The EU AI Act (Regulation (EU) 2024/1689) has been in force since 2 August 2024. Prohibited practices apply since 2 February 2025, GPAI obligations since 2 August 2025, and high-risk systems from 2 August 2026. Unlike the GDPR in 2018, there is no two-year grace period this time — the duties take effect in stages, and some are already live. Anyone shipping AI in their product in 2026 needs to act. This article is a technical guide for software vendors in the EU market.
Four risk classes, four duty catalogues
The AI Act classifies AI systems into four risk classes — prohibited, high, limited, minimal — and sets duties for each. Violations cost up to EUR 35 million or 7% of global group turnover.
- Prohibited (Art. 5): manipulation, social scoring, untargeted face capture, emotion recognition at work or in education.
- High risk (Art. 6 + Annex III): biometrics, critical infrastructure, education, employment, social benefits, law enforcement, migration, justice administration.
- Limited risk: chatbots, image generation, deepfakes — transparency duties under Art. 50.
- Minimal risk: spam filters, AI in games, everyday recommendation systems — no specific duties.
In practice, "limited risk" is the class that hits most software vendors. It is also where most inadvertent violations happen.
What a chatbot or AI feature must have today
1. Transparency notice (Art. 50)
Users must be able to recognise that they are interacting with AI, not a human. That goes for chatbots, voice assistants, AI applicant pre-screening, everything. A one-time notice at the start of the conversation or a persistent label in the UI both work, but it has to be noticeable.
2. Labelling AI-generated content (Art. 50 (2)-(4))
AI-generated texts, images, audio or video must be labelled as such. In Schwankl Software projects that's the `AiBadge` component:

```tsx
export function AiBadge({ model }: { model?: string }) {
  return (
    <span className="inline-flex items-center gap-1.5 rounded-full bg-amber-50 px-2.5 py-0.5 text-xs font-medium text-amber-900">
      <svg width="12" height="12" viewBox="0 0 24 24" fill="currentColor">
        <path d="M12 2l3 7h7l-5.5 4 2 7-6.5-4.5L5.5 20l2-7L2 9h7z" />
      </svg>
      AI-generated{model ? ` · ${model}` : ""}
    </span>
  );
}
```
Apply it everywhere: every AI answer, every generated summary, every AI-translated text gets the badge. The backend logs which model created the content and when.
3. Human oversight (Art. 26)
Customer-facing content — blog posts, emails, invoices, contracts — must not be sent without human approval. The architecture: AI generates a suggestion, it lands in an approval queue, a human clicks "Send". Only then does it go out.
4. Documentation (Art. 11, 13)
Per AI feature I document: which model, which training data, which accuracy, which risks, which mitigations. In Schwankl Software this lives in `docs/history/` as a Markdown entry per feature.
GDPR Art. 22 — the often-overlooked twin
The AI Act regulates AI systems as a whole. GDPR Art. 22 additionally prohibits fully automated individual decisions with legal effect — for example automatic credit checks, automatic applicant pre-selection. Anyone using AI for HR decisions combines both frameworks and usually needs:
- opt-in from the data subject,
- guaranteed human-in-the-loop,
- right to manual review,
- a DPIA (Data Protection Impact Assessment).
Audit trail in Postgres
Every AI run lands in an audit log. That is both an AI Act duty (Art. 12, record-keeping) and GDPR-relevant (Art. 30, records of processing):
```sql
CREATE TABLE ai_audit_log (
  id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
  feature TEXT NOT NULL,
  model TEXT NOT NULL,
  input_hash TEXT NOT NULL,
  output_preview TEXT,
  user_id UUID REFERENCES auth.users(id),
  approved_by UUID REFERENCES auth.users(id),
  approved_at TIMESTAMPTZ,
  status TEXT NOT NULL CHECK (status IN ('pending', 'approved', 'rejected')),
  created_at TIMESTAMPTZ DEFAULT NOW()
);
CREATE INDEX idx_ai_audit_log_status ON ai_audit_log (status);
```
The input hash allows reproducibility without storing sensitive data. Retention: typically 30 days — longer only for high-risk systems.
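The approval queue from the human-oversight section and the audit trail above fit together in one flow, shown here as an added TypeScript example that is not Schwankl Software's own code. The record fields follow the `ai_audit_log` columns on the page; the `ApprovalQueue` class, its method names, the HMAC key, the user ids and the sample texts are all constructed for the example. It goes one step beyond the page in one respect: the input is hashed with a keyed HMAC rather than a plain hash, because a bare SHA-256 of a short input (a name, an e-mail address) can be reversed by guessing candidates, which would undo the point of not storing the input.

```typescript
import { createHmac, randomUUID } from "node:crypto";

export type Status = "pending" | "approved" | "rejected";

// Mirrors the columns of the ai_audit_log table.
export interface AuditRecord {
  id: string;
  feature: string;
  model: string;
  input_hash: string;
  output_preview: string | null;
  user_id: string;
  approved_by: string | null;
  approved_at: Date | null;
  status: Status;
  created_at: Date;
}

export const PREVIEW_CHARS = 200;
export const RETENTION_DAYS = 30;

// Constructed key for the example; in a real deployment it comes from a
// secret store and never sits next to the log rows in the database.
const AUDIT_HMAC_KEY = "example-only-key-replace-me";

// Keyed hash: links a run to its input without storing the input itself and
// without letting a database reader reverse short inputs by guessing.
export function hashInput(input: string, key: string = AUDIT_HMAC_KEY): string {
  return createHmac("sha256", key).update(input, "utf8").digest("hex");
}

// Same text the AiBadge component renders, for channels without a UI badge.
export function aiLabel(model?: string): string {
  return `AI-generated${model ? ` · ${model}` : ""}`;
}

export class ApprovalQueue {
  private rows = new Map<string, AuditRecord>();
  private drafts = new Map<string, string>(); // full text; stand-in for a drafts table
  private sent = new Set<string>();

  // Step 1: the model produces a suggestion. It is logged as 'pending' and
  // nothing has left the system at this point.
  recordDraft(feature: string, model: string, input: string, output: string,
              userId: string, now: Date = new Date()): AuditRecord {
    const row: AuditRecord = {
      id: randomUUID(), feature, model,
      input_hash: hashInput(input),
      output_preview: output.slice(0, PREVIEW_CHARS),
      user_id: userId, approved_by: null, approved_at: null,
      status: "pending", created_at: now,
    };
    this.rows.set(row.id, row);
    this.drafts.set(row.id, output);
    return row;
  }

  // Step 2: a human reviews. Only a pending row may change state; the reviewer
  // and the timestamp are written to the log (the schema has one reviewer
  // column, so approved_by records the reviewer for rejections as well).
  review(id: string, reviewerId: string, decision: "approved" | "rejected",
         now: Date = new Date()): AuditRecord {
    const row = this.get(id);
    if (row.status !== "pending") throw new Error(`run ${id} is already ${row.status}`);
    if (reviewerId.length === 0) throw new Error("reviewer id required");
    row.status = decision;
    row.approved_by = reviewerId;
    row.approved_at = now;
    return row;
  }

  // Step 3: dispatch is gated on the approved state, so a pending or rejected
  // draft cannot be sent through this path. Returns the text handed to the
  // channel (e-mail, CMS, ...) with the Art. 50 label in front.
  send(id: string, dispatch: (text: string) => void): string {
    const row = this.get(id);
    if (row.status !== "approved" || row.approved_by === null) {
      throw new Error(`run ${id} not approved by a human (status: ${row.status})`);
    }
    if (this.sent.has(id)) throw new Error(`run ${id} already sent`);
    const text = `[${aiLabel(row.model)}]\n${this.drafts.get(id) ?? ""}`;
    dispatch(text);
    this.sent.add(id);
    return text;
  }

  // Retention: drop rows older than the window and return how many went.
  purgeOlderThan(now: Date, retentionDays: number = RETENTION_DAYS): number {
    const cutoff = now.getTime() - retentionDays * 86400000;
    let removed = 0;
    for (const [id, row] of Array.from(this.rows.entries())) {
      if (row.created_at.getTime() < cutoff) {
        this.rows.delete(id);
        this.drafts.delete(id);
        this.sent.delete(id);
        removed++;
      }
    }
    return removed;
  }

  get(id: string): AuditRecord {
    const row = this.rows.get(id);
    if (!row) throw new Error(`unknown run ${id}`);
    return row;
  }
}
```

The useful property is that `send` is the only exit and it refuses anything that is not `approved` with a recorded reviewer, so the "human clicks Send" step cannot be skipped by a caller that forgets the queue; the same check belongs in the real dispatch path (a database constraint or a trigger on the outbox) rather than only in application code.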
EU hosting for sensitive workloads
For sensitive AI applications (HR, health, finance) I prefer EU-hosted models. Scaleway Paris offers Mistral and Pixtral with GDPR-compliant data processing — no third-country transfer to the US, no Schrems risk, no Transfer Impact Assessment needed. For less sensitive use cases, US models (OpenAI, Anthropic) with Standard Contractual Clauses are often acceptable.
What I do concretely
In an AI Act audit for your project I classify every feature into a risk class, document Annex III proximity, check transparency and labelling duties, look at human oversight architecture and audit trail.
On the implementation side I deliver the `
More at /compliance/ai-act.