EU AI Act hits engineering teams

Europe’s artificial intelligence law is about to land on software teams in a very unglamorous way: logs, version histories, override buttons, and paperwork that has to match what the system actually did. The next big date is 2 August 2026, when rules for high-risk systems and deployers start applying. (artificialintelligenceact.eu) The European Union’s Artificial Intelligence Act is a risk-based law, which means it does not treat a spam filter and a hiring system the same way. It bans a small set of uses outright, puts the toughest duties on “high-risk” systems, and adds separate rules for general-purpose models like the ones behind chatbots. (eur-lex.europa.eu) (digital-strategy.ec.europa.eu) That timeline is staggered, not one big launch day. The law entered into force on 1 August 2024, bans and artificial intelligence literacy duties began on 2 February 2025, general-purpose model rules began on 2 August 2025, and another major block arrives on 2 August 2026. (commission.europa.eu) (artificialintelligenceact.eu) “High-risk” usually means systems used in places where a bad output can hurt someone’s job, credit, safety, education, or access to public services. In the law, that bucket includes areas like employment, education, essential private and public services, law enforcement, migration, and some product safety components. (eur-lex.europa.eu) This is why lawyers are suddenly talking like site reliability engineers. The law does not just ask companies to promise responsibility; it asks for risk management, technical documentation, record-keeping, human oversight, accuracy, robustness, and cybersecurity. (eur-lex.europa.eu) Record-keeping is the part engineers can’t fake with a policy memo. If a model helps screen job applicants or support a benefits decision, a company may need to show which version ran, what data it was trained or tested on, what prompts or inputs it received, and what output it produced. (eur-lex.europa.eu) (raconteur.net) Human oversight sounds abstract until you have to build it. In practice, it can mean a real person can review, stop, reverse, or escalate a system’s recommendation instead of letting an automated workflow silently decide a loan, a hiring shortlist, or a border screening flag. (eur-lex.europa.eu) General-purpose model rules already pushed providers toward documentation about training data, downstream use, and copyright-related compliance. The European Commission also backed a General-Purpose Artificial Intelligence Code of Practice in July 2025 as a voluntary way for model providers to show compliance. (digital-strategy.ec.europa.eu 1) (digital-strategy.ec.europa.eu 2) The hard part now is that “agentic” systems turn identity and intent into engineering problems. If one model can call tools, trigger another model, and take multi-step actions, teams need a trail showing which component acted, under what permissions, with what instructions, and who could intervene. (raconteur.net) (eur-lex.europa.eu) That changes how teams ship software. A model release now needs the kind of lineage that finance teams expect from an audit and the kind of kill switch that safety engineers expect from industrial machinery. (raconteur.net) (eur-lex.europa.eu) The companies that struggle most may not be the ones with weak models. They may be the ones with strong models sitting inside messy stacks where nobody can reconstruct, six months later, which dataset, prompt template, guardrail, and human reviewer shaped a single decision on a single day. (raconteur.net)