The Commission's new Annex III guidance just made buying AI riskier than building it. If you procure HR or credit-scoring tools in the EU, you are now legally on the hook for what they do.
Welcome to issue one. The Commission just dropped a 47-page guidance document that most companies haven't read. We did. Below: what actually changes, what doesn't, and the Munich startup that tried to register a chatbot as a notary.
Let’s go.
yours, Flux

Flux Weekly is a 6-minute briefing for people who have to actually make AI work in Europe. Sole traders to enterprise, one issue every Friday morning.

- New: Manager course module 4 shipped. 12 minutes. Covers Article 26 obligations for deployers, which is what most of you actually are. Take the lesson.
- Updated: The compliance scan now flags 14 new risk patterns introduced by the May guidance. Re-run yours if you scanned before 15 May.
- ICYMI: Workshop in Rotterdam last week. 38 attendees, mostly mid-market HR and procurement. Two hours, three case studies, lots of coffee. Recap on the blog.
The Commission just told you how to figure out if your AI is high-risk. It's not what most vendors are telling you.

The clarification. The document clarifies three things that were genuinely ambiguous. How to classify AI used in employment screening. Whether internal HR tools count as "placing on the market." What "substantial modification" means when you fine-tune a third-party model.
The headline change. If you're using a general-purpose AI to do something that would be high-risk if you built it yourself (CV screening, credit scoring, access decisions), you are now the deployer of a high-risk system. The vendor's tier doesn't shield you.
Does your AI inform a decision that affects a person's job, credit, education, or essential service?

- ✓ Commission guidance on Annex III lands.
- ✓ Italian DPA fines a chatbot vendor €2,400,000 for biometric inference.
- ✓ Mistral ships an EU-hosted enterprise tier.
- ~ US executive order on AI procurement signed (intent).
- ~ UK AISI publishes voluntary evaluation framework.
- ~ OpenAI confirms it's still negotiating EU data residency.


- 1. guardrails-ai/guardrails (Validation)
The validation framework everyone keeps reinventing. Stops your LLM from saying things it shouldn't, in a way that's actually testable.
Why we like it. Documented, EU-friendly, used in production by teams we trust.
- 2. microsoft/presidio (Privacy)
Anonymization toolkit for PII. Critical if you're feeding customer data into anything.
Why we like it. Battle-tested, supports 28 languages including the EU big ones.
- 3. EleutherAI/lm-evaluation-harness (Evaluation)
Benchmark your model the way the AI Office benchmarks theirs.
Why we like it. Becoming the de facto standard for high-risk system evaluations.

The vendor who wouldn't sign the addendum
By [Founder Name]
A mid-sized Dutch retailer asked us last week to review their AI procurement stack. Twelve vendors. Eleven signed the deployer-obligations addendum without pushing back. The twelfth, a US-headquartered HR tool, wouldn't touch it. "We don't operate under EU AI Act jurisdiction," their counsel wrote.
The retailer has 4,200 EU employees. The tool screens internal promotions. The retailer absolutely operates under EU AI Act jurisdiction, and so does the vendor by extension the moment a CV passes through their API.
We told the retailer two things. One, you have leverage right now that you won't have in August. Two, "we don't operate under" is not a legal position, it's a press release.
They're switching vendors. The replacement is European. Ask the addendum question before you sign, not after.
[Founder Name] · Founder, Agentic Fluxus

Short answer. Yes. They cover different things. The DPIA (GDPR Article 35) protects the data subject. The FRIA (AI Act Article 27) protects the human affected by the AI's output. Same workflow, different lens. If the AI is high-risk and processes personal data, you owe both.

A Munich legal-tech tried to register a chatbot as a notary. Signed statement of authenticity. Signed by the chatbot.
An EU regulator's chatbot replied in Italian to a Greek complainant who wrote in English. Twice.
Procurement officer asked vendor for proof of EU compliance. Vendor sent a screenshot of their own marketing site.

