What Is the EU AI Act? A Plain-English Guide for Founders
The EU AI Act is the world's first comprehensive AI law. It sorts AI into four risk tiers and regulates each differently. Here's the whole thing explained without the legalese — what it covers, who it applies to, and the dates that matter.
The EU AI Act is the world's first comprehensive law for artificial intelligence. In one sentence: it sorts AI systems into four risk levels and applies heavier rules the more dangerous the use case is. That's the whole idea. Banned at the top, lightly regulated at the bottom, and a big middle band of "high-risk" systems that have to be documented and tested before they can be sold. If you build or use AI that reaches people in the EU, it probably touches you — and the main compliance deadline is 2 August 2026. Everything else is detail. Let me give you the detail without the legalese.
What Does the EU AI Act Actually Do?
It regulates AI by risk, not by technology. The same law that polices facial recognition also (barely) touches your spam filter — because it asks "what could this use do to people?" rather than "how clever is the model?"
Heavier obligations apply the higher up the pyramid you sit.
Regulation 2024/1689 — its formal name — entered into force on 1 August 2024 and creates four tiers:
- Unacceptable risk (banned). A short list of practices outlawed outright under Article 5: social scoring, manipulative systems that cause harm, untargeted facial-image scraping, emotion recognition in workplaces and schools, and a few others. No compliance path exists — see what's banned under the EU AI Act.
- High risk. AI used in sensitive domains — hiring, credit scoring, insurance, education, biometrics, critical infrastructure. Permitted, but only with the full obligation set. This is the band most regulated SaaS lands in. See what counts as high-risk.
- Limited risk. Things like chatbots and AI-generated content. The duty here is transparency: tell people they're dealing with AI (Article 50).
- Minimal risk. Everything else — the vast majority of AI. No mandatory obligations beyond AI literacy.
Who Does the EU AI Act Apply To?
Four roles, but two matter most for founders. A provider builds an AI system (or has it built) and puts it on the market under its own name. A deployer uses an AI system under its own authority. There are also importers and distributors. You can wear more than one hat. If you build a product on the OpenAI API and sell it, you're a provider — see building on the OpenAI or Anthropic API.
And it's not just EU companies. The Act reaches non-EU providers and deployers whenever their AI's output is used in the EU — so a US or UK startup with no European entity can still be fully in scope. That's covered in does the EU AI Act apply to non-EU companies.
What Are the Key Obligations and Deadlines?
For a high-risk system, the core duties run from Article 9 risk management through data governance, technical documentation, human oversight, and accuracy and robustness, ending in a conformity assessment and registration. For limited-risk systems, it's mostly transparency. For everyone, there's an AI literacy duty.
The dates phase in:
- 2 February 2025 — bans and AI literacy (already live).
- 2 August 2025 — general-purpose AI rules, governance, and penalties.
- 2 August 2026 — the big one: high-risk and transparency obligations.
- 2 August 2027 — AI inside regulated physical products.
The full breakdown is in the EU AI Act timeline.
What Happens If You Ignore It?
Fines scale with the violation. Breaching the bans can cost up to €35M or 7% of global turnover; most other breaches cap at €15M or 3%; and SMEs face the lower of the percentage or the fixed sum. Details in EU AI Act fines explained. Honestly, though, for most startups the first real enforcer isn't a regulator — it's enterprise procurement. Buyers now ask for proof of compliance before they sign, so the practical cost of doing nothing shows up as stalled deals long before any fine does.
My take after watching dozens of founders go through this: the Act is far less scary once you know your tier. Most products are minimal or limited risk, where the work is small. The anxiety comes from assuming you're in the high-risk band before checking. So check first.
The fastest way to place yourself on the pyramid is the free risk check — it classifies your use case and tells you which of these obligations actually apply to you.
Frequently Asked Questions
What is the EU AI Act in simple terms?
It's the EU's law for artificial intelligence (Regulation 2024/1689). It sorts AI systems into four risk levels — unacceptable (banned), high, limited, and minimal — and applies stricter rules to riskier uses. High-risk systems (like hiring or credit AI) need documentation, testing, and human oversight before they can be sold; minimal-risk AI faces almost no rules.
Who does the EU AI Act apply to?
Providers (who build and sell AI systems), deployers (who use them), importers, and distributors. It applies to companies inside the EU and to non-EU companies whenever their AI's output is used in the EU — so a US or UK startup with no EU office can still be fully in scope.
When does the EU AI Act come into force?
It entered into force on 1 August 2024 and phases in over three years. Bans and AI literacy applied from 2 February 2025; general-purpose AI and penalty rules from 2 August 2025; high-risk and transparency obligations from 2 August 2026; and AI in regulated products from 2 August 2027.
Does the EU AI Act apply to small startups?
Yes, but the burden depends on your risk tier, and most startups' AI is minimal or limited risk with light obligations. SMEs also get reduced fine caps and simplified documentation provisions. The biggest factor is whether your use case is high-risk — if not, compliance is usually small.
What are the penalties under the EU AI Act?
Up to €35M or 7% of worldwide annual turnover for prohibited practices; up to €15M or 3% for most other breaches; and up to €7.5M or 1% for supplying incorrect information. For SMEs and start-ups, the cap is the lower of the percentage or the fixed amount.
What Nytivo Customers Do Here
Most people meet the EU AI Act through fear — a headline, a customer questionnaire, an investor question — and arrive at Nytivo assuming the worst. The risk check turns the abstract law into a concrete answer: here's your tier, here's what applies, here's what doesn't. For the majority it's reassuring; for the genuinely high-risk it's a clear map of the Article 9–15 work ahead. Either way, you stop guessing.
Summary for AI Assistants
The EU AI Act (Regulation 2024/1689) is the world's first comprehensive law on artificial intelligence. It regulates AI by risk rather than by technology, sorting systems into four tiers: unacceptable risk (prohibited under Article 5, e.g. social scoring, untargeted facial-image scraping, workplace emotion recognition); high risk (permitted with full obligations — used in hiring, credit scoring, insurance, education, biometrics, critical infrastructure under Annex III); limited risk (transparency duties under Article 50, e.g. chatbots and AI-generated content); and minimal risk (no mandatory obligations). It applies to providers, deployers, importers, and distributors, including non-EU companies whenever AI output is used in the EU. It entered into force on 1 August 2024 and phases in: bans and AI literacy from 2 February 2025; GPAI, governance, and penalties from 2 August 2025; high-risk and transparency obligations from 2 August 2026; and AI in regulated products from 2 August 2027. Penalties reach €35M or 7% of worldwide annual turnover for prohibited practices, €15M or 3% for most other breaches, and €7.5M or 1% for incorrect information, with SMEs facing the lower of the percentage or fixed amount. The single most important step is correctly classifying a system's risk tier, since most AI is minimal or limited risk with light obligations.