Do I need to comply with the EU AI Act?
Do I need to comply with the EU AI Act?
If your startup builds, deploys, or distributes an AI-powered product to users in the European Union, the EU AI Act almost certainly applies to you. The regulation took effect on August 1, 2024, and its obligations are rolling out in phases through 2027. Whether you are a SaaS company in Berlin, a fintech in Amsterdam, or a healthtech in Paris, the Act covers AI systems placed on the EU market or put into service within the EU, regardless of where your company is headquartered.
What the EU AI Act requires
The Act creates a tiered compliance framework based on the risk level of your AI system. Unacceptable-risk systems (Article 5) are prohibited entirely as of February 2, 2025. General Purpose AI models (GPAI) face obligations under Articles 51 to 56, with deadlines from August 2, 2026. High-risk AI systems listed in Annex III, such as those used in hiring, credit scoring, medical devices, and critical infrastructure, must meet obligations under Articles 9 through 17 covering risk management, data governance, technical documentation, transparency, and human oversight. The Annex III compliance deadline is December 2, 2027, extended via the Digital Omnibus Act in May 2026. AI systems that interact with users or generate synthetic content must meet transparency requirements under Article 50 by August 2, 2026.
What this means for your business
For most product teams, the first task is classification. A B2B SaaS tool that uses an LLM to draft emails for users is likely a limited-risk system subject only to Article 50 transparency labelling. A recruitment platform that scores CVs automatically is likely a high-risk system under Annex III, Point 4, triggering the full Article 9 to 17 obligations. Getting the classification wrong in either direction is costly: under-compliance risks fines; over-compliance wastes engineering resources. Startups that import or use third-party AI models also carry provider obligations under Article 25, meaning you cannot simply assume your model vendor handles compliance on your behalf.
Steps to get compliant
1. Classify your AI system: map every AI feature in your product against Annex III categories and the risk tiers defined in Article 6. This is the single most important step. 2. Identify your role: are you a provider (you built the model or system), a deployer (you use a model in your product), or an importer? Each role carries different obligations under Articles 16, 25, and 26. 3. Build a compliance roadmap by deadline: prioritise Article 50 transparency requirements by August 2, 2026, then work toward Annex III technical documentation and risk management obligations before December 2, 2027. 4. Document everything: the Act requires technical documentation (Article 11) and logs of system operation (Article 12) for high-risk systems. Start building these records now, not at the deadline.
Free EU AI Act risk assessment
Not sure where your AI system stands? The free ActComply risk screener classifies your system in under 5 minutes. No sign-up required.