EU AI Act becomes applicable Aug 2: an engineering checklist The EU AI Act becomes generally applicable on August 2, 2026, imposing concrete obligations on high-risk AI systems in areas like hiring, credit scoring, and critical infrastructure. An engineering checklist maps each legal requirement to specific practices and evidence artifacts, treating compliance as a continuous system property rather than a one-time paperwork exercise. Penalties reach up to €35 million or 7% of global annual turnover for violations. On August 2, 2026 , the EU AI Act Regulation EU 2024/1689 becomes generally applicable. If your AI system falls into a high-risk category — hiring, credit scoring, education, critical infrastructure, essential services, and more — a set of concrete, auditable obligations stops being "upcoming regulation" and becomes the law your system runs under. Most teams are approaching this the way they approached GDPR in 2018: a compliance project, run by lawyers, producing documents. That approach fails for AI systems for one simple reason: your system changes faster than your paperwork. A conformity assessment of last quarter's model tells a regulator little about what you shipped this morning. This is the problem conformity engineering / exists to solve: treat regulatory conformity as a property of the system — designed in, enforced by pipelines, and continuously evidenced — rather than a report written about it after the fact. Reliability went through this transition and produced SRE. Security went through it and produced DevSecOps. Compliance is next. What follows is the practical version: the core EU AI Act obligations for high-risk systems, mapped to the engineering practice that satisfies each one and the evidence artifact it should produce. Every item follows the same pattern: Article → Practice → Evidence. First: know your dates | Date | What applies | |---|---| | Feb 2, 2025 | Prohibited AI practices banned; AI literacy obligations | | Aug 2, 2025 | Obligations for general-purpose AI GPAI models; governance bodies operational | Aug 2, 2026 | General applicability — including the high-risk obligations below Annex III systems | | Aug 2, 2027 | High-risk AI embedded in regulated products Annex I | Penalties scale to the violation: up to €35M or 7% of global annual turnover for prohibited practices, and up to €15M or 3% for non-compliance with most other obligations. These are GDPR-class numbers — which is exactly why boards are starting to ask engineering, not just legal, what the plan is. The checklist: Article → Practice → Evidence 1. Classify your system honestly Article 6 + Annex III Everything downstream depends on whether your system is high-risk. Practice: make classification a versioned engineering decision, documented in the repo and re-evaluated on every significant feature change — a use case you add in Q3 can flip a minimal-risk system into a high-risk one. Evidence: a dated classification memo with the reasoning, in version control. 2. Run a living risk management system Article 9 The Act requires risk management to be "continuous" and "iterative" across the lifecycle — that is a process requirement, not a document requirement. Practice: keep a risk register as code, reviewed at every release; block releases that introduce unmitigated known risks. Evidence: the register's change history, tied to release tags. 3. Govern your data like it will be audited Article 10 Training, validation, and test data must meet quality criteria, and you must examine possible biases. Practice: dataset cards for every dataset, lineage tracking from source to model, and bias examinations that run as pipeline steps — not one-time studies. Evidence: dataset documentation and bias test reports generated per training run. 4. Generate technical documentation — don't write it Article 11 + Annex IV Annex IV documentation must exist before market placement and stay current. Hand-written docs are stale by definition. Practice: docs-as-code — generate the Annex IV package from the system itself architecture, model versions, eval results at build time. Evidence: a reproducible documentation build per release. 5. Log for the audit you haven't been asked for yet Article 12 High-risk systems must automatically record events over their lifetime. Practice: design structured, append-only logging around auditability from day one: inputs, decisions, model version, overrides — with a retention policy. Evidence: the logs themselves, immutable and queryable. 6. Ship instructions, not assumptions Article 13 Deployers must be able to interpret and use the system correctly. Practice: versioned system cards and instructions for use, shipped with every release like a changelog. Evidence: the instructions archive, one per version. 7. Make human oversight a feature, not a policy Article 14 Effective oversight means a human can understand, intervene, and override. Practice: build approve/override/halt paths into the product surface — oversight that exists only in a policy PDF is not "effective." Evidence: oversight interaction logs proving humans actually use the controls. 8. Prove accuracy, robustness, and security per release Article 15 These are measurable properties. Practice: eval suites with regression thresholds in CI, adversarial and red-team testing on a schedule, and standard cybersecurity hygiene extended to model-specific attacks poisoning, prompt injection . Evidence: eval reports attached to every release. 9. Let your SDLC be your quality management system Article 17 Providers need a QMS. Most engineering orgs already run 80% of one — code review, CI/CD, incident response — without naming it. Practice: codify your existing lifecycle, close the gaps, and let the pipeline enforce it. Evidence: process documentation plus the CI configuration that enforces it. 10. Treat conformity assessment as a release gate Articles 43, 47–49 Before market placement: conformity assessment, EU declaration of conformity, CE marking, and registration in the EU database. Practice: model it as the final gate of your release process, fed by the evidence the previous nine items already generate — that's the payoff of engineering conformity instead of documenting it. Evidence: the signed declaration and registration record. 11. Monitor after launch like you mean it Articles 72–73 Post-market monitoring is mandatory, and serious incidents must be reported — as fast as within 15 days, faster for the worst categories. Practice: wire production monitoring to an incident process with regulatory reporting as an explicit runbook step. Evidence: monitoring dashboards and incident records. Where to start this week Classify item 1 . Half the anxiety disappears when you know which obligations actually apply to you. Gap-assess against the checklist. For each item: does the practice exist, and does it produce evidence automatically? Most teams find logging and evals are close, documentation and risk management are not. Pick the two worst gaps and engineer them — pipeline checks and generated artifacts, not documents. A generated Annex IV package is worth ten hand-written ones. produce their own conformity evidence as a side effect of running. That is the whole discipline in one sentence. The full conformity engineering guide is in progress. Get it when it ships — join the waitlist. Join the waitlist / waitlist This article is an engineering guide, not legal advice. Obligations vary by role provider vs. deployer , sector, and member-state implementation — validate your specific situation with qualified counsel.