
The EU AI Act in plain terms: what actually applies to your AI

Got the 'we'll audit and certify your AI' email? A practical map of what the EU AI Act really requires, split between the products you build and the website you market them on.

Miguel Vicente Jr · Head of Operations


If you run anything with "AI" in it, you have probably had the email by now. A consultant, an "affiliate teacher", or a certification body offering to audit your AI and certify it against the EU AI Act. The pitch leans on urgency and on the size of the fines. Most of it is half true, and the half that is true is rarely the part they are selling.

This is a practical map. It separates what the AI Act actually requires from the noise, and it splits the question into the two places it really lands: the products you build, and the website you market them on. We wrote it after auditing our own site and getting the same emails you are getting.

First, the myth: there is no "AI Act certificate"

The single most common thing sold is a certificate. For most AI, that certificate does not exist.

The AI Act regulates AI systems, sorted by risk. Only high-risk systems go through a conformity assessment and carry a CE marking. For most high-risk categories that assessment is internal: you do it yourself, document it, and sign a declaration of conformity. A third party, a "notified body" designated by a member state, is only required for a narrow set such as certain biometric systems. There are very few notified bodies, and a generic consultancy is not one.

So when someone offers to "certify your company or your AI as AI Act compliant", ask one question: are you a notified body, and which category requires you? For almost everything, the honest answer is that what they sell is a private assurance report, not a recognised certification. That can still be useful. It is just not what the word "certificate" implies.

The four tiers, and where your work probably sits

Every AI system falls into one of four buckets:

| Tier | What it means | Examples |
|---|---|---|
| Prohibited | Banned outright. In force since Feb 2025. | Social scoring, manipulative techniques, emotion recognition at work or school, untargeted face scraping. |
| High-risk | Heavy obligations. Apply from Aug 2026. | Recruitment and hiring AI, worker-management decisions, creditworthiness, biometrics, safety components. |
| Limited (transparency) | Tell people. From Aug 2026. | Chatbots and voice agents (disclose it is AI), AI-generated or manipulated content (label it). |
| Minimal | No specific AI Act duties. | Most internal tooling, analytics, document processing, code assistance. |

The useful takeaway: most AI work is minimal or limited risk. The obligations cluster in a few categories. If you build hiring or worker-allocation AI, you are in the heavy tier. If you build a chatbot, you owe a disclosure line. If you build a reconciliation tool or a code reviewer, the AI Act mostly leaves you alone. Your other duties, like GDPR, do not.

Provider vs deployer: who carries the obligation

This trips up agencies and dev shops constantly. The AI Act assigns duties by role. The provider builds or substantially modifies the system. The deployer puts it to use.

If you build a high-risk system for a client, you are usually the provider, and the documentation and conformity duties are yours, not theirs. That needs to be written into the contract: who is provider, who is deployer, who maintains the technical file, who registers the system. Inheriting a client's high-risk obligations by accident is a real way to get hurt.

For a marketing website: almost nothing from the AI Act, but ePrivacy bites

Here is the part the audit emails skip. A marketing website triggers very little of the AI Act. If your site has no chatbot, the "disclose it is AI" rule is not even engaged. AI-generated copy and images on a blog are low risk.

What does apply to a website is GDPR and the ePrivacy rules, and that is where almost everyone is actually non-compliant. The classic failure: the cookie banner is decorative. Analytics and advertising tags (Google Analytics, Google Ads, LinkedIn, your CRM) load on the first page view, before the visitor chooses anything, and keep running after they click "Reject". Under ePrivacy, non-essential cookies need prior consent, and "Reject" has to actually reject.

We checked our own site and found exactly this. The fix is not legal, it is technical: set Google Consent Mode to denied by default, and do not load the tags at all until the visitor opts in. After the fix, a fresh visit sets zero non-essential cookies until consent, and declining clears them. That is the bar, and it is a few hours of engineering, not a certification.
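The fix described above, as an added example that is not the article's own code: Consent Mode defaulted to denied, the tag script injected only after opt-in, and "Reject" clearing any non-essential cookies already present. The names createConsentGate, simulateVisit, loadTag and cookieJar are hypothetical, the cookie prefixes are a constructed sample, and the DOM is replaced by injected objects so it runs under Node.

```javascript
// Consent-gated tag loading, modelled so it runs under Node with no DOM.
// Hypothetical names: createConsentGate, simulateVisit, loadTag, cookieJar.
// gtag('consent', 'default'|'update', {...}) is the Consent Mode call shape,
// recorded here into an injected dataLayer array instead of a real one.
// Constructed sample: cookie-name prefixes set by common analytics/ads tags.
const NON_ESSENTIAL_PREFIXES = ['_ga', '_gid', '_gcl', 'li_', 'hubspotutk'];
const ALL_DENIED = { ad_storage: 'denied', analytics_storage: 'denied',
  ad_user_data: 'denied', ad_personalization: 'denied' };
const ALL_GRANTED = Object.fromEntries(
  Object.keys(ALL_DENIED).map((k) => [k, 'granted']));
const isNonEssential = (name) =>
  NON_ESSENTIAL_PREFIXES.some((p) => name.startsWith(p));
// dataLayer: array receiving gtag() calls; cookieJar: { name: value };
// loadTag(url): injects the tag script, and is only ever called after opt-in.
function createConsentGate({ dataLayer, cookieJar, loadTag }) {
  const gtag = (...args) => dataLayer.push(args);
  let tagLoaded = false;
  // Before any choice: everything denied and no tag script requested.
  gtag('consent', 'default', { ...ALL_DENIED });
  return {
    accept() {
      gtag('consent', 'update', { ...ALL_GRANTED });
      if (!tagLoaded) { // the first opt-in is what actually loads the script
        loadTag('https://www.googletagmanager.com/gtag/js?id=G-PLACEHOLDER');
        tagLoaded = true;
      }
    },
    reject() {
      gtag('consent', 'update', { ...ALL_DENIED });
      // "Reject" must actually reject: clear leftovers from before the fix
      // (in a browser: document.cookie = `${name}=; Max-Age=0; path=/`).
      for (const name of Object.keys(cookieJar)) {
        if (isNonEssential(name)) delete cookieJar[name];
      }
    },
    nonEssentialCookies: () => Object.keys(cookieJar).filter(isNonEssential),
  };
}

// One simulated visit: what a cookie check sees after the visitor's choice.
function simulateVisit(choice, existingCookies = {}) {
  const dataLayer = [], loadedScripts = [], cookieJar = { ...existingCookies };
  const gate = createConsentGate({
    dataLayer, cookieJar, loadTag: (url) => loadedScripts.push(url) });
  if (choice === 'accept') gate.accept();
  else if (choice === 'reject') gate.reject();
  return { defaultState: dataLayer[0][2].analytics_storage, // 'denied'
    scriptsLoaded: loadedScripts.length,
    leftoverNonEssential: gate.nonEssentialCookies() };
}
```

The three states a checker should verify are the fresh visit (denied, nothing loaded, no non-essential cookies), reject (nothing loaded, leftovers cleared) and accept (script loaded once).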

The other website item worth a pass is accessibility (the European Accessibility Act, in force since June 2025). A WCAG 2.1 AA check is cheap insurance. On a dark theme the usual culprit is muted grey text that fails the 4.5:1 contrast ratio.
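The 4.5:1 check itself, as an added example rather than anything from the article: the WCAG 2.1 relative-luminance and contrast-ratio formulas applied to a text/background pair, with the function names and the sample grey-on-dark colours constructed for illustration.

```javascript
// WCAG 2.1 contrast check for a text/background colour pair. The formulas are
// the WCAG relative-luminance and contrast-ratio definitions; the function
// names and the sample colours in the comments are constructed for this example.

// sRGB channel (0-255) -> linear value, per the WCAG relative luminance definition.
function linearChannel(c) {
  const s = c / 255;
  return s <= 0.03928 ? s / 12.92 : ((s + 0.055) / 1.055) ** 2.4;
}

// '#rrggbb' -> relative luminance L in [0, 1].
function relativeLuminance(hex) {
  const m = /^#?([0-9a-f]{6})$/i.exec(hex);
  if (!m) throw new Error(`expected #rrggbb, got ${hex}`);
  const [r, g, b] = [0, 2, 4].map((i) => parseInt(m[1].slice(i, i + 2), 16));
  return 0.2126 * linearChannel(r) + 0.7152 * linearChannel(g)
    + 0.0722 * linearChannel(b);
}

// Contrast ratio (L_lighter + 0.05) / (L_darker + 0.05), ranging from 1 to 21.
function contrastRatio(fg, bg) {
  const l1 = relativeLuminance(fg), l2 = relativeLuminance(bg);
  return (Math.max(l1, l2) + 0.05) / (Math.min(l1, l2) + 0.05);
}

// AA needs 4.5:1 for normal text and 3:1 for large text (18pt, or 14pt bold).
// Example: muted grey #6b6b6b on a dark #1a1a1a background is about 3.3:1,
// so it fails AA for body text even though it looks fine to a sighted reviewer.
function passesAA(fg, bg, largeText = false) {
  return contrastRatio(fg, bg) >= (largeText ? 3 : 4.5);
}
```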

For the products you ship: this is where it has teeth

This is where the AI Act matters, and where outside help can be worth paying for, if it is the right help.

For a high-risk system (hiring AI is the common one), the obligations are real but mostly self-serve documentation: a risk-management process, data governance and bias testing, a technical file, automatic logging, human oversight by design, accuracy and security, then an internal conformity assessment, a declaration, and registration in the EU database. Notice the theme: most of it is engineering discipline you should be doing anyway, written down. Human-in-the-loop and full audit trails, which a good build already has, are not box-ticking. They are half the requirement.

For limited-risk systems, the cost is a sentence. A voice agent says "you are speaking with an AI assistant". Generated content is marked as generated. Do it now; it is mandatory from August 2026.

And if you build on Claude, GPT or any foundation model, you are a downstream deployer of general-purpose AI, not the GPAI provider. The model provider carries the GPAI obligations. Your job is to use the documentation they give you, not to recreate it.

The timeline, so you can right-size the urgency

  • Feb 2025: prohibited practices apply.
  • Aug 2025: general-purpose AI rules apply.
  • Aug 2026: high-risk and transparency obligations apply.
  • Aug 2027: rules for AI embedded in regulated products.

So this is timely, not overdue. If your roadmap includes hiring AI or anything in the high-risk list, August 2026 is the date to plan against. For everything else, you have transparency lines to add and good documentation habits to keep.

What to actually do

  1. Keep a one-page register of each AI system: its risk tier, your role (provider or deployer), the lawful basis for any personal data, and a short model and data card.
  2. Add transparency to anything that talks to a person, and label AI-generated output.
  3. Treat hiring and worker-decision AI as high-risk today: bias testing, a DPIA, documentation, and clear contracts.
  4. Fix the website's ePrivacy first. It is the most likely thing a regulator or a competitor flags, and it is an engineering fix.
  5. Buy help for the high-risk products, not a generic certificate. A privacy lawyer or a DPO who knows the AI Act, scoped to your high-risk systems, beats a one-size "AI audit".

The AI Act is not a reason to panic, and it is not a product you buy your way out of. It rewards the same things good engineering already rewards: knowing what your system does, keeping a person in the loop where it matters, writing it down, and being honest about it.
