AI GovernanceMay 15, 2025·13 min read

The EU AI Act: A Practical
Engineering Guide for 2026

Most teams are treating this like GDPR — hand it to legal and move on. That is a mistake. The AI Act has direct implications for your code, your infrastructure, and your deployment pipeline. Here is what you actually need to build.

This is not legal advice

This is an engineering interpretation of publicly available EU AI Act text (Regulation (EU) 2024/1689, published June 12, 2024 in the Official Journal of the European Union). Consult legal counsel for compliance decisions. This post focuses on what the Act requires engineers to build, not on legal strategy.

The exact timeline — dates that matter

PASTFeb 2, 2025

Prohibited AI Practices — enforcement began

Article 5 bans are live. Prohibited: subliminal manipulation, social scoring by public authorities, real-time remote biometric ID in public spaces (with narrow exceptions), AI that exploits vulnerable groups. If your product does any of these, you needed to stop before this date.

LIVEAug 2, 2025

GPAI Model Obligations — active now

General-Purpose AI providers (OpenAI, Anthropic, Google, Mistral) must publish technical documentation, maintain training data policies, and comply with copyright law. If you fine-tune a GPAI model and distribute it, these obligations extend to you. For most teams: you just need to ensure your GPAI provider is compliant — check their documentation.

UPCOMINGAug 2, 2026

High-Risk AI Systems — 14 months away

The one that impacts most enterprise AI products. Full conformity assessment, technical documentation, human oversight requirements, audit logs, incident reporting. This is what this article is about.

FUTUREAug 2, 2027

Lower-Risk AI — transparency layer

Transparency obligations for chatbots, deepfake detection requirements, limited-risk AI systems must inform users they are interacting with AI.

What "high-risk" actually means — the engineering trigger list

Annex III of the Regulation lists the high-risk categories. The ones most likely to affect software companies:

AI that influences hiring or HR decisions

CV screening, candidate ranking, interview assessment, promotion decisions, performance evaluation. If your AI scores, ranks, or filters job applicants — this is you.

AI in credit or insurance underwriting

Loan scoring, fraud detection systems that block access to financial services, insurance risk models that set premiums.

AI used in access to essential services

Social benefit eligibility, housing access, utilities. Less common in SaaS but watch for adjacent products.

AI in biometric categorisation

Any system that infers sensitive attributes (gender, race, political opinion, health status) from biometric data.

AI in education or training assessment

Automated grading systems, exam proctoring, student assessment tools that materially affect educational access.

AI in law enforcement

Predictive policing, risk assessment in criminal proceedings, evidence evaluation.

If you are a general B2B SaaS product that uses LLMs for search, summarisation, or chatbots — you are probably not high-risk under Annex III. But you need to confirm this with a documented risk assessment. "Probably not" is not a compliance posture.

What you actually need to build (for high-risk systems)

Article 9–17 of the Regulation specifies the technical requirements. Here is the engineering translation:

Decision Audit Logs (Article 12)

Every AI decision that affects a person must be logged with sufficient detail to audit after the fact. The Act does not specify a schema, but best practice (and what regulators will expect):

// Minimum required audit log entry

{

"decision_id": "dec_01HWXYZ...",

"timestamp": "2025-08-02T14:32:11Z",

"model_id": "gpt-4o-2024-05-13",

"model_version": "2024-05-13",

"input_hash": "sha256:a3b4c5...",

"output_summary": "application_rejected",

"confidence_score": 0.87,

"feature_weights": {...},

"human_reviewed": false,

"data_sources": ["credit_bureau", "bank_statement"],

"system_version": "v2.4.1",

"jurisdiction": "EU"

}

Logs must be retained for at least 6 months post-decision, and up to 10 years for law enforcement applications (Article 12.1). Store in append-only, tamper-evident storage (AWS S3 Object Lock, GCS Bucket Lock, or equivalent).

Human-in-the-Loop Checkpoints (Article 14)

High-risk AI must allow humans to override, intervene, or stop the system. This is not a UI checkbox. It requires:

→A documented override mechanism with access controls (who can override, how, under what conditions)

→The override event must be logged with timestamp and reviewer identity

→The system must be able to halt operation if anomalies are detected (Article 14.4e)

→Meaningful interpretability — the human reviewer must be able to understand what the AI decided and why

Technical Documentation File (Article 11 + Annex IV)

You must maintain a technical file that regulators can audit. Annex IV specifies what it must contain:

✓General description of the AI system and its intended purpose

✓Description of the elements of the AI system and how they interact

✓Design specifications (architecture, training methodology, objectives)

✓Training, validation, and testing datasets used

✓Known limitations and foreseeable risks with mitigations

✓Details of human oversight mechanisms

✓List of standards applied (ISO, IEEE, national standards)

✓Post-market monitoring plan

Incident Reporting (Article 73)

Serious incidents — defined as events causing death, serious harm, property damage, or fundamental rights violations — must be reported to national authorities. Timeline:

72 hoursReport serious incidents (death, serious injury)

15 daysReport serious malfunctions in high-risk systems

30 daysFull incident analysis report

The fines — why this is not optional

€35M or 7% global turnover

Prohibited AI violations (Article 5)

€15M or 3% global turnover

Other non-compliance including high-risk system requirements

€7.5M or 1.5% global turnover

Supplying incorrect information to authorities

Whichever is higher applies. For a startup with €10M ARR, a 3% violation is €300K. For a Series C with €50M ARR, it is €1.5M. These are not theoretical — GDPR enforcement generated €4.18 billion in fines between 2018 and 2023. The EU has demonstrated it enforces these regulations.

The 90-day engineering sprint to compliance

Week 1–2

Risk classification audit

→Map all AI systems in your product

→Classify each against Annex III

→Document which are high-risk, limited-risk, or minimal-risk

→Assign owners

Week 3–4

Audit log infrastructure

→Implement append-only audit log storage

→Define log schema (see above)

→Add logging hooks to all high-risk decision paths

→Set up retention policies

Week 5–6

Human oversight mechanisms

→Build override UI for reviewers

→Implement override logging

→Define escalation policies and document them

→Test halt/pause mechanisms

Week 7–8

Technical documentation

→Write Annex IV technical file (at least a first draft)

→Document model cards for all models in use

→Document training data sources and limitations

→Assign compliance owner

Week 9–12

Testing and validation

→Run bias and fairness testing on high-risk decision outputs

→Document known limitations

→Penetration test the override mechanism

→External legal review of technical file

The honest assessment

14 months is not a lot of time if you start now. It is zero time if you start in 2026.

The teams that will struggle are not the ones building obviously high-risk AI. They are the ones who built general-purpose AI products that crept into high-risk territory as their features expanded — and never noticed the classification change. Do the audit now.

AgentOS is being built specifically to automate the decision logging, human oversight checkpoints, and conformity documentation described above. If you want early access, join the waitlist below.

Join AgentOS waitlist →

← All posts Next: ₹39L → ₹23L case study →

The EU AI Act: A PracticalEngineering Guide for 2026