EU AI Act Compliance Checklist for Developers (2026)

The August 2026 enforcement deadline is no longer a distant horizon — it is now. This developer-focused checklist covers everything you need to classify your AI system, meet your legal obligations, and avoid fines of up to €35 million.

Governer Editorial Team · 10 min read

Why the August 2026 Deadline Matters

The EU AI Act entered into force on 1 August 2024, but its most critical provisions — those governing high-risk AI systems — became enforceable from August 2026. For developers and engineering teams building AI products deployed in the European Union, this means the clock has run out. Non-compliance now carries fines of up to €35 million or 7% of global annual turnover for violations involving prohibited AI practices, and up to €15 million or 3% for high-risk system failures.

This checklist is structured in the same order regulators will use when assessing your system. Work through each section and use Governer's free AI compliance scanner to automate the technical parts.

Step 1: Classify Your AI System by Risk Tier

The EU AI Act divides AI systems into four risk tiers. Your obligations — and fines — depend entirely on which tier applies:

  • Unacceptable Risk (Prohibited): Real-time remote biometric identification in public spaces, social scoring systems, subliminal manipulation. These are banned outright under Article 5. If your system falls here, you must cease operations.
  • High Risk (Annex III): AI used in critical infrastructure, education, employment, essential services, law enforcement, migration, or justice. These systems face the full weight of the Act.
  • Limited Risk: Chatbots, deepfakes, and emotion recognition tools. Must meet specific transparency obligations (Article 50).
  • Minimal Risk: Spam filters, recommendation systems with no significant impact. No specific obligations — but voluntary codes of conduct are encouraged.

Checklist item: Document your system's intended purpose, deployment context, and affected user groups. Map this against Annex III and Article 5 using a risk classification matrix.

Step 2: High-Risk System Obligations (Annex III Systems)

If your system is classified high-risk, you must satisfy all of the following before deployment:

2a. Risk Management System (Article 9)

Implement a documented, iterative risk management process covering: identification of known and reasonably foreseeable risks, estimation of risks in intended and foreseeable misuse scenarios, evaluation of post-market data, and adoption of suitable risk mitigation measures.

Checklist items:

  • ☐ Risk management plan documented and version-controlled
  • ☐ Risk register maintained, reviewed at least quarterly
  • ☐ Residual risks documented and accepted by a named risk owner

2b. Data Governance (Article 10)

Training, validation, and testing datasets must meet quality criteria. You must document data collection methodology, data preparation operations, and known limitations or biases. Particular caution is required for special category data under GDPR.

  • ☐ Dataset cards or model cards exist per dataset
  • ☐ Bias assessment documented for demographic subgroups
  • ☐ Data retention policy aligned with GDPR Article 5(1)(e)

2c. Technical Documentation (Article 11 + Annex IV)

Annex IV specifies exactly what your technical documentation must contain: system purpose, training methodology, performance metrics, architecture diagrams, and post-market monitoring plan — all kept up to date and available to market surveillance authorities on request.

  • ☐ Annex IV documentation completed and stored securely
  • ☐ Architecture diagram current and version-controlled
  • ☐ Performance benchmarks on representative test datasets recorded

2d. Automatic Logging (Article 12)

High-risk AI systems must automatically log events throughout their operation. Logs must be retained for a period appropriate to the intended purpose (minimum 6 months for most systems, and at least 1 year where the system makes decisions affecting individuals).

  • ☐ Event logging enabled at inference time
  • ☐ Logs are tamper-evident and access-controlled
  • ☐ Log retention period documented and enforced via policy
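As an added illustration of the "tamper-evident" item above (not code from the page or from Governer's product): an HMAC-tagged, hash-chained inference log in Python, with a verifier that reports the first edited or reordered entry. The key, the model version, the overseer ids and the three sample decisions are all constructed for the example.

```python
import hashlib
import hmac
import json

# Constructed key for this example. In production the key lives with a separate
# log-integrity service, so the inference process can append but never re-sign.
LOG_KEY = b"example-log-integrity-key"
GENESIS = "0" * 64

def tag_for(body: dict) -> str:
    """HMAC-SHA256 over a canonical JSON form, so equal entries tag equally."""
    data = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(LOG_KEY, data, hashlib.sha256).hexdigest()

def append_event(log: list, event: dict) -> dict:
    """Append one inference event, chained to the previous entry's tag."""
    prev = log[-1]["tag"] if log else GENESIS
    body = {"seq": len(log), "prev": prev, "event": event}
    entry = dict(body, tag=tag_for(body))
    log.append(entry)
    return entry

def verify_chain(log: list) -> "int | None":
    """Return the index of the first bad entry, or None if the chain is intact."""
    prev = GENESIS
    for i, entry in enumerate(log):
        body = {"seq": entry["seq"], "prev": entry["prev"], "event": entry["event"]}
        if (entry["seq"] != i or entry["prev"] != prev
                or not hmac.compare_digest(entry["tag"], tag_for(body))):
            return i
        prev = entry["tag"]
    return None

def sample_log() -> list:
    """Three constructed decisions from a hypothetical CV-screening model."""
    log = []
    decisions = [("shortlist", "hr-042"), ("reject", "hr-042"), ("shortlist", "hr-017")]
    for seq, (output, overseer) in enumerate(decisions):
        append_event(log, {
            "ts": f"2026-08-0{seq + 1}T09:00:00Z",
            "model_version": "screener-2.3.1",
            # Hash of the input, not the CV itself: traceable without copying personal data.
            "input_sha256": hashlib.sha256(f"application-{seq}".encode()).hexdigest(),
            "output": output,
            "overseer_id": overseer,
        })
    return log
```

Editing or reordering any entry changes its tag or breaks the seq/prev links, so verify_chain reports its index; silently dropping the newest entries still verifies, so the latest tag should also be anchored in a separate store (or the file kept on append-only storage) if the retention policy is to be enforceable.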

2e. Transparency & User Information (Article 13)

  • ☐ Instructions for use delivered to deployers in plain language
  • ☐ System's capabilities and limitations disclosed
  • ☐ Contact details of the provider included

2f. Human Oversight (Article 14)

  • ☐ Override/stop mechanism accessible to humans at all times
  • ☐ Output monitoring mechanism implemented
  • ☐ Training provided to human overseers

2g. Accuracy, Robustness & Cybersecurity (Article 15)

  • ☐ Accuracy metrics documented and meet baseline thresholds
  • ☐ Adversarial robustness tested
  • ☐ Penetration testing completed within the last 12 months

Step 3: Conformity Assessment & CE Marking

For most high-risk AI systems listed in Annex III, providers can conduct an internal conformity assessment (self-assessment). However, systems in Annex III categories 1 (biometric identification) and 6 (law enforcement) require third-party conformity assessment by a notified body.

  • ☐ Determine whether self-assessment or notified body applies
  • ☐ Complete conformity assessment and generate declaration of conformity
  • ☐ Affix CE marking where required
  • ☐ Register system in the EU AI Act database (Article 71)

Step 4: Post-Market Monitoring (Article 72)

Compliance does not end at deployment. You must operate a post-market monitoring system that actively collects and analyses data on system performance throughout its lifetime.

  • ☐ Post-market monitoring plan documented
  • ☐ Serious incident reporting procedure in place (24-hour notification to national authority)
  • ☐ Feedback loops from deployers to provider established

Step 5: Scanning Your Codebase Automatically

The above steps are necessary but difficult to maintain manually across a growing codebase. Governer's EU AI Act compliance scanner automates the technical checks: it scans your repository for missing logging hooks, transparency disclosures, human oversight mechanisms, and documentation artefacts — then maps every violation directly to the relevant Article.

Run pip install governer in your project and execute governer scan --framework eu-ai-act to generate your compliance report in under 60 seconds.

Quick-Reference Checklist Summary

Obligation                   Article              Applies to
Risk Management System       Art. 9               High-risk
Data Governance              Art. 10              High-risk
Technical Documentation      Art. 11 + Annex IV   High-risk
Automatic Logging            Art. 12              High-risk
Transparency                 Art. 13              High-risk
Human Oversight              Art. 14              High-risk
Accuracy & Robustness        Art. 15              High-risk
Transparency obligations     Art. 50              Limited risk (chatbots, deepfakes)
Conformity Assessment        Art. 43              High-risk
Post-Market Monitoring       Art. 72              High-risk
Prohibited practices ban     Art. 5               All systems

Conclusion

EU AI Act compliance is a continuous engineering discipline, not a one-time legal exercise. The developers and teams who treat compliance as part of their CI/CD pipeline — scanning with every merge, maintaining living documentation, and resolving violations before they ship — will be the ones that reach the August 2026 deadline without scrambling. Use this checklist as your living reference, automate what you can, and run your first scan on Governer today.
