The EU AI Act is not a future concern for most developers building AI systems — it’s present tense. High-risk AI prohibitions have been in effect since August 2024. Obligations for general-purpose AI models (GPAIs) went into effect in August 2025. Full application of high-risk AI requirements follows in August 2026. If you’re building AI that touches European users, you’re operating in a regulated environment.
This is a practical breakdown of what the Act requires and what it means if you’re developing or deploying AI systems.
The Risk-Based Framework
The EU AI Act uses a risk-tiered approach:
Unacceptable Risk (Prohibited):
- AI for subliminal manipulation
- Social scoring systems by governments
- Real-time biometric surveillance in public spaces (with narrow exceptions)
- AI that exploits vulnerable groups
- Emotion recognition in workplaces and schools (mostly prohibited)
These are flat banned. No compliance path exists.
High Risk: This is where most commercial AI development runs into requirements. High-risk applications include:
- AI in hiring decisions and CV screening
- AI in credit scoring and financial services
- AI in medical devices and health
- AI in critical infrastructure management
- Biometric categorization systems
- Law enforcement AI (predictive policing, etc.)
- Border control AI
- AI used in education and training assessments
- AI used in justice and democratic processes
Limited Risk: Chatbots and AI-generated content must be disclosed as such. You must tell users they’re interacting with AI.
Minimal Risk: Spam filters, AI in video games, recommendation systems — minimal obligations.
What High-Risk AI Compliance Actually Requires
If you’re building high-risk AI, here’s what the Act requires technically:
Risk Management System
You need a documented risk management system throughout the AI lifecycle:
Documentation Requirements:
├── Intended purpose and limitations
├── Risk analysis and mitigation measures
├── Residual risks after mitigation
├── Testing methodology and results
├── Monitoring procedures post-deployment
└── Incident response procedures
This isn’t a one-time document — it’s a living system that updates as the AI system changes.
Data Governance
Training data must be:
- Examined for biases (with documented examination)
- Relevant and representative
- Collected with appropriate consent
- Documented with data cards or similar
# Example: documenting dataset characteristics (simplified)
dataset_card = {
"name": "employee_screening_v2",
"size": 50000,
"collection_period": "2022-2024",
"geographic_coverage": ["DE", "FR", "NL", "ES"],
"demographic_breakdown": {
"gender": {"male": 0.54, "female": 0.44, "other": 0.02},
"age_distribution": "18-65, approximately normal",
"known_biases": ["underrepresentation of >55 age group"],
"bias_mitigations": ["oversampling older candidates in training"]
},
"consent_basis": "GDPR Article 6(1)(b) contract performance",
"data_sources": ["internal_hr_system", "anonymized_recruitment_data"]
}
Technical Documentation
For each high-risk AI system, you must maintain:
- System architecture and design documentation
- Training data characteristics
- Performance metrics on relevant test sets
- Known limitations and edge cases
- Instructions for human oversight
- Cybersecurity measures
Transparency and Explainability
High-risk AI decisions must be explainable to affected individuals:
# When an AI system makes a consequential decision,
# you need to be able to explain the key factors
class HiringDecisionExplainer:
def explain(self, application_id: str, decision: str, model_output: dict) -> dict:
return {
"decision": decision,
"key_factors": [
{
"factor": "relevant_experience",
"influence": "positive",
"description": "10+ years in required field"
},
{
"factor": "skill_match",
"influence": "positive",
"description": "8 of 10 required skills matched"
}
],
"human_review_available": True,
"appeal_process": "contact [email protected] within 30 days",
"generated_at": "2026-02-28T10:00:00Z",
"model_version": "cv_screener_v2.3",
"regulation_compliance": "EU AI Act Article 13"
}
Human Oversight
The Act requires meaningful human oversight — not rubber-stamping by a human who can’t override the AI:
- Humans must be able to understand AI outputs
- Humans must be able to intervene and stop the AI
- Humans must not be under pressure to defer to AI decisions
- High-risk decisions must have human review before taking effect
This is particularly meaningful for automated hiring, credit, and medical decisions.
Conformity Assessment
Before deploying high-risk AI, you need to do a conformity assessment:
- Internal conformity assessment (for most high-risk AI)
- Third-party notified body assessment (for AI in safety-critical infrastructure)
The assessment verifies your documentation and controls are in place.
General-Purpose AI Model Obligations
This is the category that catches foundation model providers:
Any GPAI (like GPT-4, Claude, Gemini, DeepSeek) must:
- Maintain technical documentation
- Make compliance information available to downstream deployers
- Have a copyright policy
- Publish summaries of training data used
High-capability GPAIs (above a compute threshold, approximately 10^25 FLOPS training compute):
- Red-team and adversarial testing
- Incident reporting to EU AI Office
- Security measures against modification
- Energy efficiency reporting
OpenAI, Anthropic, Google, and Meta all fall under GPAI obligations. They’ve been publishing model cards and system cards partly in response to this.
Practical Implications for Developers
You’re Often a Deployer, Not a Provider
Most developers aren’t building foundation models — they’re deploying existing models (via API or open-weight) for specific purposes. As a deployer, your obligations include:
- Using AI only for its intended purpose (per the provider’s documentation)
- Ensuring high-risk use cases meet all technical requirements
- Registering high-risk systems in the EU database
- Monitoring the AI system’s behavior post-deployment
# Track AI system metadata for compliance
ai_system:
name: "candidate_screening_assistant"
version: "2.1.0"
eu_registration_id: "AI-2025-HR-00342" # Required for high-risk systems
risk_category: "high" # EU AI Act Annex III category 4
intended_use: "Initial CV screening for engineering roles"
prohibited_uses:
- "Final hiring decisions"
- "Personality assessment"
- "Emotional evaluation"
human_oversight_required: true
review_before_action: true
deployed_regions: ["DE", "FR", "NL"]
compliance_officer: "[email protected]"
last_assessment_date: "2025-08-15"
next_assessment_due: "2026-08-15"
Minimal Risk AI Is Simple
If you’re building a customer service chatbot, a recommendation system, or internal tooling: your main obligation is disclosure. Tell users they’re interacting with AI:
<!-- Minimum required disclosure for chatbots -->
<div class="ai-disclosure">
<p>You are chatting with an AI assistant. This conversation is not with a human.
Learn more about how we use AI.</p>
</div>
For AI-generated text published publicly, it must be machine-readable that it was AI-generated:
<meta name="ai-generated" content="true">
<meta name="ai-tool" content="Claude claude-opus-4-6">
Documentation is the Foundation
The biggest practical requirement for high-risk AI is documentation. Start maintaining:
- A model registry (what models are deployed, versions, purposes)
- Data lineage documentation
- Risk assessments for each use case
- Testing results and performance on different demographic groups
- Incident logs
This doesn’t require fancy tooling — a structured set of documents in a repository is compliant if they contain the required information.
Penalties and Enforcement
The EU AI Act has significant teeth:
- Prohibited practices violations: up to €35M or 7% of global annual turnover
- High-risk obligations violations: up to €15M or 3% of global annual turnover
- Providing false information: up to €7.5M or 1.5% of global annual turnover
Enforcement is by national authorities (similar to GDPR’s structure). The EU AI Office handles GPAI oversight.
The comparison to GDPR is instructive: GDPR enforcement ramped slowly (2-3 years to significant fines), but when it started, fines were substantial and broad. Expect similar dynamics with the AI Act.
Conclusion
The EU AI Act is not GDPR 2.0 in terms of complexity — for most minimal-risk AI applications, disclosure is the primary obligation. For high-risk applications (hiring, credit, healthcare, critical infrastructure), the requirements are substantial but not unreasonable if you’re building AI responsibly anyway.
The Act pushes AI development toward practices that many responsible teams were doing informally: document your systems, test for bias, require human review before consequential decisions, and tell users when they’re interacting with AI.
If you’re building AI for European users, audit your current deployments against the risk categories now. The deadline for high-risk compliance is August 2026 — which sounds distant, but documentation and conformity assessments take time to do properly.