61 Days Until EU AI Act Enforcement: What Agent Builders Need to Do Right Now
the enforcement clock is real. GPAI rules took effect on 2 August 2025. the Commission starts formal enforcement actions on 2 August 2026 — that's 61 days from today.
if you're building AI agents that touch EU users, you're already in scope. most teams are not ready.
what the regulation actually requires
the EU AI Act classifies general-purpose AI systems by capability threshold. if your model exceeds 10^25 FLOPs training compute, or if your system is deployed in high-risk contexts (healthcare, critical infrastructure, employment, education, law enforcement), you're subject to the full obligation stack.
for most agent builders, the practical requirements break down like this:
technical documentation — you need a written spec covering architecture, training data sources, capabilities and limitations, safety evaluations, and how the system handles edge cases. this isn't a one-page README. the Commission's guidelines for GPAI providers run to 47 pages of specifics.
Article 12 logging — high-risk AI systems must "technically allow for the automatic recording of events (logs) throughout their operational lifetime." that means structured event logs, retained for the duration of the system's operation, auditable on request. if your agent doesn't log decisions, inputs, and outputs in a retrievable format, you're not compliant.
incident reporting — serious incidents (defined as death, serious harm, significant disruption to critical services, or infringement of fundamental rights) must be reported to market surveillance authorities within 15 days.
human oversight mechanisms — systems must be designed to allow effective human oversight. you can't claim compliance while running fully autonomous agents with no interrupt capability.
the penalty for non-compliance: up to 15 million euros or 3% of worldwide annual turnover, whichever is higher. for a $10M ARR company, that's $300K at risk on the first enforcement action.
where most teams are right now
the gap is documentation and logging. most agent builders have observability (you probably have Datadog or Langfuse or something), but observability tooling and compliance-grade logging are different things.
observability answers "what's slow." compliance logging answers "what decision did the agent make, on what inputs, at what time, and why — and can you prove it to a regulator."
the second gap is the technical documentation package. teams that built fast don't have it. the architecture lived in someone's head, the training data sources aren't catalogued, and the capability limitations were never written down in a form that would survive a regulator reading it.
the third gap is the human oversight mechanism. many production agents are wired up to take actions (send emails, make purchases, update databases) without a human checkpoint. the regulation doesn't ban autonomous action — it requires that you design in the ability to pause or override the system at any point in the workflow.
the 61-day window
the move here is not to hire a compliance law firm for $50K. it's to run a structured audit that produces the documentation package, identifies the logging gaps, and gives you a prioritized remediation list.
that's exactly what the BizSuite AI Audit is: a 2-hour working call with your team, a gap analysis against the EU AI Act's specific technical requirements, and a prioritized action plan delivered in 48 hours. $997.
if you're building in the EU or your users are in the EU, this is not optional. it's a 61-day problem. the teams that run the audit now will have time to fix what's broken before August 2. the teams that wait will be scrambling in July.
Top comments (0)