The EU AI Act deployer checklist — what an SME has to do before August 2026
The short answer
EU AI Act readiness for a deployer comes down to five things: (1) inventory every AI system you use, with owner and purpose; (2) classify each one — prohibited, high-risk (Annex III), limited-risk with transparency duties, or minimal; (3) meet the Article 50 transparency obligations where they apply (tell people they are interacting with AI, label AI-generated and deepfake content); (4) cover the Article 26 deployer duties for any high-risk system (human oversight, monitoring, keeping logs, using it per the provider's instructions); and (5) keep the evidence — inventory, risk classification, and disclosures — in a form an auditor can walk through. Most of this is documentation discipline; reserve counsel for the genuinely ambiguous edge cases. Key obligations apply from 2 August 2026.
The readiness checklist — six moves
- 01
Build the AI system inventory
List every AI system in use — bought, embedded in SaaS, or built — with its owner, its purpose, and what data it touches. You cannot classify or govern what you have not inventoried, and 'we didn't know that tool used AI' is not a defence.
- 02
Classify each system by risk tier
Place each system in a tier: prohibited (banned outright), high-risk (the Annex III use cases — e.g. employment/CV-screening, credit, certain biometric and critical-infrastructure uses), limited-risk (transparency duties apply), or minimal. The classification drives every obligation that follows.
- 03
Meet the Article 50 transparency obligations
Where they apply: disclose to people when they are interacting with an AI system (e.g. a chatbot), and label AI-generated or manipulated content and deepfakes. Draft the actual disclosure text and publish it — a documented, live disclosure is the evidence.
- 04
Cover the Article 26 deployer duties for high-risk systems
For any high-risk system: assign human oversight, use the system according to the provider's instructions, monitor its operation, keep the automatically generated logs, and inform affected people where required. These are operational controls, not paperwork.
- 05
Reserve counsel for the genuine edge cases
Producing an inventory, classifying obvious cases, and formatting a disclosure are documentation tasks. Send counsel the genuinely ambiguous ones — for example, whether a specific CV-screening plugin is high-risk under Annex III. Routing everything through legal costs too much and moves too slowly.
- 06
Assemble the evidence pack
Keep the inventory, the risk classification with the reasoning per system, and the published disclosures together, in a form someone can open and walk through in thirty minutes. The supervisor at an inspection cares whether the evidence exists, not how expensive the review was.
Why readiness is a documentation problem, not a legal one
The operator who treats the EU AI Act as a legal function will pay specialist hourly rates to produce templates that should have cost a fraction to build internally. The operator who treats it as a documentation function — build the inventory, classify the systems, publish the disclosures, keep the evidence — produces something a supervisor can open on a laptop and walk through in thirty minutes.
Counsel is for interpretation: the genuinely ambiguous Annex III edge cases, the novel situations specific to your business. Counsel is not for formatting an Article 50 disclosure for a website chatbot. Conflating the two means you pay too much and move too slowly — and the enforcement deadline does not move to accommodate a slow legal queue.
The inventory is the keystone
Everything downstream depends on the inventory. You cannot classify a system you have not listed, you cannot meet transparency duties for a chatbot you forgot was AI, and you cannot evidence anything without knowing what is in scope. Start there — including the AI quietly embedded in SaaS tools you already pay for, which is where most “we didn’t realise that counted” gaps live.
The shift underneath all of this — from document-based compliance to a governance-maturity assessment — is the subject of the essay What supervisory authorities actually look for in DORA and EU AI Act compliance.
This guide is operator practice and a plain-language summary, not legal advice. Confirm obligations and classifications against the Regulation as written and with qualified counsel.
Frequently asked
When does the EU AI Act apply?
The Act entered into force in 2024 and applies in stages: the prohibitions on unacceptable-risk systems applied first, general-purpose AI obligations followed, and the bulk of the deployer-relevant obligations — including the Article 50 transparency duties and the high-risk regime — apply from 2 August 2026, with some provisions phasing in later. Treat 2 August 2026 as the planning anchor.
What is the difference between a provider and a deployer under the EU AI Act?
A provider develops or places an AI system on the market; a deployer uses an AI system under its own authority. Most SMEs are deployers — they buy or embed AI rather than build it — and the deployer obligations (notably Article 26 for high-risk systems and Article 50 transparency) are the ones that apply to them.
What are the Annex III high-risk categories?
Annex III lists the high-risk use cases — including certain uses in employment and worker management (such as CV screening), access to essential services and credit, certain biometric systems, critical infrastructure, education, law enforcement, and migration. If a system falls in one of these areas, the high-risk obligations apply. Confirm a borderline case against the text with counsel.
Is this legal advice?
No. This guide — and the Vihren Labs compliance products — are operator-grade organizational and evidence tools. They help you structure and document readiness. They are not legal advice; confirm your specific obligations with qualified counsel, especially for borderline Annex III classifications.
The done-for-you version: an AI system inventory, a risk-classification workbook, a compliance checklist, and Article 50 disclosure templates — so an SME can structure and evidence readiness ahead of 2 August 2026 instead of starting from a blank page.
Get the EU AI Act SME Compliance Starter — €149 →Written by Petko Petkov — 15 years inside enterprise IT operations. Vihren Labs publishes operator-grade templates and playbooks for the enterprise IT stack.