EU AI Act in Practice: A 2026 Readiness Checklist
Back to BlogAI Regulation + Compliance

EU AI Act in Practice: A 2026 Readiness Checklist

The EU AI Act is now in force. Organizations operating in or serving European markets need practical compliance strategies. Here's what you need to do right now.

Dr. Dédé Tetsubayashi|9 min read

Key Takeaways

  • The EU AI Act applies to you if you operate in the EU market, even if you're headquartered elsewhere.
  • Risk classification determines what you need to do. Most AI systems are low or minimal risk, but high-risk systems require extensive documentation and testing.
  • You need an AI inventory now. Know what AI systems you have, where they're deployed, and what they do.
  • Documentation is your foundation. Technical documentation, training data records, and risk assessments need to be thorough and defensible.
  • Start now. Penalties scale with revenue and get more severe over time. Proactive compliance is much cheaper than enforcement.

The EU AI Act became enforceable in 2024, and we're now in the period where organizations are either getting ahead of compliance or running headlong toward violations. I've seen both approaches. The ones getting ahead are spending time now understanding what they actually need to do. The ones who aren't will find enforcement much more expensive and disruptive.

This is a practical guide to EU AI Act readiness in 2026. Not theoretical. Not what you might do someday. What you need to do now.

First: Does the EU AI Act Apply to You?

This question seems simple but trips up a lot of organizations. The EU AI Act applies if you: operate in the EU market (sell to EU customers, have EU users, or provide services to EU organizations), are based in the EU, or have any AI system in your stack that touches EU users or data.

If any of that applies to you, you need to think about EU AI Act compliance. The Act applies to AI systems, which broadly means software that uses machine learning or algorithmic decision-making. This includes chatbots, recommendation engines, hiring tools, content moderation systems, credit scoring systems, and more.

Second: Classify Your AI Systems by Risk

The EU AI Act has a tiered approach. Not all AI systems require the same level of compliance. Risk classification determines your obligations:

Prohibited AI

Some AI uses are flat-out banned under the Act. This includes subliminal AI manipulation, social credit scores, and real-time facial recognition in public spaces (with very limited exceptions). If you're using any of these, you need to stop.

High-Risk AI

High-risk systems are those that could cause serious harm to fundamental rights. This includes AI used in hiring, education, creditworthiness assessment, and law enforcement. These systems require extensive compliance: detailed documentation, bias testing, human oversight, data quality requirements, and more.

Limited-Risk AI

Systems that interact directly with people (like chatbots) fall into this category and require transparency obligations. You need to tell people they're interacting with AI and explain what it can and can't do.

Minimal or No Risk

Most AI systems that don't directly impact rights or safety fall into this category. No specific compliance obligations, though best practices still matter.

The first practical step: classify every AI system you have. Most organizations have more AI systems than they realize. Tools, plugins, third-party APIs that use AI—it all counts. Make a list. Then classify each one by risk level.

Third: Build Your AI Inventory and Impact Assessment

You can't manage what you don't know you have. Organizations often discover hidden AI systems when they start compliance work. A recommendation algorithm somewhere. A chatbot a team stood up. An API they're using that claims to use AI. An internal tool built with machine learning.

Your inventory should include: name and purpose of the AI system, risk classification, where it's deployed and who uses it, what training data it uses, whether it impacts EU users or data, key performance metrics and known limitations, and who's accountable for it.

For high-risk systems, you also need an impact assessment. This documents how the system could harm people, what safeguards you have in place, and how you'll monitor for problems.

Fourth: Documentation, Documentation, Documentation

EU AI Act compliance is heavily documentation-focused. Regulators want to see evidence that you've thought through risks and taken action. For high-risk systems, you need:

Technical Documentation

How the system was built, what data it uses, what architecture and algorithms power it, how it was trained and tested. This needs to be detailed enough that someone else could understand the system.

Training Data Documentation

What data was used to train the system, how much, where it came from, whether it includes personal data, what biases or quality issues it has. This is critical for demonstrating that your system isn't discriminatory.

Testing and Performance Records

How you tested the system for bias, accuracy, robustness, and adversarial attacks. What tests did you run? What results did you get? Where does the system underperform?

Monitoring and Maintenance Plans

How you'll keep monitoring the system in production. What metrics will you track? What triggers require action? How will you handle drift or degradation?

Human Oversight Procedures

For high-risk systems, humans need to stay in the loop. Document how your team will review system outputs, override decisions when needed, and escalate concerns.

The pattern here is clear: if you can document it, you can demonstrate compliance. If you can't document it, you have a problem.

EU AI Act Readiness Checklist

Phase 1: Assessment and Inventory

  • Identify all AI systems in your organization
  • Determine whether the EU AI Act applies to your organization
  • Classify each system by risk level
  • Create an inventory with all required information
  • Assign ownership and accountability for each system

Phase 2: High-Risk System Compliance

  • Conduct impact assessments for high-risk systems
  • Document training data, architecture, and algorithms
  • Implement and document testing for bias and accuracy
  • Design human oversight procedures
  • Establish monitoring and maintenance plans
  • Create data quality procedures

Phase 3: Limited-Risk and Transparency

  • For chatbots and interactive systems: create clear disclosures that AI is being used
  • Document system capabilities and limitations
  • Create user-facing documentation explaining how AI affects decisions
  • Implement procedures for users to exercise rights

Phase 4: Governance and Ongoing Compliance

  • Designate an AI governance lead or team
  • Establish a process for monitoring compliance over time
  • Create incident response procedures for AI-related harms
  • Build compliance into your AI development process
  • Train teams on EU AI Act requirements
  • Plan for regular audits and updates

Key Things to Get Right Now

Identify Prohibited AI

If you're using real-time facial recognition in public spaces, subliminal manipulation, or social credit scoring, you need to stop now. These are banned, and there's no compliance path. Full stop.

Document Training Data

This is where a lot of organizations stumble. You need to be able to say exactly what data trained your system. If you can't, that's a serious compliance gap. If your data includes personal information from EU residents without proper legal basis, that compounds the problem.

Test for Bias

For high-risk systems, you need evidence that you've tested for bias, particularly in protected characteristics. Use established bias testing frameworks. Document what you found and what you did about it. If you found bias and ignored it, that's a major liability.

Plan for Human Oversight

High-risk systems need human involvement. This doesn't mean hiring an army of people to review every decision. It means your system is designed so humans can understand and override AI decisions when needed, and have procedures to do so.

Be Transparent with Users

If your system interacts with people, they need to know they're interacting with AI. Be clear about what it can do and its limitations. This builds trust and ensures informed consent.

A Word on Penalties

The EU AI Act comes with significant penalties. For high-risk AI violations, organizations can face fines up to 6% of global annual revenue. For other violations, it's 3%. These penalties increase over time as enforcement escalates. Organizations that start compliance now will be in a much better position than those that wait.

There's also reputational risk. Enforcement actions are public. Getting caught violating the Act damages trust with customers, partners, and employees.

The Bottom Line

EU AI Act compliance isn't optional. It's also not impossible if you start now. The organizations that will struggle are the ones that wait until they're under enforcement action or facing a legal challenge.

Your immediate next steps: audit your AI systems, classify them by risk, build your inventory, and start documenting. For high-risk systems, invest in bias testing, impact assessments, and governance structures. The work is substantial, but it's also foundational to responsible AI development. And it's what your regulators expect to see.

Get ahead of this now. Your future self will be grateful.

About Dr. Dédé Tetsubayashi

Dr. Dédé is a global advisor on AI governance, disability innovation, and inclusive technology strategy. She helps organizations navigate the intersection of AI regulation, accessibility, and responsible innovation.

Work With Dr. Dédé
Share this article:
Schedule a Consultation
Previous ArticleFrom Burnout to Boundaries: How Rest-Positive Leadership Improves AI GovernanceNext ArticleBuilding Accessible AI Assistants That Don't Code People Out

Want more insights?

Explore more articles on AI governance, tech equity, and inclusive innovation.

Back to All Articles