A compliance officer at a mid-size European bank added your fraud detection SaaS to their vendor review queue three weeks ago. Yesterday, a questionnaire landed in your inbox.

It's 68 questions.

Section 1 asks whether you consider your system "high-risk" under the EU AI Act. Section 3 asks about your training data. Section 5 asks how human analysts can override your system's decisions. Section 9 asks whether you've performed a Fundamental Rights Impact Assessment.

You weren't expecting a Fundamental Rights Impact Assessment.

Here's what you need to know — and how to answer the questions that matter most.

Is Fraud Detection Software High-Risk?

Almost certainly yes, if your product makes or informs decisions that affect individual customers.

EU AI Act Annex III lists high-risk AI system categories. Point 5(b) covers AI systems used "for the purpose of evaluating the creditworthiness of natural persons or establish their credit score." Recital 58 of the Act clarifies that this scope includes systems used in fraud detection contexts where outputs have legal or similarly significant effects on individuals — for example, blocking a transaction, freezing an account, or denying a refund.

If your software scores transactions, flags behavioral anomalies, or produces risk ratings that determine whether a customer is blocked or a case is escalated to manual review, you are almost certainly operating in high-risk territory.

Your bank customer already knows this. They ran the classification analysis on their side before they sent you the questionnaire. A vendor who responds that their fraud detection tool is "probably limited-risk" loses credibility immediately and creates a compliance gap in the buyer's own documentation.

The Questions That Trip Up Fraud Detection Vendors

"Do you consider your system high-risk under Annex III?"

Don't hedge. Be explicit and map to the specific Annex III point.

Answer framework:

"[Product] processes individual-level behavioral and transaction data to produce risk scores that inform decisions affecting individual customers, including transaction blocking and case escalation. Based on Annex III point 5(b) and the financial services context described in Recital 58, we classify [product] as a high-risk AI system. As a provider of a high-risk system, we maintain the technical documentation, risk management system, and human oversight mechanisms required under Articles 11, 9, and 14 respectively."

"Describe your model's false positive rate and how it is monitored."

This is the question fraud detection vendors most frequently dodge — usually because the false positive rate varies significantly by customer configuration, fraud pattern distribution, and transaction volume, and vendors don't want to commit to a number.

The problem is that banks are subject to consumer protection regulation. They need to show their regulator that AI-driven fraud blocks don't disproportionately affect certain customer groups. Article 10 bias concerns apply directly here. Vague answers generate follow-up requests from the bank's DPO and legal team that add weeks to your deal cycle.

Answer framework:

"At standard deployment thresholds, [product] achieves a false positive rate of approximately [X]% on our internal benchmark dataset. Actual false positive rates vary by customer configuration, transaction volume, and the fraud pattern distribution in the customer's market. Real-time performance monitoring is available in the [reporting interface], with configurable alerts triggered when the false positive rate exceeds a customer-defined threshold. Monthly performance summaries are available for customer compliance documentation and regulatory review."

"How can our analysts override or reject AI recommendations?"

Article 14 applies to fraud detection AI exactly as it applies to hiring tools. Your bank customer needs to document that human analysts reviewed flagged transactions before accounts were blocked or customers were contacted.

Answer framework:

"[Product] presents fraud flags and risk scores as recommendations in the analyst interface. No automated action is taken on a flagged transaction until an analyst confirms, overrides, or escalates the recommendation within the system. All analyst decisions are timestamped and stored in the audit log, retained for [X months]. The audit log is exportable in [CSV / JSON / specify format] and is available for use in the customer's compliance documentation and regulatory submissions."

"Have you conducted a Fundamental Rights Impact Assessment?"

This question startles founders who haven't encountered it before. It sounds like something only the largest enterprise AI companies would need to produce.

Here is the key distinction: under Article 27 of the EU AI Act, the obligation to conduct a Fundamental Rights Impact Assessment sits primarily with the deployer — in this case, your bank customer. As the AI provider, you are not directly required to produce a FRIA. But sophisticated banks ask this question because they want to know whether you can support theirs.

Answer framework:

"As a provider rather than deployer under Article 3(3) of the EU AI Act, the primary obligation for a Fundamental Rights Impact Assessment under Article 27 rests with [bank name] as the deployer. [Product] supports our customers' FRIA process by providing: model documentation covering intended use, known limitations, and performance characteristics across demographic groups; bias evaluation results; and technical documentation in the format required under Annex IV. This documentation is available to enterprise customers upon request under NDA."

"What is your data retention and deletion policy for transaction data processed through your system?"

Banks have their own regulatory data retention requirements under EBA guidelines and national financial regulation. They need to confirm that your retention practices are compatible with theirs.

Answer framework:

"Transaction data processed through [product] is retained for [X period] in a secured, access-controlled environment consistent with the terms of our data processing agreement. Data deletion requests are honored within [X business days] in compliance with GDPR Article 17. [Product] does not use customer transaction data to train or update shared models without explicit, documented customer consent."

"Is your system compliant with the EU AI Act as of August 2, 2026?"

This is increasingly common as the high-risk obligations deadline approaches. Banks are running vendor reviews ahead of time because they need to document that their AI vendor list was assessed before the deadline, not after.

Don't claim full compliance you can't substantiate. But don't deflect, either.

Answer framework:

"[Product] is on track to meet the high-risk AI system obligations under the EU AI Act effective August 2, 2026. Specifically: our risk management system under Article 9 is operational; technical documentation under Article 11 and Annex IV is [complete / in final review]; our conformity assessment process under Article 43 is [complete / underway, targeted for completion by (date)]; our EU declaration of conformity under Article 47 is [complete / targeted for (date)]. We are happy to share current documentation and a compliance milestone timeline."

Why Bank Questionnaires Are Different

What makes financial services questionnaires different from other enterprise questionnaires is specificity. Banks have compliance teams who have read the EU AI Act. They ask about specific articles. They send follow-up questions when answers are vague. They compare your answers to your competitors' answers.

If your first answer to "describe your human oversight mechanism" is "our system is designed to be auditable," you will receive a follow-up asking what specifically is logged, how analysts access it, what format the log exports in, and how long records are retained. That follow-up adds a week to your deal cycle. Sometimes more.

Go specific in your first answer. It closes the loop faster and signals to the bank's legal team that you have the depth to support a regulated enterprise customer.

Preparing Before the Questionnaire Arrives

The 68-question vendor review doesn't arrive randomly. Banks build their AI vendor review queues ahead of regulatory deadlines. If your fraud detection SaaS is deployed with any European bank or financial institution, your questionnaire is likely already queued.

The preparation gap is almost always the same: founders have the product knowledge to answer every question, but haven't written the answers down in a format that's consistent, referenceable, and copy-pasteable across deals.

The first questionnaire takes days to answer from scratch. The second questionnaire, if you documented the first one properly, takes an afternoon. The tenth questionnaire takes an hour.

August 2, 2026 is less than four months away.

Try Complizo free — paste your first questionnaire and get your fraud detection compliance answers drafted in minutes.

The questionnaire arrived at 9 AM. You've answered the easy parts — company name, product description, which regulation applies to you.

Then you hit the data governance section.

"Describe the data used to train your AI system, including data sources, data quality measures applied, and steps taken to identify and address bias in the training dataset."

Your AI model was trained on a dataset your ML team assembled two years ago. You're not entirely sure what's in it. You don't know how to phrase "data quality measures" for a legal audience. And you've never written this down for a customer before.

Here's how to answer this question — and the five others like it that almost always follow.

Why This Section Appears in Every Questionnaire

For high-risk AI systems under the EU AI Act, Article 10 imposes specific requirements on training, validation, and test data. It requires that:

• Training data is subject to data governance practices
• Data is relevant, representative, and free from errors "to the best extent possible"
• Data is examined for potential biases that could lead to discriminatory outcomes
• Data covers the specific geographic, contextual, or behavioral settings where the system operates

HR tech products — resume screeners, candidate ranking tools, interview scoring systems — almost universally fall under Annex III, point 4(a) as high-risk systems. Article 10 applies in full.

When your enterprise buyer asks about training data, they are not conducting academic research. They need answers they can include in their own compliance documentation, which they will show to their DPO, their legal team, and potentially their regulator. Your answer has to be usable, not vague.

The Six Questions You'll Typically Get

Most data governance sections follow a similar structure. Here are the six most common questions and how to answer each.

Question 1: What data did you use to train your AI?

Describe the source type, not the raw dataset. Enterprise buyers understand that training data is often proprietary. They want to know:

• What category of data (anonymized application records, public job board data, recruiter-labeled outcomes, synthetic data)
• Approximate scale ("over 500,000 anonymized hiring event records")
• Whether data was licensed, collected under consent, or drawn from public repositories

Example answer:

"[Product] was trained on a proprietary dataset of [X]+ anonymized hiring-event records, including application data, recruiter decisions, and candidate outcome labels. No personally identifiable information was retained in the training dataset. Data was sourced from customers who participated in our model development program under applicable data processing agreements."

Question 2: What steps did you take to ensure data quality?

Article 10(3) requires training data to be "relevant, sufficiently representative, and free from errors to the best extent possible." Map your answer directly to this language.

Example answer:

"Prior to training, the dataset was reviewed for completeness, duplicate records, and systematic anomalies. Records originating from markets or roles with fewer than [X] observations were excluded to prevent low-sample overfitting. A held-out test set representing [Y]% of the full dataset was reserved to evaluate model performance before deployment. Quality review is repeated on each model update."

Question 3: How did you test for bias?

This is the question that causes the most hesitation. Founders often worry that acknowledging bias in their training data will sink the deal. It won't. The absence of a testing process is what sinks deals.

If you ran bias testing, describe it specifically. If you didn't run formal testing, describe what you did do — and what your roadmap looks like.

Example answer:

"The training dataset was evaluated for statistical representation across protected characteristics including age, gender, and national origin [specify what applies]. We applied [re-sampling / re-weighting / fairness-aware training — describe what you did] to reduce differential performance across demographic groups. Bias evaluation is conducted on a [quarterly / per-release] basis using [equalized odds / disparate impact ratio / specify metric]. Results are documented in our internal model card."

Question 4: Was the training data representative of our use case?

This question asks whether your model will generalize to their specific context — their industry, their geography, their role types.

Answer it specifically. Vague answers here generate follow-up questions that slow down the deal.

Example answer:

"[Product] was trained on data drawn primarily from [specify: industry vertical, company size range, geographies represented]. Customers deploying in significantly different contexts — for example, roles requiring highly domain-specific credentials not well-represented in the training data — are advised to evaluate model performance in our configuration interface during onboarding. Our implementation team can support this assessment."

Question 5: How long do you retain training data?

Example answer:

"Training data used in model development is stored in a secured, access-controlled environment and retained for [X years] in accordance with our data retention policy. Model artifacts do not contain retrievable training records. Customer data processed through [product] is not used to retrain the shared model without explicit opt-in from the customer."

Question 6: Can you provide documentation of your data governance practices?

This is often the final question in the data section, and the one founders dread most — because it assumes formal documentation exists.

If you have a model card, data card, or internal data governance policy, reference it and offer to share a summary. If you don't have formal documentation yet, describe the practices you follow and note that formal documentation is in progress.

Example answer:

"[Product] maintains internal data governance documentation covering dataset composition, quality assurance processes, and bias evaluation methodology. A summary data card is available to enterprise customers upon request under NDA. We are in the process of formalizing this into a full Annex IV technical documentation package, targeted for [date]."

The Part Founders Skip — And Shouldn't

Buyers don't just read your answers. They compare them.

If your answer to "describe your training data" in one questionnaire is three paragraphs long, and in the next questionnaire it is two sentences that mention different features, the discrepancy is noticed. Legal teams flag it. It becomes a negotiation issue.

Your Article 10 answers should be identical across every questionnaire you submit. Not similar — identical. That requires writing down your canonical answers once, documenting them somewhere consistent, and copying from them every time.

Most HR tech founders are re-answering the same training data questions from scratch, on deadline, in slightly different ways every time. The inconsistencies accumulate. Trust erodes slowly, then all at once.

What If You Have Gaps?

Article 10 compliance is not binary. The regulation uses language like "to the best extent possible" deliberately. Buyers understand that no model is perfectly bias-free and no dataset is perfectly representative.

What they do not accept is silence. If your bias testing was informal, describe it. If your training data was from a narrow geographic region, acknowledge it and explain what it means for deployment. If your documentation is incomplete, say so and give a timeline.

The buyers asking these questions are building compliance files they will stand behind when their regulator reviews their AI vendor list. They need enough detail to make a defensible record. Give them that detail.

August 2, 2026 is the deadline for high-risk AI obligations. It is less than four months away. The questionnaires are arriving now.

Try Complizo free — paste your first questionnaire and get your Article 10 answers drafted in minutes.

A procurement manager at a large European retailer sent you a questionnaire. You've handled most of it. You explained your risk classification. You described your data governance. You listed your bias testing methodology.

Then you hit Section 4: Human Oversight.

"Describe the mechanisms by which a human operator can review, override, or reject recommendations made by your AI system."

You stare at it. Your product has a recruiter dashboard. Recruiters can see scores. They can ignore them. Is that enough? How do you articulate it in a way that satisfies a legal team reviewing your answer?

This is the question that stalls more HR tech deals than any other. Here's how to answer it.

Why Human Oversight Is a Legal Requirement for HR AI

Your hiring tool almost certainly qualifies as high-risk under the EU AI Act. Annex III, point 4(a) explicitly lists AI systems used "for recruitment or selection of natural persons" — resume screening, candidate ranking, and AI-scored interviews are all in scope.

For high-risk AI systems, Article 14 is not optional. It requires that high-risk AI systems be designed so that humans can "effectively oversee" the system during deployment. In practice, that means three things:

• Humans can understand what the system is doing and why
• Humans can intervene, pause, or override outputs before decisions are final
• Humans are not simply rubber-stamping AI recommendations without meaningful review

Your procurement contact knows this. When they ask about human override mechanisms, they are checking whether your product actually supports Article 14 compliance — not just whether you've written a policy about it.

What Buyers Are Actually Checking

Before you draft your answer, understand what the question is really probing.

Buyers are not asking "can a recruiter ignore the score?" They are asking four specific things.

First: Is the override technically possible? Can a recruiter reject an AI recommendation inside your product, or do they have to export data to do it elsewhere?

Second: Is the override documented? If the AI scored a candidate "reject" and a recruiter overrode it to "advance," is that decision logged somewhere retrievable?

Third: Does oversight happen before decisions are final? Or does your AI produce an output that is already acted on before a human sees it?

Fourth: Do users know they're working with AI? Article 13 requires transparency about AI system capabilities. Candidates can't invoke their rights under EU law if they don't know AI was involved.

Map your product honestly to these four checks before you write a word.

The Answer Template

Here is a structure that works for most HR tech products. Adapt it to your product — don't invent features you don't have.

Section 4.1 — Override Mechanism

[Product name] is designed so that all AI-generated recommendations are advisory only. Recruiters access scores and rankings via the [Dashboard / Candidate View] and can advance, reject, hold, or flag any candidate regardless of the AI output. No recommendation in [product name] automatically triggers a workflow action; a human must confirm or override each recommendation before any candidate status changes.

Section 4.2 — Audit Log

All recruiter decisions — including decisions that differ from the AI recommendation — are timestamped and stored in [product name]'s activity log. This log is exportable in CSV format and retained for [X months / X years]. Customers may use this data to document oversight activity for their own EU AI Act compliance records.

Section 4.3 — Pre-Decision Review

AI recommendations are surfaced to recruiters before any communication is sent to the candidate. No automated rejection emails, interview invitations, or status changes occur without a recruiter action in the system.

Section 4.4 — Candidate Disclosure

[Product name] provides customers with a configurable candidate disclosure notice, which explains that AI-assisted screening was used in their evaluation. This supports customers in meeting transparency obligations under Article 50 of the EU AI Act and applicable national employment regulations.

If you don't have a configurable disclosure notice, describe what you do have. Honest answers that reflect real product capabilities win more deals than polished boilerplate that collapses under follow-up questions.

Four Mistakes That Kill Deals at This Stage

Mistake 1: Describing policy, not product

"Our policy ensures that all AI outputs are reviewed by a human" is not an answer. Buyers want to know how the product enforces this. Which screen? Which button? What happens if a recruiter doesn't review before the candidate times out?

Mistake 2: Treating data export as human oversight

"Recruiters can always export the data to a spreadsheet and review it there" is not Article 14 compliance. Oversight must occur within a meaningful window, inside a workflow, before decisions with legal or similar effect are finalized.

Mistake 3: Answering for your compliance instead of theirs

The buyer is a deployer under the EU AI Act. They need to document their own human oversight mechanisms to their regulator. Your answer must explain what their team can do inside your product — not what your engineering team did to build it.

Mistake 4: Being vague about logging

"Decisions are tracked in our system" is not sufficient. Specify what is logged, how long it is retained, who can access it, and what format it exports in. Buyers drafting their own compliance documentation need this level of detail, and vague answers generate follow-up requests that slow down deal velocity.

What to Do If Your Product Has Gaps

Not every product has a complete Article 14 story today. If your audit log is sparse, if your override mechanism is rudimentary, or if candidate disclosure is still on the roadmap — say so. Then describe what is there and what's coming, with dates where you can commit to them.

A buyer who discovers a gap after signing is a churned customer. A buyer who signs knowing the current state and trusting your roadmap is an advocate.

Document what you have. Be specific about what's planned. Give honest timelines.

The Consistency Problem

The human oversight question is not just a compliance check. It is also a test of vendor credibility.

Buyers who ask detailed Article 14 questions compare your answers across interactions. If your answer looks different in one questionnaire than it does in another — longer here, shorter there, different features mentioned — it raises questions about whether you actually have what you say you have. Legal teams notice inconsistencies. They ask follow-ups. Deals slow down.

The answer to "describe your human oversight mechanism" should be identical in every questionnaire you submit. Not similar. Identical. That requires documenting your canonical answers once and copying from them every time — rather than re-writing from memory under deadline pressure.

The August 2, 2026 deadline for high-risk AI obligations is less than four months away. European enterprise buyers are running vendor reviews now. The time to write your Article 14 answer is before the next questionnaire lands in your inbox.

Try Complizo free — paste your first questionnaire and get your Article 14 answer drafted in minutes.

The questionnaire arrived with a question in Section 1 that the founder had never seen before.

"Under the EU AI Act, does your company consider itself an AI provider, an AI deployer, or both? Please explain your reasoning with reference to the relevant Articles."

The founder ran a SaaS company. They had built the product. They were selling it to enterprise customers. But "provider or deployer" — which one were they exactly?

They looked it up. Found two conflicting blog posts. Spent two hours going in circles. Eventually wrote something vague and moved on.

Three weeks later, the same question appeared in a different questionnaire from a different customer — phrased differently but asking the same thing. The answers they sent were inconsistent.

This question is appearing on enterprise procurement questionnaires right now. Here is the definitive answer, and why getting it right on the first questionnaire matters for every answer that follows.

The Definitions (And Why They Matter)

The EU AI Act draws a clear line between two roles under Article 3.

An AI provider (Article 3(3)) is any entity that develops an AI system — or has it developed — and places it on the market or puts it into service under its own name or trademark. If you built the AI, trained the model, and are selling or licensing it to customers, you are a provider.

An AI deployer (Article 3(4)) is any entity that uses an AI system under its own authority in a professional context. If you are taking an AI system built by someone else and incorporating it into your own product or service, you are a deployer.

Why does this distinction matter? Because the compliance obligations differ — significantly.

Providers of high-risk AI systems must:

• Maintain technical documentation (Article 11)
• Implement a quality management system (Article 17)
• Register the system in the EU AI database (Article 49)
• Draw up an EU Declaration of Conformity (Article 47)
• Implement post-market monitoring (Article 72)
• Report serious incidents to national authorities (Article 73)

Deployers of high-risk AI systems must:

• Ensure appropriate human oversight of AI-assisted decisions (Article 26)
• Maintain logs of AI use (Article 26(5))
• Ensure transparency to affected individuals when legally required (Article 26(11))
• Not modify a high-risk AI system beyond its intended purpose without re-evaluation

The obligations are different. If you answer the provider/deployer question incorrectly, every downstream answer about your obligations will be wrong — and a careful procurement team will notice the inconsistency.

Most B2B SaaS Companies Are Providers

If you have built an AI feature into your product — even a single AI-powered feature — and you are selling or licensing that product to business customers, you are an AI provider under the EU AI Act. Full stop.

You built the AI. You put it in your product. You put your product on the market under your name. That is the provider definition.

This applies even if:

• The AI feature is powered by a third-party model (an LLM API, a computer vision service, a scoring API). You are still the provider relative to your customers.
• You call it an "AI-assisted" feature rather than "AI." The Act applies to systems that use machine learning, deep learning, or statistical approaches to generate outputs — not systems labelled "AI."
• You are a small company. The EU AI Act applies to companies of all sizes.

If you use a third-party AI model (an OpenAI API, a Hugging Face model, a third-party scoring engine), you are simultaneously a deployer relative to that model's provider, and a provider relative to your own customers. Both/and — not either/or.

What the Questionnaire Is Actually Asking

When a customer asks "provider or deployer?", they are doing two things at once.

First, they are trying to understand what obligations sit with you. If you are the provider of a high-risk AI system, they want to know that you have technical documentation, post-market monitoring, and incident reporting in place — because that is what will satisfy their own regulators if your product gets audited through them.

Second, they are trying to understand their own obligations. A deployer of a high-risk AI system has specific duties under Article 26. They want to understand what those duties are relative to your product — and they want you to tell them, not their lawyers.

How to Answer This Question

Here is a template that works for most B2B SaaS companies with AI features built in-house (or via API that they control):

"[Company name] operates as an AI provider under the EU AI Act (Article 3(3)). We develop the AI system, maintain and update the underlying model, and place the system on the market under our own brand.

As the provider, we are responsible for:

• Maintaining technical documentation (Article 11)
• Implementing a quality management system (Article 17)
• Post-market monitoring and performance reporting (Article 72)
• Registration in the EU AI database for high-risk systems (Article 49)

Our customers operate as deployers under Article 3(4) in that they deploy and use the AI system within their own professional context. Deployer responsibilities that apply to our customers include: ensuring appropriate human oversight of AI-assisted decisions (Article 26), maintaining logs of use where required, and ensuring transparency to affected individuals in accordance with applicable law.

We provide customers with the technical documentation, monitoring reports, and support materials needed to fulfill their deployer obligations and to respond to regulatory inquiries about AI tools in their stack."

Adapt this for your specific situation. If you are a fintech company using a credit-scoring model from a third-party provider, add a sentence noting that for the third-party model you are a deployer, and describe what due diligence you conduct on that provider.

The Follow-Up Questions

Once you answer "provider," three follow-up questions arrive almost immediately in the same questionnaire:

1. Is your AI system high-risk under Annex III? This requires you to look at the Annex III list and take a position. Annex III covers 8 categories including biometrics, critical infrastructure, education, employment, essential services, law enforcement, migration, and administration of justice. If your product falls in any of these verticals, you are almost certainly high-risk.

2. What technical documentation do you have? Article 11 specifies what belongs in technical documentation. Buyers ask because they may need to produce it to a regulator. "Documentation available upon request" is no longer sufficient — name what you have specifically.

3. What is your post-market monitoring process? Article 72 requires high-risk AI providers to monitor the performance of deployed systems. Buyers want specifics: what metrics, what frequency, what threshold triggers review, and how are customers notified of issues.

Getting the provider/deployer answer right means all three follow-ups can be answered consistently, because the framework for your answers is established.

Why Section 1 Sets the Tone for the Entire Deal

Procurement teams notice when answers contradict each other. Section 1 establishes your role. If Section 1 says "deployer" and Section 4 describes provider-level monitoring and documentation, the inconsistency signals either that you don't understand your own obligations, or that you are not answering carefully.

Either signal is bad.

The provider/deployer question is the foundation. Every answer about documentation, testing, incident reporting, and customer obligations builds on it. Answer it correctly the first time — and the same way every time.

Complizo starts with role classification and risk classification before you answer a single questionnaire question. Your role is established once. Every answer that references your obligations is framed correctly — and consistently — across every deal.

Try Complizo free — paste your first questionnaire.

The email arrived on a Tuesday afternoon.

It was from a compliance officer at a regional bank — one of the fintech SaaS company's biggest customers. Attached was a 72-question AI compliance questionnaire. At the top: "Please complete the attached document by end of month. This is required for our annual vendor review under EU AI Act Article 28."

The founder had been expecting a questionnaire eventually. But not this one. Not 72 questions. And not from their largest account.

If you sell B2B SaaS to financial institutions — credit scoring tools, fraud detection, loan underwriting assist, KYC automation, financial analytics with AI features — this scenario is arriving in inboxes now.

Here is what the questionnaire contains, and how to answer it.

Why Financial Services Sends the Most Demanding Questionnaires

Banks and financial institutions are regulated on two sides simultaneously. Their own regulators — the EBA, ECB, and national supervisory authorities — expect them to conduct AI due diligence on every vendor they deploy AI from. And their customers — borrowers, account holders — may have individual rights under the EU AI Act when AI affects decisions about them.

So when a bank's compliance team sends you a questionnaire, it is longer and more detailed than what a technology company would send. They have already internalized the EU AI Act framework and they are applying it to your product.

Financial services AI tools frequently fall under Annex III high-risk classification when used in:

• Credit scoring or assessment of creditworthiness
• Risk assessment in insurance
• Fraud detection that affects individual customers
• Any AI that makes or influences decisions about access to financial services

High-risk classification triggers the full set of provider obligations — and the full set of due diligence questions from the deployer.

The 5 Questions Your Financial Services Buyers Will Ask

Q1: What is the scope and intended purpose of your AI system?

This sounds broad, but buyers need a precise answer they can insert into their own AI inventory. They need to know: what decision does your AI inform, what is the input, what is the output, and where in their workflow your output is consumed.

How to answer: Describe your AI in two to three sentences that specify the task (classification, scoring, recommendation, prediction), the input data type, the output format, and how the output is used. Avoid marketing language. Be literal.

Example answer: "Our AI system analyzes structured applicant financial data — income history, existing debt, payment behavior — to generate a creditworthiness score between 0 and 1000. The score is one input into loan officer underwriting decisions. The AI does not make final approval or rejection decisions; it surfaces a score and a ranked list of contributing factors for human review."

Q2: Is your AI system high-risk under Annex III, and what obligations follow?

Financial institutions need to know your risk classification position so they can document it in their own AI governance register.

How to answer: Take a position. Name the Annex III entry that applies (or explain why it does not apply). Then describe what obligations you are fulfilling as a result.

Example answer: "We classify our system as high-risk under Annex III, Point 5(b) of the EU AI Act, which covers AI used in creditworthiness assessment and credit scoring. As a high-risk AI provider, we maintain technical documentation under Article 11, implement a quality management system under Article 17, conduct post-market monitoring under Article 72, and will register the system in the EU AI database under Article 49 ahead of the August 2, 2026 deadline."

Q3: How do you ensure explainability for AI-influenced financial decisions?

This question comes with regulatory backing. Under certain implementations of GDPR Article 22, individuals subject to automated decisions have rights — including the right to an explanation. Financial regulators in Germany, France, and the Netherlands have specifically called for explainability in AI credit decisioning.

How to answer: Describe the explainability mechanism in your product concretely. What does the output include beyond a score? Are contributing factors expressed in plain language? Is there an audit log?

Example answer: "Our system outputs a score and up to five contributing factors ranked by impact, expressed in plain language — for example, 'Debt-to-income ratio above the threshold for this risk band.' These factors can be provided to affected individuals upon request via our reporting export. All decisions are logged with timestamp, model version, input hash, and output, and logs are retained for [X years] to support regulatory audit."

Q4: How do you monitor for model drift?

Banks need to know your system will perform accurately next year, not just today. Model drift — where accuracy degrades as real-world data patterns shift — is a known risk in credit and fraud AI, especially during economic volatility.

How to answer: Describe your post-market monitoring cadence with specific metrics and specific thresholds. Vague answers ("we monitor continuously") fail at this level of buyer.

Example answer: "We monitor model performance on a monthly basis using [specific metrics — e.g., Gini coefficient, KS statistic, Population Stability Index for input distribution]. When we detect significant drift — defined as PSI above 0.2 or Gini decline greater than 5 percentage points — we trigger an investigation and retraining cycle within [X] business days. Customers are notified of all model version updates and receive the performance metrics of new versions before deployment."

Q5: What technical documentation is available if our regulators ask for it?

Financial regulators may audit your customer's use of AI. Your customer may be required to produce documentation about your system. This is Article 11 and it is non-negotiable at this buyer level.

How to answer: List what you have, specifically. A vague reference to "documentation available upon request" does not satisfy a compliance officer.

Example answer: "We maintain EU AI Act Article 11-compliant technical documentation including: system architecture overview and data flow diagram, training data description and quality assessment including demographic audit, model validation reports including out-of-time testing and backtesting results, bias and fairness analysis, ongoing monitoring reports, and a change log with version history. This documentation package is available to enterprise customers and can be shared with their regulators under a standard data sharing agreement."

Why These Questionnaires Are Landing Now

Financial institutions have been preparing for the EU AI Act since the rules were finalized in 2024. The August 2, 2026 high-risk AI deadline has been on their roadmap for 18 months. Their compliance teams are not waiting until August. They are running vendor audits now — six to nine months ahead of the deadline — so that any gap in vendor compliance can be remediated before regulators start asking.

If you sell into financial services and have not received a questionnaire yet, it is coming. The institutions that move first are the most sophisticated buyers — the ones you most want to keep.

One Answer Set, Every Banking Deal

The five questions above will appear — in different wording, across different questionnaires — in every financial services deal you close this year. A large bank's questionnaire will be 72 questions. A fintech platform will send 15. A credit union may send 8. The core questions are the same.

Complizo stores your answers to these questions against the specific product controls that back them. When Q3 on explainability arrives again next month from a different institution, your answer is already there — consistent with every prior answer, linked to the specific feature that generates the contributing factors.

Try Complizo free — paste your first questionnaire.

A European bank asked a hiring software company a question last month that stopped the deal cold.

Not a general question about the EU AI Act. A specific one: "Describe the steps you have taken to test your AI system for potential discriminatory effects against protected characteristics including gender, ethnicity, and age."

The founder knew their product worked well. They had customers. Low churn. But no one had ever made them put their bias testing process in writing before. And now, with a seven-figure enterprise deal on the line, they had 48 hours to answer.

This is the questionnaire moment that HR tech founders are walking into right now. The bias and discrimination section is the hardest part of an AI compliance questionnaire — and the one that kills the most deals when answered badly.

Here is what your buyers are asking, and exactly how to answer.

Why HR Tech Gets the Hardest Bias Questions

Under the EU AI Act, AI systems used for recruitment, candidate selection, or evaluation of people in employment contexts are listed in Annex III as high-risk. That single classification changes everything about how your enterprise buyers approach procurement.

High-risk classification means buyers are required — not just encouraged — to conduct due diligence on your system before deploying it. Their procurement and legal teams have checklists. Those checklists ask about bias. And they ask in detail.

If your product touches any of these areas, you are in the high-risk zone:

• Automated resume screening or shortlisting
• AI-assisted candidate ranking or scoring
• Evaluation or assessment of candidates during hiring
• AI that serves job ads to specific demographics

The EU AI Act's Article 10 requires that training data for high-risk systems be "relevant, sufficiently representative, and, to the best extent possible, free of errors." Article 9 requires systematic risk management including testing for bias before the system goes live. Buyers know this. Their questionnaires reflect it.

The 5 Bias Questions You Will Get

Here is what the questionnaire section on bias and non-discrimination actually looks like — and how to answer each one.

Q1: What training data did you use, and what steps did you take to ensure it was representative?

The goal of this question is to understand whether your model was trained on data that reflects historical patterns of discrimination — for example, historical hiring decisions that favored certain demographics.

How to answer: Describe the source of your training data. Be specific: proprietary labelled data, public datasets, customer-provided data, or a combination. Then describe what you did about representativeness — whether you audited demographic balance, whether you excluded certain signals (like zip code or school name as proxies for protected characteristics), and how you handled class imbalance.

Example answer: "Our model was trained on [X million] anonymized hiring outcomes from [Y] enterprise customers, with personally identifiable information removed. We audited training data for demographic balance across gender and ethnicity. We removed variables identified as potential proxies for protected characteristics, including name-based inference and educational institution prestige scores. We retrain the model [frequency] and repeat the representativeness audit with each cycle."

Q2: How do you test for discriminatory outputs?

This is asking about your ongoing bias testing methodology, not just a one-time audit.

How to answer: Name the specific testing methods you use. Disparate impact analysis is the most common — measuring whether your model's outputs (scores, recommendations, rankings) differ significantly across demographic groups. Also mention counterfactual testing if you do it: changing only protected attributes and checking if scores change.

Example answer: "We conduct disparate impact analysis on model outputs [frequency], measuring selection rates across gender, ethnicity, and age cohorts using the 4/5ths rule as a baseline. We run counterfactual tests at each model update cycle, holding all non-protected features constant and varying protected attribute proxies. Results are reviewed by our AI governance lead and documented in our bias testing log."

Q3: What happens when you detect bias?

Buyers want to know your response process, not just your testing process. Detecting bias and doing nothing is worse than not testing.

How to answer: Describe your escalation path: who gets notified, what investigation happens, what remediation looks like (retraining, feature removal, threshold adjustment), and how you communicate to customers.

Example answer: "If disparate impact analysis shows a selection ratio below 0.8 for any protected group, we flag the issue in our internal incident tracker, notify our AI governance lead, and pause deployment of the model update pending investigation. Affected customers are notified within [X] business days. We document the remediation steps taken — retraining, feature removal, or threshold recalibration — and provide customers with a remediation summary."

Q4: Do you provide transparency to candidates about AI use?

This is an Article 13 question (transparency obligations) dressed up as a bias question. Buyers want to know if their end users — job candidates — will know AI is involved in evaluating them.

How to answer: Describe your disclosure mechanism. Is it a notice in the application flow? An FAQ? Do you allow candidates to request human review?

Example answer: "Our platform provides a disclosure notice in the candidate-facing application interface stating that AI is used to assist in evaluating applications. The notice explains what factors the AI considers and how scores are used in the hiring process. Candidates can request human review of any AI-assisted recommendation at any stage, at no cost."

Q5: What documentation is available for regulatory audit?

This is the Article 11 technical documentation question. Buyers ask it because they may need to produce your documentation to a regulator — and they cannot produce what you haven't given them.

How to answer: Tell them exactly what documentation exists. A technical documentation package, a data card, a model card, a bias audit report. Offer to share it under NDA.

Example answer: "We maintain EU AI Act Article 11 technical documentation including: system architecture description, training data description with demographic audit results, bias testing methodology and results by protected category, human oversight mechanisms, and version history with changelog. This documentation package is available to enterprise customers under NDA upon request."

Why Buyers Ask These Questions Now

August 2, 2026 is the compliance deadline for high-risk AI systems under the EU AI Act. Fines for non-compliance reach €35 million or 7% of global annual turnover, whichever is higher. Enterprise buyers — especially large employers in regulated sectors — know their internal compliance teams will scrutinize any AI tool in the hiring stack. Procurement is getting ahead of that scrutiny.

This means the questionnaire you received today is not the last one. It is the first of many. The buyers who ask carefully now will ask again at every contract renewal.

Stop Answering From Scratch

Most HR tech founders answer these questions by typing something into an email and hoping it sounds credible. The problem is that next month a different enterprise buyer will ask the same question slightly differently, and you'll type something slightly different.

Your answers will be inconsistent. Sophisticated procurement teams compare notes. They notice.

Complizo stores your answers to these questions against the specific product features that back them. When the next buyer asks about bias testing, your answer is already there — word-for-word consistent with what you told the last buyer, linked to the feature that actually does the bias testing.

Try Complizo free — paste your first questionnaire.

Most founders have one of two reactions. They freeze — because writing a precise description of an AI system from scratch, with regulator-grade language, is not what they planned to do today. Or they overshare — pasting in an engineering-blog-level explanation of their architecture that immediately raises five follow-up questions.

Both reactions cost deals. Here's a cleaner way to handle this section, plus the exact template language that buyers' compliance teams actually want to see.

Why this question matters more than the rest

The "describe your AI system" question looks like a warm-up. It isn't. It's the anchor that determines how every other answer in the questionnaire is interpreted.

If your description is fuzzy, every downstream answer becomes fuzzy. "What's your risk classification?" means nothing if the system it applies to was never nailed down. "How do you handle human oversight?" becomes un-verifiable. If your description is too broad (entire platform) or too narrow (one model), the rest of the questionnaire is either too scary to sign off on or too small to be credible.

EU AI Act Article 11 and Annex IV require providers of high-risk AI systems to maintain technical documentation that, among other things, describes the intended purpose, the persons or groups affected, the inputs and outputs, and the general logic. Procurement teams know this. When they read your Question 1 answer, they're really asking: "Have you actually written your Annex IV documentation yet?"

The template

Use this exact structure. Five short paragraphs, each with a fixed job.

1. Name and intended purpose (2–3 sentences).

"[Feature name] is the AI system under this questionnaire. Its intended purpose is to [one-sentence task description], in the context of [one-sentence deployment context]. It is used by [who operates it] as part of [which workflow]."

Example: "Candidate Ranking is the AI system under this questionnaire. Its intended purpose is to score and rank inbound job applicants against an open role, in the context of our HR SaaS product used by EU-based employers. It is used by in-house recruiters as part of the pre-screen step of the hiring workflow."

2. Inputs (1 short paragraph, list-form acceptable).

"Inputs include: [data category 1], [data category 2], [data category 3]. Inputs are provided by [source]. Personal data categories are limited to [specific categories], processed under [lawful basis] per the customer's DPA."

Be concrete. "Structured CV fields (name, work history, education) and free-text cover letter, provided by the candidate via the customer's application form." Much better than "application data."

3. Outputs (1 short paragraph).

"Outputs are [type of output]: [specific format]. Outputs are delivered to [who]. They are [used as / never used as] a basis for automated decision-making; final decisions are made by [who]."

Example: "Outputs are a numeric score (0–100) and an ordered ranking, with the top three contributing factors for each score. Outputs are delivered to the customer's recruiter. They are never used as the sole basis for rejecting a candidate; final hiring decisions are made by the recruiter."

4. Models and third parties (1 paragraph).

"The system is built on [base model(s) and version(s)], [hosted/self-hosted]. [If fine-tuned]: we fine-tune on [data source] using [method]. [If any third-party AI service]: [provider, service, purpose]. No training uses customer-identifying data without explicit written consent."

Name the base model. Name the version. Name the cloud region if it matters. This is where founders over-explain architecture; don't. Procurement doesn't want a diagram, they want to know what's inside the black box well enough to tick a box.

5. Classification and scope statement (2 sentences).

"Under the EU AI Act, we classify this system as [high-risk per Annex III point X / limited-risk subject to transparency obligations / minimal-risk / out of scope], because [one-line reason]. The system is [or is not] subject to the high-risk provider obligations that become enforceable on August 2, 2026."

Don't hide the classification at the end of the questionnaire. Say it in Question 1 and the rest of the answers flow naturally.

What not to write

A few traps that drag these answers into the bin.

Marketing language. "Our cutting-edge AI empowers recruiters with next-generation insights." Procurement sees this and sighs. Cut every adjective that wouldn't survive a legal review.

Vague scope. "Our platform uses AI in many places." If you say this, you've just told the customer's compliance team that every feature you ship is in scope — and that they need to treat the whole platform as a high-risk system. That's not what you want.

Overbroad claims of safety. "The system cannot produce biased outcomes." No AI system's provider can claim this under Article 15. Replace with: "We evaluate the system for disparate impact on [groups] on a [cadence]; most recent evaluation result: [summary]."

Unnamed base models. "We use a large language model." Name it. "We use Anthropic Claude Sonnet 4.5 via the API, with no fine-tuning" is a sentence a compliance team can work with.

The consistency problem

The dirty secret about the "describe your AI system" question is that the answer you give on Monday's deal has to match the answer you give on Friday's deal, and the next quarter's deal, and the one after. If the wording drifts, procurement teams notice. Law firms definitely notice. A change in how you describe your own system between two customers can read like a change in scope, which reads like a change in risk.

This is why the best practice isn't to write this answer into each questionnaire from scratch. It's to write it once, maintain it as part of your AI feature registry, and pull it in verbatim every time. The first time takes work. Every time after, it's copy-and-confirm.

That's the workflow Complizo is built around: define your AI features once, get a classification per feature, and have the "describe your system" answer — and every downstream answer — generated consistently and mapped back to the feature that backs it. You still own the words. You just don't rewrite them at 11pm the night before the procurement deadline.

The next questionnaire is going to hit your inbox this week or next. The answer to Question 1 is the single most-leveraged piece of writing in your sales cycle right now.

Try Complizo free — paste your first questionnaire and let the answers come out ready-to-send.

"Thanks for the answers. One clarification — when you say 'we implement human oversight per Article 14,' which part of your product does that actually refer to? We couldn't tell if you meant the whole platform or a specific feature."

If you've been in B2B sales long enough, you know the shape of that email. It's the sound of a deal stalling on the compliance team's desk for another sprint.

The problem is almost never that your answers were wrong. The problem is that they were generic. Procurement teams can't sign off on generic. They need to see which feature each answer is about — otherwise they can't tell you what they're actually approving.

Why generic answers fail procurement

There are three reasons a compliance team will kick your questionnaire back, and they all trace to the same root cause — answers that float free of the product.

Reason one: the auditor test. If a regulator knocks on the customer's door in 2027, the customer needs to point at one of your features and say "that is the AI system, and here is the evidence that it meets Article X." If every answer you gave is "we do this across our platform," the customer can't map anything to anything, and they know it.

Reason two: the risk-scoping test. Your product probably has AI features that are high-risk (Annex III) and AI features that are limited-risk or out of scope. An answer that doesn't name a feature implies every feature has the same classification, which is both wrong and alarming to procurement. They'd rather see "our candidate-ranking feature is high-risk; our job description generator is limited-risk transparency-only" than a single blanket claim.

Reason three: the override test. Compliance teams know that SaaS companies ship fast. If your "human oversight" answer points to a specific feature with a specific override button, they know where to look when they test it. If it points to "the platform," they know you haven't thought about it.

The shape of a procurement-ready answer

A clean answer has four layers, in this order:

1. The feature. One named AI feature you ship. Not the platform. Not the category. The feature.
2. The classification. Where that feature sits under the AI Act — Annex III high-risk, limited-risk transparency, minimal-risk, or out of scope — and why.
3. The control. The specific thing in your product or process that addresses the questionnaire question.
4. The evidence. Where the reviewer can go to see that control in action — a screenshot, a doc link, a field in the Admin panel, a policy.

Put together, a human-oversight answer for a hiring tool looks like this:

Feature: Candidate Ranking (auto-scores applicants against a role). Classification: Annex III(4)(a) — high-risk. Control: Every ranking surfaces top contributing factors and a one-click override. The system does not auto-reject candidates; final decisions remain with the recruiter. Evidence: See Admin → Audit Log for a sample override event; see §3.2 of the Evidence Pack for the UX spec.

Procurement reads that and knows what they're signing up for. The auditor test passes. The risk-scoping test passes. The override test passes.

Why this is hard to do by hand

In theory, every founder could write answers this way. In practice, almost no one does, because doing it by hand across 60 questions, 5 features, and 12 customers requires you to:

• Keep a canonical list of every AI feature your product ships
• Keep a canonical classification for each feature
• Keep a canonical description of the controls for each feature
• Rewrite every procurement answer in a way that anchors back to that list

Do it once and it's a lot of work. Do it for every deal and watch the same sentence end up worded three different ways, each version slightly wrong.

That's where answers start to contradict each other — one deal says "we retain logs for 6 months," the next deal says "12 months," the third deal says "industry-standard retention." Procurement teams talk. Law firms talk more. The minute two of your answers disagree, every answer becomes suspect.

Doing it once, sending it everywhere

The version that actually works looks like this: you define your AI features in one place, classify each of them against the AI Act once, write the controls once, and attach each answer to the feature it describes. Every time a new questionnaire arrives, the answer engine pulls the right feature-answer pair for each question, and the words come out the same every time — because the underlying source is the same every time.

This is the shape Complizo ships. You build a registry of your AI features, you get a classification per feature, and when you paste a customer's questionnaire, every answer that comes back is mapped to the feature that backs it. The reviewer sees which feature is being described. The auditor test passes. The words are identical to the words the last customer saw.

"Showing your work" isn't a nice-to-have on enterprise deals anymore. It's how procurement decides whether to advance or stall. The companies that are closing EU enterprise deals in the last 100 days before August 2, 2026 are the ones whose answers point to specific features — not the ones with the longest, smoothest prose.

Try Complizo free — paste your first questionnaire and see your answers mapped feature-by-feature.

If you sell hiring or HR software that uses AI — resume parsing, candidate ranking, interview scoring, anything that touches a candidate's pipeline — this is now a normal part of every enterprise deal in the EU. And it's going to keep happening, because under the EU AI Act, AI systems used in employment decisions are classified as high-risk (Annex III). That means every one of your buyers has a legal reason to ask hard questions before they sign.

Here are the five questions you will see in almost every HR tech procurement questionnaire, and the exact framing to use when you answer.

1. "Is your product classified as a high-risk AI system under the EU AI Act?"

This is the gate question. Get it wrong and procurement will stop reading.

If your AI is used to filter, rank, score, or recommend candidates for employment, the honest answer is: yes, it is in scope of Annex III, point 4(a) — "AI systems intended to be used for the recruitment or selection of natural persons, in particular to place targeted job advertisements, to analyse and filter job applications, and to evaluate candidates."

Don't try to wriggle out of this. Procurement teams have seen the dodges. Instead, write:

"Our candidate ranking feature is in scope of Annex III of the EU AI Act as a high-risk AI system used in employment. We have identified this classification, documented the specific feature(s) it applies to, and have the controls below in place to meet the high-risk provider obligations by August 2, 2026."

Then actually list the controls. We'll get to that.

2. "Who is the provider and who is the deployer?"

Procurement asks this because the AI Act splits obligations between the provider (the company that places the AI system on the market — usually you, the SaaS vendor) and the deployer (the company using it — usually your customer).

As the provider, you own the bigger list: risk management system, data governance, technical documentation, logging, transparency, human oversight design, accuracy/robustness/cybersecurity, conformity assessment, registration in the EU database, and a post-market monitoring plan.

Your customer, as deployer, owns a narrower list: use the system per instructions, ensure input data relevance, monitor operation, keep logs, inform workers, and run a fundamental rights impact assessment where required.

Answer by naming the split explicitly:

"Complizo Inc. is the provider of the AI system under Article 3(3) of the EU AI Act. [Customer] is the deployer under Article 3(4). Provider obligations are documented in our Evidence Pack; deployer obligations are summarised in our Customer AI Act Guide."

3. "Describe your training data and how you prevent bias."

This is where HR tech founders often blow the answer — either by being vague ("we use diverse data") or by oversharing in ways that invite follow-up pain.

You want to hit four points, briefly:

• What data categories are used (application text, structured CV fields, historical hiring outcomes — say which)
• Where the data comes from (customer-provided, synthetic, third-party licensed)
• What bias-evaluation testing you run (disparate impact analysis against protected characteristics, cadence, last result)
• How you handle data governance (Article 10: relevance, representativeness, freedom from errors, appropriate statistical properties)

Three to five sentences. Don't write a research paper. Procurement wants to see that you have a process, not a PhD.

4. "How is human oversight implemented?"

Article 14 is explicit: high-risk AI systems must be designed so a human can "oversee their functioning," "intervene or interrupt," and "disregard, override or reverse the output."

For HR tech, this means you have to show that no candidate gets rejected purely by the algorithm. There must be a human decision-maker with the ability to see why a candidate was ranked where they were, and to override it.

Good answer:

"Every ranking or score presented by Complizo to a recruiter shows (a) the score, (b) the top factors contributing to that score, and (c) a one-click override. Final advance/reject decisions are always made by the human recruiter in the customer's workflow; our system does not auto-reject candidates."

Bad answer: "A human is always in the loop." Procurement has read that sentence 500 times. Say what the human sees and what the human can do.

5. "What logs do you retain, and can we access them?"

Article 12 requires automatic event logging for high-risk AI systems, and Article 19 requires providers to keep those logs for at least six months (longer if other laws apply). Deployers often want access to their own subset.

Answer specifically:

"We log every scoring event (timestamp, input hash, model version, score, top feature contributions, override if any). Logs are retained for 12 months. Your organisation's logs are exportable from the Admin panel or via our API, and are available on request for any regulatory inquiry."

Name the retention window, the export path, and the regulator-inquiry workflow. You don't need to show the logs themselves in the questionnaire — just prove they exist.

The pattern under all five answers

Every one of these answers follows the same shape: name the article, state the specific feature it applies to, describe the control in one or two sentences, point to where the evidence lives.

The reason HR tech founders panic at these questionnaires isn't that the answers are hard — it's that each question needs to be anchored to a specific AI feature you ship, and most teams haven't mapped their product that way yet. Mapping "candidate ranking" to Annex III(4)(a) to Article 14 to the override button in your UI takes work, and every answer has to be consistent with every other answer you've sent to every other customer. Procurement teams compare notes.

That's the problem Complizo solves. You define your AI features once, get a risk classification, and turn every customer questionnaire into structured, consistent, ready-to-send answers — with each answer mapped back to the feature that backs it. No more rewriting "how do you handle bias" for the seventh time and hoping the language lines up.

August 2, 2026 is when the high-risk provisions become enforceable. Your customers' procurement teams are already acting like it's live. The HR tech companies that answer cleanly are the ones keeping deals moving.

Try Complizo free — paste your first questionnaire and see what ready-to-send answers look like.

They had no idea how to answer.

If you build hiring software that uses AI — for candidate screening, resume parsing, interview scoring, or job-ad targeting — there is a very good chance the answer is yes. And your customers are going to need proof, not guesses.

Here is how to figure out your risk classification before the next questionnaire lands in your inbox.

Why HR Tech Gets Special Treatment Under the AI Act

The EU AI Act does not treat all AI the same. It uses a tiered risk system: unacceptable, high-risk, limited, and minimal. Most SaaS products fall into limited or minimal risk. HR and hiring technology is different.

Annex III of the AI Act explicitly lists "AI systems intended to be used for recruitment or selection of natural persons, notably to place targeted job advertisements, to screen or filter applications, and to evaluate candidates" as high-risk. That is Category 4, Area 4 — employment, workers management, and access to self-employment.

This is not a gray area. If your product uses AI to influence who gets hired, who gets interviewed, or who sees a job posting, the EU has already classified you.

The Three Questions That Determine Your Classification

Before you can answer your customer's questionnaire, you need to answer three questions yourself.

1. Does your product use AI as defined by the Act?

The EU AI Act defines an AI system broadly: a machine-based system that infers from inputs to generate outputs like predictions, recommendations, or decisions. If your product uses machine learning models, large language models, or statistical inference to process candidate data, the answer is almost certainly yes.

Simple keyword matching or rule-based filters probably do not qualify. But the moment you add a model that learns from data — even a basic ranking algorithm — you cross the line.

2. Does your AI system operate in an Annex III domain?

For hiring software, this is straightforward. Annex III, Category 4 covers:

• Placing targeted job advertisements
• Screening or filtering applications
• Evaluating candidates in recruitment, promotion, or termination decisions
• Monitoring or evaluating worker performance and behavior

If your product touches any of these use cases, you are in Annex III territory.

3. Does the "significant harm" exception apply?

Article 6(3) of the AI Act allows providers to argue their system does not pose a significant risk of harm despite falling into an Annex III category. However, this exception is narrow. You must document your reasoning, notify the relevant authority, and the system cannot make profiling decisions about natural persons.

For hiring software, this exception is almost never viable. Hiring decisions directly affect people's livelihoods. Regulators will scrutinize any attempt to self-exempt, and your enterprise customers will not accept "we decided we are not high-risk" as an answer on their questionnaire.

What High-Risk Classification Actually Requires

Once you know you are high-risk, the next question your customer will ask is: "What are you doing about it?" Here is what the AI Act requires of high-risk system providers under Articles 8 through 15:

Risk management system (Article 9). You need a documented, ongoing process to identify and mitigate risks throughout your AI system's lifecycle. This is not a one-time audit.

Data governance (Article 10). Training, validation, and testing datasets must meet quality criteria. For hiring software, this means you need to demonstrate your models were not trained on biased data that discriminates by gender, ethnicity, age, or disability.

Technical documentation (Article 11). A detailed description of your system — its purpose, how it works, what data it uses, how it was tested, and what its known limitations are. This is typically what procurement teams are asking for in their questionnaires.

Record-keeping (Article 12). Automatic logging of system operations so that your AI's decisions can be traced and audited.

Transparency (Article 13). Deployers — your customers — must be able to understand your system's output and use it appropriately. This means clear documentation, not a 200-page PDF that no one reads.

Human oversight (Article 14). Your system must allow meaningful human review of its outputs. A "rubber stamp" workflow where a human clicks approve on every recommendation does not count.

Accuracy, robustness, and cybersecurity (Article 15). You need to demonstrate your system performs as documented and is resistant to adversarial manipulation.

How This Shows Up on Procurement Questionnaires

Enterprise customers are not asking about these requirements in the abstract. They are translating them into specific questions on their procurement forms. Here are the ones HR tech founders see most often:

• "Is your AI system classified as high-risk under the EU AI Act? If so, under which Annex III category?"
• "Can you provide your Article 11 technical documentation?"
• "How do you ensure your training data does not introduce bias in candidate screening?"
• "What human oversight mechanisms are built into your system?"
• "How do you test for accuracy and robustness of your AI outputs?"

Each of these maps directly to a specific Article. If you know your classification and have your documentation organized, answering them is systematic, not stressful.

The Real Problem: Answering Consistently Across Every Deal

Knowing your risk classification is step one. The harder problem is answering these questions the same way every time.

When your head of sales answers the questionnaire for Customer A in March, and your CTO answers it for Customer B in June, the answers need to match. One inconsistency — different descriptions of your risk management process, different claims about human oversight — and you have a credibility problem that can kill a deal.

This is why founders are moving away from ad-hoc questionnaire responses. You need a single source of truth that maps every question to a verified answer, and keeps those answers consistent regardless of who on your team is filling out the form.

What to Do This Week

You do not need to wait until August 2, 2026 — the enforcement deadline — to get this right. Your customers are sending questionnaires now.

Step 1: Determine your Annex III classification. If your product uses AI in hiring, screening, or candidate evaluation, you are almost certainly high-risk under Category 4.

Step 2: Map your existing documentation to Articles 9 through 15. Identify the gaps. Most early-stage HR tech companies have partial coverage at best.

Step 3: Build a questionnaire answer set. Take the five questions above, write clear answers, and make them your baseline. Every future questionnaire response should start from this set.

Step 4: Make those answers accessible to everyone who touches procurement. Sales, legal, CTO — they all need to give the same answer.

Complizo turns this into a 10-minute workflow. Paste your customer's questionnaire, and Complizo maps each question to the right answer from your verified answer set. Same answer every time, traceable to the specific AI feature or process it describes.

Try Complizo free — paste your first questionnaire

The EU AI Act's high-risk obligations for HR tech are not optional and not distant. Your customers are asking today. The founders who can answer clearly and consistently are the ones closing deals.

You stare at it. Questions about risk classification, Annex III, conformity assessments, human oversight mechanisms. You built a great SaaS product. You didn't build a compliance department.

Sound familiar? You're not alone. According to a recent readiness report, 78% of enterprises have not taken meaningful steps toward AI Act compliance. And the deadline — August 2, 2026 — is now less than four months away.

Here's what you need to know, and more importantly, how to answer the questions your customers are about to ask.

What Happens on August 2, 2026?

The EU AI Act's remaining provisions become fully enforceable. That means:

• High-risk AI system requirements kick in. If your product falls under Annex III categories (employment, credit scoring, education, critical infrastructure), you must comply with rules on risk management, data governance, technical documentation, transparency, human oversight, accuracy, and cybersecurity.

• Deployer obligations are active. Your enterprise customers who use your AI-powered product in the EU are "deployers" under the Act. They're responsible for compliance — and they'll push that responsibility upstream to you, their vendor.

• Market surveillance begins. National authorities can investigate, audit, and fine. Penalties reach up to €35 million or 7% of global annual turnover, whichever is higher.

• Extraterritorial scope applies. If your product produces outputs used in the EU or affects EU-based individuals, you're in scope — even if your company is headquartered in San Francisco, Tel Aviv, or Bangalore.

The bottom line: your EU customers can't buy from you unless you can prove compliance. And they'll prove due diligence by asking you pointed questions.

The 7 Questions Your Customers Will Ask

Based on the EU's model contractual clauses for AI procurement (MCC-AI) and real procurement questionnaires we've seen, here are the questions heading your way:

1. "What is the risk classification of your AI system?"

They need to know if your product is high-risk, limited-risk, or minimal-risk under the AI Act. High-risk systems (Annex III) face the strictest requirements. If you use AI for hiring decisions, credit scoring, or student assessment, you're almost certainly high-risk.

How to answer: State your classification clearly. Reference the specific Annex III category if applicable, or explain why your system falls outside high-risk scope.

2. "Do you have a risk management system in place?"

Article 9 requires a documented, ongoing risk management process for high-risk systems. Your customers need to see that you've identified risks, tested mitigations, and have a process for continuous monitoring.

How to answer: Describe your risk management framework, including how you identify and mitigate risks related to health, safety, and fundamental rights.

3. "What data governance practices do you follow?"

Article 10 covers training, validation, and testing data. Customers want to know your data is relevant, representative, and free from bias.

How to answer: Explain your data sourcing, quality controls, bias testing procedures, and how you handle personal data under GDPR alongside the AI Act.

4. "Can you provide technical documentation?"

Article 11 requires comprehensive technical documentation that proves your system meets AI Act requirements. This isn't optional — it's a prerequisite for the conformity assessment.

How to answer: Confirm you maintain technical documentation covering system design, development methodology, risk management, and performance metrics.

5. "What transparency measures do you provide?"

Articles 13 and 50 require that deployers (your customers) can understand your AI system's capabilities, limitations, and intended purpose. They need clear instructions for use.

How to answer: Point to your user documentation, explain how your system communicates its AI-generated outputs, and describe any disclosure mechanisms.

6. "What human oversight mechanisms are built in?"

Article 14 requires that high-risk systems can be effectively overseen by humans. Your customers need to show their regulators that a person can intervene, override, or shut down the AI.

How to answer: Describe the human-in-the-loop or human-on-the-loop controls in your product, including override capabilities and alert systems.

7. "Have you completed a conformity assessment?"

For many Annex III systems, you need to complete a conformity assessment before August 2, 2026. Some categories require third-party assessment; others allow self-assessment.

How to answer: State your conformity assessment status, the method used (self-assessment or notified body), and when it was completed or is expected.

Why This Matters for Your Sales Pipeline

This isn't just a legal checkbox. It's a sales blocker.

Enterprise procurement teams are already adding AI Act compliance sections to their vendor questionnaires. If you can't answer these questions clearly and quickly, you lose the deal. Your competitor who can answer them wins.

The math is simple: 83% of organizations don't even have a formal inventory of their AI systems yet. If you get ahead of this, you're in a small minority of vendors who make the procurement team's life easy.

How to Get Ready Before August 2

You don't need a team of lawyers or a six-month compliance project. You need to:

1. Know your risk classification. Map your AI features to the AI Act's categories. This takes an afternoon, not a quarter.

2. Prepare your answers. Draft clear, specific responses to the seven questions above. Reuse them across every customer questionnaire.

3. Build your documentation. Technical documentation, risk management records, and transparency disclosures should live in one place, ready to share.

4. Automate the repetitive parts. You'll get the same questions from different customers, phrased slightly differently. Having a consistent answer engine saves hours per questionnaire.

That last point is exactly what Complizo does. Paste your customer's questionnaire, get accurate, EU AI Act-aligned answers in minutes — not weeks.

Try Complizo free — paste your first questionnaire

The Clock Is Ticking

August 2, 2026 is not a soft launch. It's the day enforcement begins, fines become real, and procurement teams start rejecting non-compliant vendors.

You have less than four months. The questions are coming. The only question is whether you'll be ready with answers.

Complizo is the AI-powered questionnaire answer engine for EU AI Act compliance. Paste a questionnaire, get accurate answers. No jargon, no six-month projects.

If your company uses AI in hiring, customer scoring, fraud detection, or any other meaningful decision-making context, you need to understand exactly what you're risking.

How the EU AI Act Penalty Structure Works

The EU AI Act creates a three-tier penalty structure. Each tier has an absolute cap in euros and a percentage of global annual turnover — the higher applies.

Tier 1: Prohibited Practice Violations — Up to €35M or 7% of Turnover

The harshest penalties cover AI systems that should never exist: social scoring, real-time biometric surveillance, AI that exploits vulnerable people, subliminal manipulation, and systems predicting criminal intent based on protected characteristics.

If your product falls into a prohibited category and you continued operating it after February 2, 2025, you're already exposed. For a company with €10M in annual revenue, that's a maximum fine of €700,000. For a company with €100M in revenue: €7M. For a multinational: up to €35M.

Tier 2: High-Risk AI Obligations — Up to €15M or 3% of Turnover

This is where most SMBs face real risk. High-risk AI systems (Annex III) include AI used in:

• Recruitment and HR decisions — CV screening, interview scoring, performance monitoring
• Credit scoring and insurance — automated loan decisions, creditworthiness assessments
• Education — AI determining access to educational institutions or evaluating students
• Critical infrastructure — safety-critical components in energy, water, transport
• Healthcare — diagnostic AI, treatment recommendations
• Law enforcement — risk assessment tools
• Border control — automated risk profiling

Failing to meet obligations — incomplete technical documentation, missing risk assessment, inadequate human oversight, lack of conformity assessment — can result in fines of up to €15M or 3% of global turnover. For a €5M revenue startup, that’s €150,000.

Tier 3: Providing Incorrect Information — Up to €7.5M or 1% of Turnover

If you supply false or misleading information to a national AI authority during an investigation, that’s a separate violation — up to €7.5M or 1% of turnover.

What "Global Annual Turnover" Actually Means for You

It’s global annual turnover, not just EU revenue. If your company makes €2M in the EU but €8M globally, the fine is calculated on €10M.

For multinational groups, the parent company’s consolidated revenue is used. This matters if you’re a startup operating as a subsidiary: the whole group’s revenue is in scope.

SME protections: For SMEs (under 250 employees, under €50M turnover), the percentage-of-turnover cap applies even when the absolute figure would otherwise be higher. An early-stage startup with €500K in revenue faces a maximum of €35,000 for a Tier 1 violation — still painful, but not existential.

Enforcement: Who Has the Power to Fine You?

National Market Surveillance Authorities (MSAs) are the primary enforcers for high-risk AI systems. Each EU member state must designate at least one MSA by August 2, 2025. They investigate complaints, conduct audits, and issue fines.

The European AI Office handles enforcement against General Purpose AI (GPAI) model providers.

Data Protection Authorities enforce aspects intersecting with GDPR.

Enforcement starts at the national level — different MSAs across member states will have different priorities, similar to how GDPR enforcement has varied between Ireland’s DPC and Germany’s BfDI.

What Triggers an Investigation?

Unlike GDPR’s complaint-driven model, the EU AI Act also enables proactive market surveillance. MSAs can:

1. Require documentation on demand — conformity assessments, technical documentation, risk management records
2. Investigate based on complaints — from employees, customers, or competitors
3. Act on notified body reports
4. Conduct sector-wide sweeps — similar to what DPAs have done under GDPR

The most common near-term trigger is likely competitor and employee complaints. Any person or organisation can report suspected non-compliance to the relevant MSA.

The Hidden Costs Beyond the Fine

• Mandatory remediation: MSAs can order you to bring your AI system into compliance — or withdraw it from market entirely.
• Reputational damage: EU AI Act violations are public. The European AI Office maintains a registry of decisions.
• Customer contract risk: Enterprise customers are already including EU AI Act compliance warranties in procurement contracts.
• Investor scrutiny: Post-August 2026, compliance status will be a standard diligence item.

The Four Highest-Risk Mistakes SMBs Are Making Right Now

1. Assuming "we’re too small to be targeted"

The Act creates citizen complaint rights. A former employee’s complaint about your AI-powered hiring tool doesn’t get ignored because you’re small.

2. Not knowing whether your AI system is "high-risk"

A recruitment scoring tool almost certainly is. A customer support chatbot probably isn’t. A fraud detection system in financial services: yes. Get a clear risk classification on paper before August 2026.

3. Confusing "we use AI" with "we provide AI"

The Act applies to deployers as well as providers. If you use a third-party AI model in a high-risk context, you’re a deployer with compliance obligations — even if the model is from OpenAI or Anthropic.

4. No human oversight documentation

Article 14 requires documented human oversight mechanisms — a named role, defined procedures, a documented intervention capability, and evidence that oversight actually happens. Most SMBs have none of this in writing.

What You Should Do in the Next 30 Days

Step 1: Get classified. Run your AI systems through an Annex III risk classification and document the reasoning.

Step 2: Inventory your documentation gaps. High-risk systems need technical documentation, a risk management system, data governance records, accuracy/robustness metrics, human oversight procedures, and a conformity assessment.

Step 3: Assign accountability. Name the person responsible for compliance. Give them authority and a budget.

Step 4: Start the paper trail now. Enforcement actions look at the state of your documentation at the time of investigation. Contemporaneous records of good-faith compliance efforts matter.

Step 5: Get a compliance baseline. Complizo can help you classify your AI systems, identify documentation gaps, and generate Annex IV technical files — in hours, not months.

The Bottom Line

€35 million. 7% of global revenue. These are not theoretical — they are the law, effective in 117 days.

The question isn’t whether to comply. It’s whether to start now, or start after an MSA investigation makes compliance mandatory under a tighter timeline with public scrutiny.

Starting now costs less, takes less time, and gives you a defensible record.

Complizo helps SMBs classify their AI systems, identify documentation gaps, and generate compliance documentation in hours. Start for free →

The EU AI Act is the world's first comprehensive AI regulation, and it doesn't care how big your company is. If your AI systems affect people in the EU, you have obligations — whether you're a 10-person startup or a 200-person scale-up.

The problem? Most compliance guidance is written for enterprises with dedicated legal teams and six-figure budgets. If you're an SMB without a compliance department, you need a checklist that's practical, accurate, and built for your reality.

This is that checklist.

What's the Current Timeline?

Before diving into the checklist, here's where things stand as of March 2026:

Already enforced:

• February 2, 2025: Prohibited AI practices banned (social scoring, real-time biometric surveillance in public spaces, manipulation techniques)
• August 2, 2025: General-Purpose AI (GPAI) model obligations in effect — providers must have documentation packages ready for the EU AI Office on request

Coming next:

• August 2, 2026: High-risk AI system obligations (Annex III) take effect — this is the big one for most SMBs
• August 2, 2027: Full enforcement across all remaining provisions

Important update: On March 26, 2026, the European Parliament voted to approve the Digital Omnibus package, which proposes delaying the Annex III high-risk deadline to December 2, 2027 (standalone systems) and August 2, 2028 (embedded products). Trilogue negotiations between Parliament, Council, and Commission are expected to begin in April 2026. However, this delay is not yet law — trilogue must conclude and the final text must be adopted. Treat August 2, 2026 as the live deadline and use any potential extension as a head start, not an excuse to wait.

Step 1: Build Your AI System Inventory

You can't comply with what you can't see. The very first thing every SMB needs is a complete inventory of every AI system in use.

What to document for each system:

• System name and vendor (or "in-house" if you built it)
• What it does and who it affects
• Where it's deployed (EU customers? EU employees? Both?)
• Who owns it internally (the person accountable for compliance)
• Date deployed and current version

Don't forget third-party AI. If you use an AI-powered hiring tool, a customer service chatbot, an AI credit scoring system, or even AI-assisted medical diagnostics — these all count. You're responsible for the AI you deploy, even if someone else built it.

Pro tip: Most SMBs are surprised to find they use 5–15 AI systems once they actually audit. Start with your software vendor list and ask: "Does this use AI or machine learning?" The answer is increasingly yes.

Start your AI inventory for free with Complizo →

Step 2: Classify Each System by Risk Tier

The EU AI Act uses a four-tier risk classification. Your compliance obligations depend entirely on which tier each system falls into.

Unacceptable Risk (Banned)

These AI uses are prohibited outright. If you're doing any of these, stop immediately:

• Social scoring systems that evaluate people based on behavior or personal traits
• Real-time biometric identification in public spaces (with narrow law enforcement exceptions)
• AI that exploits vulnerabilities of specific groups (age, disability)
• Emotion recognition in workplaces and educational institutions (with limited exceptions)

High Risk (Annex III — Strictest Requirements)

This is where most SMB compliance work lives. High-risk systems include AI used in:

• Recruitment and HR: CV screening, interview assessment, hiring decisions
• Credit and finance: Credit scoring, loan approval, insurance risk assessment
• Education: Student assessment, admissions decisions, learning optimization
• Healthcare: Diagnostic assistance, treatment recommendations, patient triage
• Critical infrastructure: Energy, water, transport management systems

If any of your AI systems fall here, you have significant documentation and governance obligations (covered in Steps 3–7).

Limited Risk (Transparency Obligations)

These systems require transparency but not full compliance documentation:

• Chatbots (users must know they're interacting with AI)
• AI-generated content (must be labeled as such)
• Emotion recognition systems (where permitted)
• Biometric categorization systems

Minimal Risk (No Specific Obligations)

Most AI applications — spam filters, AI-recommended playlists, inventory optimization — fall here. No specific regulatory requirements, but voluntary codes of conduct are encouraged.

The critical question: Do any of your AI systems touch hiring, credit, healthcare, education, or critical infrastructure? If yes, you almost certainly have high-risk systems that need the full compliance treatment.

Classify your AI systems automatically with Complizo →

Step 3: Implement a Risk Management System

For every high-risk AI system, you need a documented risk management system that runs throughout the system's lifecycle. This isn't a one-time assessment — it's an ongoing process.

Your risk management system must include:

• Identification and analysis of known and foreseeable risks
• Estimation and evaluation of risks that may emerge during intended use and reasonably foreseeable misuse
• Adoption of risk mitigation measures
• Testing to ensure risks are managed effectively
• Documentation of all risk decisions and their rationale

For SMBs, this means: Create a risk register for each high-risk system. Review it quarterly. Document what risks you identified, what you did about them, and why. Keep records for the system's commercial lifetime plus 10 years.

Step 4: Get Your Data Governance in Order

High-risk AI systems must meet strict data governance requirements. The EU AI Act cares deeply about the data that trains and feeds your AI.

What you need:

• Documentation of training, validation, and testing datasets
• Data quality criteria and governance procedures
• Bias detection and mitigation measures
• Evidence that datasets are relevant, representative, and error-free (to the extent possible)
• Clear records of data sources and processing decisions

If you use third-party AI: Request data governance documentation from your vendor. Under the EU AI Act, deployers of high-risk AI systems have obligations too — you can't simply point to your vendor and say "they handle it."

Step 5: Prepare Your Technical Documentation

This is the documentation package that proves your AI system complies with the EU AI Act. For high-risk systems, you need six key document types:

1. Model Cards — Technical specifications of each AI model: architecture, training methodology, performance metrics, known limitations
2. Data Governance Records — How training data was collected, processed, validated, and maintained
3. Human Oversight Protocols — How humans supervise AI decisions, when and how they can override the system, escalation procedures
4. Conformity Assessments — Formal evaluation showing the system meets all applicable EU AI Act requirements
5. Risk Management Records — Your ongoing risk identification, assessment, and mitigation documentation
6. Transparency Notices — Clear information for users about the AI system's capabilities, limitations, and intended purpose

This documentation must be:

• Created before the system is placed on the market or put into service
• Kept up to date throughout the system's lifetime
• Available to national authorities on request
• Retained for 10 years after the system is withdrawn

The enterprise approach: Hire consultants at €5,000–€50,000+ per assessment to create these manually.

The SMB approach: Use purpose-built tools to generate audit-ready documentation automatically. Complizo generates all six document types from your system inventory →

Step 6: Establish Human Oversight Controls

The EU AI Act requires that high-risk AI systems are designed to be effectively overseen by humans. This means:

• Designated oversight personnel — Name the specific people responsible for monitoring each high-risk AI system
• Override capability — Humans must be able to intervene in or override AI decisions
• Understanding requirements — Oversight personnel must understand the system's capabilities, limitations, and risks
• Monitoring procedures — Document how you monitor system performance and detect anomalies
• Incident response — Create and test a procedure for when things go wrong

For SMBs: This doesn't mean hiring a dedicated AI oversight team. It means formally assigning responsibility, training the assigned person, and documenting your oversight process. One person can oversee multiple systems.

Step 7: Set Up Logging and Post-Market Monitoring

High-risk AI systems must automatically generate logs throughout their operational lifetime, and you need a plan to monitor system performance after deployment.

Logging requirements:

• Record system inputs and outputs for traceability
• Log all human oversight decisions and overrides
• Maintain audit trails that regulators can review
• Ensure logs are retained for an appropriate period

Post-market monitoring:

• Define performance metrics and acceptable thresholds
• Monitor for bias drift, accuracy degradation, and unintended behaviors
• Establish a process for reporting serious incidents to authorities (within 15 days for providers, or as soon as reasonably practical for deployers)
• Plan for system updates and re-assessment when changes occur

Step 8: Train Your Team

The EU AI Act requires that personnel involved with high-risk AI systems have sufficient AI literacy. This isn't optional — it's a legal obligation under Article 4.

What "AI literacy" means in practice:

• Staff understand what AI systems are in use and what they do
• Oversight personnel can interpret AI outputs and know when to intervene
• Everyone knows the escalation process for AI-related incidents
• Training is documented and refreshed regularly

For SMBs: A 60-minute workshop covering your AI inventory, risk classifications, and oversight procedures is a solid starting point. Document who attended and what was covered.

Step 9: Register in the EU Database (If Required)

Providers of high-risk AI systems must register their systems in the EU database before placing them on the market. Deployers of high-risk systems in certain categories (particularly public sector use) must also register.

Check whether your role (provider vs. deployer) and your specific use case trigger the registration requirement. The EU AI Act Compliance Checker can help you determine this.

Step 10: Build Your Compliance Dashboard

Compliance isn't a one-time project — it's an ongoing obligation. You need visibility into your compliance posture at all times.

Track these metrics:

• Number of AI systems inventoried vs. estimated total
• Risk classification status for each system
• Documentation completeness (which documents are done, which are pending)
• Outstanding risk items and mitigation status
• Training completion rates
• Last review dates for each system
• Upcoming deadlines and renewal dates

The goal: If a regulator knocks on your door tomorrow, you can demonstrate your compliance posture in minutes, not weeks.

Get a real-time compliance dashboard with Complizo — free for up to 3 AI systems →

What Happens If You Don't Comply?

The penalties are severe and proportional to the violation:

• Prohibited AI practices: Up to €35 million or 7% of global annual turnover (whichever is higher)
• High-risk system violations: Up to €15 million or 3% of global annual turnover
• Incorrect information to authorities: Up to €7.5 million or 1% of global annual turnover

For SMBs, these fines are designed to be proportionate — but "proportionate" to 3% or 7% of your revenue is still existential for most small businesses.

SMB-Specific Advantages Under the EU AI Act

The regulation does offer some relief for smaller organizations:

• Regulatory sandboxes: SMEs and startups get priority access, free of charge, to test AI systems under regulatory supervision
• Simplified documentation: Where feasible, SMEs can use simplified forms of technical documentation
• Awareness resources: The EU AI Office provides tailored guidance and dedicated communication channels for SMBs
• Proportionate fines: Penalties are capped at proportionate levels for SMEs (though still significant)

Your 30-Day Quick Start Plan

If you're starting from zero, here's how to make meaningful progress in 30 days:

Week 1: Build your AI system inventory. List every AI tool your company uses, develops, or deploys.

Week 2: Classify each system by risk tier. Identify which systems are high-risk and require full compliance.

Week 3: Start documentation for your highest-risk system. Create the risk management record and data governance documentation first.

Week 4: Assign human oversight roles, schedule team training, and set up your compliance tracking process.

Beyond 30 days: Generate your remaining compliance documents, establish post-market monitoring, and build your ongoing review cadence.

Start Your Compliance Journey Today

Complizo is the self-service EU AI Act compliance platform built for SMBs. Register your AI systems, classify risks automatically, and generate all six required document types — in minutes, not months.

Free for up to 3 AI systems. No credit card required. Setup in 5 minutes.

Start for free at complizo.com →

Complizo provides a compliance framework to help businesses meet their EU AI Act obligations. This content is for informational purposes only and does not constitute legal advice. For legal questions specific to your situation, consult a qualified legal professional. For the latest regulatory text, refer to EUR-Lex.

If you run a small or mid-size business that develops, deploys, or even uses AI systems affecting EU residents, you need a compliance plan. Not next quarter. Now.

This checklist walks you through every step — from figuring out whether the law applies to you, to generating the documentation that keeps you audit-ready.

Does the EU AI Act Apply to Your Business?

The EU AI Act has extraterritorial reach. You don't need to be headquartered in Europe.

You're in scope if your business does any of the following:

• Develops AI systems placed on the EU market or put into service in the EU
• Deploys AI systems that affect people located in the EU
• Imports or distributes AI systems into the EU market
• Uses output from AI systems where that output is used in the EU

Even a single EU customer using your AI-powered feature can trigger obligations. A SaaS company in Austin with 50 EU subscribers? In scope. A recruitment platform in London processing EU candidate data? In scope.

Your first action: Map your AI systems against your user base. If any system touches EU residents, keep reading.

Step 1: Build Your AI System Inventory

You cannot comply with a law you can't map to your technology. Over half of organisations lack a systematic inventory of AI systems in production or development — don't be one of them.

For every AI system your company develops, deploys, or procures (including embedded AI in third-party tools and cloud services), document:

• System name and purpose — what does it do, and why?
• Your role — are you the provider, deployer, importer, or distributor?
• Input data types — what data feeds the system?
• Output and decisions — what does the system produce or influence?
• Affected users — who is impacted by the system's output?
• Third-party dependencies — is the AI component from a vendor? Which one?

This inventory is the foundation of everything that follows. Without it, risk classification is guesswork.

Complizo's AI System Inventory lets you register and track every AI system in under 5 minutes — free for up to 3 systems.

Step 2: Classify Each System by Risk Tier

The EU AI Act defines four risk tiers. Your obligations depend entirely on where your systems land.

Unacceptable Risk (Banned)

These AI practices have been prohibited since February 2, 2025:

• Social scoring by governments
• Real-time remote biometric identification in public spaces (with narrow law enforcement exceptions)
• Emotion recognition in workplaces and educational institutions
• AI that exploits vulnerabilities of specific groups (age, disability)
• Untargeted scraping of facial images for facial recognition databases

If any of your systems fall here, stop using them immediately. Fines reach €35 million or 7% of global annual turnover — whichever is higher.

High Risk (Annex III)

This is where most compliance effort concentrates. High-risk AI systems are those used in:

1. Biometric identification and categorisation of natural persons
2. Critical infrastructure management — transport, water, gas, electricity
3. Education and vocational training — exam scoring, admissions decisions
4. Employment and worker management — recruitment, promotion, termination, task allocation
5. Access to essential services — credit scoring, emergency response prioritisation, insurance pricing
6. Law enforcement — evidence evaluation, crime prediction, profiling
7. Migration and border control — visa and asylum application assessment
8. Justice and democratic processes — legal research tools, election-related systems

Important exception: An AI system listed in Annex III is not automatically high-risk if it doesn't pose a significant risk of harm or doesn't materially influence decision-making outcomes. But you need to document that assessment — you can't just assert it.

Limited Risk

Systems like chatbots, AI-generated content tools, and emotion detection systems (outside banned contexts) carry transparency obligations. Users must know they're interacting with AI, and AI-generated content must be marked in machine-readable format.

Minimal Risk

Most AI systems fall here — spam filters, AI-assisted search, recommendation engines in non-critical contexts. No specific obligations beyond general product safety law.

Complizo's Risk Classification engine walks you through Annex III classification with guided questions — no compliance consultant required.

Step 3: Meet Your Role-Specific Obligations

Your obligations vary based on your role in the AI value chain.

If you're a provider (you built or branded the AI system): you carry the heaviest obligations. You must implement a risk management system, ensure data governance, produce technical documentation, enable human oversight, and register high-risk systems in the EU database.

If you're a deployer (you use an AI system provided by someone else): you must use the system according to instructions, monitor its operation, conduct a fundamental rights impact assessment for high-risk systems, and keep logs.

If you're an importer or distributor: you must verify the provider's conformity assessment and documentation before placing the system on the EU market.

Most SMBs are deployers — but if you've fine-tuned a model, built a custom pipeline, or put your brand on an AI feature, you may be a provider without realising it.

Step 4: Generate the Required Documentation

For high-risk AI systems, you need six categories of documentation, audit-ready and current:

1. Model Cards — technical description of the system's capabilities, limitations, and intended use
2. Data Governance Records — how training and operational data is collected, labelled, and managed
3. Human Oversight Protocols — how humans monitor, intervene, and override the system
4. Conformity Assessments — demonstration that the system meets all applicable requirements
5. Risk Management Records — identification, analysis, and mitigation of risks throughout the system lifecycle
6. Transparency Notices — clear information for users about the system's functioning and limitations

Producing these from scratch takes weeks with a consultant — and costs €5,000–€50,000+.

Complizo generates all six document types as audit-ready PDFs using AI. Pro plan starts at $99/month.

Step 5: Set Up Ongoing Monitoring

Compliance isn't a one-time exercise. The EU AI Act requires:

• Post-market monitoring — continuously track system performance and report serious incidents
• Log retention — maintain operational logs for the periods specified in the Act
• Incident reporting — report serious incidents to national authorities without undue delay
• Documentation updates — keep all compliance documents current as your systems evolve

Build this into your engineering and operations workflows now, before the deadline.

Step 6: Train Your Team

The EU AI Act explicitly requires that staff involved in operating high-risk AI systems receive adequate AI literacy training. This includes:

• Understanding how the AI system works
• Knowing when and how to intervene or override
• Recognising signs of malfunction or bias
• Understanding reporting obligations

Document your training programme and keep attendance records.

The Digital Omnibus: A Delay, Not a Reprieve

On March 26, 2026, the European Parliament voted (569-45-23) to adopt its position on the Digital Omnibus package, which proposes delaying certain AI Act deadlines. Under the Parliament's proposal, Annex III high-risk obligations would shift to December 2, 2027, with sectoral systems pushed to August 2, 2028.

But this is not law yet. The Council and Parliament must still enter trilogue negotiations. The original August 2, 2026 deadline remains legally binding until a final text is adopted.

Even if the delay passes, the smart move is to start now. Companies that wait until 2027 will face the same scramble — except the consultant market will be even more expensive, and regulators will have even less patience.

Getting compliant early gives you a competitive advantage. It's a trust signal for EU customers and partners. It's cheaper to do it methodically over months than in a panic over weeks.

Your 10-Point Quick Checklist

1. Confirm whether the EU AI Act applies to your business
2. Build a complete AI system inventory
3. Classify each system by risk tier (Unacceptable / High / Limited / Minimal)
4. Determine your role for each system (Provider / Deployer / Importer / Distributor)
5. Stop any prohibited AI practices immediately
6. Generate required documentation for high-risk systems
7. Register high-risk systems in the EU database
8. Set up post-market monitoring and incident reporting
9. Train staff on AI literacy and oversight obligations
10. Schedule quarterly compliance reviews to keep documents current

Start for Free

You don't need a €50,000 consultant or a $200,000 enterprise platform.

Complizo is purpose-built for EU AI Act compliance. Register your AI systems, classify risk, and generate audit-ready documentation — all self-serve, setup in 5 minutes.

Free for up to 3 AI systems. No credit card required. Get started

Complizo provides an EU AI Act compliance framework. It does not provide legal advice. For legal questions specific to your situation, consult a qualified attorney. For the official regulation text, visit EUR-Lex.

Here's exactly what you need to prepare — and what each document actually covers.

1. Model Cards

A Model Card is a structured summary of what your AI system does, how it was trained, and where it performs well (or doesn't). Think of it as your AI system's ID card.

What to include:

• The intended purpose and use cases
• Training data sources and methodology
• Known limitations and failure modes
• Performance benchmarks across different populations

Regulators want to see that you understand your own system. If you can't describe what your model does and where it breaks down, that's a red flag in any audit.

2. Data Governance Records

Article 10 of the EU AI Act sets strict rules around training, validation, and testing data. Your Data Governance Record proves you followed them.

What to include:

• Data collection methods and sources
• How you handled bias detection and mitigation
• Data quality metrics and validation procedures
• Data retention and deletion policies

This is where many SMBs get stuck. You may be using third-party models or pre-trained systems — but you still need to document the data practices behind them as far as reasonably possible.

3. Risk Management Records

Article 9 requires a risk management system that runs throughout the entire lifecycle of your AI system — not just a one-time assessment.

What to include:

• Identified risks and their severity ratings
• Mitigation measures implemented
• Residual risk assessment
• Ongoing monitoring procedures

The key word is "ongoing." Your risk management documentation needs to show a living process, not a PDF you created once and forgot about.

4. Human Oversight Protocols

High-risk AI systems must be designed so humans can effectively oversee them. Your Human Oversight Protocol documents exactly how that works in practice.

What to include:

• Who is responsible for oversight (roles and qualifications)
• What controls are in place to intervene or override
• When and how human review is triggered
• Training requirements for oversight personnel

This matters especially if your AI system makes or influences decisions about people — hiring, credit, insurance, or public services.

5. Conformity Assessments

Before placing a high-risk AI system on the EU market, you need a conformity assessment proving it meets all Chapter III, Section 2 requirements. For most Annex III systems, this is a self-assessment (no third-party auditor required).

What to include:

• Evidence of compliance with each applicable requirement
• Reference to harmonised standards applied
• Test results and validation data
• The EU Declaration of Conformity (a formal statement you sign)

The conformity assessment pulls together evidence from all your other documents. It's the capstone of your compliance package.

6. Transparency Notices

If your AI system interacts with people, generates content, or processes biometric data, you need a Transparency Notice. Articles 50 and 52 set out specific disclosure obligations.

What to include:

• Clear disclosure that an AI system is in use
• What the system does and how it affects the user
• How users can contest or seek review of AI-driven decisions
• Contact information for the responsible party

Transparency isn't optional, even for limited-risk systems. If people interact with your AI, they have the right to know.

How SMBs Can Actually Get This Done

Here's the reality: most SMBs don't have a compliance team. They don't have €10,000 for a consultant to prepare these documents. And they can't afford to ignore the deadline.

That's the problem Complizo was built to solve. You register your AI systems, classify them under Annex III, and Complizo auto-generates all six document types as audit-ready PDFs. Setup takes 5 minutes, and the free plan covers up to 3 AI systems — no credit card required.

If you're not sure whether your systems qualify as high-risk, start with a free risk classification to find out where you stand.

Don't Wait for the Deadline

The August 2, 2026 deadline for Annex III high-risk AI obligations is less than 131 days away. Yes, the EU Council proposed a potential extension to December 2027 through the Digital Omnibus — but that proposal hasn't passed Parliament yet, and trilogue hasn't started. Treating it as a sure thing is a gamble no SMB should take.

Start documenting now. The earlier you begin, the less painful the audit will be.

Complizo is a self-service EU AI Act compliance platform for SMBs. It does not provide legal advice. For the full text of the regulation, visit EUR-Lex.

If you're running a company with 5 to 200 employees and you use AI in any capacity — a chatbot on your website, an AI-powered hiring tool, a recommendation engine — the EU AI Act applies to you. And unlike GDPR, where the early days felt chaotic, regulators have signaled they intend to enforce this one fast.

This EU AI Act compliance checklist breaks down exactly what SMBs need to do, step by step, without the jargon and without the €50,000 consultant fee.

Why SMBs Can't Ignore the EU AI Act

Most compliance content online is written for enterprises with dedicated legal teams and six-figure budgets. That's not you.

Here's the reality for small and mid-size businesses:

The EU AI Act creates obligations for anyone who develops, deploys, or uses AI systems that affect EU residents. That includes a 15-person SaaS startup in Berlin just as much as it includes Google. The fines don't scale down for smaller companies — €35 million or 7% of global annual turnover for prohibited AI practices, €15 million or 3% for other violations.

The difference? Google has a compliance team. You probably don't.

That's exactly why having a clear checklist matters. You need a structured approach that doesn't require a law degree to follow.

Step 1: Build Your AI System Inventory

Before you can classify risk or generate documents, you need to know what AI you're actually using. This sounds obvious, but most companies undercount their AI systems by 40–60%.

Start by cataloguing every AI system your organization touches:

• AI you built in-house (recommendation algorithms, classification models, NLP pipelines)
• AI you purchased from vendors (CRM scoring tools, AI-powered analytics)
• AI embedded in platforms you use (Salesforce Einstein, HubSpot AI features, Copilot integrations)
• AI used by contractors or partners who process data on your behalf

For each system, document the purpose, what data it processes, what decisions it influences, and who it affects. If it touches EU residents in any way, it's in scope.

Pro tip: Most SMBs discover 2–3x more AI systems than they initially expected once they look at their full vendor stack. Complizo's AI System Inventory automates this cataloguing process and keeps it up to date as you add new tools.

Step 2: Classify Each System by Risk Tier

The EU AI Act defines four risk tiers. Every AI system in your inventory needs to be mapped to one:

Unacceptable Risk — Banned Outright

These AI practices have been prohibited since February 2, 2025. If you're doing any of these, stop immediately:

• Social scoring systems that evaluate people based on behaviour or personality
• Real-time remote biometric identification in public spaces (with narrow law enforcement exceptions)
• AI that exploits vulnerabilities of specific groups (age, disability, economic situation)
• Emotion recognition in workplaces and educational institutions (with limited exceptions)

High Risk — The Core of Compliance

This is where most of the regulatory weight falls, and it's where SMBs get tripped up. High-risk AI systems are defined in Annex III of the Act and include AI used in:

• Employment and worker management (hiring tools, performance monitoring, task allocation)
• Education and vocational training (admissions decisions, grading, proctoring)
• Access to essential services (credit scoring, insurance pricing, social benefits)
• Law enforcement and border management
• Critical infrastructure management

If any AI system in your inventory falls into one of these categories, you'll face the full set of obligations: risk management systems, data governance, technical documentation, human oversight protocols, accuracy and robustness requirements, and conformity assessments.

Limited Risk — Transparency Required

AI systems that interact with people (chatbots, AI-generated content, emotion detection) must disclose their AI nature. Users need to know they're talking to a machine, and AI-generated content must be labelled as such.

Minimal Risk — No Specific Obligations

Spam filters, AI in video games, inventory management AI — these carry no specific regulatory burden, though voluntary codes of conduct are encouraged.

Not sure where your systems fall? Complizo's Risk Classification tool walks you through the Annex III criteria in plain language and gives you a definitive classification for each system in under 5 minutes.

Step 3: Generate Required Documentation

For high-risk AI systems, the EU AI Act requires six categories of documentation that must be audit-ready before August 2, 2026:

Model Cards

Technical specifications of your AI system — architecture, training methodology, performance metrics, known limitations.

Data Governance Records

How you source, validate, clean, and manage the data your AI systems use. This must cover training data, validation data, and ongoing monitoring data.

Human Oversight Protocols

Documented procedures for how human operators monitor, intervene in, and override AI system decisions. This isn't just a checkbox — regulators want evidence of meaningful human control.

Conformity Assessments

Self-assessments (or third-party assessments for certain biometric systems) demonstrating your AI system meets all applicable requirements.

Risk Management Records

A living document covering risk identification, analysis, evaluation, and mitigation throughout the AI system's lifecycle. This must be updated continuously, not written once and shelved.

Transparency Notices

Clear, accessible information for users about how the AI system works, its intended purpose, and its limitations.

Generating these documents manually takes most companies 3–6 months and costs anywhere from €5,000 to €50,000 when working with compliance consultants. Complizo generates all six document types automatically using AI, producing audit-ready PDFs for a fraction of consultant costs. Free for up to 3 AI systems — no credit card required.

Step 4: Implement a Risk Management System

The EU AI Act doesn't just want documents. It wants an ongoing risk management process that covers the entire lifecycle of each high-risk AI system.

Your risk management system must:

1. Identify and analyse known and reasonably foreseeable risks
2. Estimate and evaluate risks that may emerge during intended use and foreseeable misuse
3. Adopt risk mitigation measures based on your analysis
4. Test the effectiveness of those measures
5. Document everything — risk registers, mitigation decisions, test results

This is an ongoing obligation. Risk management doesn't end when you file your initial documentation. You need continuous monitoring and regular reassessment.

Step 5: Establish Data Governance Practices

High-risk AI systems must be trained and operated with data that meets specific quality standards. The regulation requires:

• Clear criteria for data collection and selection
• Bias examination and mitigation procedures
• Identification of data gaps and shortcomings
• Appropriate data preparation steps (annotation, labelling, cleaning)

For SMBs using third-party AI models (which is most of you), this means documenting what data you feed into the system and how you validate its outputs — even if you didn't build the underlying model.

Step 6: Set Up Human Oversight

Every high-risk AI system must have human oversight measures proportionate to the risks involved. This means:

• Designated people who understand the system's capabilities and limitations
• Clear procedures for when and how humans intervene in automated decisions
• Ability to override or reverse AI decisions
• Monitoring mechanisms to catch anomalous behaviour

Document who is responsible, what training they've received, and what escalation paths exist.

Step 7: Prepare for Ongoing Compliance

Compliance isn't a one-time event. After August 2, 2026, you'll need to:

• Monitor your AI systems continuously for performance degradation, bias drift, and new risks
• Update documentation whenever you modify an AI system
• Report serious incidents to national authorities
• Maintain your conformity assessment as systems evolve
• Stay current as the regulation is refined through implementing acts and standards

The Digital Omnibus: A Possible Extension (But Don't Count on It)

On March 13, 2026, the EU Council proposed delaying the Annex III high-risk deadline to December 2027 for stand-alone AI systems. This sounds like good news, but it is not yet law. The European Parliament must still set its position, and trilogue negotiations haven't begun.

The smart move is to treat August 2, 2026, as your hard deadline. If the extension passes, you'll be ahead of your competitors. If it doesn't, you'll be compliant when enforcement begins.

What This Costs (Realistically)

Here's the honest math for SMBs:

• Compliance consultants: €5,000–€50,000+ for an initial assessment
• Enterprise governance tools (like those built for Fortune 500s): \(50,000–\)200,000+/year
• Internal team time (DIY approach): 200–500 hours across legal, engineering, and ops

Or you can use a purpose-built tool designed for companies your size. Complizo starts at \(0/month for up to 3 AI systems and scales to \)499/month for unlimited systems. Setup takes 5 minutes. No sales call, no contract, cancel anytime.

Your 133-Day Action Plan

Here's the compressed timeline if you're starting today:

Days 1–14: Complete your AI system inventory and risk classification. This is the foundation everything else builds on.

Days 15–45: Generate all required documentation for high-risk systems. Focus on the six document types: Model Cards, Data Governance Records, Human Oversight Protocols, Conformity Assessments, Risk Management Records, and Transparency Notices.

Days 46–90: Implement your risk management system and data governance practices. Assign human oversight roles and train your team.

Days 91–133: Test everything. Run internal audits. Fix gaps. Build your audit trail.

You don't need a compliance team to do this. You need a structured approach and the right tool. Start your EU AI Act compliance checklist today — free.

Complizo is a self-service EU AI Act compliance platform built for small and mid-size businesses. It is not a law firm and does not provide legal advice. For legal counsel, consult a qualified attorney in your jurisdiction.

But before you exhale and close this tab, here's what you actually need to know.

What the Council Decided

The Council's new position, part of the so-called Digital Omnibus package, would push the application dates for high-risk AI obligations to:

• 2 December 2027 for stand-alone high-risk AI systems
• 2 August 2028 for high-risk AI systems embedded in regulated products (previously already extended to 2027)

These are proposals, not law. The Council's mandate now goes into negotiations with the European Parliament, with a final vote expected in June 2026 and amended text targeted for July 2026.

In other words: the delay isn't confirmed yet, and the August 2, 2026 deadline for the broader set of EU AI Act obligations remains fully in force.

What August 2026 Still Means for You

Don't confuse "high-risk delay" with "nothing to do until 2028." The August 2, 2026 full application date still covers a wide range of obligations for deployers and providers:

• Transparency requirements for AI systems that interact with people (e.g., chatbots, AI-generated content)
• Fundamental rights impact assessments for certain deployers
• AI literacy obligations for staff using or overseeing AI systems (already in force since February 2025)
• GPAI model obligations (in force since August 2025)

Fines for non-compliance remain eye-watering: up to €15 million or 3% of global annual turnover for high-risk violations, and €7.5 million or 1% for lesser infringements.

Why SMBs Shouldn't Wait for the Final Text

The proposal to delay is a signal that regulators recognise compliance infrastructure — standards, guidance, accredited bodies — isn't fully ready. It is not a signal that compliance doesn't matter or that enforcement will be lax.

Here's the practical reality:

1. Inventorying your AI systems takes time. Over half of organisations still lack a complete list of the AI tools they use. Start there.
2. Your vendors need to be compliant too. As a deployer, you're responsible for verifying that AI providers can show you technical documentation and conformity assessments.
3. The guidance you need may still be missing. The European Commission missed its own February 2026 deadline to publish guidance for high-risk systems under Article 6. Build your compliance programme on the law itself, not on guidance that may shift.

For the official EU AI Act text and timeline, see the European Commission's AI Act page.

The Bottom Line

The Council's proposed delay is good news for companies deploying high-risk AI who aren't ready. But it isn't a hall pass — it's a gift of time that will run out.

If your organisation uses AI in hiring, customer scoring, content moderation, or other high-stakes contexts, the clock is still ticking. The difference between August 2026 and December 2027 is roughly 16 months. That sounds like a lot until you're three months out from a deadline with no documentation, no conformity assessment, and a €10M fine exposure.

Complizo automates the hard parts of EU AI Act compliance — risk classification, documentation generation, and Annex III checks — free for up to 3 AI systems. Start your free compliance audit →

Already past the basics? See Complizo's pricing for teams managing larger AI portfolios, or book a demo to see how it works for your industry.

Sources: EU Council press release, March 13 2026 | OneTrust: Digital Omnibus Delay Analysis | EU AI Act implementation timeline