A builder DM'd me last week with a screenshot of a Reddit thread. "Someone said the EU AI Act doesn't apply to indie developers. Is that true?" The post he linked had 400 upvotes. It was completely wrong.

The Act becomes fully applicable on August 2, 2026 — about ten weeks from now. Fines for non-compliance run up to €35 million or 7% of global turnover. There are SME-friendly provisions (reduced fees, sandbox access), but no exemption from the law itself. The Act classifies regulated entities by their role in the AI value chain — not by how big they are or whether they have a legal team.

If you build an AI agent and sell, license, or distribute it under your name to anyone operating in the EU, you are a provider. The Act treats you exactly the same as it treats Microsoft. The fines scale with revenue; the obligations don't.

This isn't legal advice. It's a "here's what's about to land" briefing for operators who don't have a Brussels lawyer on retainer.

What "Provider" Actually Means

The Act defines four roles: provider, deployer, importer, distributor. Most indie operators are providers and don't realize it.

Provider. Someone who develops an AI system and places it on the market under their own name or trademark. If your landing page says "WYS Inbox Agent — built by [your company]," congratulations, you're a provider. The largest set of obligations falls here.

Deployer. A business that uses an AI system in the course of their professional activity. Your customer is the deployer. Their obligations are smaller than yours, but they exist.

Importer / distributor. Mostly relevant for hardware and physical AI systems. If you're shipping software via a website, this probably doesn't apply.

The trap most operators fall into: assuming that because they use OpenAI or Anthropic as the underlying model, Anthropic is the provider and they're just a deployer. Wrong. Building an agent on top of a foundation model and selling it under your name makes you a provider of a new AI system. The foundation model provider has their own obligations; yours stack on top.

Which Risk Category Your Agent Lands In

The Act sorts AI systems into four risk categories. Almost every indie agent sits in one of the bottom two.

Unacceptable risk (banned). Social scoring, real-time biometric surveillance, manipulation of vulnerable groups. Don't build these. Banned since February 2025.

High risk. Agents used in education (admission scoring), employment (CV screening, performance evaluation), credit decisions, law enforcement, critical infrastructure, biometric identification. If your agent screens candidates or scores credit, you are high-risk and your compliance load is substantial.

Limited risk. Agents that interact with humans, generate or manipulate content (deepfakes, synthetic audio), or work as chatbots. The bulk of indie agents — customer support, content generation, lead enrichment — sit here. Obligations are mostly about transparency: disclose that the user is interacting with an AI.

Minimal risk. Agents that don't fall in the above buckets. Most internal automation falls here. Practically unregulated.

Read your agent against this list. If it's high-risk, the compliance work is real — you need a quality management system, technical documentation, post-market monitoring, and a conformity assessment. If it's limited-risk, the work is much lighter but non-zero.

What Compliance Actually Looks Like for Limited-Risk Agents

The good news: for the agent you're probably building, the practical work fits on one page.

Transparency disclosure. Users interacting with your agent must be told they're talking to an AI. A line in the chat header, a sentence in the email footer, an item on the landing page. Easy.

AI-generated content labeling. If your agent generates or substantially modifies content (text, images, audio, video) intended to be published, the output should be machine-readable as AI-generated. Most LLM providers now embed metadata for this — make sure you're not stripping it.

A short data sheet. A two-page markdown file in your repo and on your site: what the agent does, what data it processes, what model it uses, what the limitations are, who to contact. Call it a "model card" — borrow the format from Hugging Face. The Commission's compliance checker tool effectively asks for this.

A processing record. A list of personal data the agent touches, why, and for how long. This overlaps with GDPR Article 30 — if you already have an Article 30 record, you're 80% of the way there.

A human-oversight policy. A paragraph explaining how a human can override, audit, or intervene in the agent's actions. Doesn't have to be elaborate — "Customers can pause the agent in the dashboard at any time; outputs are logged for 90 days and available for review."

That's the practical floor. None of it requires a lawyer. All of it should exist by August 2.

What High-Risk Looks Like (And How to Avoid It)

If your agent touches any of the high-risk categories, the compliance load multiplies. Quality management system, technical documentation packet, conformity assessment, post-market monitoring, registration in the EU database. This is months of work, not days.

The cleaner play for most indie operators: deliberately design the agent to not be high-risk. Three concrete moves.

Don't make autonomous hiring decisions. A CV-screening agent that produces a shortlist is high-risk. A CV-screening agent that summarizes CVs for a human recruiter is limited-risk. Same workflow, different framing, different regulation. Frame the output as "decision support," not "decision."

Don't score credit or insurance. Agents that calculate creditworthiness or insurance eligibility are high-risk by name. Adjacent workflows (collecting documents, drafting correspondence, scheduling appointments) are limited-risk. Stay in the adjacent ones.

Don't classify or rank humans. Anything that produces a per-person score — performance, suitability, risk — is high-risk. If you need ranking-like functionality, restructure the workflow so the human assigns the ranking and the agent supports the analysis.

When in doubt, add the human layer. A high-risk system with a human-in-the-loop that has actual veto power is often re-classifiable as limited-risk. Build the veto in.

What to Do This Week

The deadline is August 2. If you're shipping agents in the EU, here's the realistic prep list for the next ten weeks.

Week 1. Read the Commission's compliance checker tool. Run your agent through it. Most of your obligations will appear on a single page.

Week 2. Add transparency disclosure everywhere your agent interacts with users. Header text, footer text, first-message disclosure, landing page note. Five minutes per surface.

Week 3. Write the model card. Two pages of markdown. Publish at /model-card or /ai-info on your site.

Week 4. Write the GDPR Article 30 record if you don't have one. Most agents process personal data; pretending otherwise is the most common compliance failure.

Weeks 5–8. If you're high-risk, retain a compliance consultant. If you're limited-risk, use the time to refine your output labeling and improve audit logging.

Weeks 9–10. Test your processes. Ask a friend to walk through your agent as a user and verify the disclosures show up. Verify your incident-response plan exists (it's required even if minimal). Verify you can produce an export of an agent's run history within 24 hours of a customer request.

Ongoing. Subscribe to the European AI Office's updates. The Act is unusual in that secondary legislation (delegated acts, technical standards) is still being published. What's compliant today gets refined as the Office issues guidance.

The Quiet Strategic Win

The EU AI Act will scare a lot of indie operators out of the market — and into hand-waving compliance theater that produces nothing. The operators who actually do the limited-risk floor properly get a sales weapon: enterprise buyers in regulated industries will only buy from compliant providers, and "we comply with the EU AI Act" becomes a line on your deck that closes mid-market deals.

The Act isn't designed to crush small builders. The SME-friendly fines, sandbox access, and compliance checker tool make that explicit. But the floor exists. Hit it now, document what you hit, and the next eighteen months of enterprise sales become measurably easier than your competitors' eighteen months.

August 2 is a real date. Treat it like one.