First steps: EU AI Act compliance for deployers
The first steps to EU AI Act compliance for deployers are: build an AI inventory, classify each system against Art. 6, request the provider documentation, start AI-literacy training under Art. 4, and assign ownership. These steps create the foundation for the Art. 26 obligations.
Updated: June 2026
Introduction: starting from zero
Most Dutch organisations are somewhere on the spectrum between "we haven't started" and "we have a basic inventory." Very few have achieved the level of systematic compliance that the EU AI Act ultimately requires. The good news: you do not need to achieve full compliance immediately. The regulation's phased deadlines, and the proportionality principle built into the law, allow for a structured approach.
This article identifies the five most important first steps for deployers, prioritised by legal urgency and practical impact.
Step 1: build your AI inventory
You cannot comply with obligations you do not know about. The first step is a systematic inventory of every AI system your organisation uses: not just the ones IT knows about, but also the SaaS tools that business units procure independently, the AI features embedded in enterprise software, and the AI-enabled workflows in your operations.
A useful inventory structure:
- System name and vendor
- Business function (HR, finance, operations, etc.)
- Primary use case
- Affected categories of individuals
- Preliminary risk classification (to be confirmed in Step 2)
- Operational status (in use / planned / under review)
Assign this exercise to a cross-functional team that includes IT, legal, HR, and business unit representatives. The AI inventory often surfaces surprises: business units using AI tools that IT is unaware of, and vendor features that have enabled AI without an explicit organisational decision.
Step 2: classify your AI systems
For each system in your inventory, determine its risk classification under Art. 6:
- Prohibited (Art. 5): Immediately assess against the eight prohibitions
- High-risk (Annex I or III): Full Art. 26 compliance obligations apply
- GPAI systems (Art. 52–55): Transparency obligations
- Minimal risk: No mandatory EU AI Act obligations (though voluntary codes of practice apply)
For systems where classification is uncertain: apply the conservative default. Classify as high-risk until you can substantiate a lower classification. Document your reasoning.
Step 3: set up AI governance
Compliance requires accountability structures. At minimum:
- Appoint an AI Officer (or assign the function to an existing role like the DPO or CTO)
- Define the AI Officer's responsibilities: maintaining the inventory, overseeing classification, approving risk downgrades, liaising with supervisory authorities
- Establish a governance process for new AI system procurement: no new high-risk AI without classification, DPIA/FRIA assessment, and sign-off
- Create a policy document that sets out your organisation's AI governance framework
Step 4: prioritise high-risk systems
Not all compliance work has equal urgency. Focus first on your high-risk AI systems in the categories that took effect earliest:
- Art. 5 prohibited practices: compliance required since 2 February 2025
- Art. 4 AI literacy: required since 2 February 2025
- High-risk AI in regulated products (Annex I): deadline 2 August 2028
- Stand-alone high-risk AI (Annex III): deadline 2 December 2027
For Annex III high-risk systems: build your compliance dossier now. The 2027 deadline appears distant, but the work is substantial: FRIA, DPIA, human oversight arrangements, training documentation, and log retention systems.
Step 5: establish supplier relationships
For every high-risk AI system you procure: engage your supplier. Request:
- The provider's technical documentation (summary)
- The EU declaration of conformity (or conformity assessment status)
- The instructions for use
- The EU database registration number
- Contractual commitments on incident notification, performance monitoring, and documentation updates
Suppliers who cannot or will not provide this information present a compliance risk. Document your requests and their responses.
Compliance checklist
- Is there a complete AI inventory for your organisation?
- Has every AI system been classified against Art. 5 and Art. 6?
- Is there an appointed AI Officer with defined responsibilities?
- Is there a governance process for new AI procurement?
- Have you engaged suppliers of high-risk AI systems and requested compliance documentation?
- Is there a documented compliance roadmap for high-risk AI systems with deadlines assigned?