EU AI Act Readiness: 10 Controls Every Organization Should Implement in 2026

EU AI Act readiness control
Rate this post

Last Updated on July 16, 2026 by Narendra Sahoo

This is for compliance and security leaders who already know the EU AI Act applies to them and need a concrete control set for where the law actually stands today — not a summary written before the rules changed. Awareness is done; 2026 is the year of implementation, and the rules just moved. On 29 June 2026 the Council of the EU gave its final green light to the Digital Omnibus on AI — the package that resets several of the dates compliance teams have been building toward. This guide gives you the ten controls that work together as one compliance system, current as of the Omnibus’s final adoption.

2 Dec 2027
New Annex III high-risk deadline, deferred from 2 Aug 2026
2 Aug 2026
Article 50 disclosure duty — still live, not delayed
€35M / 7%
Top fine tier for prohibited-practice violations (Article 99)
10 Controls
One governance system, not ten isolated tasks

What the Digital Omnibus Changed

Obligation Original date Date after Omnibus Status (16 Jul 2026)
Annex III high-risk systems (Art. 9, 14, 11) 2 Aug 2026 2 Dec 2027 Adopted; awaiting OJ publication
Annex I high-risk systems (embedded products) 2 Aug 2027 2 Aug 2028 Adopted; awaiting OJ publication
Article 50 AI-interaction disclosure 2 Aug 2026 2 Aug 2026 — unchanged Live; not delayed
Article 50(2) watermarking (systems on market before 2 Aug 2026) 2 Aug 2026 2 Dec 2026 grace period Adopted
New Art. 5 ban: intimate imagery / CSAM (“nudifiers”) — (new) Transitional to 2 Dec 2026 New provision

💡 CRITICAL INSIGHT

Most EU AI Act checklists published before mid-2026 still show 2 August 2026 as the deadline for high-risk obligations. That date now applies only to Article 50 disclosure — the high-risk duties in Controls 5–8 below were deferred by over a year. A control set built on the old timeline isn’t just outdated, it’s actively misleading about what’s due when.

1️⃣ Control 1 — A Complete AI System Inventory

Every obligation in the Act attaches to a specific system, so readiness starts with a register: one row per model, with owner, purpose, provider, data classification, and deployment status. Include shadow AI — assistants in browser tabs, coding copilots, AI features inside SaaS. An unlisted system is an unmanaged compliance risk, and the first thing an assessor may discover. For the full step-by-step version of this control, see VISTA InfoSec’s EU AI Act Compliance Checklist.

✅ CONTROL 1 CHECKLIST — INVENTORY

□  Build one inventory row per AI system: owner, purpose, provider, data classification, deployment status
□  Include shadow AI — browser copilots, coding assistants, AI features buried inside SaaS tools
□  Review and refresh the inventory on a recurring cycle, not once and done

2️⃣ Control 2 — Risk Classification for Every System

Map each system to the Act’s tiers — prohibited, high-risk, limited, minimal — using Article 6 and the Annex III categories. Classification drives every downstream duty: misclassify a high-risk system and Controls 5 through 8 below get built on the wrong foundation.

👉 IN PRACTICE — AN AI-POWERED RECRUITMENT TOOL

A mid-market SaaS company adds an AI-powered resume-screening feature to its recruitment product. Under the inventory (Control 1), it gets one line: owner (Head of Product), purpose (candidate shortlisting), provider (in-house model fine-tuned on a third-party foundation model), data classification (personal data, employment-related). Under classification (Control 2), Annex III lists AI systems intended for recruitment or selection of natural persons as high-risk by default — so this system triggers Articles 9, 10, and 14, plus, from 2 December 2027, the full high-risk control set below. The Article 50 disclosure duty applies today, regardless of tier. That single classification call decides whether Controls 5–8 apply at all — exactly why Control 2 sits upstream of everything that follows.

✅ CONTROL 2 CHECKLIST — CLASSIFICATION

□  Map each system against Article 6 and the Annex III high-risk categories
□  Document the classification rationale in writing, not just the conclusion
□  Re-classify whenever a system’s purpose, provider, or deployment changes

Not sure how the Digital Omnibus changes your deadlines?

VISTA InfoSec’s AI governance consultants map your systems, confirm your classification, and tell you exactly which post-Omnibus deadline applies — no guesswork, no jargon.

Explore EU AI Act Compliance Services →

3️⃣ Control 3 — A Prohibited-Practices Screen

Screen the inventory against the Article 5 bans — social scoring, manipulative systems, unlawful biometric use — and, since the Digital Omnibus, a new prohibition on AI-generated non-consensual intimate imagery and CSAM (“nudifiers”), which carries a transitional period to 2 December 2026 for providers to add safeguards. The original bans have been enforceable since February 2025 and carry the top fine tier (€35M / 7% of turnover under Article 99). This is the one control with no partial credit: if a use is prohibited, it stops.

✅ CONTROL 3 CHECKLIST — PROHIBITED PRACTICES

□  Screen every system against the Article 5 bans, including the new nudifier/CSAM prohibition
□  Treat any prohibited use as a hard stop — not a risk to document and manage
□  Track the 2 December 2026 transitional deadline for the new prohibition

4️⃣ Control 4 — AI Literacy Training

Under Article 4, staff who work with AI must understand its capabilities and limits — mandatory since February 2025 and one of the easiest things an auditor can check. The Digital Omnibus softens the legal standard from guaranteeing a specific literacy level to supporting its development, but that’s a drafting nuance, not a compliance exemption. Cover developers, deployers, procurement, and anyone exercising human oversight, and keep attendance records: unevidenced training doesn’t count as done.

✅ CONTROL 4 CHECKLIST — AI LITERACY

□  Train developers, deployers, procurement, and human-oversight staff on AI capabilities and limits
□  Keep dated attendance and completion records as evidence
□  Update materials to reflect the Omnibus’s softened literacy standard

Want all ten controls as a downloadable checklist?

Download VISTA InfoSec’s free EU AI Act Readiness Checklist — covering all ten controls in this guide, ready to work through control by control.

Download Free Readiness Checklist →

5️⃣ Control 5 — A Risk-Management Process for High-Risk AI

For high-risk systems, Article 9 requires a documented, lifecycle-long risk-management system — identify, assess, mitigate, monitor. The Digital Omnibus pushed the compliance date for stand-alone (Annex III) high-risk systems to 2 December 2027, so there’s more runway than the original 2 August 2026 date implied. Use it to anchor the process in a recognised AI risk management framework — the NIST AI Risk Management Framework and its Generative AI Profile — rather than to delay starting.

✅ CONTROL 5 CHECKLIST — RISK MANAGEMENT

□  Stand up an Article 9 risk-management process: identify, assess, mitigate, monitor
□  Anchor it in the NIST AI RMF and its Generative AI Profile
□  Use the extended runway to build it properly — not as a reason to delay starting

6️⃣ Control 6 — Data Governance and Quality Checks

High-risk systems must eventually be trained and operated on data that is relevant, representative, and examined for bias — a duty now due by 2 December 2027 for Annex III systems, not 2 August 2026. That extra runway applies to the AI Act deadline only: GDPR exposure from poorly governed personal data runs on its own clock and doesn’t move with the Omnibus. Build documented data lineage, quality gates before training, and records of the checks performed now, while the deadline pressure is off and the gaps are still cheap to fix.

✅ CONTROL 6 CHECKLIST — DATA GOVERNANCE

□  Document data lineage and quality gates before training begins
□  Keep records of every bias and quality check performed
□  Remember: GDPR exposure doesn’t move with the Omnibus’s extra runway

7️⃣ Control 7 — Technical Documentation and Logging

The Act expects technical documentation sufficient for an authority to assess compliance, plus automatic logging so decisions are traceable after the fact — due for Annex III high-risk systems by 2 December 2027 under the Digital Omnibus’s revised timeline. Build record-keeping into the pipeline now anyway: documentation reconstructed retroactively is obvious to an assessor, whichever year the assessment lands in.

✅ CONTROL 7 CHECKLIST — DOCUMENTATION & LOGGING

□  Build technical documentation as you go, not retroactively before an assessment
□  Turn on automatic logging so decisions are traceable after the fact
□  Assign a named owner responsible for keeping documentation current

8️⃣ Control 8 — Human Oversight and Transparency Duties

Under Article 14, a competent person must be able to understand, intervene in, or stop a high-risk system — named individuals with real authority and training, not a policy sentence. That duty now follows the deferred high-risk timeline: 2 December 2027 for Annex III systems. Article 50 transparency duties are a separate track, and the Omnibus left them alone: they apply from 2 August 2026, regardless of a system’s risk tier — disclose AI interaction and label AI-generated content.

⚠ DON’T CONFUSE THESE TWO CLOCKS

The one partial exception is watermarking under Article 50(2): systems already on the market before 2 August 2026 get a four-month grace period, to 2 December 2026. Don’t let the high-risk deferral above lull you into treating Article 50 as delayed too — it isn’t. Disclosure obligations are live from 2 August 2026 for every system that interacts with people, no matter its risk tier.

✅ CONTROL 8 CHECKLIST — OVERSIGHT & TRANSPARENCY

□  Name individuals with real authority to intervene in or stop a high-risk system
□  Meet the Article 50 disclosure duty by 2 August 2026, regardless of risk tier
□  Track the separate 2 December 2026 watermarking grace period

Need your human-oversight and transparency duties audited?

VISTA InfoSec reviews your oversight assignments and Article 50 disclosure mechanisms against the post-Omnibus timeline — so nothing slips through on the wrong clock.

Get Expert Support →

9️⃣ Control 9 — Third-Party and Vendor AI Governance

Most organisations’ riskiest AI arrives through vendors. Extend due diligence to model providers: training-data provenance, change-notification SLAs, security testing evidence, and clear breach terms. The GPAI Code of Practice is the benchmark for what a serious provider should already commit to. Vendor contracts allocate responsibilities — they don’t transfer your deployer obligations under the Act.

✅ CONTROL 9 CHECKLIST — VENDOR GOVERNANCE

□  Extend due diligence to model providers: provenance, SLAs, security evidence, breach terms
□  Benchmark providers against the GPAI Code of Practice
□  Remember vendor contracts don’t transfer your deployer obligations

🗿 Control 10 — Incident Response and Serious-Incident Reporting

High-risk systems carry serious-incident reporting duties with strict timelines, and failing to report is a separate violation that compounds the first. Extend your incident-response playbooks to AI: detection for model failures and prompt-injection abuse — the OWASP Top 10 for LLM Applications and MITRE ATLAS map that attack surface — defined escalation, and a rehearsed notification path to the right authority.

✅ CONTROL 10 CHECKLIST — INCIDENT RESPONSE

□  Extend incident-response playbooks to model failures and prompt-injection abuse
□  Map your attack surface against the OWASP LLM Top 10 and MITRE ATLAS
□  Rehearse the notification path to the right authority before you need it

🔗 Tie the Ten Together — Then Test Them

Ten controls only protect you if they operate as one system. ISO/IEC 42001 gives you the management-system wrapper — and helps satisfy the Act’s own quality-management duty under Article 17 — while a conformity assessment is the formal test high-risk systems must pass before going live. Not sure whether you need the certification on top of the Act itself? See VISTA InfoSec’s EU AI Act vs. ISO 42001: What’s the Difference, and Do You Need Both? Track the moving dates through the implementation timeline and the EU AI Office. Guidance from ENISA and CISA closes the security loop.

The table below shows how the ten controls actually gate one another — and which deadline governs each, now that high-risk and transparency duties sit on two different clocks.

Control Depends on Deadline status (post-Omnibus)
1 — AI system inventory No fixed deadline — enables everything below
2 — Risk classification 1 No fixed deadline — gates Controls 5–8
3 — Prohibited-practices screen 1 Enforceable now (since Feb 2025); nudifier/CSAM addition transitional to Dec 2026
4 — AI literacy training Ongoing since Feb 2025 (standard softened by Omnibus)
5 — Risk-management process 2 Annex III: 2 Dec 2027 / Annex I: 2 Aug 2028
6 — Data governance & quality 2, 5 Same as Control 5
7 — Technical docs & logging 5, 6 Same as Control 5
8a — Human oversight (Art. 14) 5 Same as Control 5
8b — Transparency (Art. 50) 1 2 Aug 2026 (watermarking: 2 Dec 2026 grace)
9 — Vendor & third-party governance 1 Ongoing
10 — Incident response & reporting 1–9 Ongoing, own reporting-timeline duties

“A checklist isn’t evidence. A tested control is.”

How VISTA InfoSec Turns This Checklist Into a Tested Control Set

VISTA InfoSec’s AI governance assessments follow the same practitioner-led, evidence-based methodology behind our other regulatory engagements, run in three phases:

1. Inventory & Classification

Build or validate your AI system inventory and confirm risk classification against Article 6 and Annex III, including shadow AI.

2. Control Gap Assessment

Benchmark current practice against all ten controls above and the Act’s post-Omnibus deadlines — policies, technical controls, and vendor contracts.

3. Remediation Roadmap

A prioritised remediation roadmap that names owners and dates, ahead of conformity assessment.

In our published DPO-as-a-Service case study, a full compliance gap assessment, policy framework, and staff training rollout were delivered inside four weeks for a UK financial services client. We bring that same audit rigor to benchmarking your AI estate against all ten controls above.

KEY TAKEAWAYS

✓  High-risk (Annex III) deadlines are now 2 December 2027, not 2 August 2026 — but Article 50 disclosure is still due 2 August 2026
✓  Start with the inventory (Control 1) — every other control depends on knowing what systems you run
✓  Prohibited practices (Control 3), now including the new nudifier/CSAM ban, have no partial credit and no deadline flexibility
✓  The extra runway on high-risk duties is time to build controls properly — not a reason to delay starting
✓  A checklist isn’t evidence — a documented, tested control is what an assessor actually credits

Frequently Asked Questions

Is the EU AI Act in force?
Yes. It entered into force on 1 August 2024 and is rolling out in phases: prohibited-practice bans and AI literacy duties since 2 February 2025, GPAI model obligations since 2 August 2025, and Article 50 transparency duties from 2 August 2026. High-risk system obligations, originally due 2 August 2026, were deferred by the Digital Omnibus to 2 December 2027 (Annex III) and 2 August 2028 (Annex I).
When does the EU AI Act apply to my organization?
It depends on what your AI systems do, not where your company is headquartered. If a system is prohibited under Article 5, that ban already applies. If it’s high-risk under Annex III, you now have until 2 December 2027. If it interacts with people or generates content for them, Article 50 disclosure applies from 2 August 2026 regardless of risk tier.
Does the EU AI Act apply to the UK?
Yes, for UK organizations whose AI systems process the data of people in the EU or place AI outputs on the EU market — the Act has extraterritorial reach similar to the GDPR.
What is the Digital Omnibus on AI?
A package of amendments to the EU AI Act, formally endorsed by the European Parliament on 16 June 2026 and given final Council approval on 29 June 2026, that defers high-risk system deadlines, adds a new ban on AI-generated non-consensual intimate imagery and CSAM, and gives providers a grace period on watermarking. It leaves the Article 50 transparency duties untouched.
What happens if we fail an EU AI Act assessment?
It depends on which duty is failed. Prohibited-practice violations carry the top fine tier (€35M or 7% of global turnover). High-risk and other obligations carry lower, still material, tiers. Beyond fines, a failed assessment typically means a remediation timeline set by the regulator rather than by you.
Do we need ISO/IEC 42001 as well as EU AI Act compliance?
Not automatically, but the two are complementary rather than interchangeable: ISO/IEC 42001 is a voluntary AI management-system certification, while the EU AI Act is a legal obligation. Building an ISO 42001-aligned management system is one of the more efficient ways to satisfy the Act’s Article 17 quality-management duty and support your Control 5–7 documentation. See VISTA InfoSec’s EU AI Act vs. ISO 42001 comparison for how the two map to each other and whether you need both.

The Bottom Line

The organisations that fail their first EU AI Act assessment won’t be the ones who misjudged the law — they’ll be the ones still planning against a deadline the Digital Omnibus already moved. The EU AI Act requirements still reward early movers: an inventory can be built in weeks; fixing gaps found during an assessment often takes months, regardless of which year that assessment lands in. Individually, these are EU AI Act controls. Mapped together with current dates, they’re a governance system you can hand to a control owner today.

Related reading: VISTA InfoSec’s EU AI Act Compliance Checklist — the step-by-step version of Control 1.

VISTA InfoSec • AI Governance & EU AI Act Compliance Specialists

Ten Controls, Two Real Deadlines — Know Where You Stand

2 August 2026 for Article 50 disclosure, 2 December 2027 for high-risk systems. Get an EU AI Act readiness assessment now and know exactly which of the ten controls you’d fail today, while fixing them is still cheap.

 

Schedule a Free Readiness Assessment → Download Free Readiness Checklist