EU AI Act
How to Choose EU AI Act Compliance Software: 12 Questions to Ask Vendors
Twelve specific questions to ask any EU AI Act compliance software vendor, designed to reveal real regulatory depth versus surface-level marketing.
May 6, 2026 · 7 min read
EU AI Act
Send these 12 questions in writing to any EU AI Act compliance software vendor before you buy. The answers — or the absence of specific ones — reveal more than any demo about whether the platform understands the Act's actual structure.
TL;DR
- The 12 questions fall into four groups: classification depth, article-level mapping, deadline tracking, and provider/deployer support.
- Ask in writing, not just in a demo — vague verbal answers are easy to give; specific written answers are harder to fudge.
- The clearest signal of real depth is a vendor who can name specific Annex III categories and Articles 9-15 by number, unprompted.
- Ask specifically how the vendor is tracking the Digital Omnibus deadline situation — this reveals whether they follow the regulation closely or treat it as a static feature they built once.
- A vendor unable to answer most of these specifically is likely offering generic AI compliance features with EU AI Act branding attached.
Twelve Questions, Four Groups
Classification Depth
- Which of the 8 Annex III high-risk categories does the platform recognize explicitly?
- How does the platform handle the Article 6(3) high-risk carve-out assessment?
- How does Annex I (embedded product) classification differ from Annex III in the platform?
Article-Level Mapping
- Which specific articles (9-15) are natively mapped to evidence requirements?
- How does technical documentation generation map to Article 11 specifically?
- How does the platform support Article 14 human oversight tracking?
Deadline Tracking
- How is the platform tracking the Digital Omnibus provisional delay?
- What happens in the platform if the delay is formally adopted — does the timeline update automatically?
- How quickly has the platform historically updated after past regulatory changes?
Provider/Deployer Support
- What's different in the platform for a provider vs. a deployer workflow?
- How does the platform support Article 27 fundamental rights impact assessments?
- How does the platform track Article 73 serious incident reporting obligations?
Reading the Answers
| Answer pattern | What it signals |
|---|---|
| Specific article/category names, unprompted | Real, deep implementation |
| General 'AI compliance' language, no specifics | Likely shallow, generic coverage |
| No answer on Digital Omnibus tracking | Platform may not track regulatory changes closely |
Primary Sources
- EUR-Lex — Regulation (EU) 2024/1689
- European Commission — Regulatory framework for AI
How to Actually Run This Evaluation
- Send all 12 questions to 2-3 shortlisted vendors in writing, with a deadline for written responses
- Score each vendor's answers against the four groups, not just an overall impression
- Follow up any vague answer with a request for a live demo of that specific capability
- Weight classification depth and article-level mapping most heavily if you have confirmed high-risk systems
What a Strong Response Actually Looks Like
A strong vendor response names specific Annex III categories relevant to your use case, references Articles 9 through 15 by number when describing features, and gives a concrete, dated answer about how they're tracking the Digital Omnibus situation — rather than a general reassurance that they "monitor regulatory changes."
Scoring the Written Responses
Once responses come back, score each vendor on the same four groups used to structure the questions — classification depth, article-level mapping, deadline tracking, and provider/deployer support — rather than forming an overall impression from reading all 12 answers together. A vendor can be excellent on classification and vague on deadline tracking; scoring each group separately keeps that kind of unevenness from getting averaged away and hidden in a single overall score.
Where Unorma Fits
Send us these 12 questions
Frequently asked questions
Should these questions be asked in writing or just in a demo?
In writing — vague verbal answers are easy to give in a live demo, while specific written answers are harder to fudge and easier to compare across vendors later.
What's the single clearest signal of a vendor's real depth?
Whether they can name specific Annex III categories and Articles 9-15 by number, unprompted — vague 'AI compliance' language without specifics usually signals shallow coverage.
Why does asking about the Digital Omnibus matter?
It reveals whether the vendor actively tracks regulatory developments or built EU AI Act features once and hasn't revisited them since — a meaningful signal for a fast-moving regulation.
Do providers and deployers need different features from the same platform?
Yes — providers need documentation generation and conformity assessment support, while deployers need oversight tracking and incident reporting workflows specifically.
How many vendors should we send these questions to?
Two to three shortlisted vendors, with a deadline for written responses — this keeps the comparison manageable while still surfacing meaningful differences.
What does a genuinely strong vendor answer look like?
It names specific Annex III categories relevant to your use case, references Articles 9-15 by number, and gives a concrete, dated answer on Digital Omnibus tracking rather than a general reassurance.
Should we score responses as one overall impression or by group?
By group — classification depth, article-level mapping, deadline tracking, and provider/deployer support scored separately, since a vendor can be strong on one and weak on another in ways an overall impression would hide.
Is it worth involving legal in the vendor evaluation itself?
For organizations with confirmed high-risk systems, yes — legal can help judge whether a vendor's answers on classification and article-level mapping are actually accurate, not just confident-sounding.
Should the questions change if we're only a deployer, not a provider?
Keep all 12, but weight the deployer-support group most heavily — oversight assignment, monitoring and incident reporting matter more to you than the provider-side documentation generation questions.
Key terms in this article
About the author

Compliance Manager & AI Governance Consultant
Compliance Manager and consultant specializing in AI governance for high-scale technology companies operating in regulated markets.
View full profileKeep reading
More from the blog
AI Compliance Software
AI Compliance Software
What Is AI Compliance Software? A Complete Guide for 2026
AI compliance software turns scattered spreadsheets and PDFs into a live system of record for every AI system you build or use. Here's what it does, who needs it, and how to evaluate it.
EU AI Act
EU AI Act
EU AI Act Deadlines in 2026 and 2027: What the Digital Omnibus Actually Changed
In May 2026, EU lawmakers provisionally agreed to delay the AI Act's high-risk deadlines. Here's exactly what changed, what didn't, and what's legally binding today.
ISO 42001
ISO 42001
ISO 42001 Certification Requirements: The Complete Checklist
ISO 42001 has 10 clauses and 38 Annex A controls. This is the complete, plain-language checklist for what you actually need to have in place before your audit.