EU AI Act guide for founders: obligations and deadlines

EU AI Act guide for founders: obligations and deadlines

The EU AI Act is now in force, and if your startup ships AI features to European users, you are already subject to parts of it. For founders, the Act is not just a compliance task to delegate. It creates company-level liability, shapes your fundraising narrative, and directly affects how enterprise customers in regulated industries evaluate your product. Getting ahead of it is a competitive advantage as much as a legal requirement.

What the EU AI Act requires

The Act uses a tiered risk model. Annex III lists the high-risk AI use cases: recruitment, credit scoring, education, biometric identification, access to essential services, and others. If your product operates in these areas, you face the heaviest obligations under Articles 9 through 17, covering risk management, data governance, technical documentation, transparency, and human oversight. The deadline for Annex III compliance is December 2, 2027. If your startup builds or fine-tunes a general purpose AI model (GPAI), Article 53 obligations apply from August 2, 2026. Fines for GPAI non-compliance are severe: up to EUR 15 million or 3% of global annual revenue. Article 50, which requires labelling of AI-generated content, also takes effect August 2, 2026. Even low-risk AI systems must comply with basic transparency requirements under Article 50 if they generate text, images, or audio.

What this means for your business

For seed and Series A founders, the most immediate risk is enterprise deals falling through due to missing compliance documentation. Procurement teams at larger EU companies are already requesting AI Act conformity evidence as part of vendor due diligence. Not having it can stall or kill a contract. For founders approaching Series B and beyond, investors are beginning to factor regulatory risk into valuations, particularly for AI-native companies. A startup with clear Annex III classification, documented risk management processes, and an audit trail is a materially lower-risk investment than one that has not started. The Act also creates an opportunity: startups that achieve compliance early can use it as a trust signal with risk-averse customers in healthcare, finance, and HR tech, exactly the verticals willing to pay premium prices.

Steps to get compliant

1. Classify your AI systems today. Use the risk tiers in the Act (prohibited, high-risk under Annex III, GPAI, limited-risk, minimal-risk) and map every AI feature your product ships. This single step tells you what you actually need to do.
2. Assign a compliance owner. This does not need to be a full-time hire at early stage. It can be your CTO, a part-time legal advisor, or a compliance tool. What matters is that someone owns it and has a deadline.
3. Prioritise the August 2, 2026 deadlines. GPAI obligations and Article 50 labelling requirements are the nearest hard dates. If either applies to your product, act now.
4. Build compliance into your sales process. Add AI Act documentation (conformity self-assessment, Annex III classification rationale) to your security and compliance pack so procurement teams have what they need.

Free EU AI Act risk assessment

Not sure where your AI system stands? The free ActComply risk screener classifies your system in under 5 minutes. No sign-up required.

Check your EU AI Act risk in 5 minutes

Free risk classifier. No signup required. August 2 deadline.

Run the free screener