Skip to content

EU AI Act Compliance Checklist by Industry: What Applies to You

Sotiris SpyrouUpdated on

Share this article

LinkedInXEmail
EU AI Act Compliance Checklist by Industry: What Applies to You

Your EU AI Act obligations depend on the use case, not the sector you sit in. The fastest route to a working checklist is to find which of your AI systems fall into Annex III, then run the high-risk duties (Articles 9 to 15) against those, while everyone fixes the banned uses and switches on transparency now. This guide breaks the checklist down by industry so you can start where you actually have exposure.

A quick word on dates, because most checklists published in 2025 are now wrong. The headline "2 August 2026" deadline for stand-alone high-risk systems has been pushed back under the Digital Omnibus. The detail is in the timeline section below, but the short version: you have more runway on the heavy high-risk work, and none on the bans or chatbot transparency.

How risk classification actually works

The Act sorts AI into four tiers, and your duties follow the tier, not your industry label. A loan-approval model in a bank and a loan-approval model in a fintech carry the same obligations, because both sit in the same Annex III slot.

Tier What it means Your duty
Unacceptable Banned under Article 5 (social scoring, manipulative techniques causing harm, untargeted facial-image scraping, certain emotion recognition at work and in education) Stop. Already in force since 2 February 2025
High The Annex III use cases, plus AI as a safety component of regulated products (Annex I) Full Chapter III duties, conformity assessment, CE marking
Limited (transparency) Chatbots, deepfakes, AI-generated content under Article 50 Tell people they are dealing with AI; label AI or deepfake content
Minimal Most AI: spam filters, inventory tools, AI in games None mandated

The catch worth repeating: classification is use-case specific. The same model can be high-risk in one deployment and minimal in another. Inventory by use, not by tool.

What changed in the timeline, and why your checklist needs the new dates

The dates below trace to Article 113 of the Regulation and the Commission's implementation timeline.

Under the Digital Omnibus on AI, the Council and Parliament reached political agreement on 7 May 2026, and Parliament endorsed the text on 16 June 2026, to postpone the high-risk deadlines. As of late June 2026 it is not yet final law. It still needs formal adoption and publication in the Official Journal, expected before the original 2 August 2026 date. Until then, the original Regulation is the binding text. Plan to the new dates, but watch for adoption.

Date What applies Status
2 February 2025 Bans on unacceptable-risk uses, plus AI literacy duties In force
2 August 2025 General-purpose AI model obligations and the governance framework In force
2 August 2026 Article 50 transparency duties (chatbots, deepfakes, content labelling) On schedule, unchanged
2 December 2027 Stand-alone high-risk systems (Annex III) Postponed by the Digital Omnibus, pending final adoption
2 August 2028 High-risk AI embedded in regulated products (Annex I) Postponed by the Digital Omnibus, pending final adoption

So the transparency rules for chatbots and deepfakes still land in August 2026. The heavy Annex III work moved out by 16 months. Don't let the later date make you put off the inventory, because that's the part that takes longest. See the Council statement and the Commission's Omnibus proposal for the source detail.

The baseline every industry shares

Whatever sector you're in, if you have a system that lands in Annex III, the provider duties are the same. They sit in Chapter III, Articles 9 to 15:

  • Risk management running across the system's lifecycle (Article 9)
  • Data governance, with relevant and representative data (Article 10)
  • Technical documentation (Article 11) and automatic logging (Article 12)
  • Transparency and clear instructions for deployers (Article 13)
  • Human oversight built in (Article 14)
  • Accuracy, robustness, and cybersecurity (Article 15)
  • A conformity assessment (Article 43) and CE marking (Article 48)
  • Registration in the EU database where required (Article 49)

Deployers carry their own duties, mainly using the system as instructed and keeping a human in the loop. The per-industry sections below tell you which of your systems trip these duties in the first place.

Which financial services AI is high-risk?

Annex III point 5(b) puts AI that evaluates creditworthiness or sets a credit score squarely in the high-risk box. There's one carve-out worth knowing: AI used purely to detect financial fraud is excluded. That single line resolves a lot of confusion, so it leads the checklist.

System Likely tier Why
Credit scoring, loan approval High-risk Annex III, point 5(b)
Fraud detection (pure) Not high-risk on this ground Express carve-out in 5(b)
Insurance risk and pricing for life and health High-risk Annex III, point 5(c)
Robo-advice with high autonomy Assess case by case Turns on automation and impact on rights
Customer chatbots Limited (transparency) Article 50 disclosure

Financial services checklist:

  • Separate your credit-scoring models from your fraud models; only the former are high-risk on the creditworthiness ground
  • Confirm whether insurance pricing and risk assessment for life and health cover falls under Annex III point 5(c)
  • Run the Article 9 to 15 duties on every high-risk model, with the explainability that credit decisions demand
  • Layer AI Act work on top of existing supervision; this sits alongside your sectoral regime, it doesn't replace it
  • Switch on Article 50 disclosure for any customer-facing chatbot now

Which healthcare AI is high-risk, and what about medical devices?

Healthcare is the sector where two rulebooks collide. A diagnostic or triage AI is usually a safety component of a medical device, which makes it high-risk through the Annex I product route, not Annex III. That matters for your timeline: Annex I embedded high-risk is the one postponed to 2 August 2028.

System Likely tier Why
Diagnostic or clinical-decision AI inside a regulated device High-risk (Annex I product route) Safety component of a medical device
AI triage or patient-risk stratification Assess case by case Turns on clinical impact and device status
Administrative AI affecting access to care May be high-risk If it gates essential services (Annex III point 5)
Patient-facing chatbot Limited (transparency) Article 50 disclosure

Healthcare checklist:

  • Work out the medical device classification first; it sets which AI Act route and deadline apply
  • Run the device conformity assessment and the AI Act duties together, not in sequence
  • Hold clinical validation evidence, not just technical test results
  • Document the human-oversight model for any AI that touches a clinical decision
  • Don't assume the 2028 date covers you; an administrative tool that gates care can be Annex III, due 2027

Which HR and employment AI is high-risk?

This is the cleanest high-risk category to spot. Annex III point 4 covers AI for recruitment and selection, and AI that affects the terms, promotion, or termination of a working relationship. If your tool screens CVs, ranks candidates, or feeds performance and firing decisions, assume high-risk.

System Likely tier Why
CV screening, candidate ranking High-risk Annex III, point 4(a)
Performance scoring feeding promotion or dismissal High-risk Annex III, point 4(b)
Task allocation and monitoring Assess case by case Turns on impact on the working relationship
Emotion recognition on staff Often prohibited Article 5 bans emotion recognition at work, with narrow exceptions

HR and employment checklist:

  • List every AI touchpoint in hiring, performance, and workforce management
  • Pull any emotion-recognition tool aimed at staff; that's an Article 5 ban, not a high-risk duty
  • Run bias testing on screening and ranking models, with documented results (Article 10)
  • Give applicants and staff clear information that AI is in the loop
  • Keep meaningful human review on every reject, promote, and dismiss decision (Article 14)

Which AI in other regulated sectors is high-risk?

The remaining Annex III categories hit education, public services, law enforcement, and critical infrastructure. The pattern is the same: the use case decides, and the duties don't change.

Sector High-risk uses (Annex III) Watch out for
Education Admissions, scoring exams, evaluating learning outcomes, proctoring during tests (point 3) Adaptive-learning tools that gate progression
Public sector Eligibility for benefits and essential services, emergency dispatch (point 5) Administrative tools that quietly decide access
Law enforcement Risk assessment, evidence evaluation, profiling (point 6) Several uses are restricted or banned outright
Critical infrastructure Safety components in utilities, road traffic, digital infrastructure (point 2) Industrial AI where failure causes physical harm
Migration and borders Visa and asylum risk assessment, identification (point 7) Heavy fundamental-rights scrutiny

Cross-sector checklist:

  • Map each AI use to a specific Annex III point, or conclude it's out of scope; vague "might be high-risk" labels help no one
  • For public-sector and education tools, ask whether the system decides access to a service or opportunity; that's the trigger
  • Treat critical-infrastructure AI as high-risk where failure has a physical-safety consequence
  • Flag any law-enforcement or biometric use for legal review early, because some uses are prohibited, not merely controlled

What about general-purpose AI and the fines?

If you build or fine-tune foundation models, you have a separate set of duties already in force since 2 August 2025. Every general-purpose AI provider keeps technical documentation, informs downstream developers, sets a copyright policy, and publishes a training-content summary. Models with systemic risk, presumed where training compute passes 10^25 FLOP, carry extra duties: Commission notification, model evaluation, adversarial testing, incident reporting, and cybersecurity. See the Commission's GPAI guidelines.

The fines under Article 99 are the higher of a fixed sum or a percentage of worldwide annual turnover. Note that the 7% headline applies only to banned practices, not to general non-compliance.

Breach Maximum fine (the higher of the two)
Prohibited practices (Article 5) EUR 35 million or 7% of worldwide annual turnover
Most other obligations EUR 15 million or 3% of turnover
Misleading information to authorities EUR 7.5 million or 1% of turnover

Frequently asked questions

Is my industry automatically high-risk under the EU AI Act?

No. There's no such thing as a high-risk sector. High-risk status attaches to specific use cases listed in Annex III, or to AI built into a product already regulated under EU law. A bank, a hospital, and a school can all run minimal-risk AI alongside high-risk AI. Classify each system by what it does.

When do the high-risk obligations actually apply now?

The original 2 August 2026 date for stand-alone high-risk systems has been postponed to 2 December 2027 under the Digital Omnibus, and embedded high-risk to 2 August 2028. As of late June 2026 that postponement is agreed but not yet final law, so confirm adoption before relying on the later dates. The Article 50 transparency duties still apply from 2 August 2026.

Is AI fraud detection high-risk in financial services?

Not on the creditworthiness ground. Annex III point 5(b) expressly excludes AI used to detect financial fraud from the high-risk credit-scoring category. A model that only flags suspected fraud sits outside that slot, though it can still pick up duties from data-protection or other law.

Does the Act apply to my company if we're outside the EU?

Yes, if the output of your AI is used in the EU. Article 2 reaches providers and deployers in third countries where the system's results land in front of EU users. A US or UK firm whose AI output reaches the Union can be in scope.

The bottom line

The industry framing is useful for finding where you're exposed, but it's a starting filter, not the rule. The rule is the use case. My strong view: spend your first week building an honest inventory tagged to specific Annex III points, not on grand governance theatre. The bans are live, transparency lands in August 2026, and the heavy high-risk work now has a real runway to 2027 and 2028. That runway is a gift only if you use it to do the inventory properly rather than to wait.

For the full mechanics behind these duties, see our EU AI Act compliance implementation guide. For the governance model boards are using, the book Ethical AI: Governing AI Before It Governs You sets out the approach.

References

  1. Regulation (EU) 2024/1689 (the EU AI Act), full text. https://eur-lex.europa.eu/eli/reg/2024/1689/oj/eng
  2. European Commission. AI Act implementation timeline. https://ai-act-service-desk.ec.europa.eu/en/ai-act/timeline/timeline-implementation-eu-ai-act
  3. Council of the EU. Agreement to simplify and streamline AI rules (7 May 2026). https://www.consilium.europa.eu/en/press/press-releases/2026/05/07/artificial-intelligence-council-and-parliament-agree-to-simplify-and-streamline-rules/
  4. European Commission. Digital Omnibus on AI proposal. https://digital-strategy.ec.europa.eu/en/library/digital-omnibus-ai-regulation-proposal
  5. European Commission. Guidelines for providers of general-purpose AI models. https://digital-strategy.ec.europa.eu/en/policies/guidelines-gpai-providers

More on how we approach it: AI compliance advisory.

Share this article

LinkedInXEmail
Sotiris Spyrou - Author

Sotiris Spyrou

Sotiris Spyrou is the founder of VerityAI, a Responsible AI advisory for boards and AI-deploying businesses. With 27 years across agencies, global in-house roles, and the C-suite, he advises leaders on AI governance and risk, and on answer-engine visibility engineered without the dark patterns the rest of the industry is getting penalised for. He is the author of TRANSFORM, AI Moats, and Ethical AI.

Founder at VerityAI