{"id":32471,"date":"2026-07-17T08:00:00","date_gmt":"2026-07-17T06:00:00","guid":{"rendered":"https:\/\/pegamento.nl\/niet-gecategoriseerd\/what-is-an-ai-act-checklist-and-how-do-you-use-it-in-practice\/"},"modified":"2026-07-17T10:01:34","modified_gmt":"2026-07-17T08:01:34","slug":"what-is-an-ai-act-checklist-and-how-do-you-use-it-in-practice","status":"publish","type":"post","link":"https:\/\/pegamento.nl\/en\/contact-center\/what-is-an-ai-act-checklist-and-how-do-you-use-it-in-practice\/","title":{"rendered":"What is an AI Act checklist, and how do you use it in practice?"},"content":{"rendered":"<p>An AI Act checklist is a structured overview of the obligations your organization must meet under the EU AI Act (Regulation (EU) 2024\/1689). To use this checklist, first take stock of your AI systems, classify them by risk level, and then work through the corresponding compliance steps for each category. The law applies to anyone who develops, uses, imports, or distributes AI in the EU. In this article, we answer the most frequently asked questions about <a href=\"https:\/\/pegamento.nl\/en\/ai-powered-intelligence\/\">AI compliance<\/a> and how to address them.   <\/p>\n<h2>Which organizations must comply with the AI Act?<\/h2>\n<p>The EU AI Act applies to any organization that develops, places on the market, imports, distributes, or uses AI systems within the European Union, regardless of where that organization is based. Even if you\u2019re based outside the EU but your AI system produces output that\u2019s used within the EU, you\u2019re subject to the law. This makes its scope broad and extraterritorial.  <\/p>\n<p>The law distinguishes four roles, each with its own obligations:<\/p>\n<ul>\n<li><strong>Provider:<\/strong> the party that develops and markets an AI system. Has the most stringent obligations. <\/li>\n<li><strong>Deployer (responsible party):<\/strong> any organization that deploys an AI system under its own authority. Has less stringent but still serious obligations. <\/li>\n<li><strong>Importer:<\/strong> responsible for verifying compliance before a system enters the EU market.<\/li>\n<li><strong>Distributor:<\/strong> Must verify the presence of required documents and suspend distribution in the event of non-compliance.<\/li>\n<\/ul>\n<p>An important point to note is that you can inadvertently go from being a deployer to a provider. This happens when you put your name on a system, make a substantial change to it, or modify its intended purpose in such a way that the system becomes high-risk. Organizations that purchase AI systems and customize them internally must be vigilant about this. Providers outside the EU are required to designate an authorized representative in the EU.   <\/p>\n<h2>How does risk classification work under the AI Act?<\/h2>\n<p>The AI Act classifies AI systems into four risk levels: prohibited applications, high-risk AI, low-risk AI, and AI with minimal or no risk. The risk level determines which obligations apply to your system. Most AI applications fall into the lowest category and remain largely unregulated.  <\/p>\n<h3>Prohibited AI Applications<\/h3>\n<p>Applications that pose an unacceptable risk are completely prohibited. These include, among other things, manipulative techniques that influence behavior without a person\u2019s awareness and cause harm; social scoring by governments; predictive policing based on profiling; and the creation of facial recognition databases through indiscriminate scraping. Emotion recognition in the workplace or in educational institutions also falls under this prohibition, with the exception of medical or safety applications. These prohibitions have been in effect since February 2, 2025.   <\/p>\n<h3>High-Risk AI Systems<\/h3>\n<p>A system is considered high-risk if it is a safety component of a regulated product that requires a conformity assessment by a third party, or if it falls within one of the eight domains listed in Annex III. These areas are biometrics, critical infrastructure, education and vocational training, employment and human resources management, access to essential services such as credit and insurance, law enforcement, migration and border control, and the administration of justice. Systems that profile individuals are always high-risk.  <\/p>\n<h2>What is included on an AI Act checklist for high-risk systems?<\/h2>\n<p>An AI Act checklist for high-risk systems outlines the mandatory measures that providers and deployers must take to comply with the law. The requirements for providers are the most extensive; deployers have a shorter but still significant list. <\/p>\n<p>For <strong>providers<\/strong>, a comprehensive checklist must include at least the following:<\/p>\n<ul>\n<li>A continuous risk management system throughout the entire system lifecycle<\/li>\n<li>Use of training, validation, and test data that are representative and as free of errors as possible<\/li>\n<li>Systematic investigation and mitigation of potential bias<\/li>\n<li>Technical documentation in accordance with Annex IV<\/li>\n<li>Automatic logging of events throughout the product lifecycle<\/li>\n<li>A Clear User Guide for Deployers<\/li>\n<li>A design that effectively enables human oversight, including awareness of automation bias<\/li>\n<li>Guarantees of accuracy, robustness, and cybersecurity<\/li>\n<li>A quality management system<\/li>\n<li>A conformity assessment and an EU declaration of conformity<\/li>\n<li>CE marking and registration in the EU database<\/li>\n<\/ul>\n<p>For <strong>deployers<\/strong>, the checklist includes:<\/p>\n<ul>\n<li>Use the system in accordance with the provider&#8217;s user manual<\/li>\n<li>Assign human supervision to qualified and trained individuals<\/li>\n<li>Retain logs for at least six months<\/li>\n<li>Informing Employees Before Commencement of Use (Article 26(7))<\/li>\n<li>Conduct a data protection impact assessment (DPIA) where applicable<\/li>\n<\/ul>\n<p>Under Article 86, individuals who are subject to a decision made by a high-risk system have the right to request an explanation of the factors that determined that decision. As a deployer, you must be able to facilitate this. <\/p>\n<h2>When must your organization be compliant with the AI Act?<\/h2>\n<p>The AI Act will take effect in phases. The deadline that is most relevant to your organization depends on the role you play and the type of AI system you use or develop. The key dates are:  <\/p>\n<ul>\n<li><strong>February 2, 2025:<\/strong> The prohibitions set forth in Article 5 and the AI literacy requirement (Article 4) take effect.<\/li>\n<li><strong>August 2, 2025:<\/strong> Requirements for GPAI models, governance structures, and penalty provisions take effect. National supervisory authorities must be designated. <\/li>\n<li><strong>August 2, 2026:<\/strong> Most requirements for high-risk Annex III systems will become enforceable. This is the most relevant deadline for most organizations. <\/li>\n<li><strong>August 2, 2027:<\/strong> Requirements for high-risk AI used as a safety component in regulated products (Annex I) take effect. GPAI models that were on the market before August 2025 must therefore also be compliant. <\/li>\n<\/ul>\n<p>Since 2026 is the critical deadline for most high-risk applications, now is the time to get your AI registry in order and begin the compliance process.<\/p>\n<h2>How do you use the AI Act checklist step by step?<\/h2>\n<p>You use an AI Act checklist by systematically following four steps: identifying, classifying, determining obligations, and implementing. Each step builds on the previous one and gives you a clear picture of what still needs to be done. <\/p>\n<p><strong>Step 1: Take inventory of all AI systems.<\/strong>  Create a registry of all AI systems that your organization develops, purchases, or uses. For each system, also note the role you play: Are you a provider, deployer, importer, or distributor? Be aware of situations in which you could inadvertently become a provider by making modifications to an existing system.  <\/p>\n<p><strong>Step 2: Classify each system by risk level.<\/strong>  For each system, determine whether it is prohibited, high-risk, medium-risk, or low-risk. To do so, review the eight domains listed in Annex III and determine whether the system performs profiling of individuals. Document your reasoning, especially if you conclude that an Annex III system does not fall into the high-risk category.  <\/p>\n<p><strong>Step 3: Determine the responsibilities for each system and role.<\/strong>  Use the checklist from the previous section as a starting point. Also include the AI literacy requirement: your employees must have sufficient knowledge of AI to use it responsibly. <\/p>\n<p><strong>Step 4: Implement and document.<\/strong>  Establish the necessary processes, prepare documentation, designate individuals responsible for human oversight, and ensure that logging and retention requirements are in place. Schedule periodic reviews, as AI systems may change risk categories over the course of their lifecycle. <\/p>\n<h2>What are the consequences of noncompliance with the AI Act?<\/h2>\n<p>Failure to comply with the AI Act may result in substantial fines, depending on the nature of the violation. The fine structure has three tiers and will take effect on August 2, 2025. For small and medium-sized enterprises, the lower of the percentage or the fixed amount applies in each case.  <\/p>\n<ul>\n<li><strong>Violation of the prohibitions (Article 5):<\/strong> up to 35 million euros or 7% of global annual revenue, whichever is higher.<\/li>\n<li><strong>Non-compliance with other obligations:<\/strong> up to 15 million euros or 3% of global annual revenue.<\/li>\n<li><strong>Inaccurate or misleading information provided to authorities:<\/strong> up to 7.5 million euros or 1% of global annual revenue.<\/li>\n<\/ul>\n<p>In addition to fines, there are also reputational risks. Oversight of high-risk AI rests with national market surveillance authorities, which may lead to differences in enforcement priorities among Member States. In January 2026, Finland became the first Member State to grant enforcement powers under Article 99 to its authority. It is therefore realistic to expect that enforcement will become more concrete and proactive in the coming years.   <\/p>\n<h2>How Pegamento Helps with AI Compliance<\/h2>\n<p>AI compliance is not a one-time project, but an ongoing process that combines technical, organizational, and legal aspects. We help Dutch organizations use AI responsibly, positioning <a href=\"https:\/\/pegamento.nl\/en\/agentic-ai-for-customer-service\/\">Agentic AI for customer service<\/a> as an evolution from task-oriented bots to self-thinking assistants that take the initiative and act independently. This requires a clear governance structure and thorough documentation\u2014exactly what compliance processes are built upon.  <\/p>\n<p>What we specifically offer:<\/p>\n<ul>\n<li>Inventory and Classification of Your Existing and Planned AI Systems<\/li>\n<li>Assistance with the preparation of technical documentation and risk management systems<\/li>\n<li>Implementation of human oversight and logging in accordance with the AI Act requirements<\/li>\n<li>Customized solutions using standard building blocks\u2014not costly custom work, but a smart combination of proven modules<\/li>\n<li>Everything under one roof: from consulting and implementation to management and support, without complex supplier structures<\/li>\n<\/ul>\n<p>We are ISO 27001 (information security), ISO 9001, and ISO 26000 certified, which means that information security and quality assurance are structurally embedded in our operations. Would you like to know where your organization stands in terms of AI compliance? <a href=\"https:\/\/pegamento.nl\/en\/contact-2\/\">Contact us<\/a>, and we\u2019d be happy to help you figure it out. <\/p>\n        <div class=\"wp-block-seoaic-faq-block\">\n            <h2 class=\"seoaic-faq-section-title\">Frequently Asked Questions<\/h2>\n                            <div class=\"seoaic-faq-item\">\n                    <h3 class=\"seoaic-question\">\n                        How do I know if my AI system falls under Annex III if it has multiple functions?                    <\/h3>\n                    <p class=\"seoaic-answer\">\n                        If an AI system has multiple functions, you must assess each use separately based on its intended purpose. As soon as one of the functions falls within one of the eight Annex III domains and has a significant impact on decisions affecting individuals, the system as a whole is considered high-risk. Always document your reasoning carefully, as the regulator may request justification for your classification decision.                    <\/p>\n                <\/div>\n                                <div class=\"seoaic-faq-item\">\n                    <h3 class=\"seoaic-question\">\n                        What exactly is the AI literacy requirement, and how do I comply with it?                    <\/h3>\n                    <p class=\"seoaic-answer\">\n                        The AI literacy requirement (Article 4) obligates organizations to ensure that employees who work with AI systems have sufficient knowledge and skills to use those systems responsibly. In practice, this means offering training tailored to the employee\u2019s role: someone who manages a high-risk system needs more in-depth knowledge than an end user. Keep a record of which training courses have been completed and when, so you can demonstrate this in the event of an audit.                    <\/p>\n                <\/div>\n                                <div class=\"seoaic-faq-item\">\n                    <h3 class=\"seoaic-question\">\n                        Does the AI Act also apply to AI systems that we use internally and never offer to customers?                    <\/h3>\n                    <p class=\"seoaic-answer\">\n                        Yes, AI systems used internally are also subject to the AI Act if they are high-risk, for example, when used in HR processes such as recruitment, performance evaluations, or termination. In that case, you are considered the deployer and are subject to the corresponding obligations, such as human oversight, log retention, and informing employees before the system is put into use. Only AI systems used exclusively for personal, non-professional purposes are exempt.                    <\/p>\n                <\/div>\n                                <div class=\"seoaic-faq-item\">\n                    <h3 class=\"seoaic-question\">\n                        What should I do if a supplier cannot provide technical documentation or user instructions?                    <\/h3>\n                    <p class=\"seoaic-answer\">\n                        If a provider cannot supply the required documentation, you, as the deployer, face a serious compliance risk. Explicitly ask the supplier for the Annex IV documentation and user instructions in accordance with the AI Act; and, if necessary, stipulate this in the contract. If the supplier is unable or unwilling to provide this, it is wise to reconsider using that system or to seek legal advice regarding the allocation of liability.                    <\/p>\n                <\/div>\n                                <div class=\"seoaic-faq-item\">\n                    <h3 class=\"seoaic-question\">\n                        How often do I need to update my AI register and risk assessments?                    <\/h3>\n                    <p class=\"seoaic-answer\">\n                        There is no legally mandated minimum frequency, but the AI Act requires a continuous risk management system throughout the entire lifecycle of a high-risk system. In practice, this means you should review the register and risk assessments whenever there is a substantial change to a system, when new use cases arise, when legislation changes, or when incidents occur. An annual scheduled review is a good rule of thumb, supplemented by ad hoc updates when the situation calls for it.                    <\/p>\n                <\/div>\n                                <div class=\"seoaic-faq-item\">\n                    <h3 class=\"seoaic-question\">\n                        What is the difference between a DPIA and a fundamental rights impact assessment under the AI Act?                    <\/h3>\n                    <p class=\"seoaic-answer\">\n                        A DPIA (Data Protection Impact Assessment) is a requirement under the GDPR and focuses specifically on privacy risks associated with the processing of personal data. The fundamental rights impact assessment (Article 27 of the AI Act) is broader in scope and mandatory for deployers of certain high-risk AI systems in the public sector or in services of public interest; it assesses the impact on a broader set of fundamental rights. Both assessments may overlap but are not interchangeable: for each high-risk system, verify whether one or both apply.                    <\/p>\n                <\/div>\n                                <div class=\"seoaic-faq-item\">\n                    <h3 class=\"seoaic-question\">\n                        Can small organizations and startups follow a simplified approach for AI Act compliance?                    <\/h3>\n                    <p class=\"seoaic-answer\">\n                        The AI Act does not provide a formal exemption for small organizations, but the penalty structure does take company size into account: for SMEs, the lower of the percentage or the fixed amount applies. In practice, smaller organizations can prioritize the highest-risk systems and start with a concise AI register and a documented risk assessment. Scalable compliance building blocks, such as those offered by specialized partners, are a cost-effective way to meet the requirements without having to build a full in-house legal and technical team.                    <\/p>\n                <\/div>\n                        <\/div>\n        ","protected":false},"excerpt":{"rendered":"<p>Find out how an AI Act checklist can help your organization stay compliant before the crucial 2026 deadline.<\/p>\n","protected":false},"author":2,"featured_media":32472,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[500],"tags":[],"class_list":["post-32471","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-contact-center"],"_links":{"self":[{"href":"https:\/\/pegamento.nl\/en\/wp-json\/wp\/v2\/posts\/32471","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/pegamento.nl\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/pegamento.nl\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/pegamento.nl\/en\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/pegamento.nl\/en\/wp-json\/wp\/v2\/comments?post=32471"}],"version-history":[{"count":2,"href":"https:\/\/pegamento.nl\/en\/wp-json\/wp\/v2\/posts\/32471\/revisions"}],"predecessor-version":[{"id":32474,"href":"https:\/\/pegamento.nl\/en\/wp-json\/wp\/v2\/posts\/32471\/revisions\/32474"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/pegamento.nl\/en\/wp-json\/wp\/v2\/media\/32472"}],"wp:attachment":[{"href":"https:\/\/pegamento.nl\/en\/wp-json\/wp\/v2\/media?parent=32471"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/pegamento.nl\/en\/wp-json\/wp\/v2\/categories?post=32471"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/pegamento.nl\/en\/wp-json\/wp\/v2\/tags?post=32471"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}