Trying to apply the EU AI Act to a real product (and why it’s harder than it looks)

Act Navigator — Thu, 09 Apr 2026 21:24:10 +0000

I didn’t expect to spend this much time thinking about the EU AI Act.

It started with a pretty innocent question. We’re building a product that uses AI, and at some point I figured I should probably check if this whole regulation thing applies to us.

I assumed I’d skim a couple of articles, maybe read a summary, and move on with my life.

That didn’t happen.

At first, everything looks very clean. You’ve got categories, definitions, risk levels… it almost feels reassuring. Like someone has already done the hard thinking for you.

Then you try to apply it to your actual product.

That’s where things start to wobble a bit.

I found myself going back and forth on questions that should be simple, but somehow aren’t:

Are we even in scope here?
What exactly counts as an “AI system” in what we’ve built?
If we’re using third-party models, is that our problem or someone else’s?
Are we supposed to be documenting things already, or is that future-us’ problem?

The more I read, the less binary it all felt.

A lot of the content out there is solid, to be fair. But it’s clearly written either by lawyers or for companies with actual compliance teams.

Which makes sense. Just not particularly helpful when you’re a small team trying to ship product without accidentally becoming a case study in EU regulation.

I wasn’t looking for a perfect interpretation of the law. I just wanted a rough answer to:

“Where do we stand, realistically?”

The thing that tripped me up the most is how broad some of the definitions are.

“AI system” sounds obvious until you try to draw the line in your own codebase.

Is a rules engine included?
What about something that just calls an LLM API?
What if AI is only a small feature and not the core of the product?

You can make a reasonable argument in multiple directions, which is… not ideal when you’re trying to make decisions.

At some point I realised I’d spent enough time thinking about this that I might as well try to structure it.

So I built a small internal tool.

Not because I thought “the world needs this”, but because I needed a way to stop going in circles.

It’s honestly very simple under the hood. No magic. No models. Just a rule-based flow that mirrors how the regulation is structured.

You answer a few questions about what your system actually does — how it’s used, where it’s used, how it interacts with people — and it walks you through what that might mean in terms of risk classification.

It’s basically a decision tree, dressed up to feel slightly less like a spreadsheet.

The interesting part wasn’t building it. It was where it breaks.

Edge cases are everywhere.

Things like SaaS products that embed third-party AI don’t map neatly to “provider” vs “deployer”. Features that are only partially AI-driven sit in this weird grey zone. And some of the definitions in the regulation are clearly written to be flexible, which means you eventually have to rely on judgment anyway.

So it’s not perfect. It’s not meant to be.

But it did help me go from “this is vague and slightly stressful” to “ok, I think we’re roughly here”.

Which, honestly, was enough.

I cleaned it up a bit and put a version online here:
https://www.actnavigator.com

If nothing else, it’s a quicker way to think through the EU AI Act without needing to read 200 pages of legal text (which I can confirm is not how most founders want to spend their evenings).

Curious how others are handling this.

Are you already doing something about the AI Act, or is it still sitting somewhere between “important” and “we’ll deal with it later”?

Because I have a feeling a lot of us are in that exact spot.

DEV Community: Act Navigator

Trying to apply the EU AI Act to a real product (and why it’s harder than it looks)