EU AI Act Compliance for Product Manufacturers¶
If your products contain software that makes decisions, recognizes patterns, generates outputs, or interacts with users — even basic features like predictive text, smart sensors, or automated quality grading — you are now regulated under the EU Artificial Intelligence Act (Regulation [EU] 2024/1689).
This is not a law for Silicon Valley alone. The EU AI Act applies to every manufacturer, importer, and distributor placing AI-enabled products on the European market. And because the Act is integrated with the New Legislative Framework (NLF), AI compliance is now directly tied to your CE Mark. If your AI system does not meet the Act's requirements, your product cannot legally carry the CE Mark — and cannot be sold in the European Union.
Why the EU AI Act Matters to Hardware Manufacturers¶
Many product companies don't think of themselves as "AI companies." But the Act's definition of an "AI system" is intentionally broad. It covers any machine-based system that infers from input how to generate outputs such as predictions, content, recommendations, or decisions.
This means the Act captures a surprisingly wide range of products:
- Smart home appliances: A thermostat that learns your schedule and automatically adjusts temperature.
- Industrial machinery: A CNC machine that uses vision systems to detect defects and adjust cutting paths.
- Consumer electronics: A camera that identifies faces to optimize autofocus and exposure.
- Wearables: A smartwatch that detects irregular heart rhythms and alerts the user.
- Automotive components: An advanced driver-assistance system (ADAS) that warns of lane departure.
- Software products: A SaaS platform that uses machine learning to forecast inventory demand.
If your product incorporates any of these capabilities, you must classify your AI system by risk level and comply with the corresponding obligations.
The Four-Tier Risk Classification System¶
The EU AI Act creates a risk-based pyramid that determines your compliance burden:
Tier 1: Unacceptable Risk (Prohibited)¶
AI systems that pose a clear threat to fundamental rights are outright banned. This includes: - Social scoring systems used by public authorities. - Real-time remote biometric identification in publicly accessible spaces (with narrow law enforcement exceptions). - AI systems that exploit vulnerabilities of children or persons with disabilities. - Subliminal manipulation causing physical or psychological harm.
If your product falls here, it cannot be sold in the EU. Period.
Tier 2: High Risk (Heavy Regulation)¶
High-risk AI systems are the primary focus of the Act. Your product is classified as high-risk if it is: 1. A safety component of a product already covered by EU harmonization legislation (e.g., medical devices under MDR, machinery under the Machinery Regulation, toys under the Toy Safety Directive), OR 2. A standalone system listed in Annex III of the Act, covering areas such as biometric identification, critical infrastructure management, education, employment, law enforcement, migration, and access to essential services.
High-risk systems must undergo mandatory third-party conformity assessment by a Notified Body before receiving the CE Mark.
Tier 3: Limited Risk (Transparency Obligations)¶
Systems like chatbots and AI-generated content (including deepfakes) face lighter transparency requirements: - Users must be informed they are interacting with an AI system. - AI-generated content must be clearly labeled. - Emotion recognition systems must disclose their use to individuals.
Tier 4: Minimal Risk (No Specific Obligations)¶
The vast majority of AI systems — such as spam filters, AI-powered video games, and inventory management algorithms — face no additional regulatory obligations, though voluntary codes of conduct are encouraged.
The High-Risk Trap for Product Companies
Many manufacturers are surprised to learn that adding an AI-based quality control camera to a production line machine can push the entire product into the high-risk category. Because the camera is a "safety component" of the machine (which falls under the Machinery Regulation), the AI system inherits high-risk classification and requires Notified Body assessment. This is not theoretical — customs authorities will check your CE documentation.
Core Obligations for High-Risk AI Providers¶
If your product is classified as high-risk, you must implement a comprehensive compliance program before affixing the CE Mark:
1. Risk Management System¶
You must establish, implement, document, and maintain a continuous risk management process throughout the AI system's lifecycle. This includes identifying foreseeable risks to health, safety, and fundamental rights, and implementing proportionate mitigation measures.
2. Data Governance and Quality¶
Your training, validation, and testing datasets must meet strict standards for relevance, representativeness, accuracy, and completeness. Biased data leading to discriminatory outputs is explicitly prohibited. You must maintain detailed data provenance records.
3. Technical Documentation¶
You must compile a comprehensive technical file describing the system's design, development methodology, performance metrics, and risk mitigation measures. This documentation must be held for 10 years and provided to market surveillance authorities upon request.
4. Record-Keeping and Traceability¶
High-risk AI systems must automatically log events (including time, date, and context of each use) throughout their operational lifetime. These logs must enable traceability and post-market monitoring.
5. Transparency and User Information¶
You must provide clear instructions for use, describing the system's capabilities, limitations, expected accuracy, and known failure modes. Users must understand when and how the AI makes decisions affecting them.
6. Human Oversight¶
Your system must be designed with built-in human oversight mechanisms. A human operator must be able to understand, monitor, and override the AI's outputs when necessary.
7. Accuracy, Robustness, and Cybersecurity¶
Your system must achieve an appropriate level of accuracy, be resilient to errors and adversarial inputs, and be protected against cybersecurity threats (aligning closely with the Cyber Resilience Act (CRA)).
The CE Mark Integration¶
The EU AI Act is explicitly designed to integrate with existing CE marking processes. For high-risk AI systems:
- You must conduct a conformity assessment — either self-assessment based on internal controls (for most Annex III systems) or third-party assessment by a Notified Body (for safety components of regulated products).
- You must draw up an EU Declaration of Conformity explicitly citing the AI Act.
- You affix the CE Mark to the product, declaring compliance with all applicable EU legislation — including the AI Act.
How Sustalium Helps You Navigate AI Compliance¶
Managing AI compliance documentation across product lines, software versions, and regulatory frameworks is extraordinarily complex. Sustalium provides a structured AI Act compliance platform designed for product teams, not lawyers.
- Risk Classification Wizard: Not sure whether your AI feature is high-risk? Sustalium's guided questionnaire walks you through the Act's classification logic, referencing Annex III and your applicable product safety legislation.
- Technical Documentation Builder: The platform generates the mandatory technical file sections pre-structured for AI Act compliance, including data governance records, risk management logs, and performance metrics.
- Integrated CE Declaration: Because AI Act compliance is tied to CE Marking, Sustalium integrates your AI documentation into a single Declaration of Conformity alongside your existing CE Mark requirements, ensuring a unified compliance package.
- Ongoing Monitoring Alerts: When the EU updates harmonized standards for AI, Sustalium flags your affected documentation for review.
Future-Proof Your AI Products
Don't let missing AI documentation block your CE Mark and halt your EU sales.
With Sustalium, you can generate a legally compliant AI Act conformity dossier and integrated CE Declaration for just €10 per document.
Frequently Asked Questions¶
When does the EU AI Act come into full effect?
The Act entered into force in August 2024. The prohibition on unacceptable-risk AI systems takes effect first. Obligations for high-risk AI systems phase in over 24 to 36 months from entry into force, meaning full compliance will be mandatory between 2026 and 2027 depending on the product category.
My product uses AI only as a minor feature. Is it still regulated?
Yes. The Act applies to the AI component regardless of its proportion to the overall product. Even a single AI feature — like a voice recognition chip in a kitchen appliance — triggers classification and potentially compliance obligations.
Does the AI Act apply to free and open-source software?
Generally, open-source AI models released under free and open-source licenses are exempt unless they are classified as high-risk or are monetized through a commercial service. However, if you integrate an open-source model into a commercial product, your integrated product is fully subject to the Act.
How does the AI Act interact with the Cyber Resilience Act?
The two laws are complementary. The CRA mandates cybersecurity and SBOM requirements for products with digital elements. The AI Act adds AI-specific requirements for risk management, data governance, and transparency. Products containing AI must comply with both.
Related Articles¶
- Preparing for the EU Cyber Resilience Act (CRA): SBOM Requirements — Understand the cybersecurity obligations that sit alongside AI compliance.
- How to Create a CE Declaration of Conformity: A Step-by-Step Guide — Learn the core process for drafting EU product compliance documents.
- Demystifying Compliance: Regulations, Directives, Norms & Frameworks — Understand where the AI Act fits within the EU regulatory hierarchy.
Last updated: June 14, 2026