EU AI Act Compliance
Annual AI Compliance Review Checklist for EU AI Act Deployers
Every deployer of AI systems in the EU must treat compliance as a living process, not a one-time project. Here is exactly what to check, update, and document in your annual AI compliance review.
The 12-month clock starts the moment you deploy
Running an annual AI compliance review checklist is not optional for EU companies that deploy AI systems. Under the EU AI Act, deployers carry ongoing obligations that do not expire after initial setup. Article 26 places a clear duty on deployers to monitor AI systems throughout their operational lifecycle, verify that systems are used within their intended purpose, and maintain up-to-date documentation. Miss a yearly review cycle and you risk regulatory penalties reaching up to €15 million or 3% of global annual turnover under Article 99.
The good news: a structured 12-month review is entirely manageable, even for a 50-person company without a dedicated compliance team. The six areas below give you a repeatable framework you can run every calendar year.
1. Refresh your AI system inventory
Every review starts here. AI tools change fast. A tool your procurement team bought 14 months ago may have quietly added a new AI feature. Shadow AI is real.
Go through every department. Ask three questions for each tool:
- Has the system's functionality changed since last year?
- Is it still being used for the same purpose it was risk-classified for?
- Has the vendor added or removed AI components?
Risk classification shifts matter. A system that scored low-risk at onboarding may now fall under the high-risk categories listed in Annex III if it is being used for employee monitoring, recruitment scoring, or creditworthiness assessment. Catch that drift now, not when a regulator asks.
Document each tool: name, vendor, version, risk tier, deploying department, and date of last review. One spreadsheet is enough to start. Update it before moving on.
2. Verify AI literacy training records
Article 4 of the EU AI Act requires that all staff who work with AI systems have a sufficient level of AI literacy for their role. This obligation applies to deployers directly, not just providers.
Your annual review must confirm:
- Which employees received AI literacy training in the past 12 months?
- Were new hires trained before they began using AI tools?
- Did role changes trigger a training update? (An HR coordinator who moves into a recruitment screening role needs additional training on high-risk AI use.)
Pull your training records. Check completion dates. Flag any gaps. Keep certificates or completion logs for at least the duration of the system's deployment plus any applicable retention period under your sector's rules.
If your current training is more than 12 months old, it needs refreshing. The regulatory guidance and best practices in this space evolve, and your training content should reflect that.
3. Update your internal AI policies
Most SMEs wrote their first AI use policy under time pressure. After 12 months of actual use, you know far more about how staff interact with AI tools. This is the moment to close the gap between your written policy and operational reality.
Review your policy against these specific checkpoints:
- Does it reflect every AI system currently in use, including new additions since the last version?
- Does it assign named ownership for each high-risk AI system, as Article 26 requires deployers to designate?
- Does it cover the transparency obligations from Article 50, specifically where your organisation uses AI-generated content or AI that interacts with people directly?
- Does it set a clear escalation path for AI-related concerns raised by employees?
Get sign-off from your legal or compliance lead on any material changes. Date the new version and archive the old one. Regulators will want to see a version history.
4. Review your incident log
Your organisation should have logged any AI-related incidents, near-misses, or anomalies over the past 12 months. This is the moment to read that log carefully.
Look for patterns:
- Did the same system trigger multiple complaints or errors?
- Were any incidents related to biased outputs, incorrect decisions, or unexpected behaviour?
- Was every incident reported to the right internal owner within a reasonable timeframe?
Article 26 also requires deployers to inform providers of serious incidents without undue delay. If your incident log shows a serious event that was not escalated to your vendor, address that gap immediately and document the corrective action.
If your log is empty after 12 months of active AI use, that is a red flag. Either nothing went wrong (possible) or your reporting culture needs attention (more likely). Introduce a simple, anonymous incident reporting channel if you do not already have one.
5. Reassess your AI vendors
Your vendors' compliance posture affects yours. The AI Act creates a shared responsibility chain between providers and deployers. If a provider fails to maintain conformity of their high-risk system, your deployment can be non-compliant by extension.
For each vendor providing a high-risk or significant-risk AI system, confirm:
- Have they updated their technical documentation or EU Declaration of Conformity in the past year?
- Have they notified you of any changes to the system that could affect risk classification?
- Do they still hold a valid CE mark where applicable?
- Have they experienced any regulatory actions, fines, or enforcement notices in any EU member state?
This is also a good moment to revisit your contracts. Your agreement with each AI vendor should allocate responsibility clearly for incident reporting, data processing, and system documentation. If the contract predates August 2024, it likely needs an AI Act addendum.
For GDPR-governed data flows, confirm that your Data Processing Agreements are still accurate and that any Fundamental Rights Impact Assessments (FRIAs) remain valid given any changes to system use. The European Commission's digital strategy resources provide useful orientation on where GDPR and the AI Act intersect.
6. Run an audit readiness check
The EU AI Act empowers national supervisory authorities to conduct audits and request documentation on short notice. In the Netherlands, the Autoriteit Persoonsgegevens is designated as a key market surveillance authority for AI systems touching personal data. In Belgium, the APD/GBA plays an equivalent role.
Audit readiness means you can produce the following within 48 hours:
- Your current AI system inventory with risk classifications
- Training completion records for all relevant staff
- The current version of your internal AI use policy
- Incident logs for the past 12 months
- Vendor documentation including technical documentation and conformity assessments
- Any FRIA or DPIA conducted for high-risk systems
Run a mock document pull right now. Time yourself. If it takes longer than two hours to gather everything, your documentation is not audit-ready. Fix the filing system before the real request arrives.
Your 12-month calendar template
Building the review into your operational calendar prevents it from being postponed indefinitely. Here is a simple schedule:
| Month | Activity |
|---|---|
| January | AI inventory refresh and risk reclassification |
| February | Training records audit and gap remediation |
| March | Policy review and version update |
| April | Incident log analysis and reporting culture check |
| May | Vendor reassessment and contract review |
| June | Audit readiness drill and documentation filing |
| December | Light-touch mid-year check on new tool adoptions |
You do not need to run all six steps simultaneously. Spreading them across the first half of the year keeps the workload manageable and ensures issues from each step can inform the next.
Start with a 2-minute check
If you are not sure where your organisation stands today, the fastest first step is to use the free compliance check at comply.khairos.ai. It takes two minutes, covers the core deployer obligations under the EU AI Act, and tells you which of the six areas above needs the most urgent attention. Run it before you schedule the first team meeting.
# Need help getting compliant?
The free 2-minute compliance check shows you exactly where your gaps are. No email gate to see your score.
Start the free check →