EU AI Act Compliance Toolkit Compliance task checklist, progress tracker, documentation templates & sample documents
The EU AI Act Compliance Toolkit is a practical, step-by-step kit for businesses operating customer-facing AI systems. A 47-item compliance checklist across 5 phases (with testing methods and article references), an editable progress tracker, 9 completed sample compliance documents, and 9 matching fill-in-the-blank templates you rebrand as your own.
Time remaining
2 August 2026 — AI transparency disclosure deadline
Customer-facing AI must tell people they are interacting with AI, and deployers of emotion recognition or biometric categorisation systems must notify the people exposed (Article 50). These duties apply regardless of risk classification and were not delayed by the Digital Omnibus. Machine-readable marking of AI-generated content follows on 2 December 2026, and the main high-risk obligations on 2 December 2027. Which transparency deadline applies to you.
Understanding the EU AI Act
The world's first comprehensive AI regulation. And it almost certainly applies to your business.
What is it?
The EU AI Act (Regulation 2024/1689) is a binding legal framework adopted by the European Parliament and Council in 2024. It establishes rules for the development, deployment, and use of artificial intelligence across the European Union.
The regulation takes a risk-based approach: the higher the risk an AI system poses to people's health, safety, or fundamental rights, the stricter the rules. A spam filter faces no mandatory obligations. A chatbot must disclose it's AI. A hiring algorithm must pass a full conformity assessment with documented risk management, bias testing, and human oversight.
The Act doesn't ban AI. Businesses that comply can operate freely across all 27 EU Member States. Businesses that don't face penalties of up to €35 million or 7% of global annual turnover.
Why does it exist?
AI is being used to screen job applicants, price insurance policies, triage medical patients, assess creditworthiness, and interact with millions of customers daily. These systems can be biased, opaque, manipulable, and wrong. When they fail, the people affected often have no way to understand why or challenge the outcome.
The Act was shaped by real incidents: discriminatory hiring algorithms, opaque credit scoring systems, manipulative recommendation engines, chatbots that leaked confidential data, and deepfakes. It is a response to documented harm, not hypothetical risk.
Does it apply to my business?
The Act has extraterritorial scope. If your AI system affects people in the EU, you must comply — regardless of where your business is headquartered.
- A US company running an AI chatbot that serves European customers is in scope
- An Australian fintech using AI credit scoring for EU applicants is in scope
- A Japanese SaaS tool with AI features used by EU businesses is in scope
This mirrors the extraterritorial approach of GDPR, which caught many non-EU businesses off guard in 2018. If GDPR taught us anything, it's that "we're not based in the EU" is not a defence.
Obligations phase in from February 2025 to December 2030, and the prohibitions and GPAI rules are already in force. The implementation timeline below shows every date and where you are now.
The risk classification system
The Act organises AI systems into four risk tiers. Your tier determines your obligations, from no requirements at all to a complete ban.
Prohibited
BANNED ENTIRELY
Social scoring, cognitive manipulation, untargeted facial scraping, emotion recognition in workplaces. If you operate any of these — stop immediately.
High-Risk
FULL COMPLIANCE REQUIRED
AI used in hiring, credit scoring, insurance, healthcare, education. Requires risk management, bias testing, technical documentation, and conformity assessment.
Limited-Risk
TRANSPARENCY OBLIGATIONS
Chatbots, AI-generated content, deepfakes. Must disclose AI nature to users and label AI-generated media. Most customer-facing chatbots fall here.
Minimal-Risk
NO MANDATORY OBLIGATIONS
Spam filters, AI-enabled games, basic recommendation engines, inventory management, predictive text. Voluntary codes of conduct encouraged.
The EU AI Act is not something you can comply with the week before the deadline. It requires organisational change, technical implementation, and documented processes.
Get the full compliance checklistWho is responsible? Provider vs. Deployer
The Act assigns different obligations depending on your role. Getting this wrong means preparing for the wrong requirements.
Provider
DEVELOPER / COMMISSIONER
You developed the AI system, or had it developed, and place it on the market or put it into service under your own name or trademark.
- Risk management system
- Data governance & bias testing
- Technical documentation
- Conformity assessment
- EU database registration
- Post-market monitoring
Deployer
USER / OPERATOR
You use an AI system under your authority, even if someone else built it. Most businesses using third-party AI tools are deployers.
- Use per provider's instructions
- Human oversight by trained staff
- Monitor & report issues
- Inform affected individuals
- Fundamental rights impact assessment
- Cooperate with authorities
The grey zone: when a deployer becomes a provider
You carry full provider obligations even if you didn't build the AI from scratch, if you:
- •Put your own name or trademark on someone else's AI system
- •Substantially modify the system beyond its intended purpose
- •Fine-tune or customise a general-purpose AI model for a specific high-risk application
Example: You build a customer support chatbot using the ChatGPT or Claude API, customise the system prompt, integrate it into your product, and launch it under your brand. You are likely the provider of that chatbot system, not just a deployer, even though you didn't build the underlying model. Using a third-party AI model does not absolve you of compliance obligations.
Implementation timeline
The EU AI Act phases in over several years. These are the dates that matter.
Published in Official Journal
AI Act formally published as Regulation 2024/1689.
Art. 113
Entry into force
The AI Act enters into force. No requirements apply yet. Obligations phase in over time.
Art. 113
Prohibitions & AI literacy apply
Banned AI practices (social scoring, cognitive manipulation, untargeted facial scraping) are now prohibited. AI literacy training obligations begin.
Art. 113(a)
GPAI, governance & penalties apply
Rules for general-purpose AI models, notified bodies, governance structures, confidentiality and penalty provisions start to apply. Member States designate national competent authorities.
Art. 113(b)
Commission Article 6 guidelines due
Commission publishes guidelines on the practical implementation of high-risk classification (Article 6) including post-market monitoring.
Art. 6(5), 72(3)
AI transparency disclosure applies
The Article 50 disclosure duties apply: customer-facing AI must tell people they are interacting with AI, deployers of emotion recognition or biometric categorisation systems must notify the people exposed, and deepfakes must be disclosed. Applies to AI systems of any risk classification. Not delayed by the Digital Omnibus.
Art. 50, 113
AI-generated content marking applies
Marking of AI-generated content (Article 50(2)) must be in place: synthetic audio, image, video and text carry machine-readable markers. The Digital Omnibus cut the grace period to three months (deadline 2 Dec 2026).
Art. 50, 113
Legacy GPAI compliance
General-purpose AI models placed on the market before 2 Aug 2025 must be brought into compliance by this date. (Unchanged by the Digital Omnibus.)
Art. 111(3)
Main high-risk deadline
The headline deadline for Annex III high-risk systems: risk management (Art. 9), data governance (Art. 10), technical documentation, logging, human oversight, accuracy/robustness (Articles 9–15), conformity assessment, EU database registration, and fundamental rights impact assessments all apply. Delayed from 2 Aug 2026 by the Digital Omnibus (agreed 7 May 2026) — roughly 16 extra months.
Art. 113 (as amended)
Regulated-product AI (Annex I)
Article 6(1) obligations apply to AI that is a safety component of products covered by EU harmonisation legislation (medical devices, machinery, toys, etc.). Delayed from 2 Aug 2027 by the Digital Omnibus.
Art. 6(1), 113(3)(c)
Public authority high-risk AI
High-risk AI systems used by public authorities must comply. Providers and deployers of these systems must meet all requirements by this date.
Art. 111(2)
Large-scale EU IT systems
AI components in large-scale EU IT systems (Schengen Information System, Visa Information System, Eurodac) placed on the market before August 2027 must be compliant.
Art. 111(1)
Source: artificialintelligenceact.eu. Dates based on Regulation 2024/1689, Article 113, as amended by the Digital Omnibus (provisional agreement 7 May 2026, pending formal adoption).
Look inside
Real documents, not links to the regulation
The Toolkit includes nine sample documents, completed end-to-end for a fictional organisation deploying a high-risk AI system. Each serves as a worked example, and is also provided as a blank template for your own compliance work.
Sample pages shown at reduced size. The full toolkit contains the 47-item checklist, all nine worked documents, nine editable templates and the progress tracker.
Contents
The toolkit has four parts: a compliance checklist, an editable tracker, nine worked sample documents and nine matching fill-in templates. The checklist itself is organised into five compliance phases, plus a practical testing annex:
AI System Inventory & Classification
8 itemsMap every AI system to a risk tier. Determine your role as provider or deployer.
Governance Structure
6 itemsAppoint compliance ownership, establish cross-functional working groups and policies.
Transparency Compliance
8 itemsAI disclosure at first contact, human escalation paths, content labelling under Article 50.
High-Risk System Compliance
16 itemsRisk management, data governance, technical documentation, conformity assessment.
Ongoing Monitoring & Maintenance
9 itemsPost-market surveillance, incident reporting, quarterly audits, regulatory tracking.
Testing Annex
40+ promptsPractical copy-paste test prompts for transparency verification, adversarial robustness, bias detection, and documentation review.
Everything in the toolkit
- 1. Compliance checklist (PDF): the 47-item framework above, across five phases plus the testing annex.
- 2. Progress tracker (Excel): every checklist item as an assignable, status-tracked spreadsheet with owner, due date and status dropdowns. Opens in Excel or Google Sheets.
- 3. Nine sample compliance documents (PDF): AI System Register, Fundamental Rights Impact Assessment, Risk Management File, Data Governance Policy, Technical Documentation, Instructions for Use, Post-Market Monitoring Plan, Declaration of Conformity, and Serious Incident Report, each fully worked through for a fictional organisation deploying a high-risk AI system.
- 4. Nine editable templates (Word): the same nine documents as blank, rebrandable templates with fill-in guidance, so you start from a proven structure instead of a blank page. Open in Word or Google Docs.
Also included in this guide
- Plain-English explanations of relevant Articles
- Provider vs. Deployer responsibility guide with grey-zone scenarios
- Risk classification quick-reference table for 11 common AI system types
- Glossary of regulatory terms with article references
- 40+ adversarial test prompts (prompt injection, jailbreaking, data leakage)
- Bias and fairness testing methodology with example prompt pairs
- Documentation completeness checklist and freshness test
- Links to official EU sources, Annex III, and the EU AI Office
Penalties for non-compliance
The EU AI Act carries the heaviest fines of any AI regulation worldwide. They exceed GDPR.
| Violation | Maximum fine | % of turnover |
|---|---|---|
| Prohibited AI practices | €35 million | 7% |
| High-risk system non-compliance | €15 million | 3% |
| Incorrect information to authorities | €7.5 million | 1% |
Whichever is higher (fine or percentage of global annual turnover) applies.
For SMEs and startups, the lower of the two amounts applies.
For comparison, GDPR penalties cap at €20 million or 4% of turnover.
For 20 years I've helped organisations navigate regulatory frameworks like GDPR, WCAG accessibility, privacy legislation, and the other rules that periodically reshape how software has to be built. My clients have been government agencies, large non-profits, and SMEs across Australia, the UK, the US, and Europe, through my companies Viperfish and Joomstore.
When the EU AI Act came into force I expected the usual pattern: anxiety, then manageable with the right guidance. Then I started reading it. The compliance burden is unlike anything I've seen. Technical documentation, continuous risk management, human oversight, conformity assessments, post-market monitoring. Extra-territorial reach. And fines reaching €35M.
Most business owners and CTOs I've spoken to have no idea the Act applies to them, or that using an AI API in their product makes them the provider under the Act, not just a deployer.
I spent three months working through the regulation, reading the articles, recitals, and annexes. I built ComplyDrive because something practical needed to exist. Every checklist item is tied to a specific article. 144 pages of dense legislation, condensed into 47 actionable points.
Free worked document
Get a complete Article 26 AI System Register, free.
One of the nine worked documents from the toolkit. A finished Article 26 AI System Register for a high-risk AI deployment, completed end-to-end so you can see exactly what a completed register looks like instead of starting from a blank page. Enter your email and we'll send you the download link. Unsubscribe at any time.
Get the Compliance Toolkit
EU AI Act Compliance Toolkit. Checklist, Progress Tracker, Templates & Sample Documentation
June 2026 Edition — Formats: PDF, Excel & Word — Instant download
Includes VAT. One-time purchase. Instant download.
BUY NOWCheckout is handled securely using Payhip.com.
14-day refund guarantee, no questions asked
Updated editions are free. When a new edition ships we email you a fresh download link, and you can re-download the latest version any time.
Compliance consultants charge thousands. This toolkit covers the same ground for less than the cost of a team lunch.
EU AI Act Knowledge Base
Practical guidance on the EU AI Act's requirements, deadlines, and obligations.
Latest Articles
-
Yes, AI-Generated Text Can Be Watermarked
-
Article 49 Makes Your EU AI Act Compliance Public
-
Anthropic Now Wants Your ID and a Selfie. Is That an EU AI Act Issue?
-
Article 50 Transparency and What's Required Under the Code of Practice
-
EU AI Act Transparency Requirements: Article 13 vs Article 50
-
Conformity Assessment and CE Marking Under the EU AI Act
-
How EU AI Act Compliance Reduces Your CRA Burden
-
Article 17 of the EU AI Act: The Quality Management System Requirement
Most Popular
-
EU AI Act Deadlines: What's Due and When After the Omnibus Delay
-
High-Risk AI: Does Your System Qualify?
-
Who Counts as a Deployer Under the EU AI Act?
-
The Transparency Requirements You're Probably Missing
-
Prohibited AI Practices That Are Already Banned
-
Penalties Under the EU AI Act: How Fines Are Calculated
-
AI Literacy Training: Article 4's Overlooked Obligation
-
GDPR and the AI Act: Where They Overlap and Where They Don't
-
Article 13 of the EU AI Act: Transparency and Information to Deployers
Frequently asked questions
Is this legal advice?
No. This is a practical compliance checklist: a structured framework to help you understand and work through the Act's requirements. It does not replace professional legal counsel. For advice specific to your situation, consult a qualified lawyer.
Does the EU AI Act apply to my business?
If your AI system affects people in the EU, yes, regardless of where your business is headquartered. The Act has extraterritorial scope. A US company running a chatbot that serves European customers is in scope. An Australian fintech using AI credit scoring for EU applicants is in scope.
What if I only use a third-party AI tool?
You are a 'deployer' under the Act, and you still have obligations. You must use the system according to the provider's instructions, ensure human oversight, monitor it in operation, and report issues. If you have customised the AI or launched it under your brand, you may be classified as a 'provider' with heavier obligations.
When do I need to comply?
Deadlines are phased. Article 50 transparency obligations apply from 2 August 2026, with AI-generated content marking required by 2 December 2026, and the main high-risk obligations were moved to 2 December 2027 by the Digital Omnibus. Some obligations are already in force: prohibited AI practices have been banned since February 2025, and AI literacy training (Article 4) is already required.
Is the toolkit kept up to date?
Yes. Each edition is dated (this is the June 2026 edition), and we update the toolkit whenever significant regulatory developments occur. Updated editions are free: when a new edition ships we email everyone who bought it a fresh download link, and you can re-download the latest version any time.
What's included, and what file formats are they?
Four parts in one download: the compliance checklist (PDF), an editable progress tracker (Excel), nine fully worked sample compliance documents (PDF), and nine matching fill-in-the-blank templates (Word). The templates open in Microsoft Word or Google Docs, and the tracker works in Excel or Google Sheets.
What's in the toolkit that I can't find online for free?
The regulation is public — the problem is the blank page. The hard part of compliance isn't finding Article 27, it's knowing what a finished Fundamental Rights Impact Assessment actually contains. The core of the toolkit is nine complete compliance documents — the FRIA, the risk management file, technical documentation to Annex IV, the declaration of conformity and five more — each drafted end to end for a realistic high-risk AI system, plus nine editable templates of those same documents to adapt to your own. The 47-item checklist, the progress tracker and the 40-prompt testing annex sit around them. A general-purpose chatbot can paraphrase the Act; it can't hand you a coherent, cross-referenced documentation set a regulator would recognise.
Is this a one-time payment or a subscription?
One-time payment. You pay once, download the toolkit, and it's yours. No subscription, no recurring charges, no account required.
What if it doesn't meet my expectations?
We offer a 14-day, no-questions-asked refund. Email complydrive@viperfish.com.au within 14 days of purchase with your order details and we'll refund you in full. The guarantee applies to all customers, regardless of location.
Can I share this with my team?
Yes. Your purchase covers use within your organisation. You can share it with colleagues, contractors, and advisers involved in your AI compliance work. You may not redistribute it outside your organisation or publish it elsewhere. Consultancies using it on behalf of multiple clients need a separate purchase per client.
What's the difference between a provider and a deployer?
A provider develops or commissions an AI system and places it on the market. A deployer uses an AI system under their authority. Each role carries different obligations under the Act. The critical nuance: if you've customised a third-party AI model, fine-tuned it, or launched it under your own brand, you may be classified as a provider, with significantly heavier compliance requirements. The checklist includes a detailed guide to help you determine your role.
My chatbot uses ChatGPT or Claude — am I a provider or a deployer?
If you built a chatbot using an API, customised the system prompt, integrated it into your product, and launched it under your brand, you are likely the provider of that chatbot system, even though you didn't build the underlying model. The model provider (OpenAI, Anthropic, etc.) has their own obligations for the general-purpose AI model, but the transparency and risk obligations for your specific application fall on you.