EU AI Act AI Supply Chain Compliance Finale: Complete Provider & Deployer Checklist for August 2026
Post #1456 in the sota.io EU Regulatory Compliance Series — EU AI Act AI Supply Chain 2026 #5/5 (Series Complete)
August 2, 2026 is now weeks away. If your SaaS product integrates third-party AI APIs — OpenAI, Anthropic, AWS Bedrock, Azure OpenAI, Google Vertex AI, Mistral, Cohere, or any other model provider — the EU AI Act's supply chain obligations apply to you right now.
This is the finale of a five-part series. We've covered who qualifies as a deployer, Art.13 and Art.26 due diligence requirements, vendor contract requirements, and Art.73 incident response obligations. Now it's time to put it all together.
This guide is the definitive checklist: 60 items across six domains, mapped to specific EU AI Act articles, organized by who owns each obligation.
Why Supply Chain Compliance Is Different
Most EU AI Act commentary focuses on AI system providers — the companies that train and release AI models. But the regulation reaches further. Under Art.3, anyone who deploys a high-risk or GPAI-enabled AI system under their own brand or integrates it into a product serving EU users is a deployer with binding obligations.
That means: if you build a SaaS product using an AI API, you are in scope. The provider (OpenAI, Anthropic, etc.) cannot absorb all your compliance obligations through their terms of service. You retain independent duties under Art.26, Art.50, and Art.73.
This is the supply chain risk that caught many SaaS teams off guard: they assumed vendor compliance cascades down automatically. It doesn't.
The Six Compliance Domains
Domain 1: Role Classification (Art.3, Art.6, Art.16, Art.26)
Before you can comply, you must classify your role in the AI value chain.
| Checklist Item | Article | Owner |
|---|---|---|
| Determine whether your AI integration constitutes a high-risk AI system under Annex III | Art.6 | Deployer |
| Determine whether you are acting as a provider (own-brand model or fine-tuned model) | Art.3(3) | Deployer |
| Determine whether you are acting as a deployer (integrate existing model under provider's classification) | Art.3(4) | Deployer |
| If deployer-that-modifies: re-assess whether modification triggers provider obligations | Art.25(1) | Deployer |
| Document role classification decision with legal reasoning | Art.11 | Deployer |
| Obtain confirmed role classification from AI vendor in writing | Art.13 | Provider + Deployer |
Key insight: If you fine-tune a model, instruct it with system prompts that materially change its risk profile, or integrate it into a use case not covered by the provider's conformity assessment, you may be reclassified as a provider — triggering the full Art.16 obligation set.
Domain 2: Pre-Integration Due Diligence (Art.13, Art.26)
Under Art.13, providers of high-risk AI systems must give deployers "sufficient information" to implement the system correctly. Under Art.26, deployers must verify that this information exists before integrating.
| Checklist Item | Article | Owner |
|---|---|---|
| Request and obtain model card or system documentation from AI vendor | Art.13(1) | Provider → Deployer |
| Verify technical documentation covers: training data sources, known limitations, performance boundaries | Art.13(1)(a–d) | Deployer |
| Confirm vendor provides instructions for human oversight implementation | Art.13(3)(f) | Provider |
| Document AI system's intended purpose as specified by provider | Art.13(1)(b) | Provider → Deployer |
| Verify conformity assessment status (CE marking for high-risk systems) | Art.43, Art.47 | Deployer |
| Check EU AI system database registration (Art.49 database) for high-risk systems | Art.49 | Deployer |
| Assess whether vendor documentation is sufficient for your deployment context | Art.26(2) | Deployer |
| Document gaps between vendor documentation and your deployment requirements | Art.11 | Deployer |
Domain 3: Contractual Requirements (Art.13, Art.25, Art.26)
Supply chain compliance cannot be achieved with standard vendor ToS. The EU AI Act requires specific provisions in contracts between AI system providers and deployers.
| Checklist Item | Article | Owner |
|---|---|---|
| Contract specifies vendor's role as provider and your role as deployer | Art.25 | Both |
| Vendor commits to provide updated technical documentation on material changes | Art.13(2) | Provider |
| Contract includes data processing and log retention obligations | Art.12, Art.26(5) | Both |
| Vendor commits to notify deployer of serious incidents within 2 days of detection | Art.73(2) | Provider |
| Vendor commits to cooperation with national competent authority investigations | Art.21, Art.74 | Provider |
| Contract specifies human oversight measures vendor requires deployer to implement | Art.14 | Provider |
| Vendor provides EU-accessible point of contact for compliance queries | Art.16(j) | Provider |
| Contract includes terms for audit rights if vendor is critical AI infrastructure | Art.26(6) | Both |
| SLA covers minimum uptime requirements tied to critical function continuity | Art.15 | Provider |
| Contract addresses liability allocation for AI system failures under PLD 2024/2853 | External | Both |
A contract without these provisions does not meet the Art.25 standard. If your current AI vendor ToS lacks these terms, you need either amended DPAs/vendor agreements or a vendor who supports them — such as EU-native AI infrastructure providers operating under explicit EU AI Act compliance frameworks.
Domain 4: Deployment Safeguards (Art.14, Art.26, Art.50)
Once integration is complete, deployers must implement ongoing operational safeguards.
| Checklist Item | Article | Owner |
|---|---|---|
| Implement human oversight mechanisms for high-risk AI outputs | Art.14(1) | Deployer |
| Implement kill-switch or manual override capability | Art.14(4)(a) | Deployer |
| Train staff responsible for AI system oversight per Art.26(6) | Art.26(6) | Deployer |
| Limit AI system use to its documented intended purpose | Art.26(1) | Deployer |
| Do not use AI system in ways that discriminate against protected groups | Art.26(3) | Deployer |
| Implement appropriate technical and organizational measures | Art.26(2) | Deployer |
| For GPAI/chatbot interactions: disclose AI nature to users under Art.50 | Art.50(1) | Deployer |
| For AI-generated content: implement C2PA labelling or equivalent | Art.50(2) | Deployer |
| Post a public accessibility statement if EU accessibility-covered services are involved | Art.50 / EAA | Deployer |
| Maintain logs of AI system usage as technically feasible | Art.26(5) | Deployer |
Art.14 Human Oversight is often the most underestimated requirement. It does not mean a human reviews every AI output — it means the system is designed so a human can effectively intervene when needed. For SaaS products, this typically means: output confidence thresholds, audit trails, and administrator override controls.
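As an added illustration of the Art.14 design just described (this is example code written for this post's point, not code from the original post or from sota.io): a gate placed between the vendor's AI API and the end user that applies an output confidence threshold, an administrator kill switch, and an append-only audit record for each decision. The `confidence` field on the response and the `vendor-model-x` identifier are constructed assumptions; real vendor APIs expose confidence signals differently, if at all.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
import json


@dataclass
class ModelOutput:
    """Constructed stand-in for one vendor API response (assumes a confidence score)."""
    text: str
    confidence: float
    model_id: str


@dataclass
class OversightGate:
    """Art.14-style intervention point: the human can tune, pause, or review
    automated releases without touching the vendor integration itself."""
    threshold: float = 0.85              # outputs below this go to a human reviewer first
    kill_switch: bool = False            # administrator override: halt automated release
    audit_log: list = field(default_factory=list)  # one JSON record per decision (Art.26(5))

    def decide(self, request_id: str, out: ModelOutput) -> str:
        """Return the action taken for this output and record it in the audit trail."""
        if self.kill_switch:
            action = "blocked_by_override"
        elif out.confidence < self.threshold:
            action = "queued_for_human_review"
        else:
            action = "released"
        self.audit_log.append(json.dumps({
            "ts": datetime.now(timezone.utc).isoformat(),
            "request_id": request_id,
            "model_id": out.model_id,
            "confidence": out.confidence,
            "action": action,
        }))
        return action

    def actions_by_type(self) -> dict:
        """Summary a compliance register or regulator query can be answered from."""
        counts = {}
        for rec in self.audit_log:
            a = json.loads(rec)["action"]
            counts[a] = counts.get(a, 0) + 1
        return counts


def run_demo() -> OversightGate:
    """Constructed sequence: one confident output, one low-confidence output, then a halt."""
    gate = OversightGate()
    gate.decide("req-1", ModelOutput("Invoice approved.", 0.96, "vendor-model-x"))
    gate.decide("req-2", ModelOutput("Invoice approved.", 0.41, "vendor-model-x"))
    gate.kill_switch = True              # administrator pulls the override
    gate.decide("req-3", ModelOutput("Invoice approved.", 0.99, "vendor-model-x"))
    return gate
```

The audit records are what Domain 5 asks you to retain; the `kill_switch` and `threshold` fields are the controls an administrator, not the vendor, owns.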
Domain 5: Record-Keeping and Documentation (Art.11, Art.12, Art.17, Art.26)
The EU AI Act requires deployers to maintain records that demonstrate compliance. There is no prescribed format, but regulators expect to be able to audit the following:
| Checklist Item | Article | Owner |
|---|---|---|
| Maintain record of AI systems integrated under deployer role | Art.26(5) | Deployer |
| Retain vendor documentation for 10 years after last use | Art.18 | Deployer |
| Maintain logs sufficient to detect post-deployment incidents | Art.19 | Deployer |
| Document fundamental rights impact assessment for high-risk AI deployments | Art.26(9) | Deployer (public sector) |
| Maintain internal quality procedures for high-risk AI deployment | Art.17 | Deployer (acts as provider) |
| Document corrective actions taken in response to AI system issues | Art.20 | Deployer |
| Record all serious incidents and near-misses | Art.73 | Deployer |
| Maintain updated risk assessment as AI system usage evolves | Art.9 | Provider / Deployer |
Domain 6: Incident Response and Reporting (Art.73, Art.20, Art.74)
Art.73 is the most operationally demanding supply chain obligation. When a high-risk AI system produces a serious incident — defined as one that causes or could cause death, serious health effects, fundamental rights violations, or significant property damage — deployers must report to national competent authorities.
The correct timelines under Art.73 are:
- 2 days from awareness of a serious incident: initial notification to national competent authority (NCA)
- 10 days from awareness: preliminary report with known facts, affected scope, and initial mitigation steps
- 15 days from awareness (or as required): full report with root cause analysis and corrective actions
These are days, not hours. Do not confuse them with NIS2 timelines (4h/24h/1 month) or DORA (4h/24h/72h/1 month) — the EU AI Act Art.73 uses 2/10/15-day windows.
| Checklist Item | Article | Owner |
|---|---|---|
| Define what constitutes a serious incident for your AI deployment | Art.73(1) | Deployer |
| Establish internal escalation path: AI incident detected → responsible team → legal | Art.73 | Deployer |
| Document your national competent authority (NCA) contact in your jurisdiction | Art.73(2) | Deployer |
| Prepare 2-day initial notification template (incident facts, scope, system affected) | Art.73(2) | Deployer |
| Prepare 10-day preliminary report template | Art.73(3) | Deployer |
| Prepare 15-day full report template with RCA section | Art.73(4) | Deployer |
| Establish obligation to receive vendor incident notifications within 2 days | Art.73 / Art.13 | Provider → Contract |
| Test incident response flow in tabletop exercise before August 2026 | Art.17 | Deployer |
| Document near-miss events even when no report is legally required | Art.20 | Deployer |
| Coordinate incident reporting with NIS2/DORA obligations if overlap exists | Art.73 + NIS2/DORA | Deployer |
The 30-Day Action Plan Before August 2, 2026
With the deadline approaching, prioritize in this sequence:
Week 1 (June 2–8): Role and Risk Assessment
- Complete role classification for all AI integrations
- Identify which integrations involve high-risk AI systems under Annex III
- Flag any integrations where you may be acting as a provider, not deployer
Week 2 (June 9–15): Vendor Audit
- Request technical documentation from all AI vendors
- Assess contract terms against the Art.25 checklist
- Identify gaps and initiate contract amendment discussions
Week 3 (June 16–22): Documentation and Controls
- Implement or update human oversight controls (Art.14)
- Set up log retention for AI system usage (Art.12, Art.19)
- Draft internal compliance register for all AI systems
Week 4 (June 23–30): Incident Response Readiness
- Finalize Art.73 incident response playbook
- Conduct tabletop exercise
- Identify your NCA contact in each EU member state you operate in
Final Days (July 1–August 2)
- Complete GPAI transparency disclosures (Art.50)
- Verify EU AI system database registrations
- Conduct final checklist review against all 60 items
What Happens If You Miss the Deadline?
The EU AI Act penalties under Art.99 are tiered:
- Violations of prohibited AI practices (Art.5): up to €35 million or 7% of global annual turnover
- Non-compliance with provider obligations for high-risk AI: up to €15 million or 3% of global annual turnover
- Provision of incorrect information to authorities: up to €7.5 million or 1% of global annual turnover
Deployer violations — including failure to implement Art.26 safeguards, failure to report serious incidents under Art.73, or failure to maintain documentation — fall primarily under the second tier.
More practically: national competent authorities will initially focus on high-profile cases and repeat violations. But the regulatory machinery is in motion, and the documentation burden means that companies without records are disproportionately exposed when an incident triggers an investigation.
EU-Native Infrastructure as a Compliance Accelerant
One underappreciated supply chain risk: US-headquartered AI providers operating under the CLOUD Act create a structural audit risk. If your AI vendor's logs, training data, or model weights are subject to US law enforcement access, that access may occur without your knowledge — and may constitute a data breach under GDPR Art.4(12) that itself triggers NIS2 or DORA reporting obligations, in addition to Art.73.
EU-native infrastructure eliminates this category of risk. Running AI workloads on EU-hosted platforms (Hetzner, Scaleway, OVHcloud, or managed platforms like sota.io) ensures that your AI system's operating environment is subject to EU law exclusively — simplifying Art.26 documentation and reducing the surface area for cross-jurisdictional incident scenarios.
Series Summary: EU AI Act AI Supply Chain 2026
This five-part series has covered the full scope of supply chain compliance:
- When SaaS Developers Become Deployers — the Art.3 classification decision, provider vs. deployer, and the 35-item initial checklist
- Supply Chain Due Diligence — Art.13 & Art.26 — what documentation you must obtain from vendors and what you must verify before deploying
- AI Supply Chain Contracts — Vendor Requirements — the specific provisions that must appear in vendor agreements to satisfy Art.25
- Incident Response — Art.73 Deployer Obligations — the 2/10/15-day reporting framework and the 25-item incident response checklist
- This post — the complete 60-item master checklist across all six compliance domains
The August 2, 2026 deadline is firm. The checklist above is actionable. Start with role classification this week, and work through each domain in sequence. The SaaS teams that are prepared will not just avoid penalties — they'll be positioned to answer enterprise procurement questionnaires and EU public sector tenders that now require AI Act compliance attestations.
EU-Native Hosting
Ready to move to EU-sovereign infrastructure?
sota.io is a German-hosted PaaS — no CLOUD Act exposure, no US jurisdiction, full GDPR compliance by design. Deploy your first app in minutes.