EU AI system definition guidelines: how this affects real products
The European regulator published guidelines on defining an AI system. What this means for companies that build or use AI-powered products.
One of the practically important questions under the EU AI Act is exactly where the line falls between an "AI system" and ordinary software. The regulator published updated guidelines on this, and I see that among companies building products or using AI tools, it is generating more questions than answers.
The core tension is this: if your product qualifies as an "AI system" under the EU AI Act definition, it is subject to transparency, documentation, risk management requirements, and depending on the area of application, possible pre-market certification. If it does not - you operate under standard software law.
What the regulator means by AI system
The guidelines clarify the key criteria: the system must operate on the basis of machine learning or approaches listed in Annex I, must make decisions or produce content with a certain degree of autonomy, and must have real-world effects - on people, processes, or decisions.
An important point: not every integration with an LLM API makes your product an AI system. If you use a language model as an interface for searching a knowledge base, and a human always makes the final decision - that is a different regime than a system that independently classifies applications or makes operational decisions automatically.
Three scenarios worth examining
Scenario one: you embed AI in a product for B2B clients. The question is not only whether your product is an AI system, but also how the client uses it. The same tool can be advisory for one client and fully automated for another. This affects who bears the compliance responsibility.
Scenario two: you use AI tools internally. If a tool influences decisions about employees, clients, or access to services - compliance questions arise regardless of whether you bought the tool or built it. An organisation that uses an AI system also carries obligations.
Scenario three: you are building an AI product for high-risk domains. Healthcare, lending, hiring, critical infrastructure - requirements are substantially stricter here, and qualification as an AI system brings specific pre-market certification obligations.
What to do practically right now
If you have a product or internal tool with AI components, it is worth running a simple check:
- What does the AI component do: help a human make a decision, or make the decision itself?
- Does that decision affect rights, access to services, or significant conditions for people?
- In which geographies does your product operate and who are your clients - are you within the EU AI Act perimeter or not?
- Who in the company understands how the AI component is technically built and can describe it to a regulator or client?
- Is there documentation on the models, training data, and decision logic?
Why this matters now, not "later"
The EU AI Act transition period is ending in stages, and requirements for high-risk systems are already taking effect. Companies that start working through this now have time to bring documentation and processes into order without urgency. Those who delay will be doing it under pressure, when mistakes cost more.
I notice that most founders I work with have nothing against compliance - they simply do not know which question to start with. The question "is our product an AI system?" is a reasonable starting point.