AskAjay.ai | Methodology Tool

EU AI Act Compliance Template

Article-by-Article Compliance Checklist with Evidence Tracking. A structured, auditable template that maps every obligation in the EU AI Act to your AI systems, evidence base, and remediation plan.

By Ajay Pundhir, AskAjay.ai · Version 1.1 · Updated 2026-05-03

Canonical reference: The EU AI Act Strategic Guide for Business Leaders

How to Use This Template

Who Should Complete This: Legal, Compliance, AI Governance Teams
Time Required: 4 – 8 hours (initial) | 1 – 2 hours (quarterly update)
What You'll Need: AI systems inventory, technical documentation, data processing records, vendor contracts
Output: Gap analysis with prioritized remediation plan and evidence register
  1. Complete the Organization Profile to establish your regulatory scope and baseline context.
  2. Classify every AI system using the Risk Classification Checklist (Section 2). This determines which obligations apply.
  3. Work through each obligation section in order of deadline urgency: Prohibited Practices (Feb 2025), GPAI (Aug 2025), High-Risk (Aug 2026).
  4. For each requirement, assess current status, document evidence, identify gaps, assign remediation owners and deadlines.
  5. Complete the Gap Analysis Summary and Penalty Exposure Calculator to build the business case for remediation investment.
  6. Review quarterly — the regulatory landscape is evolving. Update assessments as guidance, codes of practice, and enforcement precedents emerge.
Key Compliance Dates
Feb 2, 2025 — Prohibited practices enforcement (in force now).
Aug 2, 2025 — GPAI obligations + governance body establishment.
Aug 2, 2026 — Full high-risk system requirements.
Aug 2, 2027 — Additional high-risk systems listed in Annex I (products under existing EU harmonisation legislation).
Brand commitments behind this template

Cite the article number, the tier, and the date. Most vendor and consultant claims about the EU AI Act compress three different penalty tiers into one ("7% of turnover") and conflate four different enforcement dates (Feb 2025, Aug 2025, Aug 2026, Aug 2027) into one ("the EU AI Act takes effect"). The detail is what makes a compliance claim defensible. Use this template to score against specific articles, not against vibes.

Score what is documented and producible — not what is intended. A conformity assessment in someone's email is not a conformity assessment. A model card in draft is not documentation. Article 11 technical documentation must exist in a form that survives a regulator's request. The template scores producibility within 48 hours, not the existence of a roadmap to producibility.

Section 1: Organization Profile


Scope Determination

Do you deploy AI systems in the EU or to EU residents? If yes, the full EU AI Act applies regardless of where your company is headquartered (Article 2 — extraterritorial scope). If no, you may have reduced obligations — but monitor for supply chain exposure.
Do you provide AI systems or GPAI models that are placed on the EU market? Provider obligations apply even if your end-users deploy them.
Do you import or distribute AI systems into the EU? Importer and distributor obligations under Articles 22–25 may apply (Art. 22 authorised representatives, Art. 23 importers, Art. 24 distributors, Art. 25 deployers acting as providers; Art. 26 covers deployer obligations specifically).

Completed By


Section 2: Risk Classification Checklist

For each AI system in your inventory, classify its risk tier under the EU AI Act. This classification determines which compliance obligations apply. Be conservative: if a system could reasonably fall into a higher tier, classify it there.

Risk Tier Reference

Prohibited (Article 5): Social scoring, subliminal manipulation, biometric categorization by sensitive attributes, predictive policing, emotion recognition in workplace/education, facial image scraping
High-Risk (Annex III): Biometric identification, critical infrastructure, education, employment, essential services, law enforcement, migration, democratic processes
Limited Risk: Chatbots, emotion recognition (non-prohibited), deep fakes, AI-generated content — transparency obligations only
Minimal Risk: Spam filters, AI in video games, recommendation engines (non-consequential) — no specific obligations

AI System Classification Register

AI System Name | Business Function | Risk Tier | Classification Rationale | Evidence Ref. | Status | Reviewer

Section 3: Prohibited Practices Audit (Article 5)

Deadline: February 2, 2025 — Already in Force
These prohibitions are enforceable now. Non-compliance carries penalties up to €35M or 7% of global annual turnover. If any of your AI systems fall within these categories, immediate remediation is required.

For each prohibited practice, assess whether any of your AI systems — including third-party tools and embedded features — could fall within scope. Document evidence for your assessment.

Prohibited
Article 5(1)(a) — Subliminal Manipulation

AI systems that deploy subliminal techniques beyond a person's consciousness, or purposefully manipulative or deceptive techniques, with the objective or effect of materially distorting behavior and causing significant harm.

AI System | Assessment | Evidence / Rationale | Remediation Action | Owner
Compliant / Non-Compliant / N/A
Prohibited
Article 5(1)(b) — Exploitation of Vulnerabilities

AI systems that exploit vulnerabilities of persons due to their age, disability, or a specific social or economic situation, with the objective or effect of materially distorting behavior and causing significant harm.

AI System | Assessment | Evidence / Rationale | Remediation Action | Owner
Compliant / Non-Compliant / N/A
Prohibited
Article 5(1)(c) — Social Scoring

AI systems used by public authorities (or on their behalf) for evaluation or classification of natural persons based on their social behavior or personal characteristics, leading to detrimental or unfavorable treatment unrelated to the context in which the data was generated or disproportionate to the gravity of the social behavior.

AI System | Assessment | Evidence / Rationale | Remediation Action | Owner
Compliant / Non-Compliant / N/A
Prohibited
Article 5(1)(d) — Predictive Policing (Individual)

AI systems that assess or predict the risk of a natural person committing a criminal offence, based solely on profiling or personality traits. Exceptions exist for systems that augment human assessment based on objective, verifiable facts directly linked to criminal activity.

AI System | Assessment | Evidence / Rationale | Remediation Action | Owner
Compliant / Non-Compliant / N/A
Prohibited
Article 5(1)(e) — Facial Image Scraping

AI systems that create or expand facial recognition databases through untargeted scraping of facial images from the internet or CCTV footage.

AI System | Assessment | Evidence / Rationale | Remediation Action | Owner
Compliant / Non-Compliant / N/A
Prohibited
Article 5(1)(f) — Emotion Recognition in Workplace & Education

AI systems that infer emotions of natural persons in the areas of workplace and education, except where the AI system is intended to be put in place or into the market for medical or safety reasons.

AI System | Assessment | Evidence / Rationale | Remediation Action | Owner
Compliant / Non-Compliant / N/A
Prohibited
Article 5(1)(g) — Biometric Categorization (Sensitive Attributes)

AI systems that categorize natural persons based on biometric data to deduce or infer their race, political opinions, trade union membership, religious or philosophical beliefs, sex life, or sexual orientation. Exception: labeling or filtering of lawfully acquired biometric datasets or law enforcement categorization of biometric data.

AI System | Assessment | Evidence / Rationale | Remediation Action | Owner
Compliant / Non-Compliant / N/A
Prohibited
Article 5(1)(h) — Real-Time Remote Biometric Identification in Public Spaces

Real-time remote biometric identification systems in publicly accessible spaces for law enforcement purposes. Narrow exceptions exist for: targeted search for missing persons or abduction victims, prevention of specific imminent threat to life or terrorist attack, and identification of suspects of serious criminal offences — each requiring prior judicial authorization.

AI System | Assessment | Evidence / Rationale | Remediation Action | Owner
Compliant / Non-Compliant / N/A
Prohibited Practices Audit Summary
Total systems assessed: _____ | Compliant: _____ | Non-Compliant: _____ | N/A: _____ | Remediation required for: _____ systems.
If any system is non-compliant, it must be decommissioned or modified immediately. There is no grace period.

Section 4: General-Purpose AI (GPAI) Obligations (Articles 51–56)

Deadline: August 2, 2025
GPAI obligations apply to providers of general-purpose AI models. If you use GPAI models (e.g., GPT-4, Claude, Gemini, Llama) as a deployer, your provider bears these obligations — but you should verify compliance and document it. If you fine-tune or significantly modify a GPAI model, you may become a provider.
Aug 2025
All GPAI Models — Base Obligations (Article 53)

These obligations apply to all providers of GPAI models, regardless of systemic risk classification.

Technical documentation maintained — Draw up and keep up to date technical documentation of the model, including training and testing process and evaluation results, for provision to the AI Office and national competent authorities upon request. Art. 53(1)(a)
Information and documentation for downstream providers — Draw up and keep up to date documentation and make it available to downstream providers who intend to integrate the model into their AI systems, enabling them to understand capabilities and limitations and comply with their own obligations. Art. 53(1)(b)
EU copyright law compliance — Put in place a policy to comply with Union copyright law, in particular to identify and comply with text and data mining opt-out reservations expressed by rights holders pursuant to Article 4(3) of Directive (EU) 2019/790. Art. 53(1)(c)
Training data summary published — Draw up and make publicly available a sufficiently detailed summary about the content used for training of the GPAI model, according to a template provided by the AI Office. Art. 53(1)(d)
GPAI Model / Provider | Requirement | Status | Evidence / Documentation | Gap / Remediation
Not Started / In Progress / Compliant
Systemic Risk
GPAI Models with Systemic Risk — Additional Obligations (Article 55)

A GPAI model is classified as having systemic risk if it has high-impact capabilities (presumed when cumulative training compute exceeds 10²⁵ FLOPs) or is designated by the European Commission based on criteria in Annex XIII. Currently applies to frontier models from leading AI labs.

Model evaluation performed — Perform model evaluation in accordance with standardized protocols and tools reflecting the state of the art, including conducting and documenting adversarial testing to identify and mitigate systemic risks. Art. 55(1)(a)
Systemic risk assessment and mitigation — Assess and mitigate possible systemic risks at Union level, including their sources, that may stem from the development, placing on the market, or use of GPAI models with systemic risk. Art. 55(1)(b)
Incident tracking and reporting — Keep track of, document, and report without undue delay to the AI Office and relevant national competent authorities any serious incident and possible corrective measures. Art. 55(1)(c)
Cybersecurity protections — Ensure an adequate level of cybersecurity protection for the GPAI model with systemic risk and the physical infrastructure of the model. Art. 55(1)(d)
Energy consumption reporting — Document and report the energy consumption of the GPAI model, including during training and inference (where measurable), to the AI Office. Art. 55(1) / Recital 110
GPAI Model | Systemic Risk? | Requirement | Status | Evidence | Gap / Action

Section 5: High-Risk System Requirements (Articles 6–49)

Deadline: August 2, 2026
These requirements apply to each AI system classified as high-risk under Annex III or as a safety component of products listed in Annex I. Complete one copy of this section per high-risk system. Photocopy or duplicate as needed.

System Identification

Art. | Requirement | Status | Evidence | Gap / Remediation | Owner | Deadline
Art. 9 Risk Management System
Establish, implement, document, and maintain a continuous, iterative risk management system throughout the AI system's lifecycle. Must identify, analyze, evaluate, and treat known and reasonably foreseeable risks.
Not Started / In Progress / Compliant
Art. 10 Data Governance
Training, validation, and testing data sets shall meet quality criteria: relevant, sufficiently representative, free of errors, complete. Data governance practices covering collection, preparation, labeling, and bias detection.
Art. 11 Technical Documentation
Drawn up before system is placed on market or put into service. Kept up to date. Content per Annex IV: general description, design specifications, monitoring and functioning, risk management, conformity changes.
Art. 12 Record-Keeping & Logging
Automatic recording of events (logs) throughout the system's lifetime to enable traceability. Logging capabilities proportionate to intended purpose and risk level. Minimum retention periods apply.
Art. 13 Transparency & User Information
Design and develop to ensure operation is sufficiently transparent to enable deployers to interpret output and use it appropriately. Instructions for use with concise, complete, correct, clear, relevant, accessible, and comprehensible information.
Art. 14 Human Oversight
Design to allow effective oversight by natural persons during use. Oversight measures enable individuals to fully understand AI system capabilities and limitations, monitor operation, interpret outputs, decide not to use or override, and intervene or interrupt.
Art. 15 Accuracy, Robustness & Cybersecurity
Achieve appropriate levels of accuracy, robustness, and cybersecurity. Perform consistently throughout lifecycle. Resilient against errors, faults, and adversarial attacks. Technical redundancy solutions where appropriate.
Art. 17 Quality Management System
Put in place a QMS ensuring compliance. Includes: strategy for regulatory compliance, design and development techniques, quality control procedures, examination/test/validation procedures pre-/during/post-development, technical specifications, data management systems, risk management system, post-market monitoring, incident reporting, and communication with competent authorities.
Art. 43 Conformity Assessment
Before placing on market or putting into service, subject to the relevant conformity assessment procedure. For biometric and critical infrastructure systems: third-party assessment by a notified body. For other high-risk systems: internal assessment based on Annex VI is possible.
Art. 47 EU Declaration of Conformity
Draw up a written or electronic EU declaration of conformity for each high-risk AI system. Keep it for 10 years after the system has been placed on the market or put into service. Make available to national competent authorities upon request.
Art. 48 CE Marking
Affix the CE marking visibly, legibly, and indelibly to the high-risk AI system (or its packaging/documentation where not possible). CE marking subject to general principles in Article 30 of Regulation (EC) No 765/2008.
Art. 49 Registration in EU Database
Before placing on market or putting into service, the provider (or authorized representative) shall register the system in the EU database referred to in Article 71. The registration shall include information specified in Annex VIII.

Section 6: Transparency Obligations (Limited Risk — Article 50)

These obligations apply to AI systems classified as limited risk. They focus on ensuring that people interacting with AI systems are aware they are doing so. Transparency obligations are lighter than high-risk requirements but are still legally binding.

Transparency
Limited Risk — Disclosure Requirements
Chatbot / Conversational AI disclosure — Providers shall ensure that AI systems intended to interact directly with natural persons are designed and developed in such a way that the person is informed they are interacting with an AI system, unless this is obvious from the circumstances and context of use. Art. 50(1)
Emotion recognition / biometric categorization disclosure — Providers of AI systems that perform emotion recognition or biometric categorization shall inform natural persons exposed thereto of the operation of the system and process personal data in accordance with applicable Union law. Art. 50(3)
Deep fake labeling — Deployers of AI systems that generate or manipulate image, audio, or video content constituting a deep fake shall disclose that the content has been artificially generated or manipulated. Art. 50(4)
AI-generated content labeling — Providers of AI systems that generate synthetic audio, image, video, or text content shall ensure the outputs are marked in a machine-readable format and detectable as artificially generated or manipulated. Art. 50(2)
AI System | Transparency Type | Status | Implementation Details | Gap / Remediation

Section 7: Penalty Exposure Calculator

The EU AI Act establishes a tiered penalty structure. Penalties are calculated as the higher of a fixed amount or a percentage of worldwide annual turnover. SMEs and startups benefit from proportionate, reduced penalty caps.

EU AI Act Penalty Structure
Prohibited AI practices (Article 5 violations) | Up to €35M or 7% of global turnover
High-risk system non-compliance (Articles 6–49) | Up to €15M or 3% of global turnover
Supplying incorrect / misleading information to authorities | Up to €7.5M or 1% of global turnover
SME / Startup reduced caps | Lower of fixed amount or % of turnover

Your Exposure Calculation

Violation Category | Fixed Cap | % of Turnover | Your Maximum Exposure (€)
Prohibited practices | €35,000,000 | 7% | _______________
High-risk non-compliance | €15,000,000 | 3% | _______________
Misleading information | €7,500,000 | 1% | _______________
Total Maximum Penalty Exposure: € _______________
Note: Actual penalties are determined by enforcement authorities considering gravity, duration, number of persons affected, cooperation, and previous infringements (Article 99).

Section 8: Compliance Timeline

Track your readiness against each enforcement milestone. Mark each as complete or in progress.

February 2, 2025 ENFORCED
Prohibited practices (Article 5) + AI literacy obligations (Article 4)
All prohibited AI practices are banned. Organizations must ensure staff have sufficient AI literacy.
Prohibited practices audit completed
AI literacy program for staff in place
August 2, 2025 UPCOMING
GPAI obligations (Articles 51–56) + Governance body establishment
Obligations for providers of general-purpose AI models. EU AI Office and national competent authorities operational. Codes of practice for GPAI model providers.
GPAI model inventory and provider obligations documented
Copyright compliance policy in place
Training data summaries prepared (if applicable)
August 2, 2026 FUTURE
Full high-risk system requirements (Articles 6–49)
All high-risk AI system obligations become enforceable: risk management, data governance, documentation, conformity assessment, registration, CE marking, post-market monitoring.
All high-risk systems identified and classified
Risk management systems implemented (Art. 9)
Technical documentation complete (Art. 11)
Conformity assessments scheduled or completed (Art. 43)
Quality management system operational (Art. 17)
August 2, 2027 FUTURE
Additional high-risk systems under Annex I (existing EU product legislation)
High-risk obligations extend to AI systems embedded in products already regulated under existing EU harmonisation legislation (e.g., medical devices, machinery, toys, lifts, pressure equipment).
Annex I product scope assessed
Product-specific conformity assessment coordinated with existing CE marking obligations

Section 9: Gap Analysis Summary

Consolidate findings from all sections into an actionable summary. This is the executive view for governance committees and board reporting.

Total AI Systems
High-Risk Systems
Systems Compliant
Systems with Gaps
Critical Gaps (Blocking)
Est. Remediation (person-hrs)

Priority Remediation Actions (Top 5)

# | Gap Description | Affected Systems | Severity | Remediation Action | Owner | Target Date
1
2
3
4
5

Overall Compliance Posture Assessment

Fully Compliant / Gaps Identified / Not Assessed / N/A
On Track / At Risk / Not Started / N/A

Section 10: NIST AI RMF Crosswalk

If your organization already follows the NIST AI Risk Management Framework, use this crosswalk to leverage existing work. Many EU AI Act requirements map to NIST subcategories — meaning existing NIST artifacts can serve as evidence for EU AI Act compliance.

EU AI Act Requirement | NIST AI RMF Function | NIST Subcategory | Overlap Level
Art. 9 Risk Management System | MAP, MEASURE | MAP-1, MAP-3, MS-1, MS-2 | High
Art. 10 Data Governance | MAP, MEASURE | MAP-2, MS-2.6, MS-2.7 | High
Art. 11 Technical Documentation | GOVERN | GV-1.1, GV-4.3 | Medium
Art. 12 Record-Keeping / Logging | MEASURE | MS-2.5, MS-4.1 | Medium
Art. 13 Transparency | MAP, GOVERN | MAP-5, GV-1.2 | Medium
Art. 14 Human Oversight | MANAGE | MG-2.2, MG-3.1 | High
Art. 15 Accuracy, Robustness, Cybersecurity | MEASURE | MS-1.1, MS-2.3, MS-2.8 | High
Art. 17 Quality Management System | GOVERN | GV-1, GV-2, GV-3 | High
Art. 43 Conformity Assessment | GOVERN | GV-1.3 (partial) | Low (EU-specific)
Art. 47–49 Declaration, CE Marking, Registration | No direct NIST equivalent | n/a | None (EU-specific)
Art. 50 Transparency (Limited Risk) | MAP | MAP-5.1, MAP-5.2 | Medium
Art. 51–56 GPAI Obligations | GOVERN, MAP | GV-4, MAP-2 (partial) | Low (EU-specific)
Crosswalk Usage Note
High overlap means existing NIST artifacts may satisfy EU AI Act requirements with minimal adaptation. Medium overlap means partial coverage — use NIST work as a starting point but expect gaps. Low/None means EU-specific obligations that require new work streams. Articles 43, 47–49 (conformity assessment, CE marking, EU database registration) have no NIST equivalent and require dedicated EU compliance effort.

Section 11: Related AskAjay Frameworks

This template is part of a connected system of governance tools. Each addresses a different dimension of AI governance maturity and regulatory readiness.

Minimum Viable Governance (MVG) — 90-day governance foundation. Directly addresses Articles 9 (risk management), 14 (human oversight), and 17 (quality management system).
Liability Ledger Framework — Quantify your compliance risk exposure across regulatory, operational, and reputational dimensions. Maps directly to the penalty calculations in this template.
A7 Agentic Governance Framework — Agentic AI readiness assessment. Relevant for GPAI obligations (Articles 51–56) and autonomous AI system governance as AI agents become more prevalent.
NIST AI RMF Practitioner's Guide — Cross-framework compliance playbook. Use the NIST Crosswalk in Section 10 to leverage existing NIST work for EU AI Act compliance.
Trust Premium Assessment — Quantify the business value of your governance investments. Convert compliance spending into measurable trust premium metrics.

Notes & Observations

Glossary

Definitions used throughout this template. These align with the canonical methodology article and the consolidated text of Regulation (EU) 2024/1689.

EU AI Act (Regulation (EU) 2024/1689). The first comprehensive AI regulation globally. Phased enforcement: Article 5 prohibitions and Article 4 AI literacy from Feb 2, 2025; GPAI obligations from Aug 2, 2025; high-risk system obligations from Aug 2, 2026; embedded high-risk products (Annex I) from Aug 2, 2027.

Article 99 Penalty Tiers. 7%/€35M turnover for prohibited-practice violations (Art. 99(3)); 3%/€15M for high-risk system non-compliance and most provider/deployer obligation breaches (Art. 99(4)); 1%/€7.5M for supplying incorrect information to authorities (Art. 99(5)). Most consolidated public summaries get this wrong.

GPAI (General-Purpose AI Model, Chapter V). AI models trained on broad data and capable of a wide range of tasks. Standard obligations apply to all GPAI; systemic-risk obligations apply to models exceeding 10²⁵ FLOPs (Art. 51) or designated by the European Commission based on capability assessments.

High-Risk System (Article 6 + Annex III). AI systems that are safety components of regulated products (medical devices, vehicles, machinery) OR used in eight critical domains: biometrics, critical infrastructure, education, employment, essential services, law enforcement, migration, justice. Trigger the full conformity-assessment regime under Articles 8–15.

Conformity Assessment (Articles 43–49). The documented evaluation evidencing that a high-risk AI system meets requirements of Articles 8–15. Either internal (Annex VI) or third-party (Annex VII) depending on system type. Required before placing on EU market.

Notified Body. An independent third-party organisation designated by an EU Member State to conduct conformity assessments for high-risk AI systems requiring Annex VII assessment. The list is maintained on the NANDO database.

Provider / Importer / Distributor / Deployer. The four EU AI Act value-chain roles. Provider (Art. 16) develops and places the system on the market. Importer (Art. 23) places third-country systems. Distributor (Art. 24) makes systems available downstream. Deployer (Art. 26) uses the system under their authority. A deployer who substantially modifies a high-risk system, puts their name on it, or changes its intended purpose becomes a provider under Article 25 — inheriting full provider obligations.

AI Literacy (Article 4). The requirement that providers and deployers ensure sufficient AI literacy among staff who operate or use AI systems on their behalf. Enforceable from Feb 2, 2025. Reaches every organisation regardless of risk tier.

Authorised Representative (Article 22). A natural or legal person established in the EU that a non-EU provider designates to act on their behalf. Required for providers without an EU establishment placing high-risk systems on the EU market.

CE Marking. The conformity marking that must be affixed to high-risk AI systems before they are placed on the EU market, certifying compliance with applicable EU regulations including the AI Act.

Evidence Base

This template is the operational layer of a published, sourced framework. The methodology, article-level citations, and enforcement timeline live in the canonical article below.

Canonical article: The EU AI Act Strategic Guide for Business Leaders — risk tiers, article-level obligations, tiered penalties, enforcement timeline, deployer-becomes-provider trap.

Key external sources: EU AI Act consolidated text (EUR-Lex) · Article 99 (tiered penalties) · AI Act Explorer · European AI Office · NIST AI RMF + Generative AI Profile

Important Disclaimer
This template is provided for informational and organizational purposes only. It does not constitute legal advice. The EU AI Act is complex, jurisdiction-specific, and subject to evolving interpretive guidance from the European AI Office, national competent authorities, and the courts. Consult qualified legal counsel in your jurisdiction before making compliance decisions based on this template. Requirements described herein reflect the author's understanding of Regulation (EU) 2024/1689 as of May 2026.