EU AI Act Compliance Blog
Practical guidance for AI startups navigating EU AI Act compliance.
EU AI Act for SaaS Startups: Your First 90 Days
A practical, no-fluff plan to get a SaaS startup from 'we have no idea where we stand' to a defensible EU AI Act position in 90 days — without hiring a consultancy. Three phases: map, fix, prove.
What Is the EU AI Act? A Plain-English Guide for Founders
The EU AI Act is the world's first comprehensive AI law. It sorts AI into four risk tiers and regulates each differently. Here's the whole thing explained without the legalese — what it covers, who it applies to, and the dates that matter.
EU AI Act vs ISO 42001: Do You Need Both?
ISO/IEC 42001 is the new AI management system standard everyone's certifying for. But it doesn't make you EU AI Act compliant. Here's how the binding law and the voluntary standard fit together — and where 42001 actually helps.
What Actually Counts as a 'High-Risk' AI System Under the EU AI Act?
High-risk isn't about how advanced your model is — it's about what decision it touches. Here's the full Annex III list, the Article 6 classification logic, and the one exemption that can take you back out of high-risk.
EU AI Act Fines Explained: How Much Can You Actually Be Penalised?
The headline number is €35M or 7% of global turnover — but that's only for the worst category. Here's the full three-tier penalty structure under Article 99, who decides the amount, and the SME discount most founders miss.
What Does 'Human Oversight' Actually Require? (Article 14)
Article 14 says high-risk AI must be built so a human can effectively oversee it — but 'a human in the loop' isn't enough on its own. Here's what real oversight means, the automation-bias trap, and the four-eyes rule for biometrics.
EU AI Act vs GDPR: What's the Difference and Where Do They Overlap?
The GDPR protects personal data. The EU AI Act regulates AI systems and their risks. They overlap constantly — and complying with one does not get you compliance with the other. Here's how they fit together for a real product.
How to Label AI-Generated Content and Deepfakes (Article 50)
Article 50 requires two different things: tell people when content is a deepfake, and embed machine-readable marking so detectors can spot AI output. Here's what counts, the C2PA standard, the art exception, and the two deadlines.
The AI Literacy Obligation Nobody's Talking About (Article 4)
Article 4 applies to every company that builds or uses AI — not just high-risk ones — and it's been in force since February 2025. Here's what 'sufficient AI literacy' actually requires and how to satisfy it without overthinking it.
The EU Database: Registering Your High-Risk AI System (Article 49)
Before a high-risk AI system goes on the market, it usually has to be registered in a public EU database. Here's what Article 49 requires, what becomes public, who registers, and why it's the step founders forget until launch day.
What's Banned Under the EU AI Act? Article 5 Prohibited Practices Explained
Eight AI practices are outright illegal in the EU as of February 2025 — no compliance path, no documentation, just banned. Here's the full Article 5 list and where the edges are blurrier than they look.
Does the EU AI Act Apply to US and Non-EU Companies?
Yes — and the trigger isn't where you're based, it's whether your AI's output reaches people in the EU. Here's exactly when Article 2 pulls a US, UK, or other non-EU company into scope, and what it means for your product.
Who Needs a Fundamental Rights Impact Assessment (FRIA)? Article 27
The FRIA is a deployer obligation most providers have never heard of. It applies to public bodies and certain high-risk deployers — and you can build it on top of your existing DPIA. Here's who needs one and what goes in it.
Do You Need CE Marking and a Conformity Assessment for Your AI?
If your AI system is high-risk, yes — you must run a conformity assessment, draw up an EU declaration of conformity, and affix the CE marking before you can sell it. Here's which assessment route applies to software AI, and why most can self-assess.
How to Report a Serious AI Incident Under the EU AI Act (Article 73)
If your high-risk AI system causes serious harm, you have as little as two days to report it. Here's what counts as a 'serious incident', the exact deadlines, who you report to, and how this differs from post-market monitoring.
EU AI Act Timeline: Every Deadline From 2025 to 2027
The EU AI Act doesn't switch on all at once — it phases in across four key dates from February 2025 to August 2027. Here's exactly what applies when, so you know which deadline is actually yours.
If You Build on the OpenAI or Anthropic API, Are You Regulated by the EU AI Act?
Using GPT or Claude through an API doesn't make you a GPAI model provider — but it can still make you a provider or deployer of a high-risk AI system. Here's where the obligations actually land when you build on someone else's model.
Open-Source AI and the EU AI Act: What's Exempt and What Isn't
The EU AI Act gives open-source AI a real exemption — but it's full of holes. Bans, high-risk uses, and transparency rules still apply. Here's exactly where the open-source carve-out helps and where it does nothing for you.
What Does EU AI Act Compliance Actually Cost?
The scary five- and six-figure estimates floating around assume you're high-risk. Most companies aren't. Here's an honest breakdown of what compliance costs by risk tier — and why classification is the single biggest cost lever.
Is Your Software Even 'AI' Under the EU AI Act? (Article 3 Definition)
Before you worry about risk tiers, check whether your product even meets the EU AI Act's definition of an 'AI system'. Plenty of 'AI-powered' software doesn't — and some that doesn't market itself as AI does. Here's the Article 3 test.
The EU AI Act's Authorised Representative Requirement: What Non-EU Startups Are Missing
Article 22 requires every non-EU high-risk AI provider to designate an EU-established authorised representative before market placement. Here's what that actually means in practice.
Article 50 Is Three Months Away. Is Your Chatbot Ready?
Article 50's chatbot transparency obligation applies to ALL AI systems with conversational interfaces — not just high-risk ones. August 2026 is the deadline. Here's what your product needs to change.
When Does Retraining Your Model Trigger a New EU AI Act Conformity Assessment?
Article 3(23) defines 'substantial modification' — and crossing that line means restarting your conformity assessment under Article 43. Here's where the line is in practice.
Article 25 and the Liability Handoff: When Your API Customer Becomes the AI Provider
Article 25 of the EU AI Act describes when a deployer becomes a provider — inheriting full compliance obligations. If you sell API access to AI capabilities, this affects your customers and your contracts.
Is Your HR AI Actually High-Risk? The Annex III Category 4 Test, Decoded
Annex III category 4 covers AI in employment and recruitment — but the trigger is 'appreciable impact on career prospects,' not 'makes the final hiring decision.' Here's how to apply the test.
Article 9(8) and the Bias Testing Obligation GDPR Never Asked For
Article 9(8) of the EU AI Act requires systematic bias testing — not just fairness consideration. And the May 2026 Omnibus added a GDPR exemption that makes this testing easier to do legally.
EU AI Act August 2026 Deadline: What You Actually Need to Do
A practical compliance checklist for founders of high-risk AI startups. What must be ready before 2 August 2026 — and what can wait.
When Your General-Purpose AI Becomes a High-Risk AI System (And Who's Responsible)
Article 6(2) of the EU AI Act makes a deployer's intended use case the trigger for high-risk classification of GPAI systems. Here's where liability sits and what model providers must do.
EU AI Act Regulatory Sandboxes: How Article 57 Works and How to Get In
Articles 57-63 give sandbox participants real protections — regulatory guidance, a GDPR lawful basis for testing data, and limited liability. Here's what's operational and how to apply.
Article 11(3) and the SME Documentation Form: What Small AI Providers Can Actually Simplify
Article 11(3) gives SMEs the right to use simplified technical documentation — but the Commission hasn't published that form yet. Here's what you should do in the meantime, and what the simplified form is likely to contain.
What Is Annex IV Technical Documentation Under the EU AI Act?
A plain-English breakdown of all 9 categories of technical documentation required by Article 11 and Annex IV of the EU AI Act — what each section contains and what reviewers look for.
Article 72 vs Article 12: The EU AI Act's Two Logging Obligations Aren't the Same Thing
Article 72 (post-market monitoring) and Article 12 (automatic logging) are distinct obligations that most compliance guides conflate. Confusing them leaves you exposed. Here's how they actually work.