EU AI Act guide for VCs and investors: portfolio AI risk

What the EU AI Act says

The EU AI Act (Regulation 2024/1689) is the world's first comprehensive legal framework governing artificial intelligence. It came into force on August 1 2024, with obligations rolling in across a phased timeline through 2027. For investors in EU-based AI startups, the regulation is not a distant compliance concern. It is a material risk factor that belongs in every due diligence checklist today.

The Act creates a tiered risk system. At the top are prohibited AI practices, which have been illegal since February 2 2025. These include social scoring by public authorities, real-time biometric surveillance in public spaces (with narrow exceptions), and AI systems that exploit psychological vulnerabilities to manipulate behaviour. Any portfolio company operating in these spaces is already in breach.

Below that are high-risk AI systems, defined primarily by Annex III of the Act. These include AI used in hiring and employment decisions, credit scoring and insurance underwriting, essential private and public services, education and vocational training, and components of critical infrastructure. High-risk systems face the heaviest compliance obligations, including conformity assessments, technical documentation, human oversight mechanisms, and registration in the EU database. The deadline for high-risk compliance is December 2 2027.

General Purpose AI (GPAI) models, including large language models and foundation models, face their own obligations. Providers of GPAI models must publish summaries of training data, comply with EU copyright law, and, for the most capable models, conduct adversarial testing and report serious incidents. GPAI fines and Article 50 transparency obligations for AI-generated content both take effect on August 2 2026.

Who this applies to

The Act applies to any AI system or GPAI model that is placed on the EU market or affects EU users, regardless of where the developer is based. A London or New York-headquartered startup with EU customers is in scope.

The Act distinguishes between two primary roles. Providers are organisations that develop an AI system or GPAI model and place it on the market, including as a component in another product. Deployers are organisations that use an AI system in their own operations or services. The compliance obligations differ significantly between these two roles, but both carry legal exposure.

For a VC portfolio, this matters because the liability profile of a company changes depending on whether it is building AI (provider) or integrating third-party AI into its product or workflow (deployer). Many startups are both simultaneously: they build a product on top of a foundation model (making them a deployer of the GPAI model) while also offering that product to their own enterprise customers (making them a provider of an AI-enabled application).

What the obligation requires concretely

For providers of high-risk AI systems, the core obligations are: conduct a conformity assessment before market launch, maintain technical documentation, implement a quality management system, register the system in the EU AI Act database, and place a CE mark on the product. Post-market monitoring and incident reporting are ongoing obligations.

For deployers of high-risk AI systems, the key obligations are: implement human oversight, use the system only for its intended purpose, inform employees when AI is used in decisions that affect them, and conduct fundamental rights impact assessments in certain contexts.

For GPAI model providers, from August 2 2026: publish a summary of training data, maintain technical documentation, establish a policy to comply with EU copyright law, and label AI-generated content in a machine-readable way. Systemic-risk GPAI models (those trained above a compute threshold) face additional requirements including red-teaming and incident reporting.

Key deadlines

  • February 2 2025 (already in force): Article 5 prohibited practices. Any system using manipulation, social scoring, or real-time biometric surveillance in public spaces is illegal now.
  • August 2 2026: GPAI obligations begin. Article 50 transparency requirements for AI-generated content also apply from this date. Fines for GPAI violations: up to EUR 15 million or 3% of global annual turnover.
  • December 2 2027: Full high-risk AI obligations apply to Annex III systems. Fines for high-risk non-compliance: up to EUR 30 million or 6% of global annual turnover. Fines for prohibited practices: up to EUR 35 million or 7% of global annual turnover.

How investors should assess AI Act exposure during due diligence

The starting point is product classification. For each portfolio company or target investment, ask: does the product fall under Annex III? Is it a GPAI model or an application built on top of one? Is the company acting as a provider, a deployer, or both?

Then assess readiness against the relevant deadline. A company building a GPAI model with no data provenance documentation is facing an August 2026 cliff. A company selling AI-assisted hiring tools with no conformity assessment underway is facing a December 2027 compliance programme that will consume significant engineering and legal resource.

Key questions to ask founders in due diligence include:

  • Has your legal team mapped your product to the EU AI Act risk tiers?
  • If you use a third-party foundation model, do you have a copy of the provider's technical documentation?
  • Do you have a conformity assessment plan for any Annex III applications?
  • Do you have a process for labelling AI-generated content ahead of August 2026?
  • Who owns AI compliance internally, and what is the budget allocated?
  • Have you registered or do you have plans to register in the EU AI Act database?

On the cap table side, check whether existing investors have flagged AI Act compliance as a condition in shareholder agreements or representations and warranties. In EU M&A and late-stage rounds, AI Act compliance is increasingly appearing as a closing condition. A company with unresolved high-risk AI obligations may face valuation haircuts or deal delays.

Portfolio-wide AI governance framework

For VCs managing a portfolio of five or more AI-enabled companies, point-in-time due diligence is not enough. The regulation is evolving, with delegated acts and implementing regulations being added through the European Commission's AI Office. A portfolio-wide AI governance review should cover three things.

First, a classification audit. Map every portfolio company's products against the Act's risk tiers. Identify which companies are providers versus deployers. Flag any that may be operating near prohibited practice territory.

Second, a timeline risk assessment. Cross-reference each company's compliance roadmap against the key deadlines. Companies that have not started conformity assessment work by mid-2026 for Annex III systems will face a sprint with high cost and execution risk.

Third, a governance baseline. Encourage portfolio companies to appoint a named AI compliance owner, establish a technical documentation practice, and subscribe to guidance from the EU AI Office. These are low-cost steps that significantly reduce regulatory risk ahead of enforcement.

Why the December 2027 deadline affects long-term valuations

The December 2027 deadline for high-risk AI is three years away from the Act's entry into force, but it will arrive quickly for companies with complex AI products. Conformity assessments for Annex III systems require technical documentation that must be built into the development lifecycle, not retrofitted. Companies that wait until 2026 to start will face two to three years of compliance cost compressed into twelve months, alongside the risk of enforcement action or market withdrawal obligations.

For investors with a four to seven year hold horizon, a portfolio company that cannot demonstrate EU AI Act compliance by late 2027 faces restricted market access, potential fines, and reputational damage at exactly the point in the investment cycle when exit readiness matters most. Compliance is not just an operational concern. It is a valuation driver.

What to do now

Investors should take three immediate steps. First, add AI Act risk classification to the standard due diligence questionnaire for any EU-market AI investment. Second, request a written AI Act compliance plan from portfolio companies with products that may fall under Annex III or involve GPAI models. Third, track the August 2 2026 deadline specifically: any portfolio company developing or integrating a GPAI model needs a compliance plan in place well before that date.

The regulation is enforced by national market surveillance authorities, with oversight from the EU AI Office for GPAI models. Enforcement is expected to ramp as the major deadlines pass. The companies that will be penalised first are those in high-risk categories that made no compliance effort, and those operating prohibited systems that are already illegal.

For a practical starting point, use the free ActComply risk screener to check your portfolio companies' obligations: https://www.getactcomply.com/check. It takes under five minutes and gives a clear read on which tier each product falls into and what actions are required.

Further reading: EU AI Act fines and penalties, Annex III high-risk AI systems, EU AI Act deadlines 2026 and 2027.

Check your EU AI Act risk in 5 minutes

Free risk classifier. No signup required. August 2 deadline.

Run the free screener