The Compliance Window Has Closed. Here Is What You Need Now.
The EU Artificial Intelligence Act's requirements for high-risk AI systems entered application in August 2026. Organisations that deploy high-risk AI systems in the EU market must now comply with the full range of obligations under Chapter III, Title III of the Act.
This is not a preparatory phase. Market surveillance authorities are now operationally ready, and the Act's conformity assessment regime is live.
The following checklist covers the minimum requirements for high-risk AI compliance. It is designed for compliance officers, legal teams, and AI product managers who need to assess their current state and prioritise remediation.
Risk Management System (Article 9)
Every high-risk AI system must have an ongoing risk management system throughout its lifecycle. The checklist:
- Risk management process documented and implemented
- Known and foreseeable risks to health, safety, and fundamental rights identified
- Residual risks assessed as acceptable
- Risk management system tested against reasonably foreseeable misuse
- Appropriate risk mitigation measures implemented
- Risk management system updated on a continuous basis post-deployment
The risk management system must be proportionate to the risk class and intended purpose of the AI system. It is not a one-time exercise - it is an ongoing operational requirement.
Data Governance (Article 10)
The data governance requirements for training, validation, and testing datasets:
- Documented data governance and management practices in place
- Training, validation, and testing datasets identified and catalogued
- Relevance, representativeness, and freedom from errors assessed for each dataset
- Cryptographic integrity verification or equivalent in place to prove datasets have not been modified
- Bias and gaps in datasets documented and mitigated
- Special category data handling (Article 10(5)) procedures implemented if applicable
- Data governance documentation available for regulator review
This is typically the most significant gap in enterprise AI compliance programmes. The requirement to prove datasets have not been modified is a technical requirement that access controls alone cannot satisfy - it requires cryptographic integrity verification or equivalent tamper-evidence mechanisms.
ROOTKey's data integrity platform directly addresses the Article 10 integrity requirement. See our detailed guide to EU AI Act data governance requirements for the full technical breakdown.
Technical Documentation and Transparency (Articles 11, 13, 14)
High-risk AI systems must meet extensive documentation and transparency requirements:
Technical documentation (Article 11):
- Technical documentation prepared before market placement
- Includes system description, training data, architecture, intended purpose, performance metrics
- Documentation maintained and updated throughout lifecycle
Instructions for use (Article 13):
- Clear, plain-language instructions provided to deployers
- Intended purpose, performance, limitations, and human oversight requirements documented
- Instructions updated when the system changes
Human oversight (Article 14):
- Human oversight measures integrated by design
- Qualified personnel identified to oversee the system
- Override and intervention capabilities available and tested
For AI systems that interact directly with individuals, additional transparency obligations apply under Article 52 - individuals must be informed they are interacting with an AI system.
Conformity Assessment and Registration (Articles 16, 43, 49)
Before placing a high-risk AI system on the EU market:
Conformity assessment (Article 43):
- Conformity assessment procedure completed (self-assessment or notified body, depending on the AI system type)
- EU Declaration of Conformity prepared and signed
- CE marking affixed where applicable
Registration (Article 49):
- System registered in the EU AI Act database (operated by the European AI Office)
- Registration information accurate and up-to-date
Post-market monitoring (Article 72):
- Post-market monitoring plan in place
- Serious incident reporting procedure ready (incidents must be reported to national authorities)
Organisations deploying third-party high-risk AI systems (as 'deployers' rather than 'providers') have their own obligations under Article 29 - including use limitation to intended purpose, staff training, and oversight implementation.
For comprehensive support on your NIS2 and EU AI Act compliance posture, the provides tools and guidance across both frameworks. .
Get cyber-resilience insights in your inbox
Practical, audit-ready guidance on data integrity, compliance and continuity - delivered as we publish.





