
- Phase 4 (Process integration): 20-40 hours
- Phase 5 (Specific situations): 10-20 hours
Total: 110-220 hours of focused work, typically spread across 8-12 weeks and split between compliance, product, and engineering team members.
Doing this without tooling means typing all documents from scratch, which inflates these numbers significantly. ActScope's Pro tier generates the foundation documents automatically based on your system descriptions, which cuts the documentation work roughly in half.
What to do this week
If you're starting today, do these things in order:
- Today: Inventory your AI systems. Make the spreadsheet. Take 1-2 hours and get it done.
- This week: Classify each system. Use a structured framework (the ActScope free classifier or the checklist in our classification guide).
- Next week: Start the foundation documents for high-risk systems. Risk Management Plan first.
- This month: Get all foundation documents drafted. Even if rough.
- June: Polish documents, build operational infrastructure (monitoring, logging, training).
- July: Process integration, internal training, final reviews.
- By August 2: Conformity Assessment complete, EU database registration submitted, full compliance posture ready.
The companies that handle this calmly are starting now. The ones who wait until July will be paying double-rate consultants and skipping crucial steps because they ran out of time.
If you want help with the foundation documents, ActScope's Pro tier generates Risk Management Plans, Data Governance Frameworks, Technical Documentation, and the rest based on your specific AI systems. It cuts the documentation work roughly in half. €69/month, cancellable anytime.
Common questions
Can we use the same documentation for multiple AI systems? For some elements (data governance frameworks, monitoring infrastructure, training programs), you can share documentation across systems. For others (technical documentation, risk management plans), each system needs its own. The Act requires system-specific documentation where the systems are functionally distinct.
What if we miss the August 2 deadline? Enforcement begins August 2, 2026. Companies that aren't compliant face risk of fines if a complaint is filed or an audit happens. Realistic enforcement priority will focus first on prohibited practices, then on egregious high-risk non-compliance. But "we'll probably be fine" is not a strategy.
Do we need to do this for AI we use that's developed elsewhere? Yes, as a deployer. Your obligations are smaller than a provider's but they exist. Focus on use, human oversight, information to affected persons, and ensuring your vendor is meeting their obligations.
What about open-source AI models? Open-source models have specific provisions. If you're a provider of an open-source GPAI model, some obligations are reduced. If you're using open-source AI as a deployer, your obligations are similar to using commercial AI. The open-source nature doesn't exempt downstream users.
Should we do this work ourselves or hire consultants? For SMEs with 1-5 AI systems and reasonably straightforward use cases, self-serve compliance tooling is usually appropriate. For complex situations (regulated industries, novel use cases, high-stakes applications), legal counsel and specialist consultants add value. Most SMEs land in the self-serve category with optional legal review at key milestones.
What about ongoing compliance after August 2? Compliance is ongoing, not one-time. Quarterly reviews, post-market monitoring, change management, and responding to new EU AI Office guidance are all continuous work. Plan for roughly 10-20% of the initial setup effort per quarter as maintenance.
Related guides:
- EU AI Act vs GDPR: How They Overlap, Where They Don't, and What This Means for Your Business (12 min). GDPR compliance doesn't make you EU AI Act compliant. Here's how the two regulations interact, where they overlap, and the specific gaps you need to close before August 2, 2026.
- Deep dive: Article 6(3) Exemption: When Annex III Doesn't Mean High-Risk (11 min). The Article 6(3) exemption is the most misunderstood clause in the EU AI Act. Here's exactly how it works, when it applies, and the trap that catches 80% of companies that try to use it.
- Vertical guide: The EU AI Act for HR Tech: What Recruitment, People Analytics, and Workforce AI Companies Need to Know (13 min). If your HR tech product uses AI for hiring, screening, performance, or workforce management, you're almost certainly building a high-risk system under the EU AI Act. Here's exactly what that means and what to do.