EU AI Act Compliance for Startups: 2026 Priority Checklist

# EU AI Act Compliance for Startups: 2026 Priority Checklist This page gives AI startups a sequenced, effort-calibrated checklist for EU AI Act compliance in 2026 and 2027, separating what is already in force from what comes next. --- ## What the EU AI Act Actually Says The EU AI Act (Regulation 2024/1689) entered into force on August 1 2024. Obligations phase in across three main dates: - **February 2 2025**: Article 5 prohibited AI practices are already in force. These include social scoring by public authorities, real-time remote biometric identification in public spaces (with narrow exceptions), and subliminal manipulation. If your system does any of these, you have been non-compliant since February 2025. - **August 2 2026**: GPAI model obligations (Articles 51-55 and Article 53 in particular) and transparency obligations for AI systems that interact with people or generate content (Article 50) become enforceable. - **December 2 2027**: High-risk AI system obligations under Annex III become enforceable for new systems. Existing high-risk systems already on the market before August 2 2026 have until August 2 2027. The Act also establishes the EU AI Office, which has enforcement authority over GPAI model providers. --- ## Who This Applies To The Act applies to **providers** and **deployers** of AI systems placed on the EU market or affecting people in the EU. **Provider**: You built the AI system or model and make it available, even if only embedded in your SaaS product. If you fine-tuned an open-source model, or if you call an LLM API and wrap it into a product with your own prompts and logic, regulators may treat you as a provider of a derived system. **Deployer**: You use an AI system built by someone else in your business operations or product. For a 20-200 person company, the most common scenarios are: 1. You call an LLM API (OpenAI, Anthropic, Mistral, etc.) and expose it to end users. You are a deployer of the GPAI model but may be a provider of the AI system built on top of it. 2. You have an AI feature that makes or recommends decisions affecting users, such as scoring, ranking, or categorising people. This may trigger Annex III if the domain matches (employment, education, credit, essential services, law enforcement, migration, justice). 3. You generate content, summaries, or synthetic media shown to users. Article 50 transparency obligations apply. Company size does not exempt you from the Act, but it does affect proportionality under the GPAI rules (Article 53(2) allows lighter obligations for providers of GPAI models below certain thresholds, though this applies to model providers, not system builders). --- ## What the Obligations Actually Require ### Article 50 (Transparency) -- due August 2 2026 If your AI system interacts with users in a way they might mistake for a human, or if it generates text, images, audio, or video, you must: - Disclose to users that they are interacting with an AI (chatbots, voice agents). - Label AI-generated content in a machine-readable format (synthetic images, video, audio). - For deepfakes or synthetic media of real people, provide explicit disclosure. **Effort estimate**: 4-12 hours. This is mostly UI copy and a small metadata or watermarking implementation. If you already show "AI-generated" labels, you may only need to add machine-readable markup. ### Article 53 (GPAI Obligations) -- due August 2 2026 If you are a **provider of a GPAI model** (you trained or fine-tuned a general-purpose model and make it available to others), you must: - Maintain technical documentation of the model. - Provide information and documentation to downstream providers. - Comply with EU copyright law and publish a summary of training data (Article 53(1)(d)). - For high-capability models above the 10^25 FLOPs threshold, additional requirements apply including adversarial testing. **Who this hits at startups**: Mostly not applicable unless you are literally training and releasing a foundation model. If you are calling an API from a GPAI provider, those obligations fall on the provider (OpenAI, Anthropic, Mistral, etc.), not on you. **Effort estimate if applicable**: 20-80 hours for documentation, legal review of training data provenance, and copyright compliance. ### Annex III (High-Risk AI Systems) -- due December 2 2027 Annex III lists specific domains where AI systems are considered high-risk. The list includes: - Biometric identification and categorisation. - Management and operation of critical infrastructure. - Education and vocational training (access to education, evaluating performance). - Employment and workers management (recruiting, promoting, task allocation, monitoring). - Access to essential private and public services (credit scoring, insurance, benefits). - Law enforcement, migration, asylum. - Administration of justice. If your AI system makes or significantly influences decisions in these domains affecting people in the EU, you are likely a high-risk system provider. **What high-risk requires**: Risk management system (Article 9), data governance practices (Article 10), technical documentation (Article 11), logging and audit trail (Article 12), transparency to deployers (Article 13), human oversight measures (Article 14), and accuracy and robustness standards (Article 15). Before market placement: conformity assessment and registration in the EU database. **Effort estimate**: 80-300 hours depending on how much documentation and process you already have. This is not a one-person weekend task. Build a roadmap now and start in Q3 2026. --- ## Key Deadlines Summary | Obligation | Article/Annex | Deadline | Who it hits | |---|---|---|---| | Prohibited practices | Article 5 | February 2 2025 (already in force) | Everyone | | AI interaction disclosure | Article 50 | August 2 2026 | Any AI touching users | | AI-generated content labelling | Article 50 | August 2 2026 | Any generative AI feature | | GPAI model documentation | Article 53 | August 2 2026 | Model providers only | | High-risk system obligations | Annex III | December 2 2027 | Systems in listed domains | --- ## What to Do Now: Five Specific Actions **1. Check Article 5 now (already in force)** Review whether any feature involves social scoring, mass biometric surveillance, or subliminal manipulation. If yes, legal review immediately. **2. Audit your generative AI touchpoints for Article 50 (due August 2 2026)** List every user-facing feature that uses an LLM, generates images, or produces synthetic audio or video. For each one, confirm you have a visible disclosure and, for synthetic media, a machine-readable label. Add it to your next sprint if missing. Estimated effort: 4-12 hours total. **3. Assess your GPAI exposure (due August 2 2026)** If you call LLM APIs, you are a deployer, not a GPAI provider. Confirm this with your legal contact. If you fine-tuned and released a model to third parties, that changes the analysis. **4. Map your product against Annex III (start now, due December 2 2027)** Go through the Annex III list and honestly assess whether any system makes or recommends decisions about people in the listed domains. If yes, begin scoping your risk management and technical documentation work. You have until December 2027, but 80-300 hours of work needs a plan. **5. Document your compliance decisions** The Act rewards documentation. Keep a record of what you assessed, what you concluded, and why. This is your first line of defence in any audit and costs almost nothing to start. --- ## Get a Clear Picture in 10 Minutes Use the free ActComply risk screener to see which obligations apply to your system: https://www.getactcomply.com/check You answer questions about your product and get a prioritised list of which articles apply, at what deadline, and what effort to expect. No email required to see your results.

Check your EU AI Act risk in 5 minutes

Free risk classifier. No signup required. August 2 deadline.

Run the free screener