vista infosec white

EU AI Act Readiness Checklist

EU AI Act Readiness Checklist

Most organisations don’t fall short on the EU AI Act because they ignored it — they fall short because they can’t say with confidence which risk tier a system sits in, or where a vendor’s duties end and theirs begin. The Act has applied in phases since February 2025, and the high-risk Annex III deadline now lands 2 December 2027. Undocumented classification, vendor reliance, and stale risk files are exactly what market-surveillance authorities examine first. This guide maps where you stand, tier by tier — before a regulator writes the roadmap for you.

Download the White Paper

What’s inside this guide:

The four risk tiers and the obligations attached to each, from prohibited practices to voluntary codes

A phased deadline table (Feb 2025 → Aug 2028), including how the 2025 Digital Omnibus re-timed the high-risk clock

Role-by-role duties for providers, deployers, importers, distributors, and general-purpose AI model providers

A complete, article-referenced readiness checklist spanning governance, classification, high-risk obligations, transparency, and post-market monitoring

The evidence and documentation pack a market-surveillance authority will actually ask for

A worked example — a high-risk AI recruitment tool — showing how obligations split between provider and deployer

The penalty structure by infringement tier, up to €35M or 7% of global turnover

A 3-phase roadmap from AI inventory to full high-risk conformity

The 5 most common readiness pitfalls seen in early AI Act programmes

A quick-reference obligation matrix by role (Annex A)

Expert Auditors. Faster Certification.