To comply with the EU AI Act, an Indian company should first confirm whether it is a provider or a deployer, classify each AI system by risk tier, then apply the matching obligations, conformity assessment, documentation, transparency, and human oversight for high-risk systems. This checklist turns Regulation (EU) 2024/1689 into concrete steps for India's export-focused IT, GCC, and product teams.
General information only, not legal advice. Validate your obligations with qualified EU counsel before relying on this checklist.
Step 1: Are you a provider or a deployer?
Your obligations follow your role, so settle this first for every AI system.
How do I know if I am a provider or a deployer?
- You are a provider if you develop an AI system or general-purpose AI model and place it on the EU market or put it into service under your own name or trademark. Most Indian product firms and many IT services teams that build bespoke AI fall here.
- You are a deployer if you use an AI system under your own authority in a professional capacity, for example a GCC running a third-party hiring tool on EU candidates.
- Watch the role-switch rule: if you substantially modify a high-risk system, or put your own brand on it, you can become the provider and inherit the heavier duties. Indian firms that fine-tune or rebrand models should assume this risk.
Write the agreed role into every client contract so responsibility is unambiguous.
Step 2: Classify each AI system by risk
Map every system to one of the four tiers: prohibited, high-risk, limited (transparency), or minimal. Prohibited uses must be stopped. High-risk uses, those listed in Annex III such as employment, credit scoring, biometrics, education, and essential services, or AI as a safety component of a regulated product, trigger the full compliance programme. Limited-risk systems such as chatbots and content generators need transparency disclosures. Minimal-risk systems carry no mandatory duties.
For background on the tiers and extraterritorial scope, see our EU AI Act explainer for Indian businesses.
Step 3: The core compliance checklist
Use the table below as a working checklist, prioritised for high-risk systems where the obligations concentrate.
| # | Action | Applies to |
|---|---|---|
| 1 | Build and maintain an inventory of all AI systems reaching the EU | All |
| 2 | Classify each system by risk tier and record the rationale | All |
| 3 | Confirm provider vs deployer role per system and per contract | All |
| 4 | Establish a risk-management system across the AI lifecycle | High-risk |
| 5 | Apply data governance: representative, relevant, bias-checked datasets | High-risk |
| 6 | Create technical documentation and keep automatic logs | High-risk |
| 7 | Design effective human oversight into the system | High-risk |
| 8 | Ensure accuracy, robustness and cybersecurity | High-risk |
| 9 | Complete a conformity assessment and draw up the EU declaration of conformity | High-risk |
| 10 | Register the system in the EU database before going to market | High-risk |
| 11 | Appoint an EU authorised representative | Non-EU providers of high-risk / GPAI |
| 12 | Disclose AI interaction and label AI-generated content | Limited-risk |
| 13 | Provide GPAI documentation, training-data summary and copyright policy | GPAI providers |
| 14 | Deliver AI-literacy training to relevant staff | All |
| 15 | Set up post-market monitoring and serious-incident reporting | High-risk |
Step 4: Conformity assessment for high-risk systems
High-risk systems cannot enter the EU market until they pass a conformity assessment, the formal check that the system meets the Act's requirements.
What does conformity assessment involve?
- Verify the system meets all high-risk requirements: risk management, data governance, documentation, logging, transparency, human oversight, and robustness.
- For most Annex III systems, this is an internal (self) assessment against the requirements; certain cases, such as some biometric systems or product-embedded AI, may require a notified body (third-party assessor).
- Draw up the EU declaration of conformity and affix the CE marking where applicable.
- Register the system in the EU database before placing it on the market.
- Re-assess after any substantial modification.
Start this early: assembling evidence across data, model, and process is slow, and gaps are common in first attempts.
Step 5: Documentation and governance
Documentation is the backbone of EU AI Act compliance and your primary defence in an audit. Maintain technical documentation for each high-risk system, keep automatic event logs, and retain records of design decisions, datasets, and testing. On governance, name an accountable owner for AI compliance, define internal policies, run AI-literacy training so staff understand the systems they operate, and set up channels for incident reporting and post-market monitoring. Treat this as a living programme, not a one-time filing.
Step 6: Know your timeline
Sequence your work to the phased dates. Prohibited-practice bans and AI-literacy duties have applied since February 2025; GPAI obligations since August 2025. The headline high-risk deadline of 2 August 2026 is being deferred under the EU's 2026 Digital Omnibus simplification package (provisional agreement reached 7 May 2026): stand-alone Annex III high-risk obligations move toward 2 December 2027, and product-embedded Annex I high-risk toward 2 August 2028. Because adoption was still completing at the time of writing, treat these deferred dates as the current direction and verify the final published deadlines before locking your roadmap. The extra runway is for finishing the work properly, not delaying its start.
Step 7: How Indian delivery teams should start
Indian IT services firms and GCCs can turn compliance into a competitive edge by acting on the delivery layer:
- Data residency: Keep EU customer and training data within the EU where feasible, aligning AI Act and GDPR posture in one move.
- EU-region deployment: Run EU-facing AI workloads in EU cloud regions to simplify data-transfer and documentation questions.
- Pipeline controls: Bake logging, evaluation, bias testing, and model documentation into MLOps so evidence is generated automatically, not reconstructed before an audit.
- Contractual clarity: Define provider, deployer, and authorised-representative responsibilities in master service agreements.
- Reuse DPDP work: Controls built for India's DPDP Act, 2023, such as consent, data mapping, and security, partly overlap with GDPR and the AI Act; extend rather than rebuild them.
For help shaping this into an operating model, explore Opsio's AI solutions and strategy services.
Frequently asked questions
Does the EU AI Act apply to Indian companies?
Yes, when your AI system is placed on the EU market or its output is used in the EU, even with no EU office. Indian providers of high-risk or GPAI systems must also appoint an EU authorised representative. Classify each EU-facing system early to confirm scope.
EU AI Act vs India's DPDP Act: which applies to us?
Often both. The DPDP Act, 2023 governs Indian personal data through consent and data-fiduciary duties. The EU AI Act governs AI systems by risk tier, regardless of personal data. Firms exporting AI to the EU typically comply with the DPDP Act, the EU AI Act, and GDPR together.
When does the EU AI Act apply?
It entered into force on 1 August 2024 and phases in over several years. Prohibited practices applied from February 2025 and GPAI from August 2025. Under the 2026 Digital Omnibus, stand-alone high-risk obligations are being deferred toward December 2027; verify the final dates as adoption completes.
What are the penalties for non-compliance?
Fines reach up to 35 million euros or 7% of worldwide annual turnover for prohibited practices, up to 15 million euros or 3% for most other breaches including high-risk and GPAI duties, and up to 7.5 million euros or 1% for supplying incorrect information to authorities.
Written By

Group COO & CISO
Fredrik is the Group Chief Operating Officer and Chief Information Security Officer at Opsio. He focuses on operational excellence, governance, and information security, working closely with delivery and leadership teams to align technology, risk, and business outcomes in complex IT environments. He leads Opsio's security practice including SOC services, penetration testing, and compliance frameworks.
Editorial standards: This article was written by cloud practitioners and peer-reviewed by our engineering team. Content is reviewed quarterly for technical accuracy and relevance to Indian compliance requirements including DPDPA, CERT-In directives, and RBI guidelines. Opsio maintains editorial independence.