The EU AI Act Is Now Operational: What Product Teams Must Do Before August

WHICH PRODUCTS ARE ACTUALLY IN SCOPE

The first task is classification, and it's more nuanced than the headlines suggest. The AI Act uses a risk-tiered framework: prohibited AI systems (real-time biometric surveillance in public spaces, social scoring systems), high-risk AI systems with specific obligations, and general-purpose AI with transparency requirements. The majority of commercial AI products fall into the general-purpose category, which carries meaningful but manageable obligations rather than the full high-risk burden.

High-risk classification applies to AI systems in specific annexes: biometric identification and categorisation, critical infrastructure management, educational and vocational training systems that determine access, employment and workers management, access to essential services including credit scoring, law enforcement, migration and asylum management, and administration of justice. If your product operates in any of these domains and processes data about EU residents, you are almost certainly in scope for the high-risk requirements.

The practical test: does your AI system produce outputs that humans use to make decisions with significant consequences for individuals? A customer support chatbot that escalates to a human for every consequential decision is lower risk than an automated credit underwriting system that issues approvals without human review. The degree of human oversight built into the system affects both the classification and the compliance requirements.

WHAT HIGH-RISK COMPLIANCE ACTUALLY REQUIRES

High-risk AI system providers must implement a quality management system covering the full AI lifecycle: data governance, technical documentation, record-keeping, transparency to deployers, human oversight measures, accuracy, robustness, and cybersecurity. This is not a one-time audit — it's an ongoing operational requirement with mandatory incident reporting when things go wrong.

Technical documentation is the most immediately demanding requirement. You must maintain records of the AI system's intended purpose, the data used to train and test it, the accuracy and performance metrics across different population groups, and the risk assessment methodology used to evaluate it. For products built on top of foundation model APIs, this requires coordination with your model provider — Anthropic, OpenAI, and Google all began publishing GPAI transparency documentation in 2025 that feeds into this chain of documentation.
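The "accuracy and performance metrics across different population groups" item is the one most often satisfied with a single aggregate number, which hides exactly the disparities the documentation is meant to surface. The following is an added example, not code from the article or from any model provider: it computes a confusion matrix per group, compares each group's accuracy, false-positive rate and false-negative rate against the overall figures, and flags deviations beyond a tolerance. The evaluation rows, the group labels and the 10-point tolerance are all constructed for illustration.

```python
"""Disaggregated evaluation report for an AI system's technical documentation.

Added example (not from the article). EVAL is a constructed evaluation set:
(population_group, true_label, predicted_label). The tolerance is an assumed
policy value, not a figure from the AI Act.
"""
from collections import defaultdict

EVAL = [
    ("A", 1, 1), ("A", 1, 1), ("A", 0, 0), ("A", 0, 0), ("A", 1, 0),
    ("B", 1, 1), ("B", 0, 1), ("B", 0, 1), ("B", 1, 0), ("B", 0, 0),
]


def confusion(rows):
    """Count true/false positives and negatives for binary labels."""
    tp = fp = tn = fn = 0
    for _, y, p in rows:
        if y == 1 and p == 1:
            tp += 1
        elif y == 0 and p == 1:
            fp += 1
        elif y == 0 and p == 0:
            tn += 1
        else:
            fn += 1
    return tp, fp, tn, fn


def metrics(rows):
    """Accuracy plus the two error rates that matter for consequential decisions."""
    tp, fp, tn, fn = confusion(rows)
    n = tp + fp + tn + fn
    return {
        "n": n,
        "accuracy": (tp + tn) / n,
        "fpr": fp / (fp + tn) if fp + tn else 0.0,   # wrongly flagged
        "fnr": fn / (fn + tp) if fn + tp else 0.0,   # wrongly missed
    }


def report(rows, tolerance=0.10):
    """Overall metrics, per-group metrics, and flags where a group deviates
    from the overall figure by more than `tolerance` (absolute)."""
    overall = metrics(rows)
    by_group = defaultdict(list)
    for r in rows:
        by_group[r[0]].append(r)
    out = {"overall": overall, "groups": {}, "flags": []}
    for g, group_rows in sorted(by_group.items()):
        m = metrics(group_rows)
        out["groups"][g] = m
        for k in ("accuracy", "fpr", "fnr"):
            if abs(m[k] - overall[k]) > tolerance:
                out["flags"].append((g, k, round(m[k], 3), round(overall[k], 3)))
    return out


if __name__ == "__main__":
    result = report(EVAL)
    print("overall:", result["overall"])
    for g, m in result["groups"].items():
        print(f"group {g}:", m)
    for g, metric, got, ref in result["flags"]:
        print(f"FLAG group {g}: {metric}={got} vs overall {ref}")
```

On the constructed set the overall accuracy is 0.6, but group A sits at 0.8 with a zero false-positive rate while group B sits at 0.4 with a false-positive rate near 0.67; the flag list is the part that belongs in the documentation, together with the group definitions and sample sizes.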

Human oversight is the other high-stakes requirement. High-risk AI systems must be designed to allow effective oversight by natural persons. This doesn't mean a human approves every decision, but it does mean the system must support human intervention, provide output that humans can understand and review, and have documented processes for how humans override or correct the system. The "human in the loop" design pattern that AI application developers have been implementing for reliability reasons turns out to also be the compliance-safe pattern for the AI Act.
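To make the human-in-the-loop pattern concrete, here is an added example of a decision gate that holds consequential or low-confidence outputs for a natural person, carries the model's rationale to the reviewer, requires a stated reason for an override, and keeps an audit trail for record-keeping. This is not code from the article or from any vendor; `ModelOutput`, `Decision`, the confidence floor and the routing policy are illustrative assumptions.

```python
"""Human-oversight gate for an AI-assisted decision pipeline.

Added example (not from the article). Assumes a hypothetical ModelOutput
produced upstream; the CONFIDENCE_FLOOR and the routing policy are
constructed policy values, not requirements taken from the AI Act text.
"""
from dataclasses import dataclass, field, asdict
from datetime import datetime, timezone
from enum import Enum
import json


class Status(Enum):
    AUTO_APPLIED = "auto_applied"        # low stakes: machine acted alone
    PENDING_REVIEW = "pending_review"    # held for a natural person
    HUMAN_CONFIRMED = "human_confirmed"
    HUMAN_OVERRIDDEN = "human_overridden"


@dataclass
class ModelOutput:
    subject_id: str
    recommendation: str        # e.g. "approve" / "decline"
    confidence: float          # 0.0 - 1.0 as reported by the model
    rationale: list            # human-readable factors the model surfaced


@dataclass
class Decision:
    output: ModelOutput
    consequential: bool
    status: Status
    final: str
    audit: list = field(default_factory=list)

    def log(self, actor, event, **extra):
        self.audit.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "actor": actor, "event": event, **extra,
        })


CONFIDENCE_FLOOR = 0.90  # constructed policy value


def route(output: ModelOutput, consequential: bool) -> Decision:
    """Decide whether the machine may act alone.

    Policy: any outcome with significant consequences for an individual, or
    any low-confidence output, is held for a human. The model's rationale
    travels with the record so the reviewer can understand what they review.
    """
    hold = consequential or output.confidence < CONFIDENCE_FLOOR
    status = Status.PENDING_REVIEW if hold else Status.AUTO_APPLIED
    d = Decision(output=output, consequential=consequential, status=status,
                 final="" if hold else output.recommendation)
    d.log("system", "routed", status=status.value,
          confidence=output.confidence, rationale=output.rationale)
    return d


def human_review(d: Decision, reviewer: str, final: str, reason: str) -> Decision:
    """Record the reviewer's outcome; an override must carry a stated reason."""
    if d.status is not Status.PENDING_REVIEW:
        raise ValueError("decision is not awaiting review")
    if not reason.strip():
        raise ValueError("reviewer must state a reason")
    overridden = final != d.output.recommendation
    d.status = Status.HUMAN_OVERRIDDEN if overridden else Status.HUMAN_CONFIRMED
    d.final = final
    d.log(reviewer, "reviewed", final=final, overridden=overridden, reason=reason)
    return d


def export_record(d: Decision) -> str:
    """Serialise the full decision trail for the record-keeping obligation."""
    return json.dumps({**asdict(d), "status": d.status.value}, default=str)


if __name__ == "__main__":
    # Constructed inputs: a support reply is auto-applied, a credit decision is held.
    reply = route(ModelOutput("ticket-1", "reply_with_faq", 0.97, ["matches FAQ 12"]),
                  consequential=False)
    print(reply.status.value)
    credit = route(ModelOutput("applicant-7", "decline", 0.98, ["debt ratio 0.61"]),
                   consequential=True)
    human_review(credit, "analyst-42", "approve",
                 "debt ratio reflects documented medical leave")
    print(export_record(credit))
```

The design choice worth noting is that `consequential` is a property of the decision type, set by the application, not inferred from the model's confidence: a 0.98-confidence credit decline is still held for review, which is the behaviour the oversight requirement asks for.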

THE GPAI TRANSPARENCY LAYER

General-purpose AI models with significant impact — defined as trained on more than 10^25 FLOPs, which captures all major frontier models — are subject to model-level transparency requirements. As a product builder using these APIs, this affects you primarily through the documentation your model provider publishes, which flows into your own technical documentation.

Anthropic's model card documentation, OpenAI's system card releases, and Google's technical reports now serve a dual purpose: research communication and EU AI Act compliance documentation. When you build a high-risk AI application on Claude or GPT-4o, you can reference these as upstream documentation for the model layer, limiting your own documentation obligation to the application-specific risk assessment and the human oversight measures you've implemented.

For products not classified as high-risk but using GPAI models, the transparency requirements are simpler: disclose to users that they are interacting with an AI system, and for AI-generated content that could be mistaken for authentic human output, label it as AI-generated. The watermarking and provenance requirements for AI-generated images, audio, and video that were debated through 2025 are now enforceable in the EU.

WHAT YOU SHOULD DO IN THE NEXT 90 DAYS

Four months is tight for teams that haven't started. The practical sequencing: first, determine your risk classification honestly — most products are not high-risk even if they use AI, and over-classifying creates unnecessary compliance burden. Second, for products that are high-risk, commission a conformity assessment if you haven't. Third, close the documentation gaps — the technical documentation requirement is the most commonly incomplete item in audits we've seen, and it's also the most straightforward to address with the right process.

Register your high-risk AI systems in the EU AI Act database by August. This is a non-optional administrative step that many teams are treating as a back-burner task — it's not. The database registration is how regulators know which systems to audit, and being unregistered is itself a compliance failure that regulators will find when they conduct market surveillance.

The enforcement reality through the first year is likely to focus on egregious violations rather than technical non-compliance in good-faith implementations. National AI authorities in Germany, France, and the Netherlands have signalled that their initial enforcement priorities are prohibited AI systems and high-risk systems with no compliance documentation at all. Teams that have made genuine attempts to comply — even if imperfectly — are in a considerably better position than teams that haven't started. Start now, document what you're doing, and iterate.

THE GDPR PLAYBOOK, REPEATED

The pattern here rhymes with GDPR in 2018: significant regulatory deadline, initial panic, gradual realisation that compliance is an engineering and process problem rather than an existential threat, market for compliance tooling, and ultimately a changed default for how products are built. GDPR improved data practices across the industry in ways that turned out to benefit users regardless of enforcement — explicit consent flows, data minimisation, and right-to-deletion are now standard product expectations.

The EU AI Act will have the same effect on AI product design. Human oversight, documentation of AI system behaviour, transparency to users about when they're interacting with AI, and meaningful accuracy measurement across demographic groups are not compliance burdens — they're good engineering practices that produce more reliable and trustworthy products. Building them in from the start is easier than retrofitting them under regulatory pressure.