Policy and Governance
The EU AI Act starts biting in August. Most small teams aren't ready
The EU AI Act's first enforcement wave kicks in this August, and most small teams building AI products for European users are underprepared. High-risk system classifications now require conformity assessments, technical documentation, and human oversight mechanisms. The EU AI Office released updated SME guidance this week with simplified compliance pathways — but the clock is ticking. Key exemptions exist for open-source and research use, but commercial deployments don't qualify. Fines start at €15M or 3% of global revenue, whichever is higher.
Why it matters
If you have any European users and use AI in a customer-facing product, this affects you. The 'we're a small startup' defense won't hold up under enforcement.
Network impact
Latency: Audit logging requirements for high-risk systems add minimal but measurable latency overhead.
Security: Mandatory incident reporting within 72 hours mirrors GDPR breach notification — align your runbooks.
Scalability: Conformity assessment requirements scale with risk level — plan documentation overhead into your roadmap.
What to do
- Classify your AI systems using the EU AI Act risk tiers (link in sources)
- Download the EU AI Office SME compliance checklist
- Identify if any features qualify as 'high-risk' under Annex III
- Assign a compliance owner on your team before July 1
- Review your data governance docs for alignment with Act requirements