Unorma

EU AI Act

How to Choose EU AI Act Compliance Software: 12 Questions to Ask Vendors

Twelve specific questions to ask any EU AI Act compliance software vendor, designed to reveal real regulatory depth versus surface-level marketing.

Jasper Claes
Jasper Claes

May 6, 2026 · 7 min read

EU AI Act

Send these 12 questions in writing to any EU AI Act compliance software vendor before you buy. The answers — or the absence of specific ones — reveal more than any demo about whether the platform understands the Act's actual structure.

TL;DR

  • The 12 questions fall into four groups: classification depth, article-level mapping, deadline tracking, and provider/deployer support.
  • Ask in writing, not just in a demo — vague verbal answers are easy to give; specific written answers are harder to fudge.
  • The clearest signal of real depth is a vendor who can name specific Annex III categories and Articles 9-15 by number, unprompted.
  • Ask specifically how the vendor is tracking the Digital Omnibus deadline situation — this reveals whether they follow the regulation closely or treat it as a static feature they built once.
  • A vendor unable to answer most of these specifically is likely offering generic AI compliance features with EU AI Act branding attached.

Twelve Questions, Four Groups

ClassificationdepthArticle-levelmappingDeadlinetrackingProvider/deployersupport
The 12 questions fall into four groups — a vendor weak in one group can still sound strong overall in a general sales conversation.

Classification Depth

  1. Which of the 8 Annex III high-risk categories does the platform recognize explicitly?
  2. How does the platform handle the Article 6(3) high-risk carve-out assessment?
  3. How does Annex I (embedded product) classification differ from Annex III in the platform?

Article-Level Mapping

  1. Which specific articles (9-15) are natively mapped to evidence requirements?
  2. How does technical documentation generation map to Article 11 specifically?
  3. How does the platform support Article 14 human oversight tracking?

Deadline Tracking

  1. How is the platform tracking the Digital Omnibus provisional delay?
  2. What happens in the platform if the delay is formally adopted — does the timeline update automatically?
  3. How quickly has the platform historically updated after past regulatory changes?

Provider/Deployer Support

  1. What's different in the platform for a provider vs. a deployer workflow?
  2. How does the platform support Article 27 fundamental rights impact assessments?
  3. How does the platform track Article 73 serious incident reporting obligations?

Reading the Answers

Answer patternWhat it signals
Specific article/category names, unpromptedReal, deep implementation
General 'AI compliance' language, no specificsLikely shallow, generic coverage
No answer on Digital Omnibus trackingPlatform may not track regulatory changes closely

Primary Sources

How to Actually Run This Evaluation

  • Send all 12 questions to 2-3 shortlisted vendors in writing, with a deadline for written responses
  • Score each vendor's answers against the four groups, not just an overall impression
  • Follow up any vague answer with a request for a live demo of that specific capability
  • Weight classification depth and article-level mapping most heavily if you have confirmed high-risk systems

What a Strong Response Actually Looks Like

A strong vendor response names specific Annex III categories relevant to your use case, references Articles 9 through 15 by number when describing features, and gives a concrete, dated answer about how they're tracking the Digital Omnibus situation — rather than a general reassurance that they "monitor regulatory changes."

Scoring the Written Responses

Once responses come back, score each vendor on the same four groups used to structure the questions — classification depth, article-level mapping, deadline tracking, and provider/deployer support — rather than forming an overall impression from reading all 12 answers together. A vendor can be excellent on classification and vague on deadline tracking; scoring each group separately keeps that kind of unevenness from getting averaged away and hidden in a single overall score.

Where Unorma Fits

Send us these 12 questions

Unorma’s EU AI Act framework maps to Annex III/I classification and Articles 9-15 by name. Read the full high-risk systems checklist and current deadline status for how we track the regulation.

Frequently asked questions

Should these questions be asked in writing or just in a demo?

In writing — vague verbal answers are easy to give in a live demo, while specific written answers are harder to fudge and easier to compare across vendors later.

What's the single clearest signal of a vendor's real depth?

Whether they can name specific Annex III categories and Articles 9-15 by number, unprompted — vague 'AI compliance' language without specifics usually signals shallow coverage.

Why does asking about the Digital Omnibus matter?

It reveals whether the vendor actively tracks regulatory developments or built EU AI Act features once and hasn't revisited them since — a meaningful signal for a fast-moving regulation.

Do providers and deployers need different features from the same platform?

Yes — providers need documentation generation and conformity assessment support, while deployers need oversight tracking and incident reporting workflows specifically.

How many vendors should we send these questions to?

Two to three shortlisted vendors, with a deadline for written responses — this keeps the comparison manageable while still surfacing meaningful differences.

What does a genuinely strong vendor answer look like?

It names specific Annex III categories relevant to your use case, references Articles 9-15 by number, and gives a concrete, dated answer on Digital Omnibus tracking rather than a general reassurance.

Should we score responses as one overall impression or by group?

By group — classification depth, article-level mapping, deadline tracking, and provider/deployer support scored separately, since a vendor can be strong on one and weak on another in ways an overall impression would hide.

Is it worth involving legal in the vendor evaluation itself?

For organizations with confirmed high-risk systems, yes — legal can help judge whether a vendor's answers on classification and article-level mapping are actually accurate, not just confident-sounding.

Should the questions change if we're only a deployer, not a provider?

Keep all 12, but weight the deployer-support group most heavily — oversight assignment, monitoring and incident reporting matter more to you than the provider-side documentation generation questions.

About the author

Jasper Claes
Jasper Claes

Compliance Manager & AI Governance Consultant

Compliance Manager and consultant specializing in AI governance for high-scale technology companies operating in regulated markets.

View full profile