EU AI Act hits engineering mode
The EU AI Act is shifting from high‑level rules to concrete engineering obligations, meaning firms must inventory, document and control model use rather than just write policies. Commentators say an August phase will force traceability across models, data, vendors and human oversight, and AI governance headcount already rose last year as pipelines got more complex.
The European Union’s AI Act has moved from broad principles to checklists engineers have to build into products and supply chains. (digital-strategy.ec.europa.eu)
The law entered into force on 1 August 2024, but its rollout is staggered. The first rules started applying on 2 February 2025, covering the AI system definition, AI literacy and a narrow set of banned uses such as certain prohibited-risk practices. (digital-strategy.ec.europa.eu)
The next big compliance phase already arrived on 2 August 2025 for providers of general-purpose AI models, the foundation models that can be reused across many products. Those providers must produce technical documentation, adopt a copyright policy and publish a summary of training data content; providers of models deemed to pose systemic risk face added duties on risk assessment, incident reporting and cybersecurity. (digital-strategy.ec.europa.eu)
That is why the work is shifting inside companies from policy teams to product, data and platform teams. A firm now needs records showing which model was used, what data trained or tuned it, which vendor supplied it, and who inside the company can intervene when the system fails or drifts. (digital-strategy.ec.europa.eu)
The European Commission tried to make that phase more concrete on 1 August 2025, when it published guidelines on who must comply and a template for public summaries of training content. It also backed a voluntary General-Purpose AI Code of Practice as a way for providers to show compliance with the Act. (digital-strategy.ec.europa.eu)
For companies that do not build their own frontier models, the harder question is classification. TechRound reported on 17 April 2026 that founders are still waiting for clearer lines around which products count as “high-risk,” while the heavier high-risk system rules — including quality-management systems, conformity assessments, human oversight and post-market monitoring — are scheduled to apply from 2 August 2027. (techround.co.uk)
That uncertainty is feeding hiring. The International Association of Privacy Professionals and Credo AI said in their 2025 profession report that 77% of surveyed organizations were working on AI governance, rising to nearly 90% among organizations already using AI, and many were building dedicated teams by reassigning staff first and then adding managers and executives. (iapp.org)
The staffing pressure did not ease in 2026. An International Association of Privacy Professionals opinion article published 17 April 2026, citing the Stanford Human-Centered Artificial Intelligence Index, said AI governance roles grew 17% in 2025 even as model pipelines became more complex and reporting on responsible AI benchmarks remained uneven. (iapp.org)
Startups say the burden lands unevenly because the Act regulates by product category, not company size. TechRound said critics argue a small team building a high-risk hiring tool can face the same Annex III obligations as a large enterprise, even though the startup has far less legal and engineering capacity to absorb six-figure compliance costs. (techround.co.uk)
The Commission’s answer is that the law also includes support mechanisms, including regulatory sandboxes and measures for small and medium-sized enterprises. But the practical direction of travel is already visible: companies selling AI in Europe need inventories, documentation and controls that can survive an audit, not just principles on a slide deck. (techround.co.uk)