← All articles
EU AI Act

The EU AI Act compliance checklist for 2026

Moonlight GRC · 8 min read

The EU AI Act is the world's first comprehensive law on artificial intelligence, and its obligations are phasing in. Here is a plain-language checklist to work out whether it applies to you and where to begin.

This article is a general overview, not legal advice. For your specific obligations, confirm with a qualified advisor. That said, most organisations can get surprisingly far by answering a few structured questions.

Step 1 — Does the AI Act apply to you?

The Act has broad reach. It can apply if you place AI systems on the EU market, put them into service in the EU, or your AI's output is used in the EU — regardless of where your company is based. So a non-EU startup selling to EU customers can still be in scope.

It also assigns different duties depending on your role: provider (you build/brand the system), deployer (you use it), importer, or distributor. Most companies are providers, deployers, or both.

Step 2 — Classify your AI by risk tier

The AI Act is risk-based. Your obligations depend on which tier your system falls into:

Separately, providers of general-purpose AI (GPAI) models have their own set of transparency and documentation duties.

Step 3 — Know the core obligations (high-risk)

If you operate high-risk AI, expect to demonstrate:

Step 4 — Mind the deadlines

The Act applies in phases rather than all at once. The bans on unacceptable-risk systems and certain AI-literacy duties came first; general-purpose AI obligations and the bulk of high-risk requirements follow on a staggered timeline through the mid-2020s. The practical takeaway: the direction is fixed and the clock is running — starting early is far cheaper than scrambling later.

Step 5 — Where to start

  1. Inventory your AI. List every AI system you build or use, and note its purpose.
  2. Classify each one by risk tier and your role (provider/deployer).
  3. Gap-assess the high-risk and GPAI systems against the obligations above.
  4. Stand up governance. This is exactly where an ISO 42001 AI Management System pays off — it operationalises most AI Act requirements in a structured, auditable way.
You don't need to boil the ocean. Start with an inventory and a classification — most of the anxiety disappears once you know which of your systems are actually in scope.

Want to know where you stand?

Moonlight runs an AI Act readiness and gap assessment, then helps you close the gaps — fully async, in plain language.

Get an AI Act readiness check