Are You EU-AI-Act Ready? A Practical Readiness Checklist for Caribbean & Global Firms

By Dawgen Global — Borderless advisory and assurance for a world that runs on data and AI.
 

Whether you sell into the EU, process EU residents’ data, or rely on EU-based vendors, the EU Artificial Intelligence Act (AI Act) is now a planning fact, not a forecast. Obligations begin phasing in across 2025–2026 and beyond, including duties for general-purpose AI (GPAI) providers and stricter controls for high-risk systems. This piece translates the law into an actionable readiness checklist, aligned to Dawgen’s AI Assurance™ methodology and the DART™ control framework—so you can brief your board, assign owners, and show real progress in 12 weeks.

What you’ll get:

• Plain-English overview of scope and roles (provider vs. deployer)

• A 12-step Readiness Checklist

• A focused 12-week plan to become “board-ready”

• The Evidence Pack auditors and customers will expect

• KPIs/KRIs for quarterly board reporting

• Caribbean-specific considerations for global groups

What the EU AI Act actually requires

The AI Act uses a risk-based model. Your obligations depend on how the AI is used and how risky that use is.

• Prohibited practices. A small list of “never” use cases (e.g., certain manipulative or exploitative applications). Don’t do these—design-out early.

• High-risk systems (Annex III). Use cases in critical areas (biometrics, education/testing, employment, essential services such as credit scoring, critical infrastructure, law enforcement, migration, justice). These require quality management, technical documentation, pre-market conformity, post-market monitoring, and incident reporting.

• General-purpose AI (GPAI) models. Foundation models used broadly. Providers must meet transparency, documentation, and—in some cases—enhanced security and reporting obligations.

• Limited-risk systems. Lighter duties (e.g., tell users when they’re interacting with a chatbot; provide a path to a human when appropriate).

If you market into the EU or your systems are used by EU users, assume the Act applies and classify each use case accordingly.

Do you fall in scope? (fast scoping test)

Answer these for each AI system or model:

1. EU touchpoint? Offered or used in the EU, or affecting EU users?

2. Your role: Are you the provider (developing/placing on the market) or the deployer (using the AI in operations)?

3. Risk tier: Prohibited / High-risk (Annex III item?) / GPAI / Transparency-only / Other.

4. GPAI exposure: Do you provide a GPAI model or significantly fine-tune and distribute one?

5. Dependencies: Any third-party models, plugins, or vendors that bring you into scope?

If you answer “yes” to (1) for any system, move it into your AI Act workstream immediately.

The board-ready EU AI Act Readiness Checklist (12 essentials)

Map each item to an owner and due date; track status in your AI Control Dashboard.

1) Build the AI Asset Register

Create a single inventory of AI systems/models, their purposes, data categories, users, geographies, and vendors. Flag EU touchpoints and potential Annex III use cases.

2) Assign provider vs. deployer responsibilities

For each system, decide who owns technical documentation, conformity assessments, post-market monitoring, and incident reporting. Reflect this in contracts and SOWs.

3) Classify risk against Annex III

Use a written, repeatable process to determine whether a use is high-risk. Record the rationale and the specific Annex III category where applicable.

4) Stand up an AI Management System

Use ISO/IEC 42001 concepts as your operating system for AI governance: policy spine, roles (RACI), procedures, controls, and continual improvement.

5) Prepare technical documentation

For high-risk systems, compile purpose, design, data sources and lineage, risk management, testing, human oversight, cybersecurity, and performance metrics—an expanded Model Card with annexes.

6) Implement risk management and testing

Run pre-deployment evaluation for quality, robustness, bias/fairness, adversarial resilience, and privacy. Document thresholds, results, mitigations, and approvals.

7) Establish post-market monitoring and incident playbooks

Set telemetry for performance and drift; define alerting, escalation, rollback/kill-switch, and regulatory reporting steps.

8) Address GPAI obligations (if applicable)

Adopt good-practice measures for GPAI providers: model description, security controls, responsible disclosure channels, and documentation enabling downstream deployers to meet their duties.

9) Update contracts and procurement

Insert AI clauses: role allocation, documentation access, data location/retention, sub-processor transparency, breach SLAs, IP warranties/indemnities, audit rights.

10) Implement transparency for limited-risk uses

Disclose AI interactions to users and provide escalation to a human where appropriate. Keep a log of notices issued and locations where they appear.

11) Train teams and capture attestations

Deliver role-based training (product owners, engineering, security, privacy/legal, risk, internal audit, support). Keep attestations in your Evidence Pack.

12) Produce a Board AI Act Pack

Summarize scope, classifications, documentation status, testing/monitoring KPIs, incidents, and next-quarter milestones. Present quarterly.

A focused 12-week plan to become “ready enough”

We compress Dawgen’s six-phase AI Assurance™ method into a 12-week execution plan.

Weeks 1–2 — Discover & Triage

• Build the AI Asset Register; flag EU touchpoints and Annex III candidates.

• Draft provider/deployer matrix.

• Launch an interim AI Acceptable Use Policy (AUP) and Risk Tiering Guide to stabilize risk.

Weeks 3–4 — Baseline & Benchmark

• Gap analysis vs. AI Act duties and an ISO-style AIMS.

• Quick wins: prompt logging on sanctioned tools, DLP controls for “do-not-paste” data, allow/deny lists for AI domains.

Weeks 5–8 — Design & Govern / Engineer & Control

• Produce technical documentation for two priority systems (use Dawgen’s Model Card + annexes).

• Build an evaluation harness; run quality, robustness, bias/fairness, and adversarial tests; define HITL checkpoints.

• Start vendor re-papering (top AI-relevant suppliers): roles, documentation rights, IP protections, sub-processor transparency.

Weeks 9–10 — Assure (readiness)

• Conduct a mock conformity review for your two priority systems.

• Close critical documentation gaps; finalize risk-accepted mitigations; confirm monitoring hooks.

Weeks 11–12 — Monitor & Improve

• Turn on post-market monitoring; set drift/bias thresholds and alerts.

• Run a tabletop incident drill (e.g., data leak or harmful output) including rollback rehearsal.

• Deliver the first Board AI Act Pack and approve the 6-month roadmap.

Your Evidence Pack (what auditors will ask for)

• AI Asset Register with risk classifications and Annex III mappings

• Provider/Deployer responsibility matrix and signed contract riders

• Technical documentation per system (purpose, data, design, risk management, testing, cybersecurity, human oversight, performance)

• Evaluation reports (quality, robustness, bias/fairness, adversarial) with remediation logs

• Model Cards with owners, last review date, limitations, monitoring plan

• Post-market monitoring plan and incident playbooks, including rollback/kill-switch procedures

• Training records and attestations (AUP, role-based training)

• Quarterly governance reports and KPI/KRI dashboards

KPIs/KRIs for your quarterly board report

Coverage & discipline

• % AI systems in the Asset Register

• % risk-classified (incl. Annex III mapping)

• AUP training/attestation rate

Testing & release hygiene

• % high-risk releases with full pre-deployment test packs

• Mean time to remediate critical findings

• % models red-teamed in the last quarter

Monitoring & incidents

• AI incidents/near misses (volume & severity)

• Mean time to detect (MTTD) / contain (MTTC)

• Rollback rehearsal success rate

Vendor posture

• % top AI-relevant vendors re-papered with AI clauses

• % vendors delivering model documentation and sub-processor lists

Value realization

• Hours saved or quality uplift per use case

• % initiatives meeting or beating benefit forecasts

• Cost avoided from incidents/regulatory findings

Special notes for Caribbean-headquartered groups

• Territorial reach. If EU customers, partners, or subsidiaries use your AI, assume scope and document role allocation explicitly.

• Data movement. Map cross-border data and log flows; record locations and retention.

• Vendor leverage. Ask global providers for their AI Act mappings and model documentation now; prefer vendors with strong transparency and security posture.

• Design for adaptability. New guidance and harmonised standards will emerge; keep your cross-walks modular so you can plug in updates without rework.

Frequently asked questions

Do we need certification?
Not immediately. Build your AIMS (policy spine, roles, controls, evidence). Consider external readiness letters or certifications once your controls are stable.

We only use off-the-shelf models. Are we off the hook?
No. As a deployer, you still need governance: documentation from providers, usage constraints, testing proportional to risk, and post-market monitoring.

Won’t this slow innovation?
Clear release criteria and reusable evidence accelerate launches and reduce rework. Governance is a speed-enabler when it’s practical.

What if our model is general-purpose but internal?
If you provide a GPAI model—even internally across entities—review provider expectations. If you only deploy a vendor’s GPAI, focus on vendor obligations, usage constraints, and monitoring.

How Dawgen Global helps (borderless, end-to-end)

• Scoping & classification: Annex III mapping, provider/deployer matrices, GPAI exposure review

• Documentation & testing: Model Cards, evaluation harnesses, bias/robustness/adversarial testing, HITL design

• Monitoring & incident readiness: Telemetry, drift/bias thresholds, incident playbooks, rollback drills

• Vendor & contract alignment: AI clauses for documentation, IP, sub-processors, breach SLAs; procurement checklists

We deliver borderlessly—Caribbean → North America/EMEA—via secure evidence rooms and distributed audit pods.

Treat 2025 as the year you finish your inventory, allocate roles, build documentation and testing muscle, and stand up monitoring. With Dawgen’s AI Assurance™ methodology and DART™ controls, you can be ready enough now—and assured when deadlines bite.

Next Step!

At Dawgen Global, we help you make smarter, more effective decisions—borderless and on-demand. Let’s scope your EU AI Act exposure and produce a board-ready plan in 12 weeks.
📧 [email protected] · WhatsApp +1 555 795 9071 · 🇺🇸 855-354-2447

About Dawgen Global