H-Studio logo
ENDE
Start a project

EU AI Act readiness — the technical foundations, not the legal opinion

"The EU delayed the AI Act" is half-true and dangerously imprecise. Some obligations moved sixteen months; others didn't move at all and land in 2026. We build the technical evidence layer — risk screening, transparency, audit trails, sub-processor visibility — so your team and your lawyers review documented decisions instead of retrofitting under a deadline.

Scope of this page

What this is — and what it is not

This is technical readiness work — the architecture, documentation and evidence an auditor, lawyer or internal compliance team needs to do their job without reverse-engineering an undocumented product.

  • What we do

    We build the architecture, documentation and evidence — risk screening, transparency, sub-processor visibility, audit trails — so that when your advisors look, there is something documented to review.

  • What we don't

    No legal advice, formal risk classification, conformity assessments or certification. Those stay with your legal, data-protection or compliance advisors.

Frame: EU / DACH only. Our Russian (152-ФЗ) and Indonesian (UU PDP) presences handle their own legal frames on their regional sites — we don't apply one jurisdiction's rules to another's market.

Where the timeline actually stands (mid-2026)

"Delayed" is the most expensive misread of 2026

Under the Digital Omnibus on AI — provisionally agreed in May 2026 and being formally adopted — parts of the AI Act slipped, parts did not. The exact dates are still settling, so confirm the current position with your legal advisors. As it stands:

  • In force since August 2024 — the framework itself
  • Since February 2025 — prohibited AI practices and AI-literacy obligations
  • Since August 2025 — obligations for general-purpose AI (GPAI) model providers
  • 2 August 2026 — Article 50 transparency obligations, NOT deferred: users must be told when they're interacting with AI, when content is AI-generated, and when emotion-recognition or biometric categorisation is in use
  • 2 December 2026 — watermarking / machine-readable marking of generative output, plus new Article 5 prohibitions (AI-generated CSAM and non-consensual intimate imagery)
  • 2 December 2027 — high-risk obligations for stand-alone Annex III systems (deferred from August 2026)
  • 2 August 2027 — national regulatory sandboxes
  • 2 August 2028 — high-risk AI embedded in regulated products (Annex I)

The trap: teams heard "delayed," relaxed, and stopped preparing for the transparency and labelling duties that are bearing down on schedule. The relief is real for high-risk; it does not cover what's due in 2026.

01  ·  Operating model

How we approach AI Act readiness — evidence, not paperwork theatre

Effort goes where the regulation actually bites — not into a compliance programme the law doesn't require.

  • 01Screen before you scramble — we first establish what your AI features actually are: prohibited, high-risk, transparency-obligation or minimal-risk.
  • 02Most B2B AI is not high-risk — and we'll tell you when it isn't, so you don't build a compliance programme the law doesn't require.
  • 03Transparency is the 2026 priority — the Article 50 duties and generative-output marking are the near-term work for most product teams. We implement them, not just document them.
  • 04Evidence that survives review — risk screening, sub-processor inventory, evaluation evidence and audit trails, built so an auditor or lawyer can read them, not a quarter-long retrofit.
  • 05Legal stays legal — classification, conformity assessment and interpretation remain with your advisors. We build what they review.
02  ·  What we deliver

What we deliver

01

AI Act risk screening

Classification of each feature: prohibited / high-risk / transparency-obligation / minimal-risk · GPAI provider-dependency review where relevant · Plain-language reasoning your advisors can validate · Re-screen as features change

02

Transparency implementation (Article 50)

AI-interaction disclosure where users deal with AI · AI-generated content labelling · Emotion-recognition / biometric-categorisation notices where applicable · Generative-output marking / provenance readiness for the December 2026 duty

03

Provider & data visibility

Sub-processor inventory ready for DPA / due-diligence review · Which providers see which data, which models, which regions · EU-hosted / local options mapped to data sensitivity

04

Evaluation evidence

Evaluation on representative inputs · Eval harness so evidence is reproducible, not anecdotal · Documented limitations and failure modes

05

Audit trails & oversight

Audit logs for AI-assisted actions that affect users · Human-oversight points on sensitive or irreversible outputs · Traceable record an auditor can follow

06

Documentation pack

Model cards where applicable · Architecture and data-flow documentation · A readiness file your legal / compliance team can pick up directly

03  ·  How we work

How we work

  1. Step 01

    Inventory & screening

    We map every AI feature, its data flows and its provider dependencies, and screen each against the AI Act's risk tiers.

  2. Step 02

    Gap & priority map

    We separate what's genuinely required at your stage from what isn't, and sequence it against the real 2026 / 2027 dates.

  3. Step 03

    Technical implementation

    We implement transparency, marking, logging and oversight, and assemble the evidence — sub-processor inventory, evaluations, audit trails.

  4. Step 04

    Readiness file & handover

    We hand your legal and compliance team a documented file they can review and maintain — not a black box.

04  ·  Outcomes

Outcomes we optimise for

A defensible, documented position — not paperwork theatre.

05  ·  When it fits

When AI Act readiness work makes sense

Choose this when:

  • You ship AI features in a product used by real customers
  • Customers, partners or investors are starting to ask AI-governance questions
  • You're unsure whether your AI is high-risk and need a defensible screening
  • You need the Article 50 transparency and marking duties actually implemented, not just noted
  • A funding round, enterprise procurement or security review is on the horizon
  • You want the technical evidence ready before your lawyers need it
06  ·  Problem

Why "the AI Act got delayed" is a trap

The May 2026 Omnibus generated exactly the wrong headline.
Disclaimer

Where our work ends and your advisors' begins

We build technical foundations and evidence. We do not run conformity assessments, issue formal risk classifications, provide legal opinions or certify compliance. Formal classification and interpretation of the AI Act and GDPR remain with your legal, data-protection or compliance advisors. Our deliverables exist so that work starts from documented architecture and evidence rather than a retrofit. Dates and obligations described here reflect the position as we understand it in mid-2026 and are still being finalised — confirm the current state with your advisors.

Reference stack

What we use to produce the evidence

Evidence & evaluation
  • Evaluation harness (Promptfoo / Ragas)
  • Observability & logging (Langfuse / Helicone / OpenTelemetry)
  • Structured audit logging
  • Sub-processor & data-flow documentation
  • Provenance / content-marking tooling where the December 2026 duty applies
Hosting & data residency
  • EU-hosted (Azure OpenAI West Europe, Bedrock Frankfurt, EU-hosted Mistral)
  • Local (Hetzner GPU) where data residency requires
  • Provider choice mapped to data sensitivity, never partner status

Vendor- and provider-neutral. Hosting and provider choices follow the data, never partner status.

Proof · how we already build

AI Act readiness isn't a bolt-on for us

The evidence it needs — documented architecture decisions, sub-processor inventory, auditability across user and admin actions, tested critical paths — is already how we build diligence-ready products across our DACH work. AI Act readiness extends that discipline to your AI features specifically.

See how we build MVPs
FAQ

FAQ

  1. Partly. High-risk obligations were deferred to 2027/2028. Transparency duties (Article 50) and generative-output marking were not — they apply in 2026. The relief is real but narrower than the headlines suggested.

  2. Most B2B SaaS AI features are not automatically high-risk, but it depends on use. We provide a documented technical screening; formal classification stays with your legal advisors.

  3. No. We build the technical foundations and evidence. Legal interpretation, conformity assessment and certification stay with your advisors and the relevant bodies.

  4. For most product teams: the Article 50 transparency duties and preparing for generative-output marking, both landing in 2026. We implement these, not just document them.

  5. They overlap on data handling, sub-processors and audit. We build the technical evidence that serves both; legal interpretation of either stays with your advisors.

  6. Typically 2–3 weeks for screening and a gap-and-priority map, depending on how many AI features and providers are in scope. Implementation is sized to what the screening surfaces.

  7. Yes — see AI Automation (existing systems) or MVP Development (new builds). Readiness can be built in from the start rather than retrofitted.

  8. This page is EU / DACH. Our Russian and Indonesian presences handle 152-ФЗ and UU PDP in their own legal frames — we don't apply one jurisdiction's rules to another's market.

Adjacent plates

Related services

  1. 01AI AutomationThe AI features the readiness work covers.Open
  2. 02Agent-Ready ArchitectureAgent actions create the same audit and transparency surface.Open
  3. 03Startup MVP BuildsBuild AI Act readiness in from day one.Open
  4. 04B2B SaaS EngineeringDiligence-ready foundations larger customers ask about.Open
  5. 05Data Engineering & AnalyticsThe evidence and logging layer behind it.Open
  6. 06AI Evals, Observability & GuardrailsThe evaluation evidence and audit trails that feed AI Act readiness.Open
What does the AI Act require?

Not sure what the AI Act actually requires of your product?

A readiness review screens your AI features, separates genuine relief from what's bearing down in 2026, and gives your team and your lawyers a documented starting point — in 2–3 weeks.

Book an AI Act readiness review
Related articles

Keep reading from the blog.

More insights and best practices on this topic.

View all articles
H
29 May 2026

How to Build Software That Survives German Compliance

Not 'passes GDPR' — survives audits, legal reviews, and real enterprise pressure. Why German compliance is an architectural property, the GDPR articles that make it one (privacy by design, DPIA, records of processing), and the system patterns that survive scrutiny.

Read
S
26 May 2026

SaaS Architecture Best Practices for B2B CTOs

SaaS architecture best practices that keep B2B platforms scalable, secure and efficient — multi-tenancy, APIs, Zero Trust and tooling that holds up under enterprise load.

Read
D
25 May 2026

Designing Audit-Ready Architecture: A 2026 Guide

Learn how to design audit-ready architecture. Our 2026 guide helps architects and developers build strong traceability...

Read
W
22 May 2026

What is Seed Stage SaaS: Fundamentals for Founders

What seed-stage SaaS really is — the phases, the KPIs investors check, the funding instruments (with the DACH specifics), and how to deploy capital toward Series A.

Read

H-Studio builds EU AI Act technical readiness for B2B and SaaS product teams in DACH — risk screening, Article 50 transparency implementation, generative-output marking readiness, sub-processor inventories, evaluation evidence and audit trails. We build the technical foundations and documentation your legal and compliance advisors review — not conformity assessments or legal opinions — with the post-Omnibus 2026 timeline in clear view.