Score yourself 0 to 100 against the 10 steps of EU AI Act compliance. Weighted by Article 99(6) proportionality: foundation steps carry 60 of the 100 weighted points (every deployer needs them); scaling steps carry 40 (proportional to AI use complexity). N/A is allowed on optional steps and is excluded from the denominator. The result is a number, a readiness tier, and the next-step priority.
Source: Regulation (EU) 2024/1689 on EUR-Lex. Self-assessment, not legal advice.
Every organisation deploying AI must complete these regardless of risk profile. They carry 60 of the 100 weighted points.
You have a documented list of every AI system in use, with vendor, department, purpose, data processed, and responsible person. Includes embedded AI in third-party software.
Each AI system is classified as prohibited, high-risk, limited risk, or minimal risk under Article 6 and Annex III. Classification is documented with rationale.
You have determined whether your organisation is a provider, deployer, importer, or distributor for each AI system, per Article 3 definitions. Role is documented per system.
A named person is responsible for AI compliance, with documented authority, reporting structure, and budget. AI compliance is on the senior management agenda.
Scale with the complexity and risk of your AI use. Steps that do not apply (e.g. no high-risk systems means no FRIAs needed) can be marked N/A and are excluded from the score denominator.
For each high-risk AI system, an FRIA has been completed before deployment, covering affected persons, specific risks, human oversight, and mitigation measures.
AI vendor contracts include EU declarations of conformity, technical documentation access, instructions for use, incident notification, and audit cooperation rights.
Role-based AI literacy training is delivered to all staff using AI: awareness for general staff, governance for managers, technical oversight for operators.
Records exist for AI inventory, risk classifications, FRIAs, vendor compliance, training completion, incident logs, and monitoring reviews. Retention policy in place.
Documented procedures for detecting, assessing, escalating, reporting, and remediating AI incidents. Article 26(5) 15-day reporting path identified for high-risk systems.
Quarterly compliance reviews, annual reassessments, regulatory update tracking, AI system performance monitoring, and training programme refresh cycle in place.
Every deployer needs these regardless of AI use scale.
Proportional to the complexity and risk of your AI use.
The score maps to a tier. Each tier has a clear next move.
Missing the foundational steps every AI deployer must do. Start with steps 1 and 2 immediately.
Foundation in place but scaling steps need work. Prioritise FRIAs and Article 4 training.
On track for the 2 December 2027 high-risk deadline (delayed from 2 August 2026 by the Omnibus deal of 7 May 2026). Close the remaining gaps and lock the documentation.
Substantive requirements met. Maintain monitoring and incident response, and document changes as the regulation evolves.
Each of the 10 steps has a weight matching its proportionality under Article 99(6). Foundation steps 1 to 4 (inventory, risk classification, role determination, governance) carry 60 weighted points; scaling steps 5 to 10 (FRIAs, vendor contracts, Article 4 training, documentation, incident response, ongoing monitoring) carry 40. Each step is rated Not Started (0), In Progress (0.5), or Complete (1). N/A is allowed on optional steps and is excluded from the denominator. Final score is (earned points / available points) × 100.
0 to 39: Behind. You are missing the foundational steps every AI deployer must do.
40 to 69: Catching up. Foundation in place but scaling steps need work.
70 to 89: On track for the 2 December 2027 high-risk Annex III deadline (delayed from 2 August 2026 by the Omnibus deal of 7 May 2026).
90 to 100: Compliant on the substantive requirements; maintain monitoring and document changes as the regulation evolves.
Article 4 literacy and Article 5 prohibited practices are live today regardless of score.
Article 99(6) and Recital 56 emphasise proportionality: every organisation must complete the foundational compliance steps (inventory, classification, role, governance) regardless of AI use scale. The scaling steps (FRIAs, vendor contracts, Article 4 training, documentation, incident response, monitoring) are weighted to reflect that depth scales with the complexity and risk of AI deployment. A small consultancy with one chatbot needs the foundation but lighter scaling; a multinational with high-risk AI needs both at depth.
Yes. Steps 5 (FRIAs), 6 (vendor contracts), and 9 (incident response) accept an N/A answer. If you have no high-risk AI systems, you do not need FRIAs and selecting N/A excludes that step from the score denominator. The four foundation steps and the training, documentation, and monitoring steps cannot be marked N/A: every deployer needs them.
Three actions, in order. First, if your score is below 70, address the foundation steps (1 to 4) before anything else. Second, run the AI Readiness Check (linked from the scorecard) for a deeper assessment across People, Tools, Compliance, and Infrastructure pillars. Third, read the full EU AI Act compliance checklist article for the implementation guide that walks through each step in detail with EUR-Lex citations.
No. This is a self-assessment tool, not a legal opinion. A real audit weighs evidence, documentation, process integrity, and observed practice, not just self-reported completion status. For binding interpretation of any specific obligation against your operation, consult a qualified lawyer in the relevant Member State.
The scorecard tells you where you stand. The article walks through each step in detail, with EUR-Lex citations and worked examples: what to inventory, how to classify, where the FRIA template lives, what to put in vendor contracts, how Article 4 training rolls out across roles.