How to set up an EU AI Act system register: a step-by-step guide
AI Act, Compliance
The EU AI Act asks something new of you: a register of every AI system your business uses or offers. No regulator showing up with a template. No ready-made government form. Just you, a blank document, and a law that says you need this in order.
For large companies with a compliance department, that is difficult. For small and medium businesses, it is a double challenge. You need to know what to register and how to actually set it up without a full-time legal team on staff.
This guide walks you through it. Checklist included, plus an honest conversation about what happens after the initial setup.
Why an AI register is mandatory
The EU AI Act came into force in phases and touches almost every company that uses AI. Not just developers. Users of AI systems too, which means everyone running a chatbot on their website, using ChatGPT for customer communication, or letting an algorithm screen CVs.
The law distinguishes four risk categories: unacceptable risk (banned), high risk (heaviest obligations), limited risk (transparency duties), and minimal risk. For every AI in your organisation, you must be able to show which category it falls into and what safeguards you have in place.
Showing this is what your AI register is for.
Does this apply to your 12-person company? Almost certainly yes. The Act has no SMB exemption like GDPR partially does. There are lighter regimes for lower-risk systems, but you have to demonstrate yourself which regime applies. No register means no demonstration.
What goes into your AI register
The AI register is not an optional list. The Act and regulator guidelines prescribe specific fields per AI system:
- Name and purpose of the AI system
- Provider or developer (your team, or a third party?)
- Risk category under the AI Act
- Data processed: what goes in, what comes out
- Target users and data subjects (customers, employees, applicants)
- Safeguards in place: human oversight, transparency, bias checks
- Conformity assessment status (for high-risk systems)
- Responsible person inside your organisation
- Deployment date and most recent review
That looks like a lot. For most SMBs, the volume is manageable because the number of AI systems in active use tends to be smaller than people expect. Bigger than they hope, though.
Step-by-step: how to set it up
Step 1: Inventory what you already use
Do not start with legal analysis. Start by digging. Ask every team which tools they use. ChatGPT in marketing. Copilot in engineering. An AI feature in your CRM you did not even know was switched on. A recruitment tool that says "AI-powered" on its product page.
Plenty of AI hides inside software you have used for years. Build a rough list first, no filtering. You will clean up later.
Step 2: Classify by risk level
Walk through the list and determine the risk per system. An AI that drafts marketing copy is usually limited risk. An AI that filters CVs often falls under high risk because it affects access to employment. An AI that calculates credit scores: high risk. A translation tool: almost always minimal risk.
In doubt? Mark it as "to be assessed". An honest unknown beats a guess that turns out wrong six months in.
Step 3: Gather documentation per system
Every system needs documentation. Sometimes the vendor has it ready, often buried on a compliance page. Ask if you cannot find it. A vendor that cannot deliver AI Act documentation is a vendor worth reconsidering.
Step 4: Assign an owner
One responsible person per AI system inside your company. Not "the team", but a name. That person checks annually whether the data is still accurate, whether the vendor changed something, and whether the system is still in use at all.
Step 5: Store it centrally
The register itself belongs in one place, accessible to anyone who needs it. A spreadsheet works at first but gets messy fast. For a structural approach, AI system register software is a better fit: fixed fields, audit trail, and connections to your other compliance records.
AI register checklist
Print it out or tick it off in your document system. This way you know nothing slipped through:
- [ ] Complete inventory made of every AI tool in use (including hidden AI features inside existing software)
- [ ] Risk category under the AI Act determined and substantiated per system
- [ ] Vendor documentation requested and archived for every system
- [ ] Internal owner assigned per AI system
- [ ] Personal data processed mapped and linked to your GDPR register
- [ ] Human oversight and safeguards documented per high-risk system
- [ ] Conformity assessment started or scheduled for high-risk systems
- [ ] Annual review date set for the full register
Work the checklist in this order. Assigning an owner before you know what you have leads to empty fields and frustration.
How to keep it current
This is where most registers fall apart. Not at setup. At maintenance.
An AI register that you fill in once and tuck into a folder will be inaccurate within six months. AI vendors update their models. Teams introduce new tools without reporting them. What was limited risk last year may turn into high risk after a product update.
For SMBs without a compliance team, this rhythm works:
Quarterly check (30 minutes): ask team leads whether new AI tools have been purchased or activated. Add to the register, or queue for classification.
Half-yearly review: check per AI system whether the vendor changed anything. Many vendors publish updates through a changelog or compliance page.
Annual evaluation: walk through the full register, re-evaluate classifications, archive systems no longer in use.
The overlap with your GDPR register makes this easier than you might think. AI systems almost always process personal data, so many fields you fill in twice anyway. We wrote earlier about how to use your GDPR register as the foundation of your AI Act dossier: one source, two purposes.
If you do not want to maintain this in scattered spreadsheets, ComplianceHive can set up the rhythm for you. Our AI Act compliance software keeps the register alive with automatic reminders, vendor updates, and direct linking to your GDPR record.
Frequently asked questions
Does our SMB really need an AI register if we only use ChatGPT?
Yes. Even at limited or minimal risk, you must be able to show which AI you use and why you assigned that category. A short registration is enough, but no register at all is not defensible.
How long does setting up an AI register take?
For an SMB with 5 to 15 AI systems, plan for one to two working days for the initial setup. After that, a few hours per quarter for upkeep. The bulk of the work sits in inventory, not legal assessment.
What if a vendor refuses to provide AI Act documentation?
Request documentation in writing and keep the correspondence. If the vendor delivers nothing, the risk shifts to you as the user. Consider switching vendors in that case, especially for high-risk applications.