EU AI Act: engineering task

Europe’s Artificial Intelligence Act now reads less like a policy debate and more like a build schedule for teams shipping high-risk systems. (ai-act-service-desk.ec.europa.eu) Article 9 says providers must “establish, implement, document and maintain” a risk-management system for high-risk AI, and it defines that system as a “continuous iterative process” across the model’s full lifecycle. The same article requires regular review, updating, testing, and measures to reduce risks to health, safety, and fundamental rights. (ai-act-service-desk.ec.europa.eu) The deadline is close enough to change roadmaps now: the European Commission’s AI Act Service Desk says most of the law starts applying on August 2, 2026, including rules for Annex III high-risk systems, with enforcement starting at national and European Union level the same day. (ai-act-service-desk.ec.europa.eu) High-risk does not mean every chatbot. Under Article 6 and Annex III, the label covers systems used in areas such as biometrics, critical infrastructure, education, employment, essential private and public services, law enforcement, migration, and justice. (ai-act-service-desk.ec.europa.eu, ai-act-service-desk.ec.europa.eu) That framing pushes the compliance problem down into engineering work. Article 9 requires teams to identify known and reasonably foreseeable risks, estimate and evaluate them under intended use and foreseeable misuse, and then feed post-market data back into the system. (ai-act-service-desk.ec.europa.eu, ai-act-service-desk.ec.europa.eu) The law also ties that risk loop to a wider operating stack. Article 17 requires a documented quality-management system covering design, testing, data handling, post-market monitoring, incident reporting, and communication with authorities. (ai-act-service-desk.ec.europa.eu) Documentation is not a side file saved for an audit. Article 11 says technical documentation must be detailed enough for national authorities and notified bodies to assess compliance, and Article 72 says the post-market monitoring plan must actively collect and analyze performance data over the system’s lifetime. (ai-act-service-desk.ec.europa.eu, ai-act-service-desk.ec.europa.eu) That means model evaluation, incident tracking, version control, human-oversight procedures, and user instructions have to line up before deployment, not after a complaint. The Act’s high-risk section pairs Article 9 with requirements on transparency to deployers, human oversight, and accuracy, robustness, and cybersecurity. (ai-act-service-desk.ec.europa.eu, ai-act-service-desk.ec.europa.eu, ai-act-service-desk.ec.europa.eu) Europe wrote the law as Regulation (EU) 2024/1689, published in the Official Journal on July 12, 2024. The text says its purpose is to create a single market rulebook for AI while protecting health, safety, and fundamental rights. (eur-lex.europa.eu) So the countdown to August 2, 2026 is no longer mainly about lobbying or legal interpretation. For any company building a high-risk system, it is about whether the pipeline can prove, over time, that the system stays inside the rules. (ai-act-service-desk.ec.europa.eu, ai-act-service-desk.ec.europa.eu)