EU AI Act Templates: 58 Documents for Providers + Deployers

Q: Do I need templates even without high-risk AI?

Yes. AI literacy obligation (Art. 4) has applied to anyone using AI since 2025-02-02, regardless of risk class. Transparency obligations under Art. 50 cover chatbots, deepfakes and AI-generated content.

May 17, 2026· Category: EU AI Act· As of: 2026-05-17· Reading time: ~8 min

Practitioner note: This is not legal advice. For specific situations, consult a qualified attorney or compliance officer.

TL;DR

4 risk classes, 4 document packages: prohibited (Art. 5), high-risk (Annex III), limited (Art. 50), minimal
Provider high-risk: 9 core documents (risk management, data governance, tech doc Annex IV, logging, transparency, human oversight, accuracy/robustness, conformity assessment, EU declaration of conformity)
Deployer high-risk: Art. 26 (instructions, logging, monitoring) + Art. 27 FRIA (public bodies, banking, insurance, education, critical infrastructure)
GPAI: Art. 53 (all) + Art. 55 (10^25 FLOPS) — tech doc, copyright, training data summary
Fines: up to EUR 35m / 7% global turnover

1. Templates by Risk Class

The EU AI Act (Regulation (EU) 2024/1689) graduates obligations by risk. Template needs follow that classification directly.

1.1 Prohibited Practices (Art. 5) — since 2025-02-02

Eight practices are completely banned: social scoring by public authorities, manipulative subliminal AI, exploitation of vulnerabilities, real-time biometric identification in public spaces (with narrow exceptions), emotion recognition in workplaces and educational institutions, biometric categorization by sensitive attributes, untargeted scraping for facial recognition databases, predictive policing based purely on profiling.

Templates needed: prohibition compliance statement, use-case inventory with classification, deployment-prohibition policy. Companies not engaged in prohibited practices still need to actively document this — supervisory authorities will ask.

1.2 High-Risk (Annex III + Annex I) — from 2026-08-02

Annex III lists eight application areas: biometric identification, critical infrastructure, education and vocational training, employment (applicant screening, promotion decisions, performance monitoring), essential private/public services (creditworthiness, insurance risk assessment, emergency dispatch), law enforcement, migration/asylum/border, justice administration + elections. Annex I covers AI as a safety component in regulated products (medical devices, machinery, toys, lifts).

Templates needed: full compliance set for providers (Art. 16 + Annex IV) plus deployer set (Art. 26-27). Around 30-40 documents per high-risk system.

1.3 Limited Risk (Art. 50) — from 2026-08-02

Transparency obligations for chatbots, AI-generated content, deepfakes, emotion recognition and biometric categorization systems that are not prohibited. Users must be able to recognize that they are interacting with AI or that content is AI-generated (watermarking / labels).

Templates needed: transparency declaration, chatbot disclaimer, deepfake labelling policy, watermarking concept.

1.4 Minimal Risk — since 2025-02-02 only AI literacy

Spam filters, AI in video games, simple recommendation systems: no specific obligations. But: AI literacy under Art. 4 applies to every company that deploys or provides AI — staff must be trained.

Templates needed: AI literacy training concept, training records, AI acceptable-use policy.

2. Provider Duties (Art. 16) — the 9 Core Documents

2.1 Risk Management System (Art. 9)

Iterative process across the entire AI lifecycle: identification of foreseeable risks, assessment, mitigation, residual risk documentation, testing. Template: risk management plan + risk register.

2.2 Data Governance (Art. 10)

Training, validation and test data must be relevant, representative, free of errors and complete. Bias examination is mandatory. Template: data governance policy, bias assessment protocol, data lineage documentation.

2.3 Technical Documentation (Art. 11 + Annex IV)

Annex IV lists 9 sections: general description, detailed operation (architecture, data sets, validation procedures), monitoring procedures, performance metrics, risk management system, change management, standards conformity, EU declaration of conformity, post-market monitoring plan. Template: technical documentation template per Annex IV (typically 40-80 pages).

2.4 Logging (Art. 12)

Automatic recording of events across the lifecycle, at minimum: recording period, input database reference, result-conformity check, identification of persons for human review. Template: logging concept + log specification.

2.5 Transparency + User Information (Art. 13)

Clear, complete, correct instructions must be supplied to deployers: purpose, accuracy, known limitations, training data characteristics, expectations for human oversight, hardware requirements, expected lifetime. Template: user instructions / deployer information document.

2.6 Human Oversight (Art. 14)

Systems must be designed so natural persons can supervise them — stop button, interpretability of outputs, awareness of automation bias. Template: human oversight concept + intervention protocol.

2.7 Accuracy, Robustness + Cybersecurity (Art. 15)

Appropriate performance levels across the lifecycle, resilience against errors / inconsistencies / adversarial inputs / data poisoning. Template: accuracy/robustness test report, cybersecurity concept (oriented towards ENISA guidelines).

2.8 Conformity Assessment (Art. 43)

Before placing on the market: internal control (Module A) or notified body (Modules B+C, B+F, H) depending on Annex. Template: conformity assessment report + internal control procedures.

2.9 EU Declaration of Conformity + CE Marking (Art. 47-48)

Template: EU declaration of conformity per Annex V.

3. Deployer Duties (Art. 26)

Anyone deploying a high-risk AI system is a deployer with their own obligations — even if they did not develop the system:

Follow instructions: implement provider instructions, technical + organizational measures
Human oversight: assign a natural person with sufficient competence
Input data: ensure input data is appropriate for the intended use
Monitoring: monitor operation, report serious incidents to provider + authority within 15 days
Logging: retain automatically generated logs for at least 6 months
Inform workers + works council: before deployment in the workplace (Art. 26(7))
GDPR DPIA: include AI-specific risks

Templates: deployer compliance checklist, human oversight appointment, monitoring concept, incident reporting protocol, works council notification.

4. FRIA — Fundamental Rights Impact Assessment (Art. 27)

Mandatory for: public bodies (all high-risk AI), private entities providing public services (education, employment, critical infrastructure), creditworthiness assessment, life and health insurance risk assessment.

Mandatory content:

Description of deployment processes
Period and frequency of use
Categories of natural persons affected
Specific risks to fundamental rights
Human oversight measures
Measures if risks materialize (complaint mechanisms)

The FRIA must be prepared before first use, notified to the market surveillance authority, and updated upon material changes. It can be combined with the GDPR DPIA (Art. 35 GDPR) where both obligations apply.

Template: FRIA template with 6 mandatory sections + risk matrix worksheet.

5. GPAI — Art. 53-55

General-Purpose AI models are a separate regime. Providers such as OpenAI, Anthropic, Google, Meta, Mistral fall under it.

5.1 All GPAI (Art. 53) — since 2025-08-02

Technical documentation per Annex XI
Information for downstream providers (Annex XII)
Copyright compliance policy (respect Art. 4(3) DSM Directive reservation of rights)
Summary of training data (public, per AI Office template)

Exception: open-source GPAI providers are partially exempt provided no systemic risks.

5.2 GPAI with Systemic Risk (Art. 55) — threshold 10^25 FLOPS

Additionally:

Model evaluations (state-of-the-art protocols, red teaming)
Adversarial testing
Systemic risk assessment + mitigation
Cybersecurity protection (model weights, training infrastructure)
Tracking + reporting serious incidents to the AI Office

Details see GPAI Compliance Template Art. 53-55.

6. Overview Table of the 58 Documents

Category	Count	Sample documents
Governance + AI Literacy	8	AI governance policy, AI literacy training, role matrix, acceptable-use policy
Risk classification	4	Use-case inventory, classification decision, prohibition statement
Provider high-risk (Art. 9-15)	14	Risk mgmt plan, data governance, tech doc Annex IV, logging, user instructions, human oversight, accuracy tests, robustness, cybersecurity, post-market monitoring plan
Conformity + CE (Art. 43-49)	5	Conformity assessment report, EU declaration of conformity, CE marking dossier, EU database registration
Deployer high-risk (Art. 26)	7	Deployer checklist, monitoring plan, incident reporting, works council info, log retention
FRIA (Art. 27)	3	FRIA template, risk matrix, complaint mechanism
Transparency Art. 50	4	Chatbot disclaimer, deepfake labelling, watermarking concept, AI content marking
GPAI (Art. 53-55)	8	Tech doc Annex XI, downstream info Annex XII, copyright policy, training data summary, model evaluation protocol, adversarial testing
Audit + compliance	5	Audit checklist, internal audit report, continuous compliance plan, supplier assessment
Total	58	— complete compliance documentation

7. Deadlines 2025-2027

2025-02-02: Prohibited practices (Art. 5) — immediately, no transitional period. AI literacy (Art. 4) active.
2025-08-02: GPAI obligations (Art. 53-55), AI Office fully operational, governance structures, national supervisory authorities, sanctions (except GPAI).
2026-08-02: High-risk AI Annex III + transparency Art. 50. Code of Practice GPAI binding.
2027-08-02: High-risk AI Annex I (embedded in regulated products) + GPAI penalties.
2030-08-02: Existing public high-risk systems must be compliant.

Summary

The 58-document set covers every obligation across the four risk classes and both roles (provider and deployer). Start from your use-case inventory: classify each AI system, identify your role, then pull the matching template package. AI literacy templates apply to everyone — high-risk packages only when you build or deploy systems on Annex I or III.

View EU AI Act Kit →

Frequently Asked Questions

Which EU AI Act templates do providers need?

High-risk AI providers need 9 core documents: risk management system (Art. 9), data governance (Art. 10), technical documentation per Annex IV (Art. 11), logging concept (Art. 12), transparency instructions (Art. 13), human oversight plan (Art. 14), accuracy/robustness/cybersecurity evidence (Art. 15), conformity assessment (Art. 43), EU declaration of conformity (Art. 47).

Which templates do deployers need?

Deployer duties under Art. 26: follow provider instructions, retain logs (6 months), human oversight, inform workers and works council. Public bodies and specific high-risk uses additionally need a Fundamental Rights Impact Assessment (FRIA) under Art. 27.

What about GPAI?

GPAI providers need technical documentation (Annex XI), downstream information document (Annex XII), copyright compliance statement, training data summary. For systemic-risk GPAI (10^25 FLOPS) additionally model evaluations, adversarial testing, incident reporting to the AI Office (Art. 55).

What are the deadlines?

2025-02-02: prohibited practices + AI literacy. 2025-08-02: GPAI obligations + governance. 2026-08-02: high-risk Annex III. 2027-08-02: high-risk Annex I (regulated products) + GPAI penalties.

How high are the fines?

Up to EUR 35m or 7% of global turnover for prohibited practices, up to EUR 15m or 3% for breaches of provider/deployer obligations, up to EUR 7.5m or 1% for incorrect information to authorities.

Do I need templates even without high-risk AI?

Yes. AI literacy (Art. 4) applies to anyone using AI since 2025-02-02. Transparency obligations under Art. 50 cover chatbots, deepfakes and AI-generated content.

Sources

Regulation (EU) 2024/1689 — EU AI Act (consolidated) (As of: 2026-05-17)
Annex III — High-risk areas (As of: 2026-05-17)
Annex IV — Technical documentation (As of: 2026-05-17)
European Commission — AI Office (As of: 2026-05-17)

Tools & self-assessments

EU AI Act Readiness Check Check your AI Act readiness in 10 minutes. Fining Calculator Calculate the potential fining risk for your organisation. EU AI Act Self-Test Which risk class applies to my AI system? Classified in 5 minutes.