The EU AI Act takes full effect on 2 August 2026. Most SaaS teams I talk to are in “we’ll deal with it later” mode. Partly that’s denial. Mostly it’s that the official text is 458 pages of lawyer-prose with the implementation details buried.
So we wrote an engineer-readable version and open-sourced it today:
Repo: github.com/GatisOzols/eu-ai-act-checklist (MIT, no signup)
This post walks through what’s in it, why we built it, and the four article references most teams underestimate.
What’s in the repo
11 files, ~24KB total. One afternoon to run through start to finish for a single-product SaaS.
README.md
checklist.md — 7-step self-audit, plain English
annex-iii-categories.json — 8 high-risk areas, machine-readable
classify.py — Decision-tree classifier for risk tier
penalty-bands.json — Article 99 penalty tiers as JSON
chatbot.html — Article 50(1) disclosure template
generated-content.md — Article 50(2) synthetic content template
deepfake.md — Article 50(4) deepfake template
emotion-recognition.md — Article 50(3) emotion / biometric template
translations.json — Disclosure labels in 6 EU languages
LICENSE — MIT
The classifier
The most interesting file is classify.py. It walks you through five questions about each AI feature in your product and returns the risk tier under the regulation.
It’s intentionally tiny: no dependencies, no framework, runs anywhere Python runs. Output is plain text you can paste into your audit record.
Example output for an AI resume-scoring feature:
HIGH-RISK under Annex III §4. Article 6 obligations apply (risk management, technical documentation, record-keeping, human oversight, accuracy/robustness, conformity assessment, CE marking, EU database registration).
What teams underestimate
Most “EU AI Act readiness” content I read online stops at “disclose your chatbot.” Article 50(1) is the obvious one. Four others matter more for engineers.
Article 12 — record-keeping isn’t “we log stuff”
Article 12 requires automatic event logging across the AI system’s lifecycle. The specific fields are in Annex IV section 9:
Period of each use (start, stop)
Reference database checked, where applicable
Input data when the search led to a match
Identification of natural persons involved in result verification, where Article 14(5) applies
Minimum retention is 6 months under Article 12(2), but most teams should plan for 12-24 months because Member State authorities can extend.
The word “tamper-proof” isn’t in the statute, but it’s the practical bar. The auditor will ask, “Can you prove these logs weren’t edited?” So design for it from day one: hashed lines, append-only storage, signed batches, whatever your stack supports. Retrofitting this after launch is painful.
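One way to get "hashed lines" plus "signed batches" with only the standard library, as an added example (not code from the repo). The event field names, the sample events and the demo key are assumptions made for illustration; in practice the signing key lives outside the host that writes the log.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64  # anchor value for the first record's "prev" field


def _digest(body: dict) -> str:
    # Canonical JSON so the same record always hashes to the same value.
    raw = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(raw).hexdigest()


def append_event(log: list, event: dict) -> dict:
    """Append a record whose hash covers the event and the previous hash."""
    body = {"seq": len(log), "prev": log[-1]["hash"] if log else GENESIS, "event": event}
    log.append({**body, "hash": _digest(body)})
    return log[-1]


def sign_batch(log: list, key: bytes) -> str:
    """HMAC the record count and head hash; the chain extends it to every record."""
    head = log[-1]["hash"] if log else GENESIS
    return hmac.new(key, f"{len(log)}:{head}".encode(), hashlib.sha256).hexdigest()


def verify(log: list, key: bytes, signature: str):
    """Return (True, None), or (False, i): first bad record, len(log) if only the signature fails."""
    prev = GENESIS
    for i, rec in enumerate(log):
        body = {"seq": rec.get("seq"), "prev": rec.get("prev"), "event": rec.get("event")}
        if body["seq"] != i or body["prev"] != prev or rec.get("hash") != _digest(body):
            return False, i
        prev = rec["hash"]
    if not hmac.compare_digest(sign_batch(log, key), signature):
        return False, len(log)
    return True, None


def sample_log() -> list:
    # Constructed sample events; field names are illustrative, not from the repo.
    log = []
    append_event(log, {"start": "2026-08-03T09:00:00Z", "stop": "2026-08-03T09:00:02Z",
                       "reference_db": "candidates-v3", "input_ref": None, "verified_by": None})
    append_event(log, {"start": "2026-08-03T09:05:00Z", "stop": "2026-08-03T09:05:01Z",
                       "reference_db": "candidates-v3", "input_ref": "sha256:<placeholder>",
                       "verified_by": "reviewer-17"})
    return log
```

An edited record fails the chain check at its own index. A log that was edited and then re-hashed, or truncated, passes the chain check but fails the batch signature.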
Article 14 — human oversight is process plus UI, not just policy
Article 14(4) lists what the supervising person must be able to do:
Understand the system’s capacities and limitations enough to monitor operation (4a)
Stay aware of automation bias (4b)
Interpret output correctly (4c)
Decide not to use the output or override it (4d)
Intervene on operation or interrupt through a “stop” button or similar procedure (4e)
That last requirement is concrete and often skipped. If your agent runs in a long-running loop, the supervising operator needs a kill switch that is visible, accessible, and produces a safe state. Most internal tools we’ve looked at don’t have this and need to retrofit.
For documentation: write down who the oversight person is, the SLA between alert and intervention, what the stop procedure actually does, and how oversight personnel are trained.
Article 50 — four sub-paragraphs, four different triggers
Article 50 transparency obligations are not one rule; they’re four:
50(1) — AI interacting with humans (chatbots, voice assistants): disclose at the start of interaction, clear and distinguishable
50(2) — Synthetic content generation (text, image, audio, video): mark output machine-readable, plus visible label on publication
50(3) — Emotion recognition or biometric categorisation: inform users they’re being subjected to it
50(4) — Deepfakes (real persons depicted): disclose as artificially generated
Each has a different practical implementation. The repo has separate templates per sub-paragraph. Don’t reuse a chatbot disclosure for a deepfake feature; the requirements are different.
Article 86 — explainability for end users
This is the GDPR Article 22 analog. End users (not deployers, end users) have the right to a “clear and meaningful explanation of the role of the AI system in the decision-making procedure and the main elements of the decision taken” when the decision is based on high-risk AI output AND produces legal or similarly significant effects.
Most teams treat this as a customer-support overhead. It isn’t. Article 86 is enforceable from 2 August 2026 with the rest of the main wave.
The minimum-viable explanation per the recitals: which features contributed, what the alternative outcomes would have been, what the user can do to change the outcome. Counterfactuals satisfy this. Pure feature-importance plots usually don’t.
Penalty bands
Article 99 sets three tiers:
Prohibited AI (Article 5): up to €35M or 7% of global annual turnover, whichever is higher
High-risk or Article 50 violations: up to €15M or 3%
Misleading information to authorities: up to €7.5M or 1%
SME proportionality applies under Article 99(6), but the upper bound still binds.
Why we built it
We run a productized €997 EU AI Act audit at disclos.eu — a 5-business-day deliverable for SaaS founders who want someone else to do the legwork. While building the audit methodology, we kept seeing the same gap: there was no engineer-readable starting point that wasn’t a paid platform or a €15k law firm engagement.
The 80% of EU SaaS that’s under €1M ARR has nothing to work with. So we open-sourced our internal checklist. The audit service stays paid, the repo stays free under MIT, and the licensing means anyone (including competitors) can fork it.
Contributing
If you want to help, the highest-leverage contributions are:
Translations of the Article 50 disclosure labels for the remaining 18 EU languages.
Annex III mapping refinements, particularly edge cases around agentic systems that touch §4 (employment) and §5 (essential services).
Real-world classification examples (anonymized) of how teams classified ambiguous features.
Open an issue first for anything substantial so we can discuss scope.
Free tools alongside the repo
For non-developer team members who don’t want to run Python, we also publish three browser-based tools (no signup):
EU AI Act penalty calculator
Annex III high-risk triage
Article 50 disclosure generator (24 EU languages)
Repo link, one more time
github.com/GatisOzols/eu-ai-act-checklist
MIT. ~24KB. No signup. The deadline is 65 days out.
If your team is in “we’ll deal with it later” mode, this is the lightest possible way to stop kicking the can.
About
I'm Gatis Ozols, building Disclos from Riga. Disclos is a productized €997 EU AI Act compliance audit for SaaS companies. 5 business days, refund-guaranteed.
Not a lawyer. We work with EU counsel for the formal interpretation. The checklist in this post is the engineer-readable starter we wished existed when we first started talking to SaaS founders about the Act.
Free tools (no signup): disclos.eu/tools
Contact: gatis@disclos.eu













