
EU AI Act: TL;DR for Developers and System Owners
LEMA Logic is a software and AI company, not a law firm or regulator. What follows is our own plain-English summary of the EU AI Act and the proposed Digital Omnibus changes, written to help developers and system owners get oriented. It is not legal, compliance, or regulatory advice. The Omnibus timeline changes are still working through the EU's legislative process and the rules are evolving, so this reflects our understanding as of June 2026. Before making compliance decisions, take qualified legal advice and check the primary sources linked throughout and listed in the Sources section.
What you (the provider) must do at each risk level, and when it kicks in.
The EU AI Act has four tiers. The duties ramp up sharply at each one. The tier is set by what the system is for, not how clever it is, and how you describe or market it decides the tier (the "intended purpose" trap). If you put your name on someone else's high-risk system, or modify one, you become the provider and inherit the full list (the Article 25 "accidental provider" trap). We unpack that trap, and the rest, in more detail here.
1. Banned Tier (Prohibited)
What it is: Uses the EU won't allow at all, e.g. AI that infers emotions of staff in the workplace, social scoring, certain biometric surveillance.
What you must do: Don't build it, sell it, or run it. No compliance path. Full stop.
Effective Date: Already in force since 2 February 2025. No change proposed.
2. High-Risk Tier
What it is: The heavy tier (recruitment AI, credit/insurance scoring of individuals, safety components, the Annex III areas).
What you must do:
As provider you carry almost all the burden.
Keep a risk management system. Actively look for ways it can harm people, for the whole life of the product, not once at launch.
Govern your data. Good-quality training data, checked for bias.
Write technical documentation. A full file showing how it works and that it's safe, ready for a regulator.
Log what it does. Automatic record-keeping so decisions can be traced after the fact.
Build in human oversight. A real person can understand, override, or stop it.
Hit accuracy, robustness and security targets. Prove you did.
Give deployers clear instructions. How to use it safely and within scope.
Run a conformity assessment before you sell it. Self-assessment for most Annex III; an outside body for some.
Register it in the EU's public database, and put a CE mark on it.
Monitor and report. Monitor it after launch and report serious incidents to authorities.
Short version: document everything, prove it's safe, keep watching it, and stay accountable for it forever.
Effective Dates:
Stand-alone Annex III systems (recruitment, credit/insurance scoring, etc.): current law 2 August 2026, proposed 2 December 2027.
Annex I safety components (AI inside regulated physical products): current law 2 August 2027, proposed 2 August 2028.
Plan against the 2026/2027 dates until the Omnibus is actually published. Treat the later dates as near-certain breathing room, not a guarantee.
High-risk but you think you're exempt (Article 6(3))
If your system is in an Annex III area but only does a narrow/preparatory task and doesn't really influence decisions, you can claim an exemption. But:
You must still write up and keep your "we're not high-risk" assessment, and
register the exempted system in the EU database anyway.
The exemption is void if your system profiles individuals; then it's high-risk no matter what.
So "exempt" still means paperwork, not nothing.
Effective: Same date as whichever high-risk tier applies to you. The EU database goes public around August 2026.
3. Limited Risk Tier (Transparency)
What it is: Chatbots, AI-generated content, deepfakes, general-purpose generative tools talking to people.
What you must do: Be honest. Tell people they're dealing with AI, and label AI-generated/manipulated content. That's basically the whole obligation.
Effective Date: 2 August 2026. Not delayed by the Omnibus.
4. Minimal Risk Tier
What it is: Everything else, including spam filters, recommendation engines, AI in games, most ordinary business software.
What you must do: Nothing legally required. Codes of conduct are voluntary.
Effective Date: n/a. No date. No obligations.
Quick Reference
Caveat: The proposed dates come from a provisional political agreement (7 May 2026), not yet adopted into law. Until it is published in the Official Journal, the legally binding dates remain 2 August 2026 and 2027.
One-Line Mental Model
Banned = don't. High-risk = prove it's safe and stay accountable forever. Limited = just disclose it's AI. Minimal = carry on.
Sources
Article 113 (application dates)
Article 6 (classification rules)
Annex III (high-risk classification)
Article 5(1)(f) (emotion recognition ban)
Article 25 (provider obligations along the value chain)
Council/Parliament provisional agreement on the Digital Omnibus, 7 May 2026
What the EU’s New High-Risk AI Guidelines Mean for UK and Isle of Man Businesses


