EU AI Act for engineering teams: what your codebase must prove before 2 August 2026 — Article 11, 12 & 14 evidence, an in-scope decision tree, and a checklist.
Before 2 August 2026, any engineering organisation running a high-risk AI system must be able to hand an auditor Article 11 technical documentation, Article 12 automatic logs, and Article 14 human-oversight records — or face fines up to €35M or 7% of global turnover. The catch: Article 12 logging is architectural. It records events as they happen and cannot be reconstructed after the fact.
This is engineering-readiness guidance, not legal advice — whether a system is in scope, and whether you are a provider or a deployer, are legal determinations. Consult qualified counsel and your compliance function for your specific obligations.
What the EU AI Act asks of engineering teams — and when
The EU AI Act has been in force since 1 August 2024, but the parts that touch your codebase land on one fixed date. Prohibited-practice bans and the AI-literacy duty went live 2 February 2025; general-purpose AI (GPAI) obligations on 2 August 2025. The one your roadmap has to plan around is 2 August 2026, when high-risk obligations and Article 50 transparency become enforceable (EU AI Act; CRAFT Method Evidence Pack §3).
The financial exposure is not theoretical. Fines reach €35M or 7% of global turnover for prohibited practices, €15M or 3% for high-risk breaches, and €7.5M or 1% for supplying misleading information (EU AI Act, Evidence Pack §3). Two obligations — Article 11 documentation and Article 12 logging — accumulate evidence continuously, so you cannot bulk-generate six months of logs the week before an audit. That is why compliance teams rank the Act's architectural parts as the ones that cannot be retrofitted in 90 days.
Are you in scope? An engineering decision tree
Most teams' first question is the right one: does this even apply to us? The honest engineering answer is probably not by default — but here is exactly when it flips, and the flip is a legal call to confirm with counsel.
Standard coding assistants are not Annex III high-risk by default (Evidence Pack §3). A developer using Copilot, Cursor, or Claude Code to write application code is not, on that basis alone, operating a high-risk AI system. It flips to high-risk when the AI is:
- Used to evaluate or monitor developers as workers — scoring, ranking, or gating engineer performance for employment decisions;
- A safety component in a regulated product — the AI output is embedded where it affects safety;
- Fine-tuned or rebranded — which can requalify you from deployer to provider.
If you train, fine-tune, or place a general-purpose model on the market, Article 53 GPAI obligations already apply — a Model Documentation Form plus a public training-data summary against a mandatory template (Evidence Pack §3). The takeaway: scope is not static. The day you fine-tune a model or point AI at developer-performance data, your obligations change. Build the machinery now so a scope change is a config event, not a six-month project. Unsure where your practices stand? The free CRAFT Method scorecard gives you a baseline in five minutes.
Articles 11, 12 & 14: what your pipeline must produce
Three articles carry the engineering weight. Read the table by row to see what one article demands; the right-hand column is the artifact your pipeline has to emit.
| Article | What it requires | What engineering must produce | Retention |
|---|---|---|---|
| Article 11 — Technical documentation | A current, maintained description of the system: purpose, models and versions, architecture, data flow, oversight and logging design, test evidence | A standing documentation index — system description, model inventory, machine-readable ADRs, provenance / AIBOM, test-and-validation evidence — with an owner per document | 10-year expectation |
| Article 12 — Automatic logging | High-risk systems automatically record events over their lifetime: invoking user, model version, inputs and outputs, reviewer, disposition | Structured log entries emitted automatically on every AI-assisted action, immutable / tamper-evident, and queryable | 6-month minimum |
| Article 14 — Human oversight | Systems designed so a human can understand the output, decide on it, and override or stop it | A named reviewer, a stop / rollback path, and a captured accept / modify / reject decision per AI-affecting change | Tied to the Art. 12 record |
(Article assignments per the Evidence Pack's engineering reading of the EU AI Act, §3; confirm your classification with counsel.)
The through-line: Article 11 is an index you keep, not a document you write in July 2026 — retained for a decade, it is truthful only if each entry was captured when it happened. Article 14 is the regulatory form of the review gate AI velocity erodes: AI does not merge itself. Article 12 sits underneath both — every oversight decision has to land in a log. It is the same governance discipline described in AI-native development, made auditable.
Why Article 12 logging can't be retrofitted
The one sentence that should move a compliance timeline forward: a log is a record of something that already happened. If your pipeline did not capture the invoking user, model version, and human disposition when an AI-generated change was merged, that record does not exist and cannot be created later. The evidence for every AI-assisted change shipped before you stand up logging is permanently absent (Evidence Pack §3).
Documentation (Article 11) and sign-off (Article 14) you can partly back-fill from a point in time. Logs you cannot back-fill at all. That asymmetry sets the ordering: stand up logging and provenance first, because it is the only evidence that is worthless if you start late. It matters beyond the Act too — 45% of AI-generated code fails security tests (Veracode 2025), and the same provenance that answers Article 11 lets you trace which model produced a vulnerable line when a CVE lands. See AI-generated code security risks for that side of the evidence.
Emit each entry automatically, with an integrity hash for tamper-evidence — a log that depends on someone remembering to add it is not automatic.
Your 2 August 2026 readiness checklist
You cannot build every control before the deadline, and you do not need to. Sequence the non-retrofittable evidence first.
- Now (cannot retrofit): emit Article 12 logs on every AI-assisted action; turn on provenance / AIBOM capture so model, data, and artifact are recorded from today. This serves Articles 11, 12 and 53 at once.
- Confirm scope with counsel: provider vs deployer, high-risk or not — using the decision tree above.
- Make oversight provable: adopt an Article 14 sign-off, wire its disposition into the log, and set explicit agent authority limits — what ships autonomously vs. what needs sign-off.
- Assemble the standing evidence: populate the Article 11 documentation index with an owner and retention per row; capture AI-affecting decisions as machine-readable ADRs.
- If GPAI applies: produce the Article 53 Model Documentation Form and public training-data summary from your AIBOM.
- Dry-run the audit: pick one component and produce its Article 11 docs, Article 12 logs, and Article 14 sign-offs. The gaps you find are your real backlog.
The adjacent clocks reward the same work. Insurance exclusions have been live since 1 January 2026 (Verisk CG 40 47/48), and underwriters now ask for the same three things — provenance, human-in-loop logs, and governance evidence (Evidence Pack §3). ISO/IEC 42001 and the NIST AI RMF cross-reference the same artifacts. You are not building evidence for one regulation; you are building the machinery every 2026 clock asks for, once. To map your gaps in your own context, the CRAFT Method enterprise diagnostic scores all five practices and produces your evidence map.
Frequently asked questions
Does the EU AI Act apply to software engineering teams using Copilot or Cursor?
Not by default. Standard coding assistants are not classified as Annex III high-risk on their own (Evidence Pack §3). The Act's high-risk obligations flip on when AI is used to evaluate developers as workers, acts as a safety component in a regulated product, or when you fine-tune or rebrand a model and become its provider. Scope is a legal determination — confirm it with counsel.
What must engineering teams do before 2 August 2026?
For any in-scope high-risk system: produce Article 11 technical documentation (10-year retention), emit Article 12 automatic logs (invoking user, model version, inputs and outputs, reviewer, disposition; 6-month minimum retention), and evidence Article 14 human oversight. Start with logging and provenance, because those are the only pieces you cannot retrofit (Evidence Pack §3).
Why is Article 12 logging architectural rather than a feature you add later?
A log records an event as it happens. If the invoking user, model version, and human disposition were not captured at merge time, that record never existed and cannot be reconstructed. Every AI-assisted change you ship before logging is live is permanently unlogged — which is why the CRAFT Method Evidence Pack flags it as impossible to retrofit in 90 days.
What are the fines under the EU AI Act?
Up to €35M or 7% of global turnover for prohibited practices, €15M or 3% for high-risk breaches, and €7.5M or 1% for supplying misleading information (EU AI Act, Evidence Pack §3). The high-risk obligations become enforceable on 2 August 2026.