EU AI Act: the first comprehensive AI law

Who is affected

• ◆Providers of AI systems marketed or used in the EU — regardless of where the provider is based. A US startup with German customers is in scope.
• ◆Deployers: companies or authorities using AI in their operations (e.g. AI-supported candidate pre-screening, automated claims handling, customer-support chatbot).
• ◆Importers and distributors of AI systems from third countries — they share liability if they place a non-compliant system on the EU market.
• ◆SaaS providers integrating AI features into existing workflows — even if the underlying model comes from OpenAI or Anthropic.
• ◆GPAI providers (general-purpose AI) with their own models — stricter duties above 10^25 FLOPS training budget (Art. 51 ff.).
• ◆Public bodies and authorities using AI in Annex III areas (social benefits, migration, law enforcement).
• ◆Any employer using AI for personnel decisions (recruiting, performance, dismissal) — almost always high-risk (Annex III point 4).

What I take care of

• →Risk classification per feature, documented in the repo (`docs/history/YYYY-MM-DD_*.md`) with references to specific AI Act articles — auditable and review-ready.
• →AiBadge component for all AI outputs (text, image, audio) — DE+EN, dark/light mode, with provider and confidence score where available.
• →Approval gates for customer-facing AI content (blog, email, invoice) — the AI proposes, a human approves. Nothing is sent automatically.
• →Audit logs in Postgres with admin search UI: which agent did what when, with which model, which prompt, which result. Retention: 6+ months (Art. 26(6)).
• →EU-hosted models by default (Scaleway Paris with Mistral and Pixtral) instead of US LLMs for sensitive workloads — lower compliance risk for GDPR third-country transfer.
• →Privacy policy with a dedicated AI section: which models, which data, which purposes, which rights the user has (access, deletion, objection).
• →AI literacy training for your team (Art. 4): two-hour workshop on when AI may be used, where limits are, how incidents are reported.
• →Risk workshop for your product: 90-minute session in which we determine the AI Act risk class together and produce a written report.
• →For high-risk: full risk management system per Art. 9-15, including threat model, test-data documentation, technical specification and conformity assessment.

Legal basis

Regulation (EU) 2024/1689 (AI Act) · EU Commission implementing regulations · GDPR Art. 22 (automated individual decisions) · revised ProdHaftG (product liability for AI damages, transposing EU Product Liability Directive 2024/2853) · NIS2 Directive (when AI is used in critical infrastructure) · Art. 99 AI Act (penalties)

Frequently asked

My chatbot only answers product questions — am I affected?

Yes. Even a simple chatbot falls under Art. 50 AI Act: the user must be able to recognise that they are interacting with AI (not a human). That is 'limited risk' and only costs you a clear hint in the UI. You only become high-risk under Annex III (education, employment, law enforcement etc.).

What do I need to do if I publish AI-generated text on my website?

Art. 50 requires labelling as AI-generated — visible to the user. In Schwankl Software installations that's the `<AiBadge />` component. If AI only 'rephrased' a human-written text, the situation is fuzzy — labelling is always the safer choice.

Can I use OpenAI/Anthropic in the EU or does everything have to run on EU servers?

You can use them, but you need a viable framework for the third-country transfer (Standard Contractual Clauses + Transfer Impact Assessment) AND must inform users transparently. For sensitive workloads (HR decisions, health, finance) I recommend EU-hosted models like Scaleway Mistral — lower compliance risk.

What does a concrete AI Act violation cost?

Art. 99 sets three tiers: prohibited practices (Art. 5) up to EUR 35m or 7% of global turnover — whichever is higher. Violations of high-risk or GPAI duties up to EUR 15m or 3%. Misleading information to supervisory authorities up to EUR 7.5m or 1%. For SMEs the fine is capped at the lower of the two values (absolute/percentage) — but it's still six figures.

Do I need my own AI policy for staff?

In practice, yes — even if the AI Act doesn't literally use the word 'policy'. Art. 4 obliges every provider and deployer to ensure that staff using AI have sufficient AI literacy. In real terms that means: a written guideline on what is allowed (e.g. ChatGPT for internal research), what isn't (e.g. dumping customer data into external LLMs), how incidents are reported, plus training on onboarding and annually. I provide a template and the workshop.

How do I document risk assessments audit-ready?

In the repository, not in a Word file. One entry per feature in `docs/history/YYYY-MM-DD_*.md` with: which AI Act articles you checked, the resulting risk class, who made the decision, what controls are in place, what tests exist. If a supervisory authority shows up, you can show git history + code instead of 'there was a PDF somewhere'. That's also the standard the EU Commission recommends in its guidance.