European AI Act: A Builder's Guide

Compliance as a product strategy?!

Author

Jeremy Lezac
June 02, 2025

This is your moment to turn compliance into product clarity, transform regulatory friction into strategic alignment, and show your customers, and your future self, that you’re building with intention, not improvisation.

This week’s reads walk the line between systems thinking, AI policy, pricing strategy, and product reality. Let’s dive in.

Table of Contents

Best Reads of the Week

  • Context is all you need - While I despite the idea of always-on AI wearable, the shift from models to data to context is genuinely interesting. The article strikes a refreshing balance between potential and end-user risk on context as the ultimate leverage in AI-powered products.

  • The Consumer Landscape Is Changing - I’m usually out of sync with consumer trends, so catching up on new tendencies, even if some are predictable when you work in AI, is still insightful.

  • Are more layoffs coming? - The last part gives you a practical lens to assess if (or when) layoffs might come back to bite you.

  • To Do Your Best Work, Use the 85% Rule - A consistent 85% effort beats sprinting at 100% and burning out. Always.

  • Pricing: How much would you sell it? - Tight and packed with actionable advice. If your pricing is just cost + a random 30% margin, this is a must-read.

  • Hubris is a bitch - What do you do when your beliefs are so deeply ingrained that you stop thinking critically?

European AI Act: A Builder's Guide

If you are not aware, the European AI Act entered into force on 1 August 2024 and will be fully applicable by 2 August 2026.
And while EU lawmakers are said to considering a pause of the rollout of the AI act, you can still distill this regulation into a system of best practices which should not slow you down but accelerate enterprise sales and build product-market trust.

A Risk-Based Framework

The Act classifies AI systems into four risk levels:

  • Unacceptable Risk - predictive policing, social scoring, or systems that manipulate behavior at scale are banned.

  • High-risk - anything touching credit, employment, health, education: heavily regulated.

  • Limited-risk - chatbots, deepfakes, emotion detection: allowed, but with transparency and traceability requirements.

  • Minimal-risk - spam filters, AI in games: mostly untouched, for now.

As you can see, it’s not about whatever your AI “works”, it’s about impact:

  • What type of harm could this system create?

  • Who is affected, directly and indirectly?

  • How explainable is the AI system?

The text may read as legalese but the questions aren’t. It’s product strategy. It’s ethical design. It’s what every AI team should already be doing.

Not European? You are still concerned.

The AI Act doesn’t care if you are a 10-person startup or a multinational. It doesn’t even care if you are not in the EU as it applies to any provider selling in Europe.

To stress it again properly:

  • You don’t need an EU office to fall under the law.

  • If your system is used or sold in Europe (directly or via API), you fall under the law.

  • If you are the model builder, the wrapper, the infrastructure provide… yeah, you fall under the law.

Even if you don’t care about its application, hoping EU lawmakers put a pause on the rollout for several years, your customers, partners and even investors are going to care long before regulators show up at your doors.

As for the GDPR, getting in front of the regulation is not only about avoiding fines, it could unlock bigger contracts, faster procurement and create actual trust in your AI systems.

Compliance as a product strategy: A structured approach

Let’s break down a practical, high-level approach to stay compliant, especially if your system could fall into the “high-risk” zone.

Risk Mapping:

Start by tagging features across your product:

  • Identify which components use AI (e.g. scoring models, recommendation engines).

  • Map each one to the risk tiers above.

  • Maintain a simple risk register so you can review regulatory impact at a glance.

  • Spot any prohibited use cases early and plan how to remove or adapt them.

Data Governance:

Good data governance isn’t a one-time task but you have to start somewhere:

  • Document your data sources and how they were collected.

  • Track data transformations and ensure version control.

  • For high-risk systems: ensure training data is relevant, annotated, and representative.

  • Build data provenance reports and tie them to datasets.

Transparency & Explainability:

Even low-risk systems must offer transparency:

  • Ensure your model can explain its outputs, via interpretable models or post-hoc tools (e.g. SHAP, LIME, PFI).

  • Don’t stop at technical documentation. Build user-facing summaries of how decisions are made.

  • If users can’t understand why an AI made a decision, you haven’t closed the loop.

Human Oversight 

AI systems must remain controllable:

  • Build override mechanisms and intervention triggers into your product.

  • Enable human-in-the-loop workflows for sensitive actions.

  • Internally: log decisions and flag anomalies.

  • Externally: give end-users a clear way to challenge or reverse decisions.

Lifecycle Monitoring 

If there is one single think that separate AI systems to classical software systems is AI systems don’t stop evolving and drifting:

  • Monitor for performance degradation, edge cases, and unintended consequences.

  • Log model decisions, track drift metrics, and benchmark against production data.

  • Schedule regular performance and fairness audits to stay ahead of issues.

Documentation

TTreat documentation as a first-class product stream:

  • Track assumptions, risk assessments, training data sources, evaluation methods.

  • Update documentation across releases. Not as an afterthought, but as part of the dev cycle.

You’ll thank yourself when systems scale or face scrutiny.

From Compliance to Craft

At a high level, what is requested by the EU AI Act isn’t radically new, it codifies what good product and technical teams should already be doing.

Yes, the legal language is so hard to figure out.
Yes, the obligations are strict.

But step back and you will see the fundamentals are familiar:

  • Solid engineering: versioning, logging, monitoring, testing

  • Structured process: Risk frameworks, data governance, lifecycle planning

  • Techno-social systems awareness: How your system affects users, trust, and decisions

Treat compliance as a “cross-functional design challenge”, not an external constraint mixed with a legal checklist. Future-proof your product and position your team or your company as one that not only build fast but with wisdom.

The market is waking up to the risks and power of AI, use it as a competitive advantage.

Outro section

Let others wait (or complaint) for regulation. You build trust now.

The AI Act isn’t just a legal hurdle, it’s a mirror for how seriously you take your craft. Risk mapping, data governance, explainability, monitoring: Product maturity signals, not just “bureaucratic chroes”.

If you're building AI systems that touch real people and real decisions, treat this not as red tape, but as your blueprint for clarity, credibility, and long-term leverage.

Don’t just be compliant. Be credible. Be ready.

More to explore:

Share your thoughts:
How did you like today’s newsletter?
You can share your thoughts at [email protected] or share the newsletter using this link.

Reply

or to participate.