High-Risk AI System Checklist (EU AI Act)
A high-risk AI system checklist starts with one question: is your system actually high-risk? Under Article 6 of the EU AI Act, a system is high-risk when it is a safety component of an Annex I regulated product, or when its use case sits in an Annex III category such as hiring, credit scoring, education, or access to essential services. If that is you, here are the 12 provider obligations, each with its article.
The 12-point provider checklist
| # | Obligation | Article |
|---|---|---|
| 1 | Run a documented, continuous risk management system | Art. 9 |
| 2 | Govern training, validation, and testing data for quality and bias | Art. 10 |
| 3 | Write and maintain technical documentation | Art. 11 + Annex IV |
| 4 | Build automatic event logging into the system | Art. 12 |
| 5 | Ship clear instructions for use to deployers | Art. 13 |
| 6 | Design for effective human oversight | Art. 14 |
| 7 | Meet "accuracy, robustness and cybersecurity" requirements | Art. 15 |
| 8 | Operate a quality management system | Art. 17 |
| 9 | Pass the applicable conformity assessment | Art. 43 |
| 10 | Sign an EU declaration of conformity | Art. 47 |
| 11 | Affix CE marking | Art. 48 |
| 12 | Register the system in the EU database | Art. 49 |
Print it, assign an owner to each row, and date every completion. That table is your audit spine.
When does this apply?
Annex III high-risk obligations apply from 2 August 2026 under the current text. Brussels is debating an amendment that could move parts of that date, and nothing is enacted yet. We plan against the law as written, and we suggest you do too. Working backwards from August 2026, the documentation rows (3, 5, and the Article 17 quality system) are the slow ones. Start there.
What does each row produce?
Every row ends in evidence: a risk register, a data-governance policy, the Annex IV file, oversight procedures, test reports, a signed declaration. AI Comply HQ generates these from one guided interview, so the same system facts feed every document instead of being retyped into each.
FAQ
We only deploy a vendor's high-risk system. Is this our checklist?
No. Deployers have a shorter list under Article 26. We keep a separate deployer obligations checklist.
What happens if we skip it?
Non-compliance with high-risk obligations can draw fines of up to 15 million euros or 3 percent of worldwide turnover. The numbers live in our fines and penalties guide.
This page is informational content, not legal advice. Talk to a qualified lawyer about your specific situation.