We open-sourced our EU AI Act compliance checklist, and most teams misread Article 12

A developer has open-sourced an engineer-readable EU AI Act compliance checklist, revealing that most teams misread Article 12's record-keeping requirements. The repository, available on GitHub under an MIT license, includes a seven-step self-audit, a decision-tree classifier for risk tier assessment, and templates for transparency disclosures. The project highlights that Article 12 requires automatic, tamper-proof event logging across the AI system's lifecycle, with minimum retention of six months, while Article 14 mandates a visible kill switch for human oversight.

The EU AI Act takes full effect on 2 August 2026. Most SaaS teams I talk to are in “we’ll deal with it later” mode. Partly that’s denial. Mostly it’s that the official text is 458 pages of lawyer-prose with the implementation details buried.

So we wrote an engineer-readable version and open-sourced it today:

Repo: github.com/GatisOzols/eu-ai-act-checklist (MIT, no signup)

This post walks through what’s in it, why we built it, and the four article references most teams underestimate.

What’s in the repo

11 files, ~24KB total. One afternoon to run through start to finish for a single-product SaaS.

- README.md
- checklist.md — 7-step self-audit, plain English
- annex-iii-categories.json — 8 high-risk areas, machine-readable
- classify.py — Decision-tree classifier for risk tier
- penalty-bands.json — Article 99 penalty tiers as JSON
- chatbot.html — Article 50(1) disclosure template
- generated-content.md — Article 50(2) synthetic content template
- deepfake.md — Article 50(4) deepfake template
- emotion-recognition.md — Article 50(3) emotion / biometric template
- translations.json — Disclosure labels in 6 EU languages
- LICENSE — MIT

The classifier

The most interesting file is classify.py. It walks you through five questions about each AI feature in your product and returns the risk tier under the regulation.
It’s intentionally tiny: no dependencies, no framework, runs anywhere Python runs. Output is plain text you can paste into your audit record.

Example output for an AI resume-scoring feature:

    HIGH-RISK under Annex III §4. Article 6 obligations apply (risk management, technical documentation, record-keeping, human oversight, accuracy/robustness, conformity assessment, CE marking, EU database registration).

What teams underestimate

Most “EU AI Act readiness” content I read online stops at “disclose your chatbot.” Article 50(1) is the obvious one. Four others matter more for engineers.

Article 12 — record-keeping isn’t “we log stuff”

Article 12 requires automatic event logging across the AI system’s lifecycle. The specific fields are in Annex IV section 9:

- Period of each use (start, stop)
- Reference database checked, where applicable
- Input data when the search led to a match
- Identification of natural persons involved in result verification, where Article 14(5) applies

Minimum retention is 6 months under Article 12(2), but most teams should plan for 12-24 months because Member State authorities can extend.

The word “tamper-proof” isn’t in the statute, but it’s the practical bar. The auditor will ask “can you prove these logs weren’t edited.” So design for it from day one: hashed lines, append-only storage, signed batches, whatever your stack supports. Retrofitting this after launch is painful.

Article 14 — human oversight is process plus UI, not just policy

Article 14(4) lists what the supervising person must be able to do:

- Understand the system’s capacities and limitations enough to monitor operation (4a)
- Stay aware of automation bias (4b)
- Interpret output correctly (4c)
- Decide not to use the output or override it (4d)
- Intervene on operation or interrupt through a “stop” button or similar procedure (4e)

That last requirement is concrete and often skipped.
If your agent runs in a long-running loop, the supervising operator needs a kill switch that is visible, accessible, and produces a safe state. Most internal tools we’ve looked at don’t have this and need to retrofit.

For documentation: write down who the oversight person is, the SLA between alert and intervention, what the stop procedure actually does, and how oversight personnel are trained.

Article 50 — four sub-paragraphs, four different triggers

Article 50 transparency obligations are not one rule, they’re four:

- 50(1) — AI interacting with humans (chatbots, voice assistants): disclose at the start of interaction, clear and distinguishable
- 50(2) — Synthetic content generation (text, image, audio, video): mark output machine-readable, plus visible label on publication
- 50(3) — Emotion recognition or biometric categorisation: inform users they’re being subjected to it
- 50(4) — Deepfakes (real persons depicted): disclose as artificially generated

Each has a different practical implementation. The repo has separate templates per sub-paragraph. Don’t reuse a chatbot disclosure for a deepfake feature, the requirements are different.

Article 86 — explainability for end users

This is the GDPR Article 22 analog. End users (not deployers, end users) have the right to a “clear and meaningful explanation of the role of the AI system in the decision-making procedure and the main elements of the decision taken” when the decision is based on high-risk AI output AND produces legal or similarly significant effects.

Most teams treat this as a customer-support overhead. It isn’t. Article 86 is enforceable from 2 August 2026 with the rest of the main wave.

The minimum-viable explanation per the recitals: which features contributed, what the alternative outcomes would have been, what the user can do to change the outcome. Counterfactuals satisfy this. Pure feature-importance plots usually don’t.
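
Going back to the Article 12 advice on hashed lines and signed batches, here is an added example (not code from the repo) of a hash-chained event log that detects in-place edits and dropped records. The field names, key and sample events are constructed; HMAC stands in for a real signature, and append-only storage is assumed to be provided by the storage layer.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64  # "previous hash" of the first record

def _digest(prev_hash, event):
    # Canonical JSON, so one event always serialises to the same bytes.
    body = json.dumps(event, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode()).hexdigest()

def append_event(log, event):
    """Append an event, chained to the hash of the record before it."""
    prev = log[-1]["hash"] if log else GENESIS
    log.append({"event": event, "prev": prev, "hash": _digest(prev, event)})

def sign_batch(log, key):
    """Tag the newest hash; through the chain it covers every record."""
    head = log[-1]["hash"] if log else GENESIS
    return hmac.new(key, head.encode(), hashlib.sha256).hexdigest()

def verify(log, key, tag):
    """Return -1 if intact, the index of the first broken record, or
    len(log) when the chain is consistent but the batch tag does not match
    (records dropped from the end, or the whole chain rebuilt)."""
    prev = GENESIS
    for i, rec in enumerate(log):
        if rec["prev"] != prev or rec["hash"] != _digest(prev, rec["event"]):
            return i
        prev = rec["hash"]
    return -1 if hmac.compare_digest(sign_batch(log, key), tag) else len(log)

def demo():
    key = b"constructed-demo-key"  # assumption: real keys sit in a KMS/HSM
    log = []
    # Constructed events; field names are hypothetical, modelled on the
    # Article 12 field list in this post.
    append_event(log, {"use_start": "2026-08-03T09:00:00Z",
                       "use_stop": "2026-08-03T09:00:04Z",
                       "reference_db": "candidates-v3",
                       "matched_input": "cv-7f3a",
                       "verified_by": "reviewer-12"})
    append_event(log, {"use_start": "2026-08-03T09:05:00Z",
                       "use_stop": "2026-08-03T09:05:02Z",
                       "reference_db": "candidates-v3",
                       "matched_input": None, "verified_by": None})
    tag = sign_batch(log, key)
    intact = verify(log, key, tag)          # untouched log
    truncated = verify(log[:1], key, tag)   # last record deleted
    log[0]["event"]["verified_by"] = "reviewer-99"
    edited = verify(log, key, tag)          # first record edited in place
    return intact, truncated, edited
```

The batch tag is what catches truncation and full-chain rewrites; the per-record hashes alone only catch edits that leave later records untouched.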

Penalty bands

Article 99 sets three tiers:

- Prohibited AI (Article 5): up to €35M or 7% of global annual turnover, whichever is higher
- High-risk or Article 50 violations: up to €15M or 3%
- Misleading information to authorities: up to €7.5M or 1%

SME proportionality applies under Article 99(6), but the upper bound still binds.

Why we built it

We run a productized €997 EU AI Act audit at disclos.eu — a 5-business-day deliverable for SaaS founders who want someone else to do the legwork.

While building the audit methodology, we kept seeing the same gap: there was no engineer-readable starting point that wasn’t a paid platform or a €15k law firm engagement. The 80% of EU SaaS that’s under €1M ARR has nothing to work with.

So we open-sourced our internal checklist. The audit service stays paid, the repo stays free under MIT, and the licensing means anyone including competitors can fork it.

Contributing

If you want to help, the highest-leverage contributions are:

- Translations of the Article 50 disclosure labels for the remaining 18 EU languages.
- Annex III mapping refinements, particularly edge cases around agentic systems that touch §4 (employment) and §5 (essential services).
- Real-world classification examples (anonymized) of how teams classified ambiguous features.

Open an issue first for anything substantial so we can discuss scope.

Free tools alongside the repo

For non-developer team members who don’t want to run Python, we also publish three browser-based tools (no signup):

- EU AI Act penalty calculator
- Annex III high-risk triage
- Article 50 disclosure generator (24 EU languages)

Repo link, one more time

github.com/GatisOzols/eu-ai-act-checklist

MIT. ~24KB. No signup.

The deadline is 65 days out. If your team is in “we’ll deal with it later” mode, this is the lightest possible way to stop kicking the can.