The EU AI Act Is Live: What Software Companies Need to Do Before the Next Enforcement Milestone

The EU AI Act is not a future obligation. The prohibition articles — covering unacceptable-risk AI practices — have been in effect since August 2024. The high-risk AI system obligations took effect in August 2026. GPAI model rules are live. The grace periods that allowed organisations to treat the regulation as a planning exercise are over.

Most software companies building AI-powered products, or integrating third-party LLM APIs into their workflows, have not completed their compliance assessment. Many have not started. The regulation's scope is broader than most teams expect, the technical obligations are more specific than most assume, and the penalty structure is material enough to represent a board-level risk.

The Risk Classification Framework

The EU AI Act classifies AI systems across four risk tiers, with obligations scaling from transparency requirements at the lowest level to outright prohibition at the highest.

• Unacceptable risk (prohibited): Social scoring, real-time biometric identification in public spaces for law enforcement, subliminal manipulation, AI that exploits vulnerabilities of specific groups. These practices are banned outright — no compliance path exists.
• High risk: AI systems used in critical infrastructure, educational assessment, employment decisions, essential private and public services (credit scoring, social benefits), law enforcement, migration, and the administration of justice. These require mandatory conformity assessments, technical documentation, logging, human oversight, and registration in the EU database.
• Limited risk: AI that interacts with humans (chatbots, deepfakes) must comply with transparency obligations — users must know they are interacting with AI.
• Minimal risk: Most AI applications fall here. No specific obligations, though voluntary codes of practice apply.

High-Risk AI: What Qualifies and What It Requires

The high-risk category catches more software products than most companies realise. An AI system used in any of the following contexts is high risk: screening job applications, assessing employee performance, evaluating creditworthiness, determining eligibility for social benefits, conducting student assessments, triaging clinical decisions, or influencing judicial or administrative decisions.

If you are selling, deploying, or integrating an AI system that touches any of these contexts — even as a component within a larger system — you are likely in scope for high-risk obligations.

The technical obligations for high-risk AI systems are substantial:

• Risk management system: A documented, ongoing risk assessment process that identifies foreseeable risks, evaluates probability and severity, and implements risk mitigation measures.
• Data governance: Training, validation, and testing data must meet quality criteria. Bias assessment is required. Data lineage documentation is mandatory.
• Technical documentation: Full system documentation including design specifications, training methodology, performance metrics, intended purpose, and known limitations — maintained and updated throughout the system's lifecycle.
• Logging and audit trails: Automatic logging of all inputs and outputs sufficient to reconstruct decision context. Logs must be stored for a minimum period appropriate to the use case.
• Transparency to deployers: Providers must give deployers enough information about the system's capabilities, limitations, and required oversight to enable meaningful human review.
• Human oversight: Systems must be designed to allow natural persons to monitor operation, identify anomalies, and intervene or override automated decisions.
• Accuracy, robustness, and cybersecurity: Systems must meet accuracy thresholds specified in the conformity assessment, must be resilient to adversarial manipulation, and must implement appropriate cybersecurity controls.

General-Purpose AI Model Obligations

The EU AI Act introduces a separate regulatory tier for providers of general-purpose AI (GPAI) models — foundation models like GPT-4o, Claude, Gemini, and Llama that can be used across a broad range of applications. If you are providing, not just using, a GPAI model, you have obligations under Chapter V of the regulation.

GPAI providers must maintain technical documentation, publish a summary of training data, implement a copyright compliance policy, and publish information about the model sufficient for downstream integrators to understand its capabilities and limitations. GPAI models classified as systemic risk — those trained above a 10^25 FLOP threshold — face additional obligations including adversarial testing, incident reporting, and cybersecurity assessments.

What Software Companies Building on Third-Party APIs Need to Do

If you are building on OpenAI, Anthropic, Google, or another GPAI provider's API, you are a 'deployer' under the Act. As a deployer, you are responsible for ensuring the AI system is used in accordance with its intended purpose, implementing human oversight appropriate to the context, and not using it in ways that would make the final application high-risk without completing the required conformity assessment.

This means the compliance obligation does not end with your vendor contract. If your product uses an LLM to make or influence decisions in a high-risk context, you are responsible for completing the required conformity assessment and implementing the technical controls — regardless of whether the underlying model provider has done their part.

The Compliance Roadmap

1. 1Inventory: Map every AI system you build, sell, deploy, or integrate. Classify each against the four risk tiers using the regulation's Annex III criteria and the use-context test.
2. 2Gap assessment: For any system touching high-risk contexts, assess current technical documentation, logging, human oversight mechanisms, and data governance against the Act's requirements.
3. 3Conformity assessment: High-risk AI systems require a conformity assessment before market placement. Some systems can self-assess; others require third-party audit. Determine which applies to your systems.
4. 4Technical implementation: Implement or upgrade logging infrastructure, human oversight interfaces, accuracy monitoring, and cybersecurity controls as required by the conformity assessment findings.
5. 5Register: High-risk AI systems must be registered in the EU database before being placed on the market.
6. 6Ongoing compliance: The Act imposes continuous obligations — post-market monitoring, incident reporting, documentation updates, and periodic review.

GYSP's AI Governance Practice

GYSP's Cyber Security and AI/ML Development teams offer EU AI Act compliance assessments covering risk classification, gap analysis, technical documentation design, conformity assessment preparation, and logging infrastructure implementation. Our IT Consulting & Advisory practice works with product and legal teams to build the governance frameworks that sustain compliance as AI systems evolve.

“The companies that are going to have a problem with the EU AI Act are not the ones that deployed AI intentionally in a high-risk context without thinking about compliance. They are the ones that deployed AI without realising their use case qualified as high-risk — and now have a live production system with no documentation, no logs, and no human oversight mechanism.”

— Rahul, AI/ML Delivery Head — GYSP.tech