The EU AI Act for product managers: compliance as a design principle, not a brake
Marc Gasser, Serial Founder · GTM & Marketing. Connects AI with revenue operations and builds autonomous GTM systems for predictable growth.
TL;DR
- The EU AI Act (in force since 1 August 2024) regulates by risk class: prohibited practices, high risk, limited and minimal risk. Fines reach 35 million euros or 7 per cent of global turnover for prohibited practices, and 15 million or 3 per cent for high-risk violations.
- The deadlines are moving: with the Digital Omnibus (provisional agreement 7 May 2026), high-risk obligations slip to 2 December 2027 (Annex III) and 2 August 2028 (Annex I). Read the extra time as a postponement and you repeat the GDPR laggards' mistake.
- For PMs the Act is above all a documentation law: inventory, risk classification, transparency, logging, human oversight. If your spec-to-code path is already traceable, you cover a large part as a by-product.
Key findings
- The AI literacy duty (Article 4) has applied since 2 February 2025 – together with the prohibitions. Training is not optional polish but the first binding duty for practically every company using AI.
- Most SaaS functions fall under limited or minimal risk – where transparency duties dominate. High risk begins where AI decides about people: credit, hiring, critical infrastructure, medicine.
- Compliance documentation and good product practice overlap heavily: versioned specs, audit trails and regression tests are the same artefacts the Act wants to see.
Which risk class hits your product?
The AI Act thinks in purposes, not technologies. Prohibited are practices such as social scoring or manipulative systems. High risk covers systems that decide about people – creditworthiness, hiring, exam scoring, critical infrastructure. Limited risk mainly means transparency: chatbots must identify themselves, AI-generated content must be labelled. The rest – the large majority of typical SaaS features – is minimal risk.
The product-strategy consequence: the risk class is designable. Whether your feature “decides” or “suggests”, whether a human approves or automation acts – these are product decisions that directly determine which duties apply. A human-in-the-loop step can make the difference between the high-risk regime and a transparency duty. That is exactly why classification belongs in the define phase, not in legal after launch.
What applies now – and what the Digital Omnibus shifts
Since 2 February 2025 the prohibitions and the AI literacy duty apply; since 2 August 2025, the rules for general-purpose models. High-risk obligations were originally set for 2 August 2026 – but on 7 May 2026 the Council, Parliament and Commission provisionally agreed in the Digital Omnibus to shift them: Annex III systems now from 2 December 2027, systems embedded in products under Annex I from 2 August 2028. Formal adoption is expected in the coming weeks.
The fine logic remains sharp: up to 35 million euros or 7 per cent of global turnover for prohibited practices, up to 15 million or 3 per cent for high-risk violations. For DACH companies, though, the primary risk isn't the fine – it's the deal: enterprise customers now ask about AI Act conformity in procurement the way they ask for ISO certificates. No answer, no contract – long before any regulator shows up.
AI Act readiness check for your product
Without an inventory and risk classification, any compliance statement is a guess. Start with the inventory – it costs days, not months.
The five building blocks that belong in the product
Inventory. A living list of all AI functions with purpose, model, data sources and risk class. Without an inventory, every further duty is groping in fog.
Transparency. Users must be able to tell when AI is involved – in the interface, not the small print. That doubles as good expectation management and lowers support load.
Logging. Which model version answered when, with what context? Without that trail you can neither reconstruct errors nor answer an auditor.
Human oversight. Define per feature where a human can intervene and where one must approve. That is product design – and at the same time the most effective lever on the risk class.
Supply chain. Model providers, API services, hosting: settle contractually who carries which duties and which assurances you can pass on. In DACH, the question of EU hosting and data residency belongs in the same clause.
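The inventory, logging and human-oversight blocks above are the parts a product team can actually ship as code. The following Python sketch is an added illustration, not code from the article or its author: it keeps the inventory as data, screens each feature with the article's own framing ("decides about people" plus "is a human approval step required"), and records a decision audit trail whose oversight check asks whether every record of a feature that promises human approval actually carries a reviewer. Feature names, model identifiers and data sources are constructed placeholders, and the screening function is a triage aid that reflects the article's reasoning, not a legal classification.

```python
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
from typing import Optional
import hashlib
import json


@dataclass
class AIFeature:
    """One row of the AI inventory: purpose, model, data sources, and the two
    product decisions the article says drive the risk class."""
    name: str
    purpose: str
    model: str                    # e.g. "vendor-x/scoring-v2" (constructed placeholder)
    data_sources: list[str]
    decides_about_people: bool    # outcome affects credit, hiring, grading, ...
    human_approves: bool          # a person must approve before the outcome takes effect
    user_facing: bool             # users talk to the AI or see generated content


def screen_risk_class(f: AIFeature) -> str:
    """Triage heuristic following the article's framing (assumption, not legal advice):
    decides about people without approval -> flag for high-risk review;
    decides about people with a human-in-the-loop step -> flag for review of that step;
    user-facing interaction -> transparency duty; anything else -> minimal."""
    if f.decides_about_people and not f.human_approves:
        return "high-risk-review"
    if f.decides_about_people and f.human_approves:
        return "human-in-the-loop-review"
    if f.user_facing:
        return "transparency"
    return "minimal"


def build_inventory(features: list[AIFeature]) -> list[dict]:
    """The living inventory: every feature plus its screened class, serialisable for a factsheet."""
    return [{**asdict(f), "risk_screen": screen_risk_class(f)} for f in features]


@dataclass
class DecisionRecord:
    """One audit-trail entry: which model version answered when, with what context,
    and whether a human signed off."""
    feature: str
    model_version: str
    timestamp: str
    context_hash: str             # hash of the prompt/context, not the raw text (keeps personal data out of the trail)
    output_summary: str
    human_reviewer: Optional[str]
    approved: Optional[bool]


def context_digest(context: str) -> str:
    """Stable fingerprint of the input so an error can be reconstructed later."""
    return hashlib.sha256(context.encode("utf-8")).hexdigest()


class DecisionLog:
    def __init__(self) -> None:
        self.records: list[DecisionRecord] = []

    def record(self, feature, model_version, context, output_summary,
               human_reviewer=None, approved=None, when=None) -> DecisionRecord:
        rec = DecisionRecord(
            feature=feature,
            model_version=model_version,
            timestamp=(when or datetime.now(timezone.utc)).isoformat(),
            context_hash=context_digest(context),
            output_summary=output_summary,
            human_reviewer=human_reviewer,
            approved=approved,
        )
        self.records.append(rec)
        return rec

    def oversight_gaps(self, inventory: list[dict]) -> list[DecisionRecord]:
        """Records of features whose inventory row promises human approval but where
        nobody signed off: the check an auditor would run against the trail."""
        needs_approval = {row["name"] for row in inventory if row["human_approves"]}
        return [r for r in self.records
                if r.feature in needs_approval
                and (r.human_reviewer is None or r.approved is None)]

    def export(self) -> str:
        return json.dumps([asdict(r) for r in self.records], indent=2)


# Constructed sample inventory; names and models are placeholders, not real products.
SAMPLE_FEATURES = [
    AIFeature("credit-prescreen", "rank loan applications", "vendor-x/scoring-v2",
              ["application-form", "bureau-feed"], True, False, False),
    AIFeature("cv-shortlist", "suggest candidates for interview", "vendor-x/rank-v1",
              ["applicant-cvs"], True, True, False),
    AIFeature("support-chatbot", "answer customer questions", "vendor-y/chat-v3",
              ["help-center"], False, False, True),
    AIFeature("doc-search", "rank internal knowledge-base results", "in-house/embed-v1",
              ["internal-wiki"], False, False, False),
]

if __name__ == "__main__":
    inv = build_inventory(SAMPLE_FEATURES)
    log = DecisionLog()
    log.record("cv-shortlist", "vendor-x/rank-v1", "cv-batch-42", "3 candidates suggested",
               human_reviewer="recruiter@example.com", approved=True)
    log.record("cv-shortlist", "vendor-x/rank-v1", "cv-batch-43", "2 candidates suggested")
    print(json.dumps(inv, indent=2))
    print("oversight gaps:", [r.context_hash[:8] for r in log.oversight_gaps(inv)])
```

The design choice worth noting: the oversight check is driven by the inventory, not by the log alone. A record without a reviewer is only a gap when the feature's inventory row promises human approval, which is exactly the promise procurement and an auditor will hold you to. Storing a hash of the context rather than the prompt keeps the trail reconstructible without turning the audit log into a second store of personal data.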
Recommendations
- Build the inventory this week. Record every AI function with purpose, model, data and risk class. It is the cheapest compliance measure with the biggest effect – and the basis for everything else.
- Design the risk class actively. Check in the define phase whether a human-in-the-loop step takes your feature out of the high-risk regime. Compliance architecture is product work.
- Use the omnibus time instead of burning it. The shifted high-risk deadlines are construction time for logging, documentation and supplier contracts – not an invitation to reopen the topic in 2027.
- Make conformity sellable. A one-page AI governance factsheet for procurement (risk classes, hosting, logging, oversight) wins more DACH deals than another feature.
Scope & caveats
- Status of the deadlines: provisional Digital Omnibus agreement of 7 May 2026; formal adoption was still pending at the time of writing. Details may still change in the legislative process – track the final publication in the Official Journal.
- This article is product-strategy guidance, not legal advice. Classifying specific systems – especially near the high-risk boundary – belongs in the hands of specialised lawyers.
- Switzerland is not directly bound by the AI Act, but effectively is: sell into the EU or serve EU users and you are in scope – and Swiss enterprise customers increasingly copy the requirements into their own procurement.
The takeaway
The AI Act rewards teams that work cleanly anyway: documented specs, traceable decisions, logging from day one. Build compliance into the cycle as a design principle and you sell faster in DACH – and sleep better when the auditor calls.