# AI Act checklist — YRproject

> A working checklist per regime, derived from the AI Act readiness scan on yrproject.nl. Tick what is in order; each item references the underlying article.

## High risk (Annex III/I)
- [ ] Risk management system — Art. 9 requires a systematic process to identify and mitigate risks across the full lifecycle.
- [ ] Data governance — Art. 10 sets requirements for relevant, representative and error-minimised datasets, with attention to bias.
- [ ] Technical documentation — Art. 11 + Annex IV: documentation demonstrating conformity, in place before the system is placed on the market.
- [ ] Logging — Art. 12 + 19: the provider builds in automatic logging; the deployer retains the logs.
- [ ] Human oversight — Art. 14 + 26: the provider makes oversight possible; the deployer assigns competent people to exercise it.
- [ ] Accuracy and cyber-resilience — Art. 15 requires an appropriate, consistent level of accuracy, robustness and security, stated in the instructions.
- [ ] Quality management system — Art. 17 obliges providers to maintain a documented quality system that ensures and demonstrates compliance.
- [ ] Conformity assessment and registration — Art. 43 + 49 + 71: complete a conformity assessment, affix the CE marking and register in the EU database before market entry.
- [ ] Fundamental-rights impact assessment — Art. 27 requires certain deployers (e.g. public bodies) to carry out a FRIA before putting the system into use.
- [ ] Use per instructions and monitoring — Art. 26 obliges deployers to use the system in line with the instructions and to monitor its operation.

## GPAI model (Chapter V)
- [ ] Model documentation — Art. 53 + Annex XI/XII: documentation for the AI Office and information for downstream users building on the model.
- [ ] Copyright policy — Art. 53 requires a policy that respects EU copyright law, including the text-and-data-mining reservation.
- [ ] Training-data summary — Art. 53 requires a sufficiently detailed public summary of the content used for training.
- [ ] Model evaluation (systemic risk) — Art. 55 requires state-of-the-art evaluation for systemic-risk models, including adversarial testing (red-teaming).
- [ ] Systemic-risk mitigation — Art. 55 requires assessing and mitigating systemic risks that may stem from the model.
- [ ] Incident reporting and cybersecurity — Art. 55 requires tracking and reporting serious incidents and an adequate level of cybersecurity.

## GPAI in use
- [ ] Vendor assessment — Your compliance depends on your model provider's compliance; ask for their documentation and evidence of their conformity (Chapter V).
- [ ] Output transparency — Art. 50 applies to your use of GPAI output; see the transparency entry.
- [ ] Risk of becoming a provider — Substantial modification plus your own branding can pull you into the GPAI provider regime.

## Transparency (Art. 50)
- [ ] Chatbot disclosure — Art. 50(1): the provider ensures a system interacting with people makes clear that it is AI.
- [ ] Marking of synthetic output — Art. 50(2): the provider marks AI output in a machine-readable, detectable format (see the 10 June 2026 code of practice).
- [ ] Deepfake label — Art. 50(4): the deployer discloses that image/audio/video content is a deepfake.
- [ ] Emotion-recognition notice — Art. 50(3): the deployer informs the people exposed about the system's operation.

## AI literacy (Art. 4)
- [ ] Literacy programme — Art. 4 calls for measures ensuring a sufficient level of AI literacy among those working with AI.
- [ ] Role-based knowledge — Art. 4 ties the required level to context, tasks and the persons the AI system is applied to.
- [ ] Record-keeping — Supervisors expect you to demonstrate your literacy measures; record-keeping makes that possible.

