The EU AI Act enters enforcement for high-risk AI systems in August 2026. With penalties reaching up to 35 million EUR or 7% of global annual turnover, this is not regulation you can afford to approach reactively.
But the regulation itself spans over 100 pages, with dozens of articles, annexes, and cross-references. For most organisations, the challenge is not awareness — it is knowing where to start.
This checklist distils the EU AI Act into seven actionable workstreams. Each represents a concrete area of work with specific article references, sub-requirements, and practical guidance. Whether you are at the beginning of your compliance journey or looking to validate your current approach, this guide provides a structured starting point.
Step 1: Inventory Your AI Systems
You cannot govern what you do not know about.
The foundation of EU AI Act compliance is a comprehensive inventory of every AI system your organisation develops, deploys, or uses. This is not limited to the models your data science team built. It includes every third-party AI service, every API integration, every AI-assisted tool in your technology stack.
Sub-requirements
- Catalogue all AI systems — Include internally developed models, third-party APIs (e.g., OpenAI, cloud ML services), embedded AI in SaaS tools, and AI components in vendor products.
- Document the purpose and scope of each system — What decisions does it make or support? What data does it process? Who are the affected persons?
- Identify the provider vs. deployer role — Under the EU AI Act, providers (developers) and deployers (users) have different obligations. Your role determines your compliance requirements.
- Map data flows — Understand what data enters each AI system, where it is processed, and what outputs it produces. This feeds directly into GDPR compliance obligations.
- Establish an AI system register — Article 49 requires registration of high-risk AI systems in the EU database. Your internal inventory should be structured to support this requirement.
Practical Guidance
Start with a cross-functional survey. IT, procurement, data science, and business units all deploy AI systems — often independently. Shadow AI is as significant a risk as shadow IT was a decade ago. A platform like littledata.ai provides structured AI system registration with fields mapped directly to EU AI Act requirements.
Step 2: Classify Risk Levels
Your risk classification determines your entire compliance burden.
The EU AI Act establishes four risk tiers: Prohibited, High-Risk, Limited Risk, and Minimal Risk. Accurate classification is critical because it determines which requirements apply to each of your AI systems.
Sub-requirements
- Screen for prohibited practices (Article 5) — Social scoring, subliminal manipulation, exploitation of vulnerabilities, real-time biometric identification in public spaces (with exceptions). If any of your AI systems fall here, they must be discontinued.
- Assess against Annex III high-risk categories — Biometric systems, critical infrastructure, education, employment, essential services, law enforcement, migration, justice. High-risk classification triggers the full set of Articles 6-15 requirements.
- Evaluate Annex I high-risk systems — AI systems that are safety components of products covered by existing EU harmonisation legislation (medical devices, machinery, aviation, automotive, etc.).
- Apply the Article 6(3) exception — A high-risk AI system may be exempt if it does not pose a significant risk of harm, does not materially influence decision-making, or is intended for a narrow procedural task. Document your reasoning if you apply this exception.
- Classify remaining systems — Systems with transparency obligations (chatbots, deepfakes, emotion recognition) fall under Limited Risk. Everything else is Minimal Risk with voluntary codes of conduct.
Practical Guidance
Classification is not a one-time exercise. New AI systems must be classified before deployment, and existing classifications should be reviewed when a system’s purpose or scope changes. LittleData’s platform provides automated risk classification workflows with article-by-article mapping, ensuring consistent classification across your portfolio.
Step 3: Assess Gaps Against Articles 6-15
These are the core technical requirements for high-risk AI systems.
For every AI system classified as high-risk, you must assess your current state against the detailed requirements in Articles 6 through 15. This gap assessment reveals where you need to invest effort.
Key Articles to Assess
- Article 9 — Risk Management System — A documented, iterative risk management system throughout the AI system’s lifecycle. This must identify and analyse known and foreseeable risks, estimate and evaluate risks, and adopt suitable risk management measures.
- Article 10 — Data and Data Governance — Training, validation, and testing datasets must meet quality criteria. Bias examination, data representativeness, and data governance measures must be documented.
- Article 11 — Technical Documentation (Annex IV) — Comprehensive technical documentation that allows authorities to assess compliance. This includes system descriptions, design specifications, monitoring capabilities, and performance metrics.
- Article 12 — Record-Keeping — Automatic logging of events throughout the AI system’s operation. Logs must enable monitoring, traceability, and post-market surveillance.
- Article 13 — Transparency and Information — AI systems must be sufficiently transparent for deployers to interpret outputs and use the system appropriately.
- Article 14 — Human Oversight — Measures that enable human oversight of the AI system, including the ability to understand, monitor, intervene, and override.
- Article 15 — Accuracy, Robustness, and Cybersecurity — Technical robustness measures including resilience against adversarial attacks and system errors.
Practical Guidance
A gap assessment should produce a clear picture of where you stand today, what work is required, and how to prioritise. Each article has specific sub-requirements and conformity assessment criteria. LittleData’s platform provides article-by-article gap analysis with readiness scoring and evidence management.
Step 4: Train Your Teams (Article 4)
AI literacy is not optional. It is a legal requirement.
Article 4 of the EU AI Act requires that providers and deployers ensure their staff have a sufficient level of AI literacy. This applies to everyone who develops, deploys, or oversees AI systems — not just technical teams.
Sub-requirements
- Identify roles that require AI literacy — Developers, deployers, compliance officers, risk managers, ethics board members, incident responders, senior leadership with AI oversight responsibilities.
- Deliver role-appropriate training — A compliance officer needs different training than an ML engineer. A data protection officer needs different competencies than an AI ethics lead. One-size-fits-all training does not meet the requirement.
- Assess and certify competency — Training must be assessed, not just delivered. Documented evidence of competency assessment is essential for audit readiness.
- Maintain recertification schedules — AI literacy is not a one-time event. As the technology and regulatory landscape evolve, teams need ongoing education with regular recertification.
- Track completion and coverage — You need visibility into which roles have completed training, which certifications are current, and where gaps exist.
Practical Guidance
LittleData’s platform includes 56 training materials across 10 structured courses, covering AI Literacy, Regulatory Compliance, Ethics, Risk Management, Incident Response, and Technical Security. Each course is mapped to specific regulatory requirements, with role-based learning paths for 12 governance roles. Quiz assessments generate auditable evidence of competency.
Step 5: Document Everything (Article 11, Annex IV)
Documentation that survives an audit. Not documentation that checks a box.
Article 11 requires technical documentation drawn up before a high-risk AI system is placed on the market or put into service. Annex IV specifies the required content in detail.
Sub-requirements
- System description — Intended purpose, developer identity, system version, hardware/software requirements, and interaction with other systems.
- Design specifications — Model architecture, algorithmic choices, key design decisions, and the rationale behind them.
- Data documentation — Training, validation, and testing data descriptions. Data collection methods, data characteristics, labelling procedures, and data cleaning operations.
- Performance metrics — Accuracy, robustness, cybersecurity measures, and the metrics used to evaluate them. Performance across relevant subgroups.
- Model cards — Standardised documentation of model capabilities, limitations, intended use, and known failure modes.
- Testing records — Records of all testing conducted, including adversarial testing, with results, dates, and methodology.
- Change management — Documentation must be kept up to date throughout the system’s lifecycle. Material changes require documentation updates.
Practical Guidance
Documentation is the area where most organisations underestimate the effort required. Technical documentation per Annex IV is substantial, and maintaining it across multiple AI systems requires a systematic approach. Spreadsheets and shared drives do not scale. A purpose-built platform with structured documentation templates and version control is essential.
Step 6: Build Human Oversight (Article 14)
Meaningful oversight, not checkbox oversight.
Article 14 requires that high-risk AI systems be designed and developed so that they can be effectively overseen by natural persons. This is not about having a human nominally “in the loop” — it is about ensuring that human overseers can genuinely understand, monitor, and intervene.
Sub-requirements
- Understand system capabilities and limitations — Overseers must be able to properly understand the system, including its tendency to produce errors, known biases, and the level of accuracy in specific contexts.
- Monitor system operation — Real-time visibility into the system’s behaviour, including anomaly detection and drift monitoring. The LittleData platform provides continuous risk scoring across observability, adversarial, privacy, and DLP dimensions.
- Interpret outputs correctly — Overseers must be able to interpret AI system outputs in context. This requires transparency measures, explainability tools, and appropriate training.
- Intervene and override — The ability to decide not to use the AI system, to override its output, or to stop the system entirely. These interventions must be technically possible and organisationally supported.
- Escalation procedures — Clear procedures for escalating concerns, reporting malfunctions, and triggering incident response when human oversight identifies problems.
Practical Guidance
Meaningful human oversight requires both technical infrastructure (monitoring dashboards, alerting systems, override mechanisms) and organisational infrastructure (trained personnel, escalation procedures, authority to intervene). Neither alone is sufficient.
Step 7: Test Adversarial Robustness (Article 15)
Red team your AI systems. Before someone else does.
Article 15 requires that high-risk AI systems achieve an appropriate level of accuracy, robustness, and cybersecurity. This includes specific requirements for resilience against adversarial attacks and system errors.
Sub-requirements
- Adversarial robustness testing — Test against all five attack categories: evasion, extraction, poisoning, injection, and inference. Read our comprehensive guide to AI red teaming for details on each category.
- Error resilience — Test system behaviour under error conditions, unexpected inputs, edge cases, and degraded operating conditions.
- Cybersecurity measures — Protect the AI system against unauthorized access, data manipulation, and exploitation of vulnerabilities. This goes beyond traditional IT security to cover AI-specific attack vectors.
- Redundancy and fallback — Technical redundancy solutions and fallback plans for when the AI system fails or produces unreliable outputs.
- Ongoing testing — Robustness testing is not a one-time activity. As threat landscapes evolve and models are updated, testing must be repeated.
Practical Guidance
Adversarial robustness testing requires specialised expertise at the intersection of machine learning and offensive security. Most traditional penetration testing firms lack the ML depth to test AI-specific attack vectors. Most AI companies lack the adversarial security methodology. LittleData’s AI red team combines both skill sets.
From Checklist to Continuous Compliance
Each of these seven steps is a workstream, not a task. Each has sub-requirements that require planning, execution, evidence collection, and ongoing monitoring. And the EU AI Act is not a one-time compliance exercise — it requires continuous governance throughout the lifecycle of every high-risk AI system.
Tracking all of this in spreadsheets does not scale. Hiring a consultancy for a point-in-time assessment produces a report that is stale within months. What you need is a system that provides continuous visibility into your compliance posture across every requirement, every AI system, and every framework.
That is exactly what we built.
How LittleData Supports Each Step
| Step | Platform Capability |
|---|---|
| 1. Inventory | AI system registration with structured metadata |
| 2. Classification | Automated risk classification workflows |
| 3. Gap Assessment | Article-by-article readiness scoring |
| 4. Training | 56 materials, 10 courses, role-based learning paths |
| 5. Documentation | Evidence management and audit trail |
| 6. Human Oversight | Real-time risk scoring and monitoring dashboards |
| 7. Adversarial Testing | Red team services with platform-integrated findings |
Start Your EU AI Act Compliance Journey
August 2026 is approaching. If your compliance programme is not underway, you are already behind. LittleData provides the platform and the expertise to move from checklist to continuous compliance — with article-by-article tracking, gap analysis, training delivery, risk scoring, and evidence management in a single platform.
Explore the platform: littledata.ai
Learn more about our AI governance services: littledata.com/ai-risk-platform
Get in touch: littledata.com/contact
