
A structured on-page schema for deployers under Regulation (EU) 2024/1689 Article 26. Each field is tied to a specific Article 26 paragraph, Annex III sub-point or GDPR coordination duty, so reviewers can see why every column exists. A worked example for an HR-tech CV-screening system follows each field.

The 12 fields

Build the register in a spreadsheet, a wiki page or your GRC platform — the format does not matter to the regulator. What matters is that every high-risk AI system you put into use is represented and that each field is traceable to an Article 26 obligation.

01 — System name + version

Why: Uniquely identifies the AI system. Version is required because Article 26(5) monitoring duties attach to the version deployed.

Example: TalentFit Screener v3.2.1


02 — Provider (legal entity + CVR/VAT)

Why: Article 26(1) requires use in accordance with the provider's instructions. You need the legal counter-party for incident escalation.

Example: TalentFit ApS, CVR 12345678


03 — Provider's CE marking + DoC reference

Why: Article 26(1) presupposes the provider has placed a compliant high-risk system on the market. Capture the EU Declaration of Conformity reference.

Example: DoC ref TF-2026-014 dated 2026-03-12


04 — Intended purpose (verbatim from provider)

Why: Article 26(1) ties your obligations to the provider's stated intended purpose. Off-purpose use can re-classify you as a provider under Article 25.

Example: Pre-screening of job applications for IT-engineering roles in Denmark


05 — Risk classification (high / limited / minimal / prohibited)

Why: Drives the entire compliance regime. Annex III Point 4 covers HR-tech recruitment and workplace decision-making.

Example: High-risk — Annex III(4)(a)


06 — Annex III sub-point (if high-risk)

Why: Several sub-points can apply (e.g. 4(a) recruitment + 4(b) performance). Each triggers the full Article 26 stack.

Example: Annex III(4)(a) recruitment + Annex III(4)(b) candidate ranking


07 — Input data sources controlled by you

Why: The Article 26(4) duty for input-data relevance attaches only to data the deployer controls. Capture sources to scope the duty.

Example: Applicant CVs uploaded via careers portal; LinkedIn-imported profiles


08 — Output type + downstream decision

Why: Article 26(11) requires you to inform affected persons when output contributes to a decision producing legal or similarly significant effects.

Example: 0-100 fit score; used to shortlist top 30 candidates per role


09 — Named human oversight role + competence

Why: Article 26(2) requires assignment to a named natural person with competence, training and authority — not a generic team mailbox.

Example: Head of Talent Acquisition, completed Article 4 literacy module 2026-04


10 — Log retention location + period

Why: Article 26(6) requires automatically generated logs to be retained for at least 6 months unless other Union or national law requires longer.

Example: AWS S3 eu-north-1 bucket talentfit-logs, 24-month retention, immutable


11 — DPIA reference (GDPR Article 35)

Why: Profiling and automated decision-making about job applicants typically trigger a DPIA. Article 26(9) lets you re-use provider documentation, but the DPIA stays your responsibility.

Example: DPIA-2026-007, last review 2026-05-15, owner DPO@example.com


12 — Worker-information evidence (Article 26(7))

Why: Employers must inform workers' representatives and affected workers before putting a high-risk system into use in the workplace. GDPR information duties run in parallel.

Example: Works-council briefing minute 2026-02-08; intranet notice published 2026-02-15


Operating notes

  • Maintain one row per (system + version + intended purpose) combination. A material change to any of these creates a new row, not an edit.
  • Cross-link to your GDPR Article 30 record of processing activities — the two registers serve different regulators (national AI authority vs. data protection authority) but reference the same systems.
  • Review cadence: minimum annually, and immediately on (a) provider version upgrades, (b) new Annex III sub-point exposure, (c) any Article 73 serious-incident report you submit.
  • Owner: a single accountable role (Head of Compliance, DPO or CIO). Editors can be many; one accountable signatory per row.

What this template does not cover

The inventory is the foundation, not the whole compliance file. You still need separately:

  • The Article 27 fundamental-rights impact assessment (FRIA) for the deployers obliged to perform one — public bodies, private operators of public services and certain Annex III deployers.
  • The Article 4 AI-literacy register (training records per person handling the system), in force since 2 February 2025.
  • The Article 50 transparency disclosures for chatbots, emotion recognition, biometric categorisation and AI-generated content (applies from 2 August 2026).
  • Your Article 26(5) and Article 73 serious-incident reporting runbook.

Sources

  • Regulation (EU) 2024/1689 (AI Act), Articles 4, 25, 26, 27, 50, 73 and Annex III — EUR-Lex: eur-lex.europa.eu/eli/reg/2024/1689/oj
  • Regulation (EU) 2016/679 (GDPR), Articles 22, 30, 35 — EUR-Lex: eur-lex.europa.eu/eli/reg/2016/679/oj
  • European Commission AI Act Service Desk Q&A on AI literacy and Article 4 (current 2026).

Note: PowerQuant supplies software and documentation for use in your internal compliance process — not legal advice. Concrete obligations depend on each system's classification, your role (provider, deployer, both) and the applicable phase of the EU AI Act.