
Does the EU AI Act Apply to Vibe-Coded Apps?

You shipped it in a weekend with Cursor or Claude Code — does the EU AI Act still apply? Short answer: yes, if your app puts AI in front of EU users. Here is how to tell which tier you are in, what you owe, and how to check in minutes.

Legalithm Team · 6 min read

You described what you wanted, an AI agent wrote most of it, and you shipped in a weekend. Now there are real users — some in the EU — and a nagging question: does the EU AI Act apply to something I vibe-coded?

Short answer: the Act does not care how you wrote the code. Hand-written, no-code, or vibe-coded with Cursor or Claude Code — it makes no difference. What matters is what your app's AI feature does, who you are in the supply chain, and whether EU users are involved. So yes: a vibe-coded app can be fully in scope. Here is how to figure out exactly where you stand.

The myth: "an AI wrote my code, so the AI Act applies"

This trips people up in both directions. Using an AI to write your code is not what triggers the EU AI Act. The Act regulates AI systems you put into use — the chatbot, the recommender, the content generator, the screening tool your app contains and ships — not your choice of IDE. So the real question is not "did I use AI to build it" but "does my app put an AI system in front of people, and are any of them in the EU?"

Three questions that decide whether you are in scope

  1. Does your app use AI as a feature? A chatbot, generated text/images/audio, a classifier, a recommendation or risk-scoring model, emotion or biometric features — any of these is an "AI system" under the Act.
  2. Do EU users touch it — or its output? The Act reaches you if you put the system on the EU market or if its output is used in the EU, even when your company sits outside the EU (Article 2). Shipping a global web app almost always means yes.
  3. What is your role — provider or deployer? Built or substantially modified the AI system (including fine-tuning or wrapping a model into a product)? You are likely a provider, with the heavier obligations. Just using someone else's AI system in your own product/operations? You are a deployer, with lighter but real duties.

If you answered yes to 1 and 2, the Act applies — the only question left is which tier, and what that costs you.

Not sure on your role or the "output used in the EU" test? Run the free, no-account EU AI Act applicability checker — it walks Article 2 in about a minute.

Which risk tier is your vibe-coded app in?

The Act sorts AI systems into four tiers. Most indie and startup apps land in one of the middle two:

  • Unacceptable (banned). Social scoring, manipulative or exploitative systems, most real-time biometric ID in public. If your fun side-project does this, stop — these are prohibited outright (in force since Feb 2025).
  • High-risk (Annex III). AI used in employment/hiring, credit and lending, education, essential services, critical infrastructure, law enforcement, and similar. A vibe-coded résumé-screener or loan-eligibility tool is high-risk — the heaviest obligations apply.
  • Limited / transparency (Article 50). Chatbots, AI-generated content, deepfakes, emotion recognition. Most consumer AI apps live here. The duty is disclosure: tell users they are interacting with AI, and label AI-generated/manipulated content.
  • Minimal. Spam filters, AI in games, most everyday features — no specific obligations beyond general good practice.

A quick gut-check with examples:

  • A support chatbot on your SaaS → transparency (Art. 50): disclose it is AI.
  • An AI image/video generator → transparency: label the output as AI-generated.
  • An AI that screens job applicants or scores creditworthiness → high-risk: the full programme (risk management, data governance, human oversight, technical documentation).

To get your actual tier with the cited Article, run the free AI Act assessment — risk level, obligations, and references in a couple of minutes, no account.

The deadlines (after the Digital Omnibus)

Timing shifted in 2026 — use the current dates, not last year's:

  • Prohibited practices (Article 5): in force since 2 February 2025.
  • General-purpose AI model obligations: since 2 August 2025.
  • Transparency / Article 50: apply from 2 August 2026 — the tier most consumer apps care about.
  • High-risk (standalone Annex III): 2 December 2027, after the Digital Omnibus postponement (embedded-product systems → 2 August 2028).

So if your vibe-coded app is a chatbot or generates content, the transparency clock is the near one. If it is high-risk, you have until late 2027 — but the work (documentation, data governance, human oversight) is the kind you want to build in early, not retrofit.

What you actually owe, by tier

  • Transparency tier: a clear AI disclosure to users + labeling of AI-generated content. Small, but real — and easy to miss when you ship fast. (Legalithm can generate the Article 50 disclosure for you.)
  • High-risk tier: a risk-management process, data governance, logging, human oversight, and an Annex IV technical-documentation file. This is a programme, not a checkbox — start the record now.
  • Provider vs deployer: providers carry most of the above; deployers mainly ensure they use the system as intended, keep humans in the loop, and inform affected people. The EU AI Act guide breaks the duties down Article by Article.

Check it where you build it

You do not need a lawyer to find out where you stand. Legalithm runs the EU AI Act check in your coding loop — a free CLI, an offline MCP server for Cursor and Claude Code, and a GitHub Action — classifying your feature with the cited Article and writing a dated compliance/legalithm.json record into your repo:

npx legalithm setup   # wire it into Cursor, Claude Code, and CI
npx legalithm init     # classify + write the cited, dated record

See the developer docs to start in your editor, and the companion post Is the code your AI wrote safe and compliant to ship? for the full pre-ship checklist.

Honest limits

Legalithm detects patterns and cites the Article it matched; when it is not confident, it flags the result for human review instead of guessing. It is a cited starting point that tells you when to bring in a qualified person — not legal advice, and not a certification. For high-risk systems especially, get a human in the loop.

Bottom line: vibe coding does not exempt you from anything. The EU AI Act follows the feature, not the keyboard — and the fastest way to know where a weekend build stands is to check it in the same loop you built it in.
