Agnes sets up an AI register step by step at a desk covered in sticky notes and a laptop

How to set up an EU AI Act system register: a step-by-step guide

AI Act, Compliance

The EU AI Act asks something new of you: a register of every AI system your business uses or offers. No regulator showing up with a template. No ready-made government form. Just you, a blank document, and a law that says you need this in order.

For large companies with a compliance department, that is difficult. For small and medium businesses, it is a double challenge. You need to know what to register and how to actually set it up without a full-time legal team on staff.

This guide walks you through it. Checklist included, plus an honest conversation about what happens after the initial setup.

Why an AI register is mandatory

The EU AI Act came into force in phases and touches almost every company that uses AI. Not just developers. Users of AI systems too, which means everyone running a chatbot on their website, using ChatGPT for customer communication, or letting an algorithm screen CVs.

The law distinguishes four risk categories: unacceptable risk (banned), high risk (heaviest obligations), limited risk (transparency duties), and minimal risk. For every AI in your organisation, you must be able to show which category it falls into and what safeguards you have in place.

Showing this is what your AI register is for.

Does this apply to your 12-person company? Almost certainly yes. The Act has no SMB exemption like GDPR partially does. There are lighter regimes for lower-risk systems, but you have to demonstrate yourself which regime applies. No register means no demonstration.

What goes into your AI register

The AI register is not an optional list. The Act and regulator guidelines prescribe specific fields per AI system:

  • Name and purpose of the AI system
  • Provider or developer (your team, or a third party?)
  • Risk category under the AI Act
  • Data processed: what goes in, what comes out
  • Target users and data subjects (customers, employees, applicants)
  • Safeguards in place: human oversight, transparency, bias checks
  • Conformity assessment status (for high-risk systems)
  • Responsible person inside your organisation
  • Deployment date and most recent review

That looks like a lot. For most SMBs, the volume is manageable because the number of AI systems in active use tends to be smaller than people expect. Bigger than they hope, though.

Step-by-step: how to set it up

Step 1: Inventory what you already use

Do not start with legal analysis. Start by digging. Ask every team which tools they use. ChatGPT in marketing. Copilot in engineering. An AI feature in your CRM you did not even know was switched on. A recruitment tool that says "AI-powered" on its product page.

Plenty of AI hides inside software you have used for years. Build a rough list first, no filtering. You will clean up later.

Step 2: Classify by risk level

Walk through the list and determine the risk per system. An AI that drafts marketing copy is usually limited risk. An AI that filters CVs often falls under high risk because it affects access to employment. An AI that calculates credit scores: high risk. A translation tool: almost always minimal risk.

In doubt? Mark it as "to be assessed". An honest unknown beats a guess that turns out wrong six months in.

Step 3: Gather documentation per system

Every system needs documentation. Sometimes the vendor has it ready, often buried on a compliance page. Ask if you cannot find it. A vendor that cannot deliver AI Act documentation is a vendor worth reconsidering.

Step 4: Assign an owner

One responsible person per AI system inside your company. Not "the team", but a name. That person checks annually whether the data is still accurate, whether the vendor changed something, and whether the system is still in use at all.

Step 5: Store it centrally

The register itself belongs in one place, accessible to anyone who needs it. A spreadsheet works at first but gets messy fast. For a structural approach, AI system register software is a better fit: fixed fields, audit trail, and connections to your other compliance records.

AI register checklist

Print it out or tick it off in your document system. This way you know nothing slipped through:

  • [ ] Complete inventory made of every AI tool in use (including hidden AI features inside existing software)
  • [ ] Risk category under the AI Act determined and substantiated per system
  • [ ] Vendor documentation requested and archived for every system
  • [ ] Internal owner assigned per AI system
  • [ ] Personal data processed mapped and linked to your GDPR register
  • [ ] Human oversight and safeguards documented per high-risk system
  • [ ] Conformity assessment started or scheduled for high-risk systems
  • [ ] Annual review date set for the full register

Work the checklist in this order. Assigning an owner before you know what you have leads to empty fields and frustration.

How to keep it current

This is where most registers fall apart. Not at setup. At maintenance.

An AI register that you fill in once and tuck into a folder will be inaccurate within six months. AI vendors update their models. Teams introduce new tools without reporting them. What was limited risk last year may turn into high risk after a product update.

For SMBs without a compliance team, this rhythm works:

Quarterly check (30 minutes): ask team leads whether new AI tools have been purchased or activated. Add to the register, or queue for classification.

Half-yearly review: check per AI system whether the vendor changed anything. Many vendors publish updates through a changelog or compliance page.

Annual evaluation: walk through the full register, re-evaluate classifications, archive systems no longer in use.

The overlap with your GDPR register makes this easier than you might think. AI systems almost always process personal data, so many fields you fill in twice anyway. We wrote earlier about how to use your GDPR register as the foundation of your AI Act dossier: one source, two purposes.

If you do not want to maintain this in scattered spreadsheets, ComplianceHive can set up the rhythm for you. Our AI Act compliance software keeps the register alive with automatic reminders, vendor updates, and direct linking to your GDPR record.

Frequently asked questions

Does our SMB really need an AI register if we only use ChatGPT?

Yes. Even at limited or minimal risk, you must be able to show which AI you use and why you assigned that category. A short registration is enough, but no register at all is not defensible.

How long does setting up an AI register take?

For an SMB with 5 to 15 AI systems, plan for one to two working days for the initial setup. After that, a few hours per quarter for upkeep. The bulk of the work sits in inventory, not legal assessment.

What if a vendor refuses to provide AI Act documentation?

Request documentation in writing and keep the correspondence. If the vendor delivers nothing, the risk shifts to you as the user. Consider switching vendors in that case, especially for high-risk applications.


Start gaining control over your vendors and software today

Let ComplianceHive help you with ISO 27001, GDPR, vendor management, and more. No hassle, no spreadsheets, just clarity. Start now with a free 1-month trial. No credit card required, no hidden fees. Discover the Busy Hive plan and manage up to 25 tools and vendors in one overview.

Try 1 month for free