EU AI Act

The EU Artificial Intelligence Act (EU AI Act) enters enforcement on August 2, 2026. It imposes obligations on developers and deployers of AI systems in regulated EU contexts. vybdocs addresses the technical obligations through automated rule enforcement and signed audit trails.

August 2, 2026

This is the date EU AI Act obligations for high-risk AI systems become enforceable. If your product uses AI to assist in generating code that affects regulated sectors (finance, healthcare, critical infrastructure, HR, law enforcement), you need a compliance posture in place before this date.

What the EU AI Act requires of AI-assisted development

The Act distinguishes between AI systems (the models) and deployers (organizations using AI systems). If your team uses Cursor, Claude Code, Copilot, or similar tools to generate code that powers a regulated application, you are a deployer with obligations under Article 9 and Article 13.

Key obligations:

  • Art. 9 — Risk management system: Establish, implement, document, and maintain a risk management system for AI-generated outputs
  • Art. 9.5 — Testing against specifications: AI system outputs must be tested against pre-defined specifications before deployment
  • Art. 10 — Data quality and governance: Training/output data must meet accuracy and relevance standards for the intended purpose
  • Art. 12.1 — Record-keeping: High-risk AI systems must automatically generate logs enabling post-market monitoring
  • Art. 13 — Transparency: AI system capabilities and limitations must be documented

How vybdocs maps to these obligations

Article 9.2 — Risk management system

Article 9.2 requires a "risk management system" that is "a continuous iterative process run throughout the entire lifecycle of a high-risk AI system."

vybdocs provides:

  • Pre-defined specifications: .vyb/spec.yaml is your declared AI output specification
  • Continuous enforcement: vyb check runs on every commit, throughout the development lifecycle
  • Iterative process: the spec can be updated; all changes are version-controlled and logged

Example rule mapping:

- id: llm-003
  name: require-ai-audit-log
  severity: block
  pattern: "(openai|anthropic|claude|gpt).*\\.(create|invoke|generate)"
  remediation: >
    All AI model calls must log the result via auditLog.record().
    Required fields: userId, timestamp, modelId, promptHash, outputHash.
  maps-to:
    - framework: eu-ai-act
      control: Art.9.2

Article 9.5 — Testing against specifications

Article 9.5 requires testing AI system outputs "against previously defined metrics and probabilistic thresholds appropriate to the intended purpose."

For AI-assisted code generation, the "specifications" are your engineering constraints. Every vyb check run is a documented test of AI-generated output against your declared spec.

Article 12.1 — Record-keeping

Article 12.1 requires AI systems to "automatically generate logs" that "include, at minimum" certain information about system operation.

The vybdocs Evidence Pack satisfies this for AI-assisted code:

  • Timestamp of the check
  • Identity of the diff (commit SHA)
  • Rules evaluated (the "specification" tested against)
  • Pass/fail per rule
  • Cryptographic signature for non-repudiation
  • Hash-chain for tamper evidence
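
An added illustration of how a signed, hash-chained check log gives tamper evidence. It is not vybdocs code and not the Evidence Pack's actual format: the record fields, the all-zero genesis value, the function names and the sample commit SHAs are assumptions, and HMAC-SHA256 stands in for the signature.

```python
import hashlib, hmac, json

GENESIS = "0" * 64  # prev_hash of the first record (assumption)

def _digest(body: dict) -> str:
    # Canonical JSON so the same record always hashes to the same value.
    data = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(data).hexdigest()

def append_record(chain: list, key: bytes, timestamp: str, commit_sha: str, results: dict) -> dict:
    """Append one check record, linked to the previous record's hash."""
    body = {
        "timestamp": timestamp,
        "commit_sha": commit_sha,
        "results": results,  # rule id -> "pass" / "fail"
        "prev_hash": chain[-1]["hash"] if chain else GENESIS,
    }
    record_hash = _digest(body)
    # HMAC stands in for the signature; it is a shared-key MAC, so real
    # non-repudiation needs an asymmetric signature (e.g. Ed25519).
    sig = hmac.new(key, record_hash.encode(), hashlib.sha256).hexdigest()
    chain.append(dict(body, hash=record_hash, sig=sig))
    return chain[-1]

def verify_chain(chain: list, key: bytes):
    """Return (True, None) or (False, index of first bad record)."""
    prev = GENESIS
    for i, rec in enumerate(chain):
        body = {k: v for k, v in rec.items() if k not in ("hash", "sig")}
        expected_sig = hmac.new(key, rec["hash"].encode(), hashlib.sha256).hexdigest()
        if (body.get("prev_hash") != prev
                or _digest(body) != rec["hash"]
                or not hmac.compare_digest(expected_sig, rec["sig"])):
            return False, i
        prev = rec["hash"]
    return True, None

def demo():
    key = b"constructed-demo-key"  # constructed; never hard-code real keys
    chain = []
    append_record(chain, key, "2026-08-02T09:00:00Z", "a1b2c3d", {"llm-003": "pass"})
    append_record(chain, key, "2026-08-02T10:00:00Z", "d4e5f6a", {"llm-003": "fail"})
    append_record(chain, key, "2026-08-02T11:00:00Z", "0f9e8d7", {"llm-003": "pass"})
    intact = verify_chain(chain, key)
    chain[1]["results"]["llm-003"] = "pass"  # rewrite a failed check after the fact
    tampered = verify_chain(chain, key)
    return intact, tampered

if __name__ == "__main__":
    print(demo())
```

Editing, deleting or reordering any record breaks either its own hash or the next record's prev_hash link, so verification reports the first index that no longer matches.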

Article 13 — Transparency

The .vyb/spec.yaml and the Evidence Pack together constitute documented evidence of:

  • What AI systems are used (can be noted in the spec)
  • What constraints they must satisfy
  • Whether those constraints were met

Applying the EU AI Act pack

# For EU-regulated financial services (most stringent):
vyb init --pack eu-fintech

# For general EU SaaS with AI components:
vyb init --pack eu-saas-general

Both packs include the llm-* rules category with EU AI Act mappings.

Coverage report

Check your EU AI Act coverage:

vyb check --coverage-report

Look for gaps in the EU AI Act section. Common gaps:

  • Art.13.1 — transparency disclosure (requires an AI disclosure rule)
  • Annex.III — sector-specific requirements (requires vertical-specific rules)

Timeline

Date | Milestone
February 2, 2025 | Prohibitions on AI practices apply
August 2, 2025 | GPAI model obligations apply
August 2, 2026 | High-risk AI system obligations apply
August 2, 2027 | Embedded system obligations

If your product involves AI-assisted generation of code for credit scoring, healthcare triage, recruitment, critical infrastructure, or law enforcement, you are in scope for August 2026.

