Self-audit checklist: thirty questions to answer before commissioning an EU AI Act audit

Not every SaaS founder needs an audit on day one. Some need to triage first. Our reviewers wrote these thirty questions so that any founder can spend an hour, answer honestly, and finish with a clear read on whether the practice's full audit is the right next step, whether the Annex III triage is enough, or whether the founder can self-implement Article 50 from the snippet library alone.

Block A — Scope and exposure (questions 1–6)

1. Can a person located in the European Union sign up for and use your product today?

2. Does your sign-up flow accept email addresses ending in .eu, .de, .fr, .es, .it, or any other EU member-state TLD?

3. Do you have at least one paying or free user located in the EU?

4. Does any feature of your product make a prediction, recommendation, or decision, or generate content, based on a machine-learning model, an inference call to an external API, or a logic-based system that learns from data?

5. Do any of those features touch a user's input, output, or behaviour?

6. Are any of those features available without authentication, or behind a free-tier signup, where a person could use them without being a paying customer?

If you answered 'yes' to questions 1, 4, and 5, you are in scope of the EU AI Act under Article 2(1)(a). Continue.

Block B — Article 50 transparency (questions 7–14)

7. Does your product have a chatbot, virtual assistant, or any conversational interface where a person types or speaks and gets a response generated by an AI model?

8. When a user first enters that conversation, do you display a visible disclosure that they are talking to AI?

9. Does your product generate text, image, audio, or video content that the user receives as output?

10. Is that generated content marked with a machine-readable provenance signal (e.g. C2PA Content Credentials embedded in the file)?

11. Does your product display a visible 'AI-generated' label on or alongside such content at the point of delivery?

12. Does your product produce a deepfake, voice clone, face swap, or any synthetic media depicting real persons?

13. If yes, do you label that content as artificially generated or manipulated when it is shown to the user?

14. Does your product offer features that analyse emotional state, sentiment, or biometric categories of users?

If you answered 'yes' to question 7 but 'no' to question 8: Article 50(1) gap. If you answered 'yes' to question 9 but 'no' to questions 10 and 11: Article 50(2) gap. If you answered 'yes' to question 12 but 'no' to question 13: Article 50(4) gap. If you answered 'yes' to question 14 in a workplace or educational deployment: potential Article 5 prohibition.

Block C — Annex III high-risk (questions 15–22)

15. Does your SaaS perform remote biometric identification or large-scale voice ID?

16. Does your SaaS run as a safety component in road, water, gas, electricity, heating, or digital infrastructure?

17. Does your SaaS automatically grade student work, monitor exams, or determine school admissions?

18. Does your SaaS screen resumes, score candidates, automate promotion or termination decisions, or surveil worker productivity?

19. Does your SaaS make credit decisions, set insurance premiums, or determine eligibility for public benefits or essential services?

20. Does your SaaS support law enforcement risk assessment, evidence weighting, or polygraph-style functions?

21. Does your SaaS handle migration, asylum, border control, or visa determinations?

22. Does your SaaS influence the administration of justice or democratic processes (election advice, judicial reasoning support, jury selection)?

If you answered 'yes' to any of 15–22: your SaaS is high-risk under Annex III. The full Article 9–15 obligation stack applies, plus Article 26 deployer duties and potentially an Article 27 fundamental rights impact assessment.

Block D — Documentation and operations (questions 23–30)

23. Do you have a written model card for each AI feature in your product?

24. Do you have a public AI-use page at /ai-use or equivalent?

25. Do you reference your upstream GPAI provider's Article 53 disclosures in your own documentation?

26. Do you log, per inference, the input fingerprint, output fingerprint, model version, timestamp, and requester context?

27. Do you have a written human-oversight procedure for any high-risk AI feature?

28. Have you assessed your training, validation, and testing data for bias under Article 10?

29. Do you have a DPA AI addendum drafted for your enterprise procurement?

30. Do you have a documented incident-reporting procedure aligned to Article 73?

The number of 'no' answers in this block, particularly when combined with a high-risk classification under Block C, is the strongest signal that you should commission the practice's audit before 30 June 2026.

How to score yourself

0 gaps total. You are in good shape. Commission the practice's audit only as a paper trail for procurement or for board-level certification.

1–3 gaps in Block B, 0 elsewhere. Self-implementation from our snippet library may be enough. Read the article-by-article matrix on /eu-ai-act and ship the relevant snippets. If you want a signed deliverable for counsel, commission the audit.

3+ gaps in Block B or any gaps in Block D. Commission the audit. The reviewer time required to ship a clean implementation across multiple gaps quickly exceeds the €997 audit fee.

Any 'yes' in Block C. Commission the audit immediately. High-risk obligations are not safely self-implemented; the documentation requirements alone justify the engagement.

Any Article 5 trigger. This is an enforcement risk requiring immediate action, not an audit. Cease the practice, then engage the audit to confirm cessation and document the remediation.

The practice's intake form is at disclos.eu → 'Get audited — €997'.

Frequently asked questions

Can you score me through the intake form instead?

The intake form is for customers who have already paid and want to commission an audit. The self-audit checklist is a pre-intake tool — no commitment, no charge, just thirty questions. If you want a human read on your answers without commissioning a full audit, send the thirty answers to hello@disclos.eu and the lead reviewer will respond within one business day with a recommendation.

Does answering 'yes' to question 14 in a workplace context immediately mean we are prohibited?

Article 5(1)(f) prohibits emotion recognition in the workplace and in educational institutions, with limited exceptions for medical or safety reasons. If your product infers emotional state in those contexts and is not within those exceptions, you are non-compliant under Article 5. Disclosure does not cure a prohibited practice — only ceasing the practice does. Our reviewers will walk this on intake if you flag it.

What if I am unsure on a question?

Default to 'yes' for triage. Over-counting gaps at the self-audit stage is safe; under-counting them costs money later. The full audit will resolve each one with evidence.

Is this checklist legally binding?

No. It is a self-triage tool the practice publishes for free. It is not legal advice and it does not bind us to a specific finding in a paid audit. The audit is the binding deliverable; the checklist is the on-ramp.

Will the checklist be updated when the Act is amended?

Yes. The page's last_updated field reflects the most recent change. When the EU AI Office publishes guidance affecting any of the thirty questions, our reviewers update the relevant block and republish.

Sources

Last updated: 2026-05-30