{"slug": "we-open-sourced-our-eu-ai-act-compliance-checklist-and-most-teams-misread-12", "title": "We open-sourced our EU AI Act compliance checklist, and most teams misread Article 12", "summary": "A developer has open-sourced an engineer-readable EU AI Act compliance checklist, revealing that most teams misread Article 12's record-keeping requirements. The repository, available on GitHub under an MIT license, includes a seven-step self-audit, a decision-tree classifier for risk tier assessment, and templates for transparency disclosures. The project highlights that Article 12 requires automatic, tamper-proof event logging across the AI system's lifecycle, with minimum retention of six months, while Article 14 mandates a visible kill switch for human oversight.", "body_md": "The EU AI Act takes full effect on 2 August 2026. Most SaaS teams I talk to are in “we’ll deal with it later” mode. Partly that’s denial. Mostly it’s that the official text is 458 pages of lawyer-prose with the implementation details buried.\n\nSo we wrote an engineer-readable version and open-sourced it today:\n\nRepo: github.com/GatisOzols/eu-ai-act-checklist (MIT, no signup)\n\nThis post walks through what’s in it, why we built it, and the four article references most teams underestimate.\n\nWhat’s in the repo\n\n11 files, ~24KB total. 
One afternoon to run through start to finish for a single-product SaaS.\n\nREADME.md\n\nchecklist.md — 7-step self-audit, plain English\n\nannex-iii-categories.json — 8 high-risk areas, machine-readable\n\nclassify.py — Decision-tree classifier for risk tier\n\npenalty-bands.json — Article 99 penalty tiers as JSON\n\nchatbot.html — Article 50(1) disclosure template\n\ngenerated-content.md — Article 50(2) synthetic content template\n\ndeepfake.md — Article 50(4) deepfake template\n\nemotion-recognition.md — Article 50(3) emotion / biometric template\n\ntranslations.json — Disclosure labels in 6 EU languages\n\nLICENSE — MIT\n\nThe classifier\n\nThe most interesting file is classify.py. It walks you through five questions about each AI feature in your product and returns the risk tier under the regulation.\n\nIt’s intentionally tiny: no dependencies, no framework, runs anywhere Python runs. Output is plain text you can paste into your audit record.\n\nExample output for an AI resume-scoring feature:\n\nHIGH-RISK under Annex III §4. Article 6 obligations apply (risk management, technical documentation, record-keeping, human oversight, accuracy/robustness, conformity assessment, CE marking, EU database registration).\n\nWhat teams underestimate\n\nMost “EU AI Act readiness” content I read online stops at “disclose your chatbot.” Article 50(1) is the obvious one. Four others matter more for engineers.\n\nArticle 12 — record-keeping isn’t “we log stuff”\n\nArticle 12 requires automatic event logging across the AI system’s lifecycle. 
The specific fields are in Annex IV section 9:\n\nPeriod of each use (start, stop)\n\nReference database checked, where applicable\n\nInput data when the search led to a match\n\nIdentification of natural persons involved in result verification, where Article 14(5) applies\n\nMinimum retention is 6 months under Article 12(2), but most teams should plan for 12-24 months because Member State authorities can extend.\n\nThe word “tamper-proof” isn’t in the statute, but it’s the practical bar. The auditor will ask “can you prove these logs weren’t edited.” So design for it from day one: hashed lines, append-only storage, signed batches, whatever your stack supports. Retrofitting this after launch is painful.\n\nArticle 14 — human oversight is process plus UI, not just policy\n\nArticle 14(4) lists what the supervising person must be able to do:\n\nUnderstand the system’s capacities and limitations enough to monitor operation (4a)\n\nStay aware of automation bias (4b)\n\nInterpret output correctly (4c)\n\nDecide not to use the output or override it (4d)\n\nIntervene on operation or interrupt through a “stop” button or similar procedure (4e)\n\nThat last requirement is concrete and often skipped. If your agent runs in a long-running loop, the supervising operator needs a kill switch that is visible, accessible, and produces a safe state. 
Most internal tools we’ve looked at don’t have this and need to retrofit.\n\nFor documentation: write down who the oversight person is, the SLA between alert and intervention, what the stop procedure actually does, and how oversight personnel are trained.\n\nArticle 50 — four sub-paragraphs, four different triggers\n\nArticle 50 transparency obligations are not one rule; they’re four:\n\n50(1) — AI interacting with humans (chatbots, voice assistants): disclose at the start of interaction, clear and distinguishable\n\n50(2) — Synthetic content generation (text, image, audio, video): mark output machine-readable, plus visible label on publication\n\n50(3) — Emotion recognition or biometric categorisation: inform users they’re being subjected to it\n\n50(4) — Deepfakes (real persons depicted): disclose as artificially generated\n\nEach has a different practical implementation. The repo has separate templates per sub-paragraph. Don’t reuse a chatbot disclosure for a deepfake feature; the requirements are different.\n\nArticle 86 — explainability for end users\n\nThis is the GDPR Article 22 analog. End users (not deployers, end users) have the right to a “clear and meaningful explanation of the role of the AI system in the decision-making procedure and the main elements of the decision taken” when the decision is based on high-risk AI output AND produces legal or similarly significant effects.\n\nMost teams treat this as a customer-support overhead. It isn’t. Article 86 is enforceable from 2 August 2026 with the rest of the main wave.\n\nThe minimum-viable explanation per the recitals: which features contributed, what the alternative outcomes would have been, what the user can do to change the outcome. Counterfactuals satisfy this. 
Pure feature-importance plots usually don’t.\n\nPenalty bands\n\nArticle 99 sets three tiers:\n\nProhibited AI (Article 5): up to €35M or 7% of global annual turnover, whichever is higher\n\nHigh-risk or Article 50 violations: up to €15M or 3%\n\nMisleading information to authorities: up to €7.5M or 1%\n\nSME proportionality applies under Article 99(6), but the upper bound still binds.\n\nWhy we built it\n\nWe run a productized €997 EU AI Act audit at disclos.eu — a 5-business-day deliverable for SaaS founders who want someone else to do the legwork. While building the audit methodology, we kept seeing the same gap: there was no engineer-readable starting point that wasn’t a paid platform or a €15k law firm engagement.\n\nThe 80% of EU SaaS that’s under €1M ARR has nothing to work with. So we open-sourced our internal checklist. The audit service stays paid, the repo stays free under MIT, and the licensing means anyone (including competitors) can fork it.\n\nContributing\n\nIf you want to help, the highest-leverage contributions are:\n\nTranslations of the Article 50 disclosure labels for the remaining 18 EU languages.\n\nAnnex III mapping refinements, particularly edge cases around agentic systems that touch §4 (employment) and §5 (essential services).\n\nReal-world classification examples (anonymized) of how teams classified ambiguous features.\n\nOpen an issue first for anything substantial so we can discuss scope.\n\nFree tools alongside the repo\n\nFor non-developer team members who don’t want to run Python, we also publish three browser-based tools (no signup):\n\nEU AI Act penalty calculator\n\nAnnex III high-risk triage\n\nArticle 50 disclosure generator (24 EU languages)\n\nRepo link, one more time\n\ngithub.com/GatisOzols/eu-ai-act-checklist\n\nMIT. ~24KB. No signup. 
The deadline is 65 days out.\n\nIf your team is in “we’ll deal with it later” mode, this is the lightest possible way to stop kicking the can.", "url": "https://wpnews.pro/news/we-open-sourced-our-eu-ai-act-compliance-checklist-and-most-teams-misread-12", "canonical_source": "https://dev.to/disclos/we-open-sourced-our-eu-ai-act-compliance-checklist-and-most-teams-misread-article-12-jj9", "published_at": "2026-05-29 06:00:58+00:00", "updated_at": "2026-05-29 06:13:13.207739+00:00", "lang": "en", "topics": ["ai-policy", "ai-products", "ai-tools", "ai-ethics", "ai-safety"], "entities": ["GatisOzols", "EU AI Act", "MIT"], "alternates": {"html": "https://wpnews.pro/news/we-open-sourced-our-eu-ai-act-compliance-checklist-and-most-teams-misread-12", "markdown": "https://wpnews.pro/news/we-open-sourced-our-eu-ai-act-compliance-checklist-and-most-teams-misread-12.md", "text": "https://wpnews.pro/news/we-open-sourced-our-eu-ai-act-compliance-checklist-and-most-teams-misread-12.txt", "jsonld": "https://wpnews.pro/news/we-open-sourced-our-eu-ai-act-compliance-checklist-and-most-teams-misread-12.jsonld"}}