[00]

Resource 01 · AI Act · Regulation (EU) 2024/1689

_

AI Act checklist: 7 questions your company must be able to answer today

AI Act checklist: 7 questions your company must be able to answer today

By Alejandro Rios Calera, CTO

Alejandro Rios Calera is CTO and co-founder of The AI Business, where he leads the technical implementation of EU AI Act compliance in real-world AI projects.

Reading time: 5 min · The AI Business · July 2026

The EU's AI regulation doesn't require a course. It requires you to be able to prove that your team understands the AI it uses — what it can do, what it can't do, and what risks it carries. These seven questions tell you whether you actually have that or only think you do.

Article 4 of Regulation (EU) 2024/1689 establishes something more concrete than it sounds: it isn't enough for your employees to use AI systems. Your organization has to be able to prove that they understand what they're using — what it can do, what it can't, and the consequences of relying on its output without judgment of their own. As of August 2, 2026, AESIA (the Spanish Agency for the Supervision of Artificial Intelligence) can verify that compliance with full authority.

The question we hear most is no longer "what does the law say?" It's "how do I know if what we have is enough?" This checklist is built for exactly that: seven questions that reveal where the work is done and where real gaps remain.

The 7 questions

The 7 questions

[01] Do you have an inventory of the AI systems your company uses?

The obligation applies to those who deploy AI systems, not only to those who develop them. That includes any tool your team uses: writing assistants, predictive analytics, AI-powered hiring tools, content generators — including the ones they use on their own without IT knowing. Without an inventory you can't know who needs training or on what.

What you should have: An up-to-date record of which AI systems are in use, in which departments, and for what functions. A spreadsheet works. What doesn't work is not having one.

[02] Do you know which risk level each system falls into?

The regulation classifies systems into four categories: unacceptable risk (banned), high risk, limited risk, and minimal risk. The requirements grow with the category — and systems that touch hiring, credit, access to services, or critical infrastructure usually fall into high risk.

What you should have: A basic classification of each system in the inventory. For high-risk ones, the requirement for documented competence — and the type of training — is greater.

[03] Have you defined who needs to be trained and to what depth?

"Sufficient literacy" doesn't mean the same thing for everyone. The engineer integrating a model, the sales rep using an analytics tool, and the manager making decisions on automated recommendations each need different levels. Training the entire workforce with the same generic module covers the obligation on paper, not in substance.

What you should have: A roles-and-competencies matrix: for each profile, what they need to understand about the systems they use and in what detail.

[04] Does the training cover capabilities, limitations, and risks — not just usage instructions?

This is where most fall short without realizing it. The rule requires people to understand three dimensions: what the system can do, what it can't do, and what risks come with using it. Tool onboarding ("how to log in, how to run a query") doesn't cover the critical dimension: when it gets things wrong, what biases it carries, what happens if you trust it blindly.

What you should have: Training content with, at a minimum, a section on known limitations and another on the risks of misuse or overreliance for each system.

[05] Do you have records that prove who was trained, when, and with what result?

Tener un sistema de formación no es lo mismo que tener evidencia lista para auditoría. En una inspección no se audita la plataforma, se audita la persona. «María García, de operaciones, completó el módulo de alfabetización en IA el 15 de mayo con un 85%» es evidencia. «Tenemos un curso en la intranet» no lo es. Un PDF enviado por email tampoco genera registro.

What you should have: Individualized records by employee, module, date, and result, generated automatically and exportable in an audit-ready format.

[06] Is there a plan to review the training when tools or the rules change?

The regulation treats literacy as an ongoing competence, not a one-time certificate. Tools get updated, implementation guidance is published progressively, and your catalog of systems will change. Training designed once to comply in August can be obsolete before the end of the year.

What you should have: A periodic review mechanism — at least annual — and a clear process to update modules when an AI system is added or changes.

[07] Could you answer all of this in an inspection today?

Not in three months. Today. This question reveals whether compliance is done or only planned. If the inventory, the classification, the roles matrix, the records, or the update plan exist only as intentions, compliance isn't complete.

AESIA doesn't assess plans. It assesses evidence.

From checklist to action plan

From checklist to action plan

Seven questions. In most organizations, two or three go without a solid answer. That's not a failure — it's a useful diagnosis. The order of the work matters: first the inventory (without it you can't do anything), then the risk classification, then the roles matrix, and from there training with traceability from the very first module.

What doesn't work is treating it as a project for "after the summer." The deadline is this summer. If you want the full diagnosis done by us — inventory, classification, exposure in euros, and roadmap — you can have it in 72 hours.

Frequently asked questions

Frequently asked questions

Does Article 4 apply only to those who develop AI?

No. It applies to any organization that uses AI systems in its operations: if your company uses an AI tool for hiring, customer analytics, or operational management, it applies to you.

What happens if I'm not compliant before August 2, 2026?

AESIA can open supervision proceedings. Penalties for breaching the obligations that apply to operators reach €15 million or 3% of global annual turnover — and the regulation's general ceiling, for the most serious infringements, reaches €35 million or 7%.

Does a generic "AI for everyone" course cut it?

In most cases, no. Training has to be proportional to the role and to the specific systems each employee uses. An introductory module can be the starting point — not the finish line.

Sources: Regulation (EU) 2024/1689 (official text) · artificialintelligenceact.eu · AESIA (aesia.es). This content is informational and does not constitute legal advice.

Still have questions? We close them out.

Still have questions? We close them out.

AI Act exposure diagnosis in 72 hours: inventory, risk classification, your exposure in euros, and the plan to close it. No obligation.

1 vídeo · 3 guías · 20 min de lectura

Miami · Spain · Dubai

GDPR · BY CONTRACT

EU AI ACT · BY CONTRACT

Miami · Spain · Dubai

Miami · Spain · Dubai