EU Compliance Checklist for Shopify Stores: 15 Steps Before August 2026

Last updated: April 7, 2026

No legal jargon. No 200-page regulation PDFs. Just a clear, actionable checklist of what your Shopify store needs to do before the EU AI Act and Cyber Resilience Act enforcement deadlines.

EU AI Act Compliance (Deadline: August 2, 2026)

1. Label AI-generated product descriptions (AI Act)

   Add a visible disclosure to every product page where AI was used to write or assist with the description. Include text like "This description was created with AI assistance."

2. Label AI-generated images (AI Act)

   If product images were generated or enhanced by AI, disclose this in the image alt text or on the product page.

3. Disclose AI-powered recommendations (AI Act)

   If your store shows "Recommended for you" or "You might also like" sections, add a note that these are generated by AI algorithms.

4. Identify chatbots as AI (AI Act)

   If you use a chatbot, make sure it clearly identifies itself as an AI system at the start of every conversation.

5. Disclose automated decision-making (AI Act)

   If AI determines pricing, review visibility, or search rankings, inform customers and offer the right to request human review.

6. Update your privacy policy with an AI section (AI Act)

   Add a dedicated section about how AI processes customer data. Name the AI systems used and their purpose.

7. Create an AI disclosure page (AI Act)

   A standalone page listing all AI systems your store uses, what they do, and how customers can opt out or request human alternatives.

8. Document human oversight mechanisms (AI Act)

   Show that humans can review and override AI decisions. Add a contact method for customers to reach a human about AI-made decisions.

Cyber Resilience Act Compliance (Deadline: September 11, 2026)

9. Create an incident response plan (CRA)

   Document how your store handles security incidents. Include the 24-hour reporting requirement and who is responsible for each step.

10. Add a security contact (CRA)

   Provide a dedicated email address or form for reporting security vulnerabilities. Publish a vulnerability disclosure policy.

11. Document third-party integrations (CRA)

   List every third-party script, app, and service your store uses. Note their security practices and data access.

12. Address payment data security (CRA)

   Explicitly state in your privacy policy how payment data is handled, encrypted, and secured. Reference PCI compliance.

13. Define data retention policies (CRA)

   State how long you keep customer data and when it is deleted. Include this in your privacy policy.

14. Address cross-border data transfers (CRA)

   If data moves outside the EU, document this and explain the legal basis and safeguards.

15. Set up compliance monitoring (Both)

   Regulations evolve. Your store changes. Set up recurring compliance scans to catch new issues as they emerge.

Automate this checklist

Complyo scans your store against all 15 items and tells you exactly what needs fixing. One scan, both regulations, under 3 minutes.