The EU AI Act Is Enforcing in 2025: What Developers Actually Need to Know

The EU AI Act Is Enforcing in 2025: What Developers Actually Need to Know

The EU AI Act is not a future concern for most developers building AI systems — it’s present tense. High-risk AI prohibitions have been in effect since August 2024. Obligations for general-purpose AI models (GPAIs) went into effect in August 2025. Full application of high-risk AI requirements follows in August 2026. If you’re building AI that touches European users, you’re operating in a regulated environment.

This is a practical breakdown of what the Act requires and what it means if you’re developing or deploying AI systems.

The Risk-Based Framework

The EU AI Act uses a risk-tiered approach:

Unacceptable Risk (Prohibited):

  • AI for subliminal manipulation
  • Social scoring systems by governments
  • Real-time biometric surveillance in public spaces (with narrow exceptions)
  • AI that exploits vulnerable groups
  • Emotion recognition in workplaces and schools (mostly prohibited)

These are flat banned. No compliance path exists.

High Risk: This is where most commercial AI development runs into requirements. High-risk applications include:

  • AI in hiring decisions and CV screening
  • AI in credit scoring and financial services
  • AI in medical devices and health
  • AI in critical infrastructure management
  • Biometric categorization systems
  • Law enforcement AI (predictive policing, etc.)
  • Border control AI
  • AI used in education and training assessments
  • AI used in justice and democratic processes

Limited Risk: Chatbots and AI-generated content must be disclosed as such. You must tell users they’re interacting with AI.

Minimal Risk: Spam filters, AI in video games, recommendation systems — minimal obligations.

What High-Risk AI Compliance Actually Requires

If you’re building high-risk AI, here’s what the Act requires technically:

Risk Management System

You need a documented risk management system throughout the AI lifecycle:

Documentation Requirements:
├── Intended purpose and limitations
├── Risk analysis and mitigation measures
├── Residual risks after mitigation
├── Testing methodology and results
├── Monitoring procedures post-deployment
└── Incident response procedures

This isn’t a one-time document — it’s a living system that updates as the AI system changes.

Data Governance

Training data must be:

  • Examined for biases (with documented examination)
  • Relevant and representative
  • Collected with appropriate consent
  • Documented with data cards or similar
# Example: documenting dataset characteristics (simplified)
dataset_card = {
    "name": "employee_screening_v2",
    "size": 50000,
    "collection_period": "2022-2024",
    "geographic_coverage": ["DE", "FR", "NL", "ES"],
    "demographic_breakdown": {
        "gender": {"male": 0.54, "female": 0.44, "other": 0.02},
        "age_distribution": "18-65, approximately normal",
        "known_biases": ["underrepresentation of >55 age group"],
        "bias_mitigations": ["oversampling older candidates in training"]
    },
    "consent_basis": "GDPR Article 6(1)(b) contract performance",
    "data_sources": ["internal_hr_system", "anonymized_recruitment_data"]
}

Technical Documentation

For each high-risk AI system, you must maintain:

  • System architecture and design documentation
  • Training data characteristics
  • Performance metrics on relevant test sets
  • Known limitations and edge cases
  • Instructions for human oversight
  • Cybersecurity measures

Transparency and Explainability

High-risk AI decisions must be explainable to affected individuals:

# When an AI system makes a consequential decision,
# you need to be able to explain the key factors

class HiringDecisionExplainer:
    def explain(self, application_id: str, decision: str, model_output: dict) -> dict:
        return {
            "decision": decision,
            "key_factors": [
                {
                    "factor": "relevant_experience",
                    "influence": "positive",
                    "description": "10+ years in required field"
                },
                {
                    "factor": "skill_match",
                    "influence": "positive",
                    "description": "8 of 10 required skills matched"
                }
            ],
            "human_review_available": True,
            "appeal_process": "contact [email protected] within 30 days",
            "generated_at": "2026-02-28T10:00:00Z",
            "model_version": "cv_screener_v2.3",
            "regulation_compliance": "EU AI Act Article 13"
        }

Human Oversight

The Act requires meaningful human oversight — not rubber-stamping by a human who can’t override the AI:

  • Humans must be able to understand AI outputs
  • Humans must be able to intervene and stop the AI
  • Humans must not be under pressure to defer to AI decisions
  • High-risk decisions must have human review before taking effect

This is particularly meaningful for automated hiring, credit, and medical decisions.

Conformity Assessment

Before deploying high-risk AI, you need to do a conformity assessment:

  • Internal conformity assessment (for most high-risk AI)
  • Third-party notified body assessment (for AI in safety-critical infrastructure)

The assessment verifies your documentation and controls are in place.

General-Purpose AI Model Obligations

This is the category that catches foundation model providers:

Any GPAI (like GPT-4, Claude, Gemini, DeepSeek) must:

  • Maintain technical documentation
  • Make compliance information available to downstream deployers
  • Have a copyright policy
  • Publish summaries of training data used

High-capability GPAIs (above a compute threshold, approximately 10^25 FLOPS training compute):

  • Red-team and adversarial testing
  • Incident reporting to EU AI Office
  • Security measures against modification
  • Energy efficiency reporting

OpenAI, Anthropic, Google, and Meta all fall under GPAI obligations. They’ve been publishing model cards and system cards partly in response to this.

Practical Implications for Developers

You’re Often a Deployer, Not a Provider

Most developers aren’t building foundation models — they’re deploying existing models (via API or open-weight) for specific purposes. As a deployer, your obligations include:

  • Using AI only for its intended purpose (per the provider’s documentation)
  • Ensuring high-risk use cases meet all technical requirements
  • Registering high-risk systems in the EU database
  • Monitoring the AI system’s behavior post-deployment
# Track AI system metadata for compliance
ai_system:
  name: "candidate_screening_assistant"
  version: "2.1.0"
  eu_registration_id: "AI-2025-HR-00342"  # Required for high-risk systems
  risk_category: "high"  # EU AI Act Annex III category 4
  intended_use: "Initial CV screening for engineering roles"
  prohibited_uses:
    - "Final hiring decisions"
    - "Personality assessment"
    - "Emotional evaluation"
  human_oversight_required: true
  review_before_action: true
  deployed_regions: ["DE", "FR", "NL"]
  compliance_officer: "[email protected]"
  last_assessment_date: "2025-08-15"
  next_assessment_due: "2026-08-15"

Minimal Risk AI Is Simple

If you’re building a customer service chatbot, a recommendation system, or internal tooling: your main obligation is disclosure. Tell users they’re interacting with AI:

<!-- Minimum required disclosure for chatbots -->
<div class="ai-disclosure">
  <p>You are chatting with an AI assistant. This conversation is not with a human.
  Learn more about how we use AI.</p>
</div>

For AI-generated text published publicly, it must be machine-readable that it was AI-generated:

<meta name="ai-generated" content="true">
<meta name="ai-tool" content="Claude claude-opus-4-6">

Documentation is the Foundation

The biggest practical requirement for high-risk AI is documentation. Start maintaining:

  1. A model registry (what models are deployed, versions, purposes)
  2. Data lineage documentation
  3. Risk assessments for each use case
  4. Testing results and performance on different demographic groups
  5. Incident logs

This doesn’t require fancy tooling — a structured set of documents in a repository is compliant if they contain the required information.

Penalties and Enforcement

The EU AI Act has significant teeth:

  • Prohibited practices violations: up to €35M or 7% of global annual turnover
  • High-risk obligations violations: up to €15M or 3% of global annual turnover
  • Providing false information: up to €7.5M or 1.5% of global annual turnover

Enforcement is by national authorities (similar to GDPR’s structure). The EU AI Office handles GPAI oversight.

The comparison to GDPR is instructive: GDPR enforcement ramped slowly (2-3 years to significant fines), but when it started, fines were substantial and broad. Expect similar dynamics with the AI Act.

Conclusion

The EU AI Act is not GDPR 2.0 in terms of complexity — for most minimal-risk AI applications, disclosure is the primary obligation. For high-risk applications (hiring, credit, healthcare, critical infrastructure), the requirements are substantial but not unreasonable if you’re building AI responsibly anyway.

The Act pushes AI development toward practices that many responsible teams were doing informally: document your systems, test for bias, require human review before consequential decisions, and tell users when they’re interacting with AI.

If you’re building AI for European users, audit your current deployments against the risk categories now. The deadline for high-risk compliance is August 2026 — which sounds distant, but documentation and conformity assessments take time to do properly.

Share this post: LinkedIn Reddit WhatsApp Mastodon
Jesse Borden

Jesse Borden

Software Engineer with an interest in hands on learning

I have several years of professional Information Technology (IT) experience leading staff and projects within the Department of War (DOW). I have managed Service Desk, Web Application Development, and System Administration teams. My two greatest passions are learning and conti...