Free Resource — The Watchdogs AI

EU AI Act Pharma Compliance Checklist

15 actionable items pharma manufacturers need to address before the August 2, 2026 enforcement deadline. Aligned with Annex I risk classification, GxP validation requirements, and GDPR overlap obligations.

15 compliance items
5 risk categories
Deadline: Aug 2, 2026
Applicable to: EU AI Act Art. 6, Annex I
Deadline: August 2, 2026. EU AI Act obligations for high-risk AI systems in pharmaceuticals are fully enforceable from this date. Non-compliance exposes manufacturers to fines up to €30M or 6% of global annual turnover — whichever is higher.

01 Risk Classification
Determine whether your AI systems qualify as high-risk under Annex I / Annex III

Map every AI system in your supply chain operations
Inventory all AI/ML tools touching procurement, demand forecasting, batch release, logistics, or quality control. Undeclared systems are still subject to the Act.
Priority: Critical

Apply the Annex III high-risk classification test
AI systems used in critical infrastructure, safety components, or employment/worker management fall under Annex III. Pharma supply chain AI managing GxP-critical decisions likely qualifies.
Priority: Required

Document classification decisions with legal sign-off
For each AI system, produce a written classification rationale reviewed by legal counsel. Regulators will request this during audits. Undocumented exemptions will not hold.
Priority: Required

02 Data Sovereignty
Ensure training data governance meets EU AI Act + GDPR requirements

Document the provenance of all training datasets
The Act requires high-risk AI providers to document data sources, collection methods, and any pre-processing steps. This must be maintained for the system's full operational lifecycle.
Priority: Required

Implement data governance policies for AI training pipelines
Establish written policies for data access, retention, and deletion within AI training workflows. Cross-border data transfers to non-EU providers must have valid transfer mechanisms (SCCs, adequacy decisions).
Priority: Critical

Assess GDPR overlap for any AI processing personal data
AI systems that infer health status, location, or personal identifiers are subject to both the AI Act and GDPR Article 22 (automated decision-making). Both frameworks must be satisfied simultaneously.
Priority: Required

03 Audit Trail & Logging
Article 12 mandates automatic logging of high-risk AI events

Enable automatic event logging for all high-risk AI decisions
Article 12 requires high-risk AI systems to automatically record events sufficient to trace back to the AI system's output. Logs must capture input context, model version, output, and timestamp.
Priority: Critical

Align AI audit logs with existing GxP audit trail requirements (21 CFR Part 11 / Annex 11)
Pharma manufacturers already subject to GxP audit trail rules must now extend those requirements to cover AI-generated decisions. A unified audit trail covering both is the most defensible approach.
Priority: Required

Define log retention period and access control policy
The EU AI Act does not specify a minimum retention period, but GxP convention and enforcement precedent suggest at least the product lifecycle plus 5 years. Access must be restricted and auditable.
Priority: Recommended

04 Transparency & Human Oversight
Articles 13–14: explainability, operator disclosures, and human intervention capability

Produce user-facing instructions for high-risk AI systems (Article 13)
Every high-risk AI system must come with instructions of use covering the intended purpose, performance metrics, known limitations, and conditions under which the system should not be relied upon.
Priority: Required

Implement a human override mechanism for every AI-driven decision
Article 14 mandates that high-risk AI systems allow human operators to understand, override, or interrupt the system at any time. This is not optional — fully autonomous closed-loop AI in GxP-critical processes is non-compliant without it.
Priority: Critical

Train responsible operators on AI system capabilities and limitations
Article 14 also requires that the persons assigned to operate high-risk AI systems have the necessary competence, training, and authority to exercise meaningful oversight. Competence records must be maintained.
Priority: Required

05 Technical Conformity
Articles 9–11, 16–17: risk management system, technical documentation, and quality management

Establish a risk management system for each high-risk AI system (Article 9)
Article 9 requires a continuous, iterative risk management process covering identification of known/foreseeable risks, evaluation of risks arising from use, and appropriate risk mitigation measures.
Priority: Critical

Prepare and maintain technical documentation (Annex IV)
Annex IV lists the full set of documentation required for high-risk AI systems — including architecture description, training methodology, performance benchmarks, and post-market monitoring plan. This must be available to authorities on request.
Priority: Required

Register high-risk AI systems in the EU database (Article 51)
Providers of high-risk AI systems must register their systems in the EU AI Act public database before placing them on the market or putting them into service. The registration portal is operated by the European AI Office.
Priority: Required