You shipped an AI app on Lovable, Bolt, v0, Replit Agent, or Cursor. The EU AI Act treats you as a provider of an AI system, not a deployer — and the August 2026 transparency obligations under Article 50 apply to your product whether or not you ever opened the Official Journal. Classify your app in 90 seconds against the four risk tiers and the duties each one triggers.
The promise of Lovable, Bolt, v0, and Replit Agent is real. You type a sentence, and forty minutes later there is a working AI product on a custom domain, taking payments, talking to GPT-5 or Claude 4.6 over an API, and gathering users in three timezones. The compliance footprint of that product, on the other hand, is exactly the same as the footprint of an AI app shipped by a 200-person Series B startup with general counsel on retainer. The EU AI Act does not care that your stack was generated.
What it cares about is who placed the AI system on the market under their own name, what the system does, and which of the four risk tiers it falls into. The answer to question one is almost always you. The answer to question two is whatever your product page says. The answer to question three is what most AI app builders have never sat down and worked out — which is exactly what this assessment is for.
The deadline that matters is not the much-discussed August 2025 GPAI date, which lands on the model vendors. It is August 2, 2026, when Article 50 transparency duties apply to providers of AI systems that interact with humans or generate synthetic content. That covers approximately every AI app ever shipped on Lovable, Bolt, or v0.
You built a customer-support, lead-qualification, or onboarding chatbot in an afternoon. Is it limited-risk (almost certainly yes) or high-risk (only if it makes essential-service decisions like credit, insurance, education access, or employment)? The assessment walks the Annex III categories one by one and tells you whether the use case lands inside or outside, plus the exact Article 50 disclosure language you owe end users on first interaction.
If your app generates synthetic images, audio, video, or text shown to end users — the headline feature of half the apps built on Bolt this year — the output must be marked in machine-readable form as artificially generated. The assessment maps your generator type to the right provenance approach: C2PA manifest, SynthID-style invisible watermark, visible UI label, or a combination. It also flags the deepfake subset under Article 50(4), which carries an additional visible-disclosure duty.
Vibe-coded apps cause real confusion here. You did not train a model, so it feels wrong to be called a provider. But the Act defines a provider as anyone who develops an AI system or has one developed and places it on the market under their own name. Generating the code via Lovable or Bolt counts. The assessment walks the provider-versus-deployer test in plain language, and shows the obligation delta between the two roles so you know what is actually on your plate.
Enterprise procurement teams, EU-based customers, and any serious investor in 2026 will ask for your EU AI Act classification before they sign. The assessment exports a one-page summary — risk tier, applicable articles, transparency obligations, GPAI dependency disclosures — that drops cleanly into a Trust Center page, a DPA addendum, or a security questionnaire response without you having to write any of it from scratch.
The dangerous case is a builder who thinks their app is limited-risk and ships it into a high-risk corridor without realizing — an AI tutor that gates course enrollment (Annex III point 3), a CV screener (point 4), a creditworthiness assistant (point 5). The assessment runs the Annex III checklist explicitly, in plain prompts, so the landmines surface before launch rather than after a regulator letter.
| Tier | What it covers | Typical AI builder app | Key article |
|---|---|---|---|
| Unacceptable | Social scoring, manipulative dark patterns, real-time public biometric ID | Rare. Most vibe-coded apps are nowhere near this. | Article 5 |
| High-risk | Annex III: biometric ID, critical infra, education, employment, essential services, law enforcement, migration, justice | CV screeners, lending assistants, AI tutors gating access, medical triage bots | Article 6 |
| Limited-risk | Systems that interact with humans, generate synthetic content, or do emotion / biometric categorization | Most chatbots, image generators, voice agents, AI writers built on Lovable / Bolt / v0 | Article 50 |
| Minimal-risk | Everything else | AI-enhanced spam filters, AI-powered video games, internal-only AI tools | — |
The honest reality for the median AI builder app: limited-risk under Article 50. That means your obligations boil down to three things: tell users they are talking to an AI, mark generated content as artificial in machine-readable form, and keep your house in order on the underlying GPAI dependency. Manageable in an afternoon, expensive to skip.
| Option | Price | Built for indie AI builders? | Output |
|---|---|---|---|
| TinyTools EU AI Act Risk Assessment | Free, no signup | Yes — defaults assume LLM-backed apps | One-page classification + Article-by-Article duties |
| EU AI Act compliance SaaS (Holistic, Credo, Fairly) | $8k–$45k / year | Built for regulated enterprises | Full GRC workflow, audit trail |
| Specialist law firm (DLA Piper, Bird & Bird tier) | $8k–$25k / engagement | No — minimum scope assumes enterprise | Written legal opinion |
| EU AI Office self-classification guidance PDF | Free | No — written for lawyers | 180 pages of guidance, no opinionated output |
For a Lovable / Bolt / v0 app earning under $500k ARR, the right tool is opinionated and free. Reach for a lawyer when (and only when) the assessment lands you in Article 6 high-risk territory.
The EU AI Act is not going to wait for the small AI app builders to catch up. The dates are set, the fines are calibrated, and the August 2026 transparency obligations cover the exact shape of product Lovable, Bolt, v0, Replit Agent, and Cursor ship by default. The 90 seconds it takes to run this assessment is the cheapest insurance you will ever buy on a product.