EU AI Act hits real‑world friction

A lot of companies thought the European Union’s Artificial Intelligence Act would read like a checklist. In practice, teams are discovering that the first hard question is simply which bucket their product falls into, because the law applies different duties to banned systems, high-risk systems, transparency cases, and general-purpose models on different dates. (ec.europa.eu) That timing is already real, not theoretical. The law entered into force on August 1, 2024, bans on prohibited practices started applying on February 2, 2025, obligations for general-purpose artificial intelligence models started on August 2, 2025, and the main high-risk system rules apply from August 2, 2026. (ec.europa.eu, ec.europa.eu) The European Commission has had to publish extra guidance just to explain who counts as a provider of a general-purpose artificial intelligence model and when a modification is “significant” enough to trigger obligations. When regulators are still defining the edges in July 2025 guidance, product teams shipping in 2026 do not get a clean yes-or-no map on day one. (ec.europa.eu, ec.europa.eu) The hardest translation job sits inside “high-risk.” Under Article 10, high-risk systems need training, validation, and testing data that are relevant, representative, and as free of errors and complete as possible, with documented governance around collection, preparation, and bias mitigation. (ec.europa.eu) That sounds manageable until you turn it into paperwork. Annex IV says providers need technical documentation covering the system’s intended purpose, version history, how it interacts with other software or hardware, development methods, performance metrics, and risk controls before the product goes to market. (ec.europa.eu) So the compliance work does not stop with lawyers reading the regulation. Article 16 pushes providers of high-risk systems to keep documentation and logs, run conformity assessments, issue a European Union declaration of conformity, and apply the CE mark before release, which turns compliance into an engineering deliverable. (ec.europa.eu) That is why practitioners are warning that “data documentation” now means proving where a dataset came from, how it was cleaned, what gaps it has, and whether it fits the exact use case in Spain, Poland, or Germany rather than some generic “Europe” label. A compliance memo cannot manufacture that evidence after launch if the product team never captured it during development. (securityboulevard.com, ec.europa.eu) One developer writing on April 9, 2026 described the problem in plain terms: trying to classify a real software product under the law quickly runs into edge cases around mixed features, changing model roles, and uncertainty over what documentation is “enough.” That is a very different problem from reading a risk pyramid on a conference slide. (dev.to) The strategic question underneath all of this is whether companies build one global product or a separate European Union version. If a team has to maintain special logging, data lineage, human oversight, and release gates for one region, the law starts shaping product architecture, vendor choices, and launch calendars, not just legal review. (securityboulevard.com, ec.europa.eu) The result is not that the law is impossible to follow. The result is that the European Union wrote a framework law, and companies now have about four months until August 2, 2026 to turn words like “representative,” “appropriate,” and “high-risk” into product requirements that auditors, regulators, and engineers can all point to in the same file. (ec.europa.eu, ec.europa.eu)