Article

Creating an AI register: requirements and step-by-step guide

What an AI register is, which fields are required under the EU AI Act, and how to build one in five steps that can withstand an audit.

Short answer
  • An AI register is an internal overview of all AI systems your organisation uses or deploys, listing the risk level, responsible person, and applicable obligations for each system.
  • The EU AI Act (Regulation (EU) 2024/1689) requires deployers of high-risk AI (Annex III) to maintain registration and documentation; for non-high-risk AI an internal register is not legally mandatory but is strongly recommended.
  • High-risk AI for SMEs includes: CV screening, candidate selection, performance assessment software (Annex III category 4), and biometric identification (category 1).
  • Delahaye Solutions builds an audit-ready AI register as part of the AI Act Scan (from €750).

What is an AI register and when is it required?

An AI register is an internal document that tracks which AI systems your organisation uses or deploys, what each system does, its risk level, and who is responsible. The EU AI Act (Regulation (EU) 2024/1689, in force 1 August 2024) requires deployers of high-risk AI systems as defined in Annex III to maintain registration and documentation. For most SMEs, this hard obligation only applies when they deploy AI in high-risk categories such as CV screening, biometrics, or credit assessment. Even organisations using only lower-risk AI tools gain credibility with customers, insurers, and tendering bodies by maintaining a current AI register.

Step by step

Five steps to create an AI register

This step-by-step plan produces a register that meets the EU AI Act documentation requirements for deployers and can withstand an internal or external audit.

1. Inventory all AI applications

List every AI system or AI tool your organisation uses: from ChatGPT and Microsoft Copilot to SaaS applications with an AI component (CV screening, fraud detection, chatbots, recommendation algorithms). Use a simple spreadsheet. Ask each department: which tools do you use where the output or a decision is determined in part by an algorithm or AI model? Record the vendor, version, and intended purpose.

2. Classify each system by risk level

The EU AI Act has four risk categories: prohibited AI (Art. 5, e.g. real-time biometric surveillance in public spaces), high risk (Annex III, including candidate selection and credit assessment), limited risk (transparency obligations, e.g. deepfakes and chatbots), and minimal risk (no specific obligations). Determine which category each tool falls into. Uncertain? The Delahaye Solutions AI Act Scan report includes a substantiated classification.

3. Document the required fields for each system

For high-risk AI, the AI Act (Art. 13 and Annex IV) prescribes specific documentation: name and version of the system, vendor and contact person, intended use case and target group, type of input data (including personal data: GDPR legal basis Art. 6 GDPR), expected accuracy and error margins, human oversight mechanism, and the responsible officer. Also note the contract term and review date.

4. Appoint an AI coordinator

Designate an internal AI coordinator: the person who maintains the register, assesses new tools before adoption, and organises the annual review. In a small organisation this can be the director; in larger SMEs it may be the IT manager, compliance officer, or a designated AI officer. Record the role and responsibilities in a short task description document.

5. Schedule an annual review and keep the register current

An AI register becomes outdated quickly: tools are updated, new versions carry different risk profiles, and the EU AI Act continues to be refined through delegated acts. Set a calendar reminder for an annual review (or after every major tool update). At each review date, check: have new tools been added, are existing classifications still correct, are contact persons and contracts current? Keep dated versions for audits.

High-risk AI for SMEs

Which AI applications fall under high risk for SMEs?

Annex III of the EU AI Act lists eight categories of high-risk AI. For SMEs, the most relevant are: category 4 (employment and workforce management: CV screening, candidate selection, performance assessment software, tools influencing promotion or dismissal decisions), category 5 (access to essential services: credit scoring tools, risk scoring by insurers), and category 2 (critical infrastructure, particularly energy or water sectors). Biometric identification (category 1) is not applicable to most SMEs, but access systems using facial recognition do fall under it. Verify for each tool whether you are the AI system vendor (provider, many obligations) or the user in a work context (deployer, fewer but concrete obligations).

Frequently asked questions

Frequently asked questions about the AI register and the EU AI Act

Is an AI register required for all businesses?
No. The EU AI Act only requires deployers and providers of high-risk AI systems (Annex III) to formally register and document. For SMEs that exclusively use low- or minimal-risk AI, an internal register is not legally mandatory but is strongly recommended as part of AI governance and for tendering or customer inquiries.
When do EU AI Act obligations apply for high-risk AI?
The EU AI Act entered into force in phases. Prohibited practices (Art. 5) and AI literacy (Art. 4) apply from 2 February 2025. GPAI obligations (Chapter V) apply from 2 August 2025. Obligations for deployers of high-risk AI systems (Annex III, including employment AI) were due from 2 August 2026 but have been deferred to 2 December 2027 via the 'Digital Omnibus' (agreed 7 May 2026; not yet formally adopted). Obligations for providers of AI in CE-marked products (Annex I) have moved accordingly from 2 August 2027 to 2 August 2028.
What is the difference between a provider and a deployer in the AI Act?
A provider develops or places an AI system on the market. A deployer uses an AI system from another party in their own work context. Most SMEs are deployers: they use tools such as ChatGPT, a CV screening platform, or a recommendation algorithm from a SaaS vendor. Providers face heavier obligations (technical documentation, conformity assessment, CE marking for Annex III); deployers face lighter but concrete obligations (human oversight, registration for high-risk AI).
What are the fines for non-compliance with the EU AI Act?
Fines for prohibited AI (Art. 5): up to €35 million or 7% of global annual turnover. Fines for non-compliance with high-risk AI obligations (Art. 9-49): up to €15 million or 3% of annual turnover. Fines for providing false information to supervisors: up to €7.5 million or 1% of annual turnover. In the Netherlands, the Autoriteit Persoonsgegevens is the primary market supervisor for the EU AI Act in most sectors.
How long does it take to create an AI register?
A first version for an SME with five to twenty AI tools typically takes two to four hours. The inventory phase (step 1) is the most time-consuming: you need to consult all departments. Classification (step 2) requires the most expertise and is where Delahaye Solutions assists via the AI Act Scan. Annual maintenance (step 5) takes one to two hours per year.
What does the Delahaye Solutions AI Act Scan deliver?
The AI Act Scan delivers an audit-ready dossier: a fully completed AI register, a tailored AI policy, an AI literacy plan for your staff, and a compliance checklist. Price: from €750 for micro and small teams; from €1,500 for businesses with 10 to 50 employees. The scan is a one-time service and can be reviewed annually.

Want an audit-ready AI register for your organisation?

The Delahaye Solutions AI Act Scan delivers a complete AI register, AI policy, and compliance dossier. From €750, one-time, fixed price.

Request a free intake →

Free intake and quote · Reply within 1 business day · Fixed price, no surprises