The EU AI Act Compliance Checklist
The EU AI Act is the first comprehensive law governing artificial intelligence, and its reach extends well beyond Europe. In 2026 the EU adopted its Digital Omnibus, which moved several deadlines. This guide sets out what applies, by when, and gives you a practical checklist to get ready.
Does it apply to you?
The Act applies if you provide or deploy AI systems in the EU market, or where the output of your AI is used in the EU, regardless of where your company sits. That pulls a large number of non-EU businesses into scope. If you sell into Europe, or your product is used there, assume you need to look at it.
The timeline after the Digital Omnibus
The Omnibus deferred the high-risk obligations by more than a year, but it left the transparency duties and the Act's core structure in place. Here is where things stand.
Breaches carry penalties of up to 35 million euros or 7 percent of global annual turnover, whichever is higher. The deferral is a delay, not a repeal, and existing law already applies to AI harms today.
The compliance checklist
- Inventory every AI system you build, buy, or use. Everything else depends on this.
- Classify each system by risk tier: prohibited, high-risk, limited-risk, or minimal.
- Meet transparency duties for limited-risk uses: tell people when they are dealing with an AI system and when content is AI-generated.
- Start high-risk work now, even with the 2027 date: documentation, risk management, human oversight, and data governance take time to build.
- Plan synthetic-media labelling if you generate images, audio, or video, ahead of the December 2026 date.
- Assign ownership and keep records so you can show what you did and when.
Templates for the inventory, risk, and documentation
The Extrasphere Complete Toolkit gives you the AI inventory, risk register, impact assessment, and vendor assessment that this checklist calls for, mapped to the EU AI Act. One-time $299, and it includes 12 months of update re-issues. Start free with a policy and readiness checklist.
Use the extra time; do not waste it
The deferral is runway, not a pause. The hard part of compliance is not the documentation template; it is finding every AI system in your organization, deciding which category each falls into, and keeping that inventory current as new tools ship. None of that gets easier by waiting. Start now and you have room to refine. Start late and you have weeks, not months. If you provide high-risk AI systems, the EU AI Act High-Risk Provider Pack covers the provider documentation this work calls for.
Frequently asked questions
Yes. It applies if you provide or deploy AI in the EU market, or where the output of your AI is used in the EU, regardless of where your company is based.
The 2026 Digital Omnibus deferred the high-risk obligations to December 2027 for Annex III systems and August 2028 for Annex I product-embedded systems. Transparency duties and the core rules were not deferred.
Up to 35 million euros or 7 percent of global annual turnover, whichever is higher, for the most serious breaches.
Uses such as recruitment, credit scoring, education, law enforcement, and AI that acts as a safety component of a regulated product.