EU AI Act compliance checklist — full Article 11 + Annex IV pre-Aug-2-2026 sweep

30+ items across 6 sections covering Article 11 technical documentation, Article 9 risk management, Article 14 human oversight, Article 61 post-market monitoring, conformity assessment, and AIBOM emission. Use this as the pre-deadline gate.

For: AI startup providers placing high-risk systems on the EU market

Annex III high-risk classification

  • Self-classify each AI system against Annex III categories (biometric, employment, education, credit, law enforcement, migration, critical infra) [critical]
  • Document the classification rationale per system in your risk register [critical]
  • Designate an EU representative if you are a non-EU provider with EU users [critical]
  • Confirm whether self-assessment (Annex VI) or Notified Body conformity assessment (Annex VII) applies [critical]

Article 11 technical documentation (Annex IV)

  • Section 1: General description (intended purpose, geographic scope, data subject categories, version) [critical]
  • Section 2: Detailed description of elements + development process (architecture, training methodology, validation) [critical]
  • Section 3: Monitoring + functioning + control (post-market monitoring, incident logging, human oversight design) [critical]
  • Section 4: Risk management system per Article 9 (ISO 31000-aligned) [critical]
  • Section 5: Description of changes through lifecycle + Article 43(4) substantial-change tracker [critical]
  • Section 6: List of harmonised standards applied (ISO/IEC 23053, 42001, CycloneDX 1.6) [critical]
  • Section 7: Declaration of conformity (signed + dated) [critical]

AIBOM (Article 11 machine-readable supplement)

  • Emit CycloneDX 1.6 AIBOM on every release (use /templates/aibom-cyclonedx-template) [critical]
  • AIBOM includes modelCard with task, architecture, datasets, performanceMetrics [critical]
  • Sign every AIBOM with provider's release key (DSSE/in-toto envelope) [critical]
  • Publish public version of AIBOM under transparency report (sensitive sections redacted)
  • Audit-bundle endpoint serves signed AIBOM + all attestations on demand
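
The modelCard and signing items above can be enforced as one release gate. The sketch below is an added example, not part of the original checklist or of any CycloneDX or DSSE tooling: it wraps an AIBOM in a DSSE envelope, verifies the envelope, then checks the four modelCard items. Assumptions: the `payloadType` value, the function names, reading "architecture" as `modelParameters.modelArchitecture`, and an HMAC with a constructed key standing in for the provider's asymmetric release key.

```python
import base64, hashlib, hmac, json

DEMO_KEY = b"constructed-demo-key"  # HMAC stand-in; a real release key is asymmetric
PAYLOAD_TYPE = "application/vnd.cyclonedx+json"  # assumed payloadType
# Where CycloneDX 1.6 keeps the four modelCard items the checklist names.
REQUIRED = {
    "task": ("modelParameters", "task"),
    "architecture": ("modelParameters", "modelArchitecture"),
    "datasets": ("modelParameters", "datasets"),
    "performanceMetrics": ("quantitativeAnalysis", "performanceMetrics"),
}
# Constructed sample AIBOM: performanceMetrics deliberately left out.
SAMPLE = {"bomFormat": "CycloneDX", "specVersion": "1.6", "components": [{
    "type": "machine-learning-model", "name": "demo-classifier",
    "modelCard": {"modelParameters": {"task": "classification",
        "modelArchitecture": "gradient-boosted trees", "datasets": [{"ref": "ds-1"}]}}}]}

def pae(payload_type, payload):
    """DSSE pre-authentication encoding: the exact bytes that get signed."""
    t = payload_type.encode()
    return b"DSSEv1 %d %s %d %s" % (len(t), t, len(payload), payload)

def mac(payload_type, payload):
    return hmac.new(DEMO_KEY, pae(payload_type, payload), hashlib.sha256).digest()

def sign(bom):
    """Wrap an AIBOM in a DSSE envelope."""
    payload = json.dumps(bom, sort_keys=True).encode()
    sig = base64.b64encode(mac(PAYLOAD_TYPE, payload)).decode()
    return {"payloadType": PAYLOAD_TYPE, "payload": base64.b64encode(payload).decode(),
            "signatures": [{"keyid": "demo", "sig": sig}]}

def release_gate(envelope):
    """Return findings; an empty list means the AIBOM may ship."""
    payload = base64.b64decode(envelope["payload"])
    want = mac(envelope["payloadType"], payload)
    sigs = [base64.b64decode(s["sig"]) for s in envelope.get("signatures", [])]
    if not any(hmac.compare_digest(want, s) for s in sigs):
        return ["signature: nothing valid over payloadType + payload"]
    bom, findings = json.loads(payload), []
    if (bom.get("bomFormat"), bom.get("specVersion")) != ("CycloneDX", "1.6"):
        findings.append("bom: not CycloneDX 1.6")
    models = [c for c in bom.get("components", []) if c.get("type") == "machine-learning-model"]
    if not models:
        findings.append("bom: no machine-learning-model component")
    for m in models:
        for item, (section, key) in REQUIRED.items():
            if not m.get("modelCard", {}).get(section, {}).get(key):
                findings.append(f"{m.get('name')}: modelCard missing {item}")
    return findings
```

Because the signature covers the PAE bytes, changing either the payload or the `payloadType` after signing fails the gate before any field check runs.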

Article 14 human oversight

  • Document who can override / halt the system + how [critical]
  • Audit-trail every override / halt event with operator identity + reason [critical]
  • Train designated overseers on system limits + failure modes
  • Test override procedures quarterly

Article 61 post-market monitoring

  • Monthly model-drift report against in-production data [critical]
  • Incident logging per Article 62 (log within 15 days of awareness) [critical]
  • Annual review of risk-management system per Article 9
  • Quarterly re-evaluation of accuracy + fairness metrics
  • Public transparency report summarizing post-market findings

Conformity assessment + market placement

  • Complete chosen conformity assessment route (self or Notified Body) [critical]
  • Affix CE marking before placing system on EU market [critical]
  • Register the high-risk system in the EU AI database (Article 71) [critical]
  • Maintain technical documentation for 10 years post-market-placement [critical]
  • Notify any substantial change per Article 43(4)