Creating an AI register: requirements and step-by-step guide
What an AI register is, which fields are required under the EU AI Act, and how to build one in five steps that can withstand an audit.
- An AI register is an internal overview of all AI systems your organisation uses or deploys, listing the risk level, responsible person, and applicable obligations for each system.
- The EU AI Act (Regulation (EU) 2024/1689) requires deployers of high-risk AI (Annex III) to maintain registration and documentation; for non-high-risk AI an internal register is not legally mandatory but is strongly recommended.
- High-risk AI for SMEs includes: CV screening, candidate selection, performance assessment software (Annex III category 4), and biometric identification (category 1).
- Delahaye Solutions builds an audit-ready AI register as part of the AI Act Scan (from €750).
What is an AI register and when is it required?
An AI register is an internal document that tracks which AI systems your organisation uses or deploys, what each system does, its risk level, and who is responsible. The EU AI Act (Regulation (EU) 2024/1689, in force 1 August 2024) requires deployers of high-risk AI systems as defined in Annex III to maintain registration and documentation. For most SMEs, this hard obligation only applies when they deploy AI in high-risk categories such as CV screening, biometrics, or credit assessment. Even organisations using only lower-risk AI tools gain credibility with customers, insurers, and tendering bodies by maintaining a current AI register.
Five steps to create an AI register
This step-by-step plan produces a register that meets the EU AI Act documentation requirements for deployers and can withstand an internal or external audit.
1. Inventory all AI applications
List every AI system or AI tool your organisation uses: from ChatGPT and Microsoft Copilot to SaaS applications with an AI component (CV screening, fraud detection, chatbots, recommendation algorithms). Use a simple spreadsheet. Ask each department: which tools do you use where the output or a decision is determined in part by an algorithm or AI model? Record the vendor, version, and intended purpose.
2. Classify each system by risk level
The EU AI Act has four risk categories: prohibited AI (Art. 5, e.g. real-time biometric surveillance in public spaces), high risk (Annex III, including candidate selection and credit assessment), limited risk (transparency obligations, e.g. deepfakes and chatbots), and minimal risk (no specific obligations). Determine which category each tool falls into. Uncertain? The Delahaye Solutions AI Act Scan report includes a substantiated classification.
3. Document the required fields for each system
For high-risk AI, the AI Act (Art. 13 and Annex IV) prescribes specific documentation: name and version of the system, vendor and contact person, intended use case and target group, type of input data (including personal data: GDPR legal basis Art. 6 GDPR), expected accuracy and error margins, human oversight mechanism, and the responsible officer. Also note the contract term and review date.
4. Appoint an AI coordinator
Designate an internal AI coordinator: the person who maintains the register, assesses new tools before adoption, and organises the annual review. In a small organisation this can be the director; in larger SMEs it may be the IT manager, compliance officer, or a designated AI officer. Record the role and responsibilities in a short task description document.
5. Schedule an annual review and keep the register current
An AI register becomes outdated quickly: tools are updated, new versions carry different risk profiles, and the EU AI Act continues to be refined through delegated acts. Set a calendar reminder for an annual review (or after every major tool update). At each review date, check: have new tools been added, are existing classifications still correct, are contact persons and contracts current? Keep dated versions for audits.
Which AI applications fall under high risk for SMEs?
Annex III of the EU AI Act lists eight categories of high-risk AI. For SMEs, the most relevant are: category 4 (employment and workforce management: CV screening, candidate selection, performance assessment software, tools influencing promotion or dismissal decisions), category 5 (access to essential services: credit scoring tools, risk scoring by insurers), and category 2 (critical infrastructure, particularly energy or water sectors). Biometric identification (category 1) is not applicable to most SMEs, but access systems using facial recognition do fall under it. Verify for each tool whether you are the AI system vendor (provider, many obligations) or the user in a work context (deployer, fewer but concrete obligations).
Frequently asked questions about the AI register and the EU AI Act
Is an AI register required for all businesses?
When do EU AI Act obligations apply for high-risk AI?
What is the difference between a provider and a deployer in the AI Act?
What are the fines for non-compliance with the EU AI Act?
How long does it take to create an AI register?
What does the Delahaye Solutions AI Act Scan deliver?
Want an audit-ready AI register for your organisation?
The Delahaye Solutions AI Act Scan delivers a complete AI register, AI policy, and compliance dossier. From €750, one-time, fixed price.
Request a free intake →Free intake and quote · Reply within 1 business day · Fixed price, no surprises