EU turns AI rules into engineering work

Europe just moved artificial intelligence regulation one layer down, from policy teams writing memos to engineers changing system architecture. On April 10, 2026, the European Commission said it was analyzing whether OpenAI’s ChatGPT should count as a very large online platform under the Digital Services Act after OpenAI published user numbers above the threshold. (reuters.com) (digital-strategy.ec.europa.eu) That threshold is 45 million monthly users in the European Union. OpenAI’s published figure for ChatGPT search was about 120.4 million average monthly active users in the European Union over the six months ending September 2025, which is why Brussels is now looking at designation instead of theory. (reuters.com) (digital-strategy.ec.europa.eu) The Digital Services Act is the European Union’s rulebook for giant internet services. When a service crosses that 45 million line, the Commission can put it into the same heavier-supervision bucket already used for the biggest platforms and search engines, with extra duties tied to systemic risk, transparency, and oversight. (digital-strategy.ec.europa.eu 1) (digital-strategy.ec.europa.eu 2) At the same time, a second law is coming into force in stages. The European Union’s Artificial Intelligence Act entered into force in August 2024, started applying in phases in February 2025, and reaches a major compliance date on August 2, 2026 for much of the regime. (digital-strategy.ec.europa.eu) (raconteur.net) (techlaw.ie) That law does not mainly ask whether a model is clever. It asks where the model sits, who uses it, what risk category it falls into, and whether the company can prove what data, controls, and human checks sit around it. (eur-lex.europa.eu) (digital-strategy.ec.europa.eu) For the most powerful general-purpose models, the law adds another layer. European Union guidance says providers of general-purpose artificial intelligence models face obligations from August 2, 2025, and models judged to create systemic risk face added risk-management and cybersecurity duties. (digital-strategy.ec.europa.eu) (eur-lex.europa.eu) That is why compliance is turning into plumbing. Raconteur’s April 10, 2026 audit guide says companies now need artificial intelligence inventories that map models across application programming interfaces, integrations, and legacy systems so the whole stack can be audited. (raconteur.net) An inventory is just a parts list with accountability attached. If a bank, hospital, or retailer cannot say which model version touched which workflow on which date, it cannot show an auditor what happened when something goes wrong. (raconteur.net) (eur-lex.europa.eu) The next control is logging. Prompt logs and output logs are becoming the equivalent of a flight recorder, because a company may need to reconstruct the exact input, model, setting, and response behind a harmful answer, a biased decision, or a copyright complaint. (raconteur.net) (eur-lex.europa.eu) Then comes separation. Teams are increasingly being pushed to split low-risk uses like drafting internal notes from high-risk uses like screening job applicants or supporting credit decisions, because the Artificial Intelligence Act applies different obligations depending on the use case, not just the model name. (eur-lex.europa.eu) (digital-strategy.ec.europa.eu) The result is that “move fast” systems now need boring features on purpose: model registries, approval gates, incident playbooks, retention rules, and human review paths. Europe is not banning the big models here; it is making companies build the audit trail first and ship the magic second. (raconteur.net) (digital-strategy.ec.europa.eu)