Agentic Fluxus · Ten concrete steps before the high-risk deadline

EU AI Act 10-Step Compliance Checklist

Before the EU AI Act high-risk deadline of 2 December 2027 (per the Digital Omnibus deal of 7 May 2026), every deployer of high-risk Annex III AI needs to be operationally ready. This checklist sequences the 10 concrete steps in the order most organisations should tackle them.

The 10-step ramp

1. Inventory every AI system: department-by-department. Tool name, vendor, purpose, data processed, accountable owner.
2. Classify each system by risk tier: prohibited (Article 5), high-risk (Article 6 + Annex III), limited (Article 50), or minimal.
3. Determine your role per system: provider, deployer, importer, or distributor under Article 3.
4. Assign named governance ownership. Existing role (DPO, CTO, compliance lead) is fine.
5. Run FRIAs for in-scope high-risk systems (Article 27).
6. Update vendor contracts: Article 13 instructions for use, technical documentation, incident notification, audit cooperation.
7. Build Article 4 literacy training programme. 3-tier framework, role-mapped.
8. Create documentation + audit trails: inventory, risk classifications, FRIAs, training records, incident log.
9. Establish incident response procedures. Article 73 reporting clock. Article 26(5) chain notification.
10. Set up ongoing monitoring: quarterly review of inventory + risk tiers, annual reassessment, regulatory update tracking.

Critical timing

Article 4 + Article 5 live since 2 February 2025. Annex III standalone obligations from 2 December 2027. Annex I embedded obligations from 2 August 2028.

Open the full compliance checklist guide:

https://agenticfluxus.com/blog/eu-ai-act-compliance-checklist

By John Ferguson · Founder, Agentic Fluxus · agenticfluxus.com · Amsterdam, Netherlands

Agentic Fluxus · Ten concrete steps before the high-risk deadline

EU AI Act 10-Step Compliance Checklist

The 10-step ramp

1. Inventory every AI system: department-by-department. Tool name, vendor, purpose, data processed, accountable owner.
2. Classify each system by risk tier: prohibited (Article 5), high-risk (Article 6 + Annex III), limited (Article 50), or minimal.
3. Determine your role per system: provider, deployer, importer, or distributor under Article 3.
4. Assign named governance ownership. Existing role (DPO, CTO, compliance lead) is fine.
5. Run FRIAs for in-scope high-risk systems (Article 27).
6. Update vendor contracts: Article 13 instructions for use, technical documentation, incident notification, audit cooperation.
7. Build Article 4 literacy training programme. 3-tier framework, role-mapped.
8. Create documentation + audit trails: inventory, risk classifications, FRIAs, training records, incident log.
9. Establish incident response procedures. Article 73 reporting clock. Article 26(5) chain notification.
10. Set up ongoing monitoring: quarterly review of inventory + risk tiers, annual reassessment, regulatory update tracking.

Critical timing

Article 4 + Article 5 live since 2 February 2025. Annex III standalone obligations from 2 December 2027. Annex I embedded obligations from 2 August 2028.

Open the full compliance checklist guide:

https://agenticfluxus.com/blog/eu-ai-act-compliance-checklist

By John Ferguson · Founder, Agentic Fluxus · agenticfluxus.com · Amsterdam, Netherlands

Search

EU AI Act 10-Step Compliance Checklist

The 10-step ramp

Open the full compliance checklist guide

EU AI Act 10-Step Compliance Checklist

The 10-step ramp

Open the full compliance checklist guide