The Act: New & Old explores how Europe wrote the first comprehensive AI law on Earth, and how that law is now colliding with the urgency to build. But knowing the law exists is different from knowing whether your systems comply with it.
As we approach the August 2, 2026 enforcement deadline for high-risk systems, the window for "guessing" is closing. Here are five concrete actions you can take immediately — whether you're an individual builder on Lovable, a small team, or an organization deploying AI-powered tools in the EU.
1 · Classify Your System: Is It High-Risk?
Start here. Under the EU AI Act's Annex III, high-risk systems include AI that:
- Influences hiring, promotion, or termination decisions
- Assesses creditworthiness or insurance eligibility
- Determines access to education or training
- Analyzes biometric data or influences civil rights
- Processes personal data at scale in ways that affect significant life outcomes
Action item
- [ ] Spend 30 minutes asking: Does my system influence a decision that affects someone's rights, access, or opportunities? If yes, you aren't just a user; you are likely a "Provider" or "Deployer" of a high-risk system.
Tool: Use the EU AI Act Compliance Checker for a formal assessment.
2 · Conduct a Dual Impact Assessment (DPIA + FRIA)
If your system processes personal data, a Data Protection Impact Assessment (DPIA) is a GDPR requirement. However, for high-risk AI in 2026, you must also consider the Fundamental Rights Impact Assessment (FRIA).
| Focus | |
|---|---|
| DPIA | Data privacy and security |
| FRIA | Societal risks — algorithmic bias, discrimination, or threats to human dignity |
Action item
- [ ] Document the data flow, identify risks to individuals (not just their data), and list your safeguards. This is your accountability "paper trail" for regulators.
3 · Secure a Data Processing Agreement (DPA) from Every Vendor
If you use Lovable, OpenAI, or Anthropic, they are your sub-processors. A DPA establishes who is responsible if a breach occurs.
Action items
- [ ] Download and sign the Lovable DPA at lovable.dev/data-processing-agreement.
- [ ] Maintain a "Vendor Map" of every AI API your app calls. In 2026, ignorance of your supply chain is not a legal defense.
4 · Build Your Technical Documentation & Quality Management
Documentation separates "we tried" from "we complied." For high-risk systems, you need a technical file that proves your system is accurate, robust, and cyber-secure.
The 2026 Standard
To make this easier, look into ISO 42001 (the international standard for AI Management). Following this "Gold Standard" creates a Presumption of Conformity, making it much harder for regulators to challenge your process.
Action item — create a "living document" that lists:
- [ ] How humans can override the AI (Human Oversight)
- [ ] How you tested for bias (Data Governance)
- [ ] Your plan for Post-Market Monitoring (how you'll track the AI's performance once it's live)
5 · Implement Transparency & Labeling
By 2026, "hidden" AI is illegal in the EU. If a human is interacting with an AI, they must know it.
Action items
- [ ] UI/UX: Add clear disclosures (e.g., "This response was generated by AI").
- [ ] Deepfakes / Media: If your tool generates images or audio that look real, they must be digitally watermarked or labeled as AI-generated.
- [ ] The CE Mark: If you are a Provider of a high-risk system, you will eventually need to affix a CE Mark to your product once you've completed your self-assessment.
What's Next?
These five items won't make you 100% compliant — genuine compliance is a marathon — but they will:
- Grant you a "First-Mover" Advantage: Most organizations are still scrambling; having your documentation ready by August 2026 puts you ahead.
- Protect your Brand: Transparency builds user trust, which is the most valuable currency in the AI era.
- Create a Defensible System: If a regulator knocks, you have a PDF ready to show them.
If you're building on Lovable
Lovable handles the infrastructure security and data residency. You own the "Application Layer" — the transparency, the impact assessments, and the human oversight. Together, this creates a system that is both innovative and legally defensible.
Resources to Keep Handy
- EU AI Act Service Desk: official link
- ISO 42001 Overview: the roadmap for AI Management Systems.
- GDPR Article 35: guidelines for DPIAs.
The One Thing to Remember
Compliance isn't a checkbox you tick at the end of a project; it's a feature you build into the code.
The companies that will win in the EU market are those that treat Safety and Transparency as a competitive advantage, not a regulatory burden.
Last updated: May 2026. Note: High-risk system enforcement begins **August 2, 2026.
By Soumia — LinkedIn · Portfolio
Are you working on something similar? Drop a comment — I'm curious what you're building and what you're seeing in your own work.
Top comments (0)