EU AI Act: 23-Point Technical Compliance Checklist
A practical, technical checklist for engineering and compliance teams preparing for the EU AI Act's obligations on high-risk AI systems, most of which apply from 2 August 2026 (Art. 113). Covers decision logging, identity separation, audit trails, data governance, and human oversight.
Category 1: Decision Logging & Provenance (Art. 12)
1. AI decisions are recorded with structured metadata (model identifier and version, inputs or a hash of them, outputs, confidence, timestamp)
2. Decision records are cryptographically signed (Ed25519 or equivalent) with a key the inference host does not hold
3. Records are hash-chained, so that modification or deletion of any earlier record is detectable
4. Records carry independent timestamps from an external TSA (RFC 3161), so they cannot be back-dated and a truncated chain can be detected
5. Decision records are retained for at least the period Art. 19 requires (six months minimum, longer where sector law or the system's lifetime demands it)
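Items 1 to 3 as an added example in Go; it is not part of the checklist or of The Veil platform's code. It shows a signed, hash-chained decision log and the verification an auditor can run with only the public key. The record fields, the Ledger type and the sample decisions are this example's own choices; item 4 (the RFC 3161 timestamp) needs a call to a TSA and is only mentioned in a comment.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"time"
)

// DecisionRecord is one logged AI decision (item 1); the field names are this example's own.
// Hash covers every field except Hash and Sig; Sig is an Ed25519 signature over Hash (items 2, 3).
type DecisionRecord struct {
	Timestamp  string  `json:"ts"`           // local clock; the RFC 3161 token (item 4) is stored alongside, not here
	ModelID    string  `json:"model"`
	InputHash  string  `json:"input_sha256"` // hash only, so raw input (possibly personal data) never enters the log
	Output     string  `json:"output"`
	Confidence float64 `json:"confidence"`
	PrevHash   string  `json:"prev_hash"`
	Hash       string  `json:"hash"`
	Sig        string  `json:"sig"`
}

var genesisHash = hex.EncodeToString(make([]byte, 32)) // PrevHash of the first record

// computeHash hashes the canonical JSON body with Hash and Sig blanked. The value receiver
// leaves the caller's record untouched; encoding/json keeps field order, so the bytes are deterministic.
func (r DecisionRecord) computeHash() string {
	r.Hash, r.Sig = "", ""
	b, _ := json.Marshal(r) // cannot fail for a struct of strings and numbers
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// Ledger is the append-only log kept by the logging service. The private key lives here and
// never on the inference host, so a compromised model server cannot forge or rewrite history.
type Ledger struct {
	priv    ed25519.PrivateKey
	Pub     ed25519.PublicKey // handed to auditors; enough to run Verify
	records []DecisionRecord
}

func NewLedger() *Ledger {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err) // no entropy source: nothing sensible to do but stop
	}
	return &Ledger{priv: priv, Pub: pub}
}

// Append logs one decision, linking it to the previous record and signing it.
func (l *Ledger) Append(model string, input []byte, output string, confidence float64) DecisionRecord {
	prev := genesisHash
	if n := len(l.records); n > 0 {
		prev = l.records[n-1].Hash
	}
	in := sha256.Sum256(input)
	r := DecisionRecord{
		Timestamp: time.Now().UTC().Format(time.RFC3339Nano), ModelID: model,
		InputHash: hex.EncodeToString(in[:]), Output: output, Confidence: confidence, PrevHash: prev,
	}
	r.Hash = r.computeHash()
	r.Sig = hex.EncodeToString(ed25519.Sign(l.priv, []byte(r.Hash)))
	l.records = append(l.records, r)
	return r
}

// Verify replays the chain with only the public key, checking link, body hash and signature of
// every record. It cannot see a truncated tail; item 4's external timestamps close that gap.
func Verify(pub ed25519.PublicKey, records []DecisionRecord) error {
	prev := genesisHash
	for i, r := range records {
		if r.PrevHash != prev {
			return fmt.Errorf("record %d: prev_hash does not match the preceding record", i)
		}
		if r.computeHash() != r.Hash {
			return fmt.Errorf("record %d: body does not match hash", i)
		}
		sig, err := hex.DecodeString(r.Sig)
		if err != nil || !ed25519.Verify(pub, []byte(r.Hash), sig) {
			return fmt.Errorf("record %d: signature invalid", i)
		}
		prev = r.Hash
	}
	return nil
}

func main() {
	l := NewLedger()
	// Constructed sample decisions; the inputs carry pseudonymous IDs rather than identities.
	l.Append("credit-scorer-v3", []byte(`{"applicant":"pid_7f3a","income":41000}`), "decline", 0.82)
	l.Append("credit-scorer-v3", []byte(`{"applicant":"pid_91c0","income":88000}`), "approve", 0.95)
	edited := append([]DecisionRecord(nil), l.records...)
	edited[0].Confidence = 0.40 // an insider changes a logged confidence after the fact
	fmt.Println("intact:", Verify(l.Pub, l.records), "| edited:", Verify(l.Pub, edited))
}
```

Two points the checklist items compress: the chain detects an edited or removed record anywhere before the head, but a log that is simply cut short still verifies, which is why item 4's TSA timestamps (or periodic anchoring of the head hash somewhere the operator cannot rewrite) matter; and signing only helps if the key is custodied by the logging service, not by the process that produces the decisions.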
Category 2: Human Oversight (Art. 14)
6. Authorised personnel can access decision records on demand
7. Decision records include sufficient context to understand the AI's reasoning
8. Human override mechanisms exist for high-risk decisions
9. Oversight interfaces are available for DPOs (not just engineers)
10. Audit trail links decisions to the humans who reviewed them
Category 3: Identity Separation & Data Minimisation (Art. 10, GDPR Art. 25)
11. PII is detected before AI processing by an automated check on the data actually sent to the model, not by manual review
12. Identity data is separated from AI inference at the infrastructure level (separate store, separate key custody)
13. AI models cannot reach identity data: enforced by network segmentation, not only by written policy
14. Pseudonymous tokens (keyed-hash or vault tokens) replace identity in AI processing
15. Re-linking a token to a person requires an explicit, logged authorisation workflow
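Items 11, 12, 14 and 15 together, as an added example in Go; this is not the checklist's or The Veil platform's code. It assumes a vault in the identity segment that holds an HMAC key and the token map, a model payload type with no identity field, and a re-linkage call that needs a second approver. The Applicant shape, the field names and the sample applicant are constructed for the example. Item 13 is a network control and appears only as a comment.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"regexp"
	"strings"
	"time"
)

// Applicant is the record as it exists in the identity domain (a constructed shape for this example).
type Applicant struct {
	Name, Email string
	Income      int
}

// InferencePayload is all the model may see: a pseudonymous token (item 14) and
// non-identifying features. There is deliberately no field that could carry a name or address.
type InferencePayload struct {
	Subject string `json:"subject"`
	Income  int    `json:"income"`
}

// Vault holds the HMAC key and the token-to-identity map and runs in the identity segment;
// the inference service holds neither (item 12). Keeping the model host off that segment
// is item 13, a network-policy matter this code cannot show.
type Vault struct {
	key     []byte
	byToken map[string]string
	Audit   []string // one line per re-linkage: when, which token, who asked, who approved, why
}

func NewVault() *Vault {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	return &Vault{key: key, byToken: map[string]string{}}
}

// Tokenise derives a stable pseudonym with a keyed HMAC: the same person always gets the same
// token, but without the key a token can be neither reversed nor forged.
func (v *Vault) Tokenise(email string) string {
	norm := strings.ToLower(strings.TrimSpace(email)) // so "A@x" and "a@x" are one person
	mac := hmac.New(sha256.New, v.key)
	mac.Write([]byte(norm))
	tok := "pid_" + hex.EncodeToString(mac.Sum(nil))[:24]
	v.byToken[tok] = norm
	return tok
}

var emailRe = regexp.MustCompile(`[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}`)

// Prepare builds the model input, then scans the serialised bytes for anything identifying (item 11)
// and refuses to hand them over on a hit: the safety net for a field that later starts carrying identity.
func (v *Vault) Prepare(a Applicant) ([]byte, error) {
	b, _ := json.Marshal(InferencePayload{Subject: v.Tokenise(a.Email), Income: a.Income}) // plain struct; cannot fail
	s := string(b)
	if emailRe.MatchString(s) || (a.Name != "" && strings.Contains(s, a.Name)) {
		return nil, errors.New("refusing to send payload: identifying data present")
	}
	return b, nil
}

// Relink resolves a token back to an identity (item 15). It demands approval by someone other
// than the requester, a stated purpose and an unexpired window, and records every resolution.
func (v *Vault) Relink(token, requestedBy, approvedBy, purpose string, expires, now time.Time) (string, error) {
	switch {
	case approvedBy == "" || approvedBy == requestedBy:
		return "", errors.New("relink needs approval by someone other than the requester")
	case strings.TrimSpace(purpose) == "":
		return "", errors.New("relink needs a stated purpose")
	case now.After(expires):
		return "", errors.New("relink authorisation has expired")
	}
	id, ok := v.byToken[token]
	if !ok {
		return "", fmt.Errorf("unknown token %q", token)
	}
	v.Audit = append(v.Audit, fmt.Sprintf("%s %s requested by %s, approved by %s: %s",
		now.UTC().Format(time.RFC3339), token, requestedBy, approvedBy, purpose))
	return id, nil
}

func main() {
	v := NewVault()
	a := Applicant{Name: "Ada Example", Email: "ada@example.org", Income: 41000} // constructed sample
	payload, err := v.Prepare(a)
	fmt.Println(string(payload), err)
	tok, now := v.Tokenise(a.Email), time.Now()
	id, err := v.Relink(tok, "analyst-1", "dpo", "complaint #42", now.Add(time.Hour), now)
	fmt.Println("approved:", id, err, len(v.Audit))
}
```

The keyed HMAC matters: a plain SHA-256 of an e-mail address is not a pseudonym, because anyone holding a list of addresses can recompute it, and that is a re-identification risk under GDPR Art. 25. The token map and the key stay in the vault; rotating the key re-tokenises everyone, so the inference side must treat tokens as opaque and never persist them as long-term identifiers. The Audit slice is what item 10 and item 15 need to show who looked at whom and why.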
Category 4: Data Governance (Art. 10)
16. AI training data is inventoried and documented
17. Operational data flows are mapped and classified
18. Data retention and deletion policies are technically enforced
19. Cross-border data transfers are tracked and compliant
20. Data quality checks run before AI processing
Category 5: Verification & Audit (Art. 15; post-market monitoring, Art. 72 in the adopted text, Art. 61 in the 2021 proposal)
21. Compliance can be verified independently (not self-reported)
22. Certificates or attestations are available for auditors
23. Regular compliance testing is automated (not annual manual review)
This checklist is based on The Veil platform’s interpretation of EU AI Act requirements for high-risk AI systems. It is not legal advice. Consult your legal team for jurisdiction-specific guidance.