EU AI Act Compliance Checker
The EU AI Act is the world's first comprehensive legal framework for artificial intelligence. It classifies AI systems by risk level and imposes obligations accordingly, with healthcare AI typically falling under the "high-risk" category. This tool evaluates your AI system against risk classification criteria, data governance practices, transparency and documentation requirements, human oversight mechanisms, accuracy and robustness testing, and post-market monitoring obligations.
Risk Classification
Determination of your AI system's risk level and applicable regulatory tier.
Q1. Have you formally classified your AI system's risk level (unacceptable, high-risk, limited, or minimal) according to Annex III of the EU AI Act?
Q2. If your AI system is used in healthcare (e.g., diagnosis, treatment recommendations, triage), have you registered it as a high-risk system in the EU database as required by Article 60?
Q3. Have you completed a conformity assessment (self-assessment or third-party) appropriate to your AI system's risk classification before placing it on the EU market?
Q4. Do you have a documented process to re-evaluate the risk classification whenever the AI system undergoes a substantial modification to its intended purpose, training data, or architecture?
© 2026 VertiComply. All rights reserved.
About the EU AI Act Compliance Checker
The EU AI Act Compliance Checker assesses readiness against Regulation (EU) 2024/1689, the first comprehensive horizontal AI regulation worldwide, in force since August 2024 with phased applicability through 2026–2027. The 24 questions classify your AI system against the Act's risk tiers (prohibited, high-risk, limited-risk, minimal-risk) and assess the required controls: data governance, technical documentation, transparency, human oversight, accuracy, robustness, and cybersecurity. The healthcare-adjacent context matters: AI systems intended as medical devices or used in healthcare contexts are presumptively high-risk under Annex III, which triggers the heaviest compliance obligations, including conformity assessments, post-market monitoring, and serious incident reporting. The score reflects the gap against the high-risk obligations, because that is where most healthcare AI lands.
What this EU AI Act assessment covers
The 24-question assessment scores 100 points across 6 weighted categories. Each category reflects a distinct EU AI Act control domain.
Risk Classification · 18 pts · 4 questions
Determination of your AI system's risk level and applicable regulatory tier.
Data Governance · 17 pts · 4 questions
Assessment of training, validation, and testing data management practices.
Transparency & Documentation · 18 pts · 4 questions
Evaluation of documentation, explainability, and information disclosure obligations.
Human Oversight · 17 pts · 4 questions
Assessment of human-in-the-loop controls and override mechanisms.
Accuracy & Robustness · 15 pts · 4 questions
Evaluation of performance testing, validation, and resilience against adversarial inputs.
Post-Market Monitoring · 15 pts · 4 questions
Assessment of ongoing monitoring, incident reporting, and continuous improvement obligations.
Common EU AI Act compliance gaps
The patterns we see most frequently in EU AI Act self-assessments and remediation work. Each is the kind of finding an auditor flags first.
Risk tier classification is unclear. Teams build AI features without first determining whether they fall under prohibited, high-risk, limited-risk, or minimal-risk categories. Misclassification is the most common gap — features perceived as low-risk often qualify as high-risk under Annex III, particularly anything involving medical decisions, employment screening, or biometric identification.
Training data lineage isn't documented. Article 10 requires training, validation, and testing datasets be relevant, representative, and free of errors. High-risk providers must document the data's source, collection process, and any preprocessing. Most teams cannot reconstruct training data provenance for models trained 18+ months ago.
Human oversight is named but not designed. Article 14 requires human oversight measures that allow humans to understand, monitor, intervene, and override AI system outputs. 'A human reviews the output' is not sufficient — the design must enable meaningful intervention with adequate time, information, and authority.
Transparency obligations to users aren't met. Article 13 requires high-risk system providers to give users instructions for use including the AI's intended purpose, accuracy levels, foreseeable circumstances of use, and limitations. Article 50 requires AI systems interacting with humans to disclose AI involvement. Both are routinely missed in user-facing features.
No conformity assessment plan. High-risk systems require conformity assessment before market placement — either internal control (Annex VI) for most providers or notified body involvement (Annex VII) for biometrics. Teams discover this requirement when they're already in market.
Post-market monitoring is not designed. Article 72 requires high-risk system providers to actively collect performance data, document predictable risks, and report serious incidents to authorities within 15 days (3 days for widespread infringements). Most teams have product analytics but not a regulated post-market monitoring system.
Generative AI model usage isn't documented. Article 53 introduces transparency obligations for general-purpose AI (GPAI) model providers; Article 55 adds systemic risk obligations for the largest models. Downstream users (deployers) need documentation from their GPAI provider — most teams use OpenAI, Anthropic, or others without reviewing the GPAI compliance posture.
What to do with your EU AI Act results
Your score is a starting point — these are the steps that convert the assessment into actionable remediation.
Classify every AI feature against Annex III high-risk categories. Healthcare-adjacent classifications (medical devices, employment, biometric ID, public service decisions) trigger the highest obligations. Document the reasoning even when the classification is low-risk — auditors evaluate the analysis, not just the conclusion.
Build a technical documentation file per high-risk system. Annex IV specifies the contents: system description, design specifications, training data, testing methodologies, risk management, change management. The file must be ready when the system is placed on the market and maintained throughout.
Stand up a risk management system per Article 9. Continuous (not one-time) identification, analysis, and mitigation of risks across the system lifecycle. Document the methodology.
Identify GPAI provider obligations downstream. If you use third-party models (OpenAI, Anthropic, Google, Meta), confirm what compliance documentation they provide and what residual obligations fall to you as the deployer.
Plan for the conformity assessment timeline. Internal control conformity assessment takes 4–12 weeks; notified body assessment can take 6–9 months. Place this on the roadmap as a non-negotiable gate before market launch.
EU AI Act compliance FAQ
When does the EU AI Act apply to my product?
Phased application: prohibited practices banned 2 February 2025; GPAI obligations 2 August 2025; high-risk obligations 2 August 2026 (most healthcare AI); some Annex II high-risk systems 2 August 2027. By 2026 most healthcare AI products either fall under the high-risk regime or must demonstrate why they don't.
Does the EU AI Act apply to my US healthcare AI product?
If your AI system is placed on the EU market or its output is used in the EU, yes — the Act is extraterritorial. A US healthcare AI vendor with EU customers triggers the obligations regardless of where the system is hosted or developed.
What is a 'high-risk' AI system under the EU AI Act?
Defined in Annex III. Includes: AI used as safety components of products covered by EU product safety legislation; AI for biometric identification and categorization; AI in critical infrastructure, education, employment, essential services, law enforcement, migration, justice, and democratic processes. Most healthcare-decision AI lands in this category.
What's the maximum penalty under the EU AI Act?
Up to €35 million or 7% of worldwide annual turnover for prohibited practice violations (higher of the two). High-risk system violations cap at €15 million or 3% of turnover. Providing incorrect information to authorities caps at €7.5 million or 1% of turnover. SME-specific caps apply.
How does the EU AI Act interact with GDPR?
Complementary, not redundant. GDPR governs the processing of personal data; the AI Act governs the AI system itself. An AI system processing personal data must comply with both. The GDPR's automated decision-making provisions (Article 22) overlap with the AI Act's high-risk obligations and frequently apply simultaneously.
What does 'human oversight' actually require?
Per Article 14, the system must be designed so individuals to whom oversight is assigned can fully understand its capabilities and limitations, monitor operation, correctly interpret outputs, decide not to use it or override it, and intervene in operation. Generic 'a human reviews' workflows often fail this standard — the design must enable meaningful intervention.
Build it instead of buying it
Generate a EU AI Act-compliant healthcare app with the controls built in
VertiComply generates production-ready healthcare applications with EU AI Act controls scaffolded from the first commit — no add-on tier, no platform lock-in, code exported to your GitHub.