Why you need this checklist
Regulation (EU) 2024/1689, the EU AI Act, is the world's first comprehensive regulatory framework for artificial intelligence. It is already in force. Obligations are rolling out in phases, and the most critical deadline for most companies is August 2026.
The problem: many companies know the AI Act exists, but have no clear picture of what applies to them and what they still need to do. This checklist solves that. It covers 25 points across 6 blocks. Each point is a concrete yes/no question. By the end, you know exactly where you stand and what to do next.
Important: The EU Council agreed in March 2026 to delay obligations for standalone high-risk AI systems until December 2027. However, Article 4 (mandatory AI literacy training) has not moved. It remains in force from August 2026. Do not confuse a partial delay with a general postponement.
Block 1: AI inventory and governance (5 points)
Without an inventory there is no compliance. If you do not know which AI systems your company uses, you cannot classify them or manage their risks.
| # | Control point | Yes/No |
|---|---|---|
| 1 | We have a complete inventory of all AI systems, tools, and applications used by the organization (including Shadow AI used by teams without formal approval). | |
| 2 | Each system in the inventory has an assigned owner within the organization. | |
| 3 | We have classified each system according to its risk level under the AI Act: unacceptable, high, limited, or minimal. | |
| 4 | A formal process exists to evaluate new AI systems before acquiring or deploying them. | |
| 5 | We have a documented internal AI usage policy that has been communicated to the entire organization. |
If you answered "no" to 3 or more points in this block, start here. The inventory is the foundation for everything else.
Block 2: AI literacy - Article 4 (5 points)
Article 4 has been in force since February 2025. It requires all organizations using AI to ensure a sufficient level of AI literacy among their staff. This is not a recommendation. It is a legal obligation.
| # | Control point | Yes/No |
|---|---|---|
| 6 | We have identified which roles in the organization interact with AI systems (directly or indirectly). | |
| 7 | A documented AI training plan exists, tailored to the profiles of each team. | |
| 8 | Staff who work with AI systems have received training on how they work, their limitations, and their risks. | |
| 9 | Training is documented with attendance records, content delivered, and assessments. | |
| 10 | A periodic training update plan exists (it was not a one-off event). |
This is the block where most companies fall short. Many have heard of the AI Act, but very few have completed documented, role-adapted training. If your company has not covered this, read our article on what Article 4 requires and act as soon as possible. Delbion's secure AI courses meet these requirements and are fully subsidized through FUNDAE (zero cost for most companies).
Block 3: Prohibited practices - Article 5 (3 points)
Since August 2025 it has been prohibited to operate AI systems classified as unacceptable risk. Penalties for non-compliance are the highest in the regulation: up to 35 million euros or 7% of global turnover.
| # | Control point | Yes/No |
|---|---|---|
| 11 | We have reviewed the list of prohibited practices under Art. 5 and confirmed that no system in our organization falls within it. | |
| 12 | Our AI vendors have confirmed that their systems do not include prohibited features (subliminal manipulation, social scoring, emotion inference in the workplace, etc.). | |
| 13 | Where we use biometrics, we have verified they do not fall into prohibited categories (mass facial recognition, biometric categorization by race/orientation/etc.). |
Block 4: High-risk systems (5 points)
If your company uses AI to make decisions about people (hiring, performance evaluation, credit scoring, patient triage, etc.), you are likely operating high-risk systems. These obligations take effect in August 2026 (or December 2027 for standalone systems under the delay agreed by the Council).
| # | Control point | Yes/No |
|---|---|---|
| 14 | We have identified which of our AI systems are high-risk under Annex III of the AI Act. | |
| 15 | For each high-risk system, a documented risk management system exists (Art. 9). | |
| 16 | The training and validation data for our high-risk systems comply with data governance requirements (Art. 10). | |
| 17 | Each high-risk system has complete, up-to-date technical documentation (Art. 11). | |
| 18 | Our high-risk systems have effective human oversight mechanisms (Art. 14) and automatic event logging (Art. 12). |
Our AI governance and risk management course covers step by step how to implement these requirements.
Block 5: Transparency and documentation (4 points)
| # | Control point | Yes/No |
|---|---|---|
| 19 | We inform users when they are interacting with an AI system (chatbots, virtual assistants, etc.). | |
| 20 | AI-generated content (text, images, audio, video) is labelled as such when published externally. | |
| 21 | We maintain up-to-date documentation on the instructions for use, limitations, and known risks of each AI system (Art. 13). | |
| 22 | AI systems meet appropriate levels of accuracy, robustness, and cybersecurity (Art. 15). |
Block 6: Action plan and deadlines (3 points)
| # | Control point | Yes/No |
|---|---|---|
| 23 | We have an action plan with specific dates to cover pending obligations before August 2026. | |
| 24 | We have allocated budget and resources for AI Act compliance (training, consulting, tooling). | |
| 25 | A designated person or team leads AI Act compliance within the organization. |
How to interpret your score
20-25 points met: Your company is well on track. Review the remaining gaps and make sure your documentation is current. Stay on top of regulatory changes (the AI Act continues to evolve).
12-19 points met: You have started, but critical areas are missing. Prioritize blocks 2 (training) and 4 (high-risk) where applicable. There is still time before August 2026, but you need to accelerate.
Fewer than 12 points: Your company is not ready. The regulatory risk is high. You need an immediate action plan. Start with the inventory (block 1) and training (block 2): those are the two pillars everything else is built on.
Next step
If your score is below 20, there is work ahead. The good news: most companies are in the same position, and the deadlines still allow time to act.
Article 4 training is the most urgent point because it is already in force. If you need to cover this obligation, our secure AI and EU AI Act courses are designed for exactly that. They are 100% subsidized through FUNDAE for most companies (real cost: 0 EUR). And if you need a more detailed assessment of your situation, we offer a free 60-minute assessment to map exactly where you stand and what you still need.
Free download
Download this checklist as a PDF
Print it and run through it with your compliance or IT team. Each block takes 2 minutes. In 10 minutes you have a clear picture of where you stand.
Download the free checklist
Assess whether your company complies with Article 4 of the EU AI Act