Here’s a draft NGO-friendly compliance checklist for the EU Artificial Intelligence Act (AI Act). Use it as a practical starting point if your nonprofit or NGO uses AI tools.
NGO / NPO Compliance Checklist under the EU AI Act
1. Map your AI use
- List all AI tools or systems your organisation uses — including content-generation tools (text, image, audio, video), data-analysis tools, chatbots, decision-support tools, translation tools, etc.
- Note roughly what each tool does and who it interacts with (public, staff, beneficiaries).
2. Determine risk level
- If AI is used for simple tasks (e.g. draft text, translate, format data): likely “minimal” or “limited” risk. These have few obligations. (Digital Strategy)
- If AI touches decisions about people (aid eligibility, applicant screening, profiling), or uses biometric/emotion recognition — treat as “high risk.” (Latham & Watkins)
- If AI use involves banned practices (e.g. mass biometric surveillance, manipulative profiling), stop immediately — these are “unacceptable risk.” (Digital Strategy)
3. Apply transparency and labeling rules (especially for content generation)
If you use AI-generated text, image, video, or audio in public communications:
- Disclose that content is AI-generated or manipulated when shared publicly. (euaiact.com)
- If the AI interacts directly with people (chatbots, automated response systems), inform users that they are engaging with an AI. (euaiact.com)
4. Set up human oversight and data-governance when using high-risk systems
If you operate or deploy a high-risk AI system (e.g. for decision-making, aid allocation, profiling):
- Maintain documentation of how the system is used, its purpose, limitations, and oversight procedures. (Artificial Intelligence Act)
- Ensure input data meets quality, fairness, bias-testing standards. (adra-e.eu)
- Keep records of decisions made with AI support, especially where individuals are affected. (Latham & Watkins)
- Provide human review or human-in-the-loop control before final decisions. (Latham & Watkins)
5. Comply with related EU laws (data protection, privacy)
- If AI processes personal data (especially sensitive or biometric data), ensure compliance with General Data Protection Regulation (GDPR) or other national data protection/ privacy laws. (Latham & Watkins)
6. Inform stakeholders and users clearly
- Provide accessible information about your AI use, its purpose, and what users should expect (e.g. whether a response is generated by AI). (euaiact.com)
- If you deploy AI publicly — plan ahead for disclosures, transparency statements, and possibly labelling AI-generated content. (Digital Strategy)
7. Review and update policies before rollout
- For any new AI-based project: do a quick risk assessment (ethical, legal, data quality).
- Document decisions about whether you accept, modify or reject the use of AI tool.
- Keep a simple “AI use log”: tool used, date, purpose, who uses it, where output goes.
- Schedule periodic reviews (every 6–12 months) to reassess compliance and relevance.
8. Train your team for AI literacy
- Make sure your staff understand basic AI limitations (bias, errors, misuse) and the obligations under the AI Act.
- Assign one or two people responsible for compliance oversight (even in small organisations). This helps prevent accidental misuse. (adra-e.eu)
✨ Why this matters for NGOs / NPOs
- Transparency builds trust among beneficiaries, donors, and the public.
- Responsible AI use prevents harm to vulnerable groups (bias, privacy violations, misleading content).
- Even limited-risk AI requires disclosure when interacting with people or generating public content.
- High-risk or decision-support AI tools demand oversight, documentation, and fair data — to avoid legal and ethical pitfalls.
If you keep this checklist in a living document and review it before each new AI use, your organisation can stay compliant — while still benefiting from AI tools.
