Home / Guides / EU AI Act Compliance Checklist
EU AI Act

The EU AI Act Compliance Checklist

The EU AI Act is the first comprehensive law governing artificial intelligence, and its reach extends well beyond Europe. In 2026 the EU adopted its Digital Omnibus, which moved several deadlines. This guide sets out what applies, by when, and gives you a practical checklist to get ready.

Does it apply to you?

The Act applies if you provide or deploy AI systems in the EU market, or where the output of your AI is used in the EU, regardless of where your company sits. That pulls a large number of non-EU businesses into scope. If you sell into Europe, or your product is used there, assume you need to look at it.

The timeline after the Digital Omnibus

The Omnibus deferred the high-risk obligations by more than a year, but it left the transparency duties and the Act's core structure in place. Here is where things stand.

In force since Aug 2024
The Act entered into force, with obligations phasing in over several years.
Since Feb 2025
Prohibited AI practices are banned, and AI literacy duties began.
Since Aug 2025
Obligations for general-purpose AI models apply.
2 August 2026
Transparency obligations for deployers apply. This date was not deferred.
2 December 2026
Synthetic-content transparency for providers, such as watermarking, plus a new prohibition on non-consensual intimate imagery and CSAM generation.
2 December 2027
High-risk obligations for standalone Annex III systems, such as recruitment and credit scoring, apply. Deferred from August 2026.
2 August 2028
High-risk obligations for AI embedded in regulated products under Annex I apply.

Breaches carry penalties of up to 35 million euros or 7 percent of global annual turnover, whichever is higher. The deferral is a delay, not a repeal, and existing law already applies to AI harms today.

The compliance checklist

The starting point

Templates for the inventory, risk, and documentation

The Extrasphere Complete Toolkit gives you the AI inventory, risk register, impact assessment, and vendor assessment that this checklist calls for, mapped to the EU AI Act. One-time $299, and it includes 12 months of update re-issues. Start free with a policy and readiness checklist.

Use the extra time, do not waste it

The deferral is runway, not a pause. The hard part of compliance is not the documentation template, it is finding every AI system in your organization, deciding which category each falls into, and keeping that inventory current as new tools ship. None of that gets easier by waiting. Start now and you have room to refine. Start late and you have weeks, not months. If you provide high-risk AI systems, the EU AI Act High-Risk Provider Pack covers the provider documentation this work calls for.

Frequently asked questions

Does the EU AI Act apply to companies outside the EU?

Yes. It applies if you provide or deploy AI in the EU market, or where the output of your AI is used in the EU, regardless of where your company is based.

Did the EU delay the AI Act?

The 2026 Digital Omnibus deferred the high-risk obligations to December 2027 for Annex III systems and August 2028 for Annex I product-embedded systems. Transparency duties and the core rules were not deferred.

What are the penalties?

Up to 35 million euros or 7 percent of global annual turnover, whichever is higher, for the most serious breaches.

What counts as high-risk AI?

Uses such as recruitment, credit scoring, education, law enforcement, and AI that acts as a safety component of a regulated product.

The Governance Brief

Stay current in five minutes a month

One regulatory change that matters, one template to use. Free.