AI literacy and prohibited practices
Competency obligations and Article 5 prohibitions are in force.
AI Act Cheat Sheet
Check your company's AI Act readiness and plan the next steps
A practical decision framework for organizations using AI. Answer short questions, receive a recommendation, and get a ready-to-use 0-30-90 day action plan.
Milestones (absolute dates)
Key dates resulting from the AI Act (EU 2024/1689) that should be included in your implementation timeline.
GPAI obligations
Requirements for general-purpose AI models begin to apply.
Main wave of obligations
Most provisions, including transparency obligations, fully apply.
Additional high-risk obligations
An additional stage applies to selected high-risk systems.
AI Act Compliance Chain
Step-by-step schema of actions needed to achieve and maintain compliance. Items marked as cyclical require regular reporting.
Requires cyclical reporting
One-time / on change
Critical for selected segment
High impact
AI Act Annual
AI Systems Inventory
Identify and document all AI systems used in your organization — from chatbots to recommendation engines. The register must be updated annually.
Art. 6 AI ActAI Act Semi-annual
Prohibited Practices Audit
Verify that none of your AI systems perform prohibited practices: social scoring, subliminal manipulation, mass biometric recognition.
Art. 5 AI ActAI Act Annual
Risk Assessment & DPIA
Conduct a risk assessment for each AI system. For high-risk systems processing personal data — a mandatory DPIA (Art. 35 GDPR).
Art. 9 AI Act + Art. 35 RODOAI Act On change
Transparency Obligations
Implement AI-generated content labeling, inform users of AI interactions, disclose deepfakes. Update whenever the system changes.
Art. 50 AI ActAI Act Annual
AI Literacy Training
Provide documented training for staff working with AI: model limitations, risks, human oversight principles. Repeat at least annually.
Art. 4 AI ActGDPR Continuous
GDPR Compliance
Ensure lawful basis for AI data processing, fulfill information duties, handle data subject rights, and maintain retention policies.
Art. 6, 13, 14, 15–22 RODOAI Act Continuous
Human Oversight
Implement human review mechanisms for AI decisions, decision logging, incident procedures, and the ability for human intervention.
Art. 14 AI ActWCAG Quarterly
WCAG Accessibility
Maintain AI interfaces compliant with WCAG 2.1 AA: contrast, keyboard navigation, ARIA, accessible forms. Audit regularly.
EN 301 549 / EAAAI Act On change
Technical Documentation
Maintain up-to-date technical documentation for AI systems: architecture, training data, metrics, testing procedures. Update on every significant change.
Art. 11, 12 AI ActAI Act Annual
Internal Audit
Conduct a comprehensive internal audit covering all AI Act, GDPR, and WCAG requirements. Report findings and implement recommendations.
Art. 9, 61 AI ActAI Act Annual
Board Approval
Present audit results and risk assessment to the board. Obtain formal approval of AI strategy and compliance budget.
Art. 26 AI ActCheck your company's readiness
Answer 11 questions about your organization and receive a personalized report with risk assessment, readiness level, and a 0-30-90 day action plan.
Start the readiness wizardTurn your AI Act plan into practical compliance
Complete the step-by-step framework and run GDPR and WCAG scans to reduce risks and scale AI deployments safely.
Legal sources and implementation FAQ
Below you will find legal acts underpinning this form and answers to the most common practical questions.
Legal sources
Official EU and Polish legal acts worth including in your implementation documentation.
FAQ (AI Act + GDPR + WCAG)
Most common operational and legal questions when implementing AI in a company.
Is the AI Act alone enough if we use personal data?
No. The AI Act and GDPR apply in parallel. If your AI process involves personal data, you must also meet GDPR requirements (including legal basis, transparency notices, data subject rights, and security).
When should DPIA be considered for AI processes?
When processing may create high risk to individuals' rights and freedoms, especially in profiling, large-scale monitoring, or automated decision-making. In such cases, DPIA should be completed before rollout.
Do chatbots and AI-generated content require labeling?
As a rule, yes. When a user interacts with AI or consumes generated/synthetic content, you should provide clear notice and appropriate labeling under Article 50 of the AI Act.
Does GDPR Article 22 block every use of AI scoring?
Not every use, but it is critical when a decision is solely automated and produces legal or similarly significant effects. In that case, additional safeguards, human intervention, and an appeal path are required.
Do WCAG requirements also apply to AI-generated content?
Yes. If content or interfaces are available to end users, their accessibility must meet WCAG 2.1 AA and relevant sector-specific rules (EAA/PAD/public sector).
We are B2B and use AI internally only. Do we still have obligations?
Yes, although typically of a different type. Governance, AI literacy, risk analysis, and documentation still apply. Consumer-accessibility obligations may be smaller, but GDPR still applies where personal data is involved.
Is one-time documentation enough?
No. Both the AI Act and GDPR require a continuous approach: updating registers, reviewing risks, monitoring incidents, and refreshing policies as models and processes change.
When do we need an accessibility statement?
In the public sector, it is a standard obligation. For EAA/PAD-covered services, you must ensure accessibility compliance and provide transparent information on compliance level and barrier-removal plans.
Does an AI vendor take full legal responsibility for us?
No. Responsibility remains with the organization using AI. Vendor agreements (DPA/SCC, role and liability split) are important, but they do not replace your own compliance program.
Can this form be treated as legal advice?
No. This is a screening tool for quick risk mapping and prioritization. Final compliance assessment should be validated by legal/compliance and technical experts based on your organization's actual data.