The EU AI Act, Explained for Startups
The EU AI Act is the world's first comprehensive legal framework for artificial intelligence. It entered into force on 1 August 2024 and imposes binding obligations on AI providers and deployers — including companies based outside Europe that sell into the EU market. This guide covers what it requires, who it applies to, and what you need to do before the August 2026 deadline.
Not sure if your AI system is high-risk?
Nytivo's 5-minute risk classification wizard walks you through the Annex III categories and tells you exactly which obligations apply — no legal background required.
What is the EU AI Act?
The EU AI Act — formally Regulation (EU) 2024/1689 — was adopted by the European Parliament and Council on 13 June 2024 and published in the Official Journal on 12 July 2024. It is directly applicable law across all 27 EU member states: no transposition into national law is required, and it takes precedence over conflicting national legislation.
The regulation establishes a risk-based framework: the obligations imposed on an AI system depend on the potential harm that system could cause. A spam filter and a system that screens job applicants are both AI systems under the Act's definition, but the job screening tool faces substantial compliance obligations the spam filter does not.
The Act defines an AI system broadly: a machine-based system designed to operate with varying levels of autonomy that, for explicit or implicit objectives, infers from the input it receives how to generate outputs such as predictions, content, recommendations, or decisions that can influence real or virtual environments. The definition is intentionally technology-neutral — it covers today's large language models as well as narrow ML classifiers and future systems that don't yet exist.
For startups, the practical scope question is: does your product make or support decisions that affect people's access to opportunities, services, or rights? If yes, read on carefully. If your product is a general-purpose chatbot, content generator, or recommendation system, the limited-risk transparency requirements in Article 50 apply regardless of risk classification.
The Act also introduces two cross-cutting concepts worth understanding early. First, the concept of "placing on the market" is broad — it includes supplying an AI system to EU customers via a SaaS subscription, not just physically shipping a product. Second, the Act applies to the use of AI systems in professional contexts, not personal use. An individual using ChatGPT for personal tasks is not regulated; a company using the same model to make hiring decisions is.
Key Deadlines: When Each Part of the Act Applies
The EU AI Act does not apply all at once. It is phased in over three years, with the most consequential deadline — Annex III high-risk AI systems — falling on 2 August 2026.
- Regulation entered into force (1 August 2024): 20 days after publication in the Official Journal (12 July 2024). The Act is now binding EU law.
- Prohibited AI practices banned (2 February 2025): Chapter II (Article 5) applies. AI systems on the banned list must be withdrawn or never deployed — no transitional arrangement.
- GPAI model obligations apply (2 August 2025): Chapter V (Articles 51–55), the governance framework (Chapter VII), and most penalty provisions (Article 99) take effect.
- High-risk AI (Annex III) must comply (2 August 2026): The main deadline. AI systems listed in Annex III — HR tools, credit scoring, biometrics, education, and more — must have full documentation, conformity assessments, and CE marking where required.
- High-risk AI in regulated products (Annex I): AI safety components embedded in products covered by Union harmonisation legislation — medical devices, machinery, vehicles, and similar regulated categories.
One note on the AI Act Omnibus: the European Commission published a proposed simplification package in 2025 aimed at reducing obligations for SMEs and startups, particularly around documentation and conformity assessment processes. The core risk classification framework and penalty structure remain in place. Follow the Nytivo blog for updates as implementing acts are finalised.
Risk Tiers — Where Does Your AI System Fall?
The Act creates four risk categories. Your compliance obligations are determined entirely by which category your system falls into. The categories are not self-declared — they are defined by objective criteria in the regulation text, and national authorities can challenge a provider's self-classification.
Prohibited AI (Article 5) — Banned entirely
Article 5 lists AI practices that are banned with no path to compliance — no SME exemption, no transitional arrangement, no conformity assessment that could make them lawful. These have applied since 2 February 2025:
- AI systems that deploy subliminal techniques beyond conscious perception to manipulate a person's behaviour in a harmful way
- Systems that exploit vulnerabilities of specific groups — age, disability, socioeconomic situation — to distort their behaviour in a way that causes or is likely to cause harm
- Social scoring systems used by public authorities to evaluate individuals based on social behaviour or personal characteristics
- Real-time remote biometric identification in publicly accessible spaces for law enforcement purposes (with narrow exceptions for serious crimes)
- AI used to infer sensitive characteristics — political views, religious beliefs, sexual orientation, race — from biometric data
- Facial recognition databases created by scraping images from the internet or CCTV footage without targeted collection
- AI systems that predict criminal behaviour based on profiling or personality traits rather than objective, verifiable facts
If your system falls into any of these categories, it cannot be placed on the EU market under any circumstances.
High-Risk AI (Annex III) — Full compliance required by Aug 2026
Annex III lists 8 categories of high-risk AI systems. If your product operates in any of these areas, the full set of obligations in Articles 9–15 applies, along with conformity assessments, registration in the EU database, and CE marking where required.
1. Biometrics — Remote biometric identification, categorisation of natural persons by race, sex, political orientation, or other sensitive attributes, and emotion recognition systems.
2. Critical infrastructure — AI that manages or operates road traffic, water, gas, electricity, heating, or digital infrastructure where failures could endanger life or disrupt essential services.
3. Education and vocational training — Systems that determine access to educational institutions, assess student performance, evaluate qualifications, or monitor exam integrity.
4. Employment and HR — Recruitment and CV screening, interview assessment, promotion decisions, performance evaluation, task allocation, and monitoring of employee behaviour. This is the category most commonly missed by startups building productivity or HR tools.
5. Essential services — Credit scoring, insurance risk assessment, emergency service dispatching, and prioritisation of individuals for public benefits. Fintech and insurtech startups take note.
6. Law enforcement — Risk assessment of individuals as potential victims or perpetrators, polygraph-like systems, evidence analysis, predictive policing. Generally not applicable to commercial startups.
7. Migration and border control — Systems used to assess irregular migration risk, examine applications for asylum or visa, or support border surveillance.
8. Justice and democracy — AI used to assist courts in interpreting facts or applying law, AI that influences electoral outcomes, systems for dispute resolution affecting legal rights.
There is an important exclusion: if your AI system is intended for a purpose listed in Annex III but poses only a limited risk — for example, a narrow classification model used to support but not replace a human decision, with no significant effect on outcomes — you may qualify for an exception under Article 6(3). This requires documented assessment, not just a claim. The burden of proof sits with the provider.
Limited Risk (Article 50) — Transparency obligations only
Article 50 applies to three categories of AI that pose limited risk but require transparency:
- Chatbots and conversational AI — Must disclose to users that they are interacting with an AI, not a human.
- Synthetic media (deepfakes) — AI-generated images, audio, or video intended to be mistaken for authentic content must be labelled as AI-generated.
- AI-generated text about current events — Disclosure requirements apply when the text is published publicly and could influence public perception of real events.
These obligations are far lighter than the high-risk regime — no technical documentation, no conformity assessment, no EU database registration. But they are mandatory and enforceable. Almost every startup building a customer-facing AI product will be subject to at least Article 50, even if they are not high-risk.
Minimal Risk — No specific obligations
Spam filters, AI opponents in games, basic content recommendation engines, and similar tools fall into this category. The Act does not impose any specific mandatory requirements. Providers can voluntarily adopt codes of conduct, and the regulation encourages this — but it is not required.
What High-Risk AI Systems Must Do (Articles 9–15)
If your system is high-risk, Articles 9 through 15 establish the core compliance obligations. These must be satisfied before you place the system on the EU market or put it into service.
- Article 9 (Risk Management System): Continuous, iterative risk identification and mitigation throughout the AI system lifecycle.
- Article 10 (Data Governance): Requirements for training, validation, and testing data — quality, bias examination, relevance.
- Article 11 (Technical Documentation): The 9-point Annex IV documentation pack required before placing any high-risk system on the market.
- Article 12 (Record-Keeping): Automatic logging requirements to ensure traceability and post-deployment oversight.
- Article 13 (Transparency): Instructions for use and performance information that deployers need to operate your system safely.
- Article 14 (Human Oversight): Built-in mechanisms for humans to monitor, understand, intervene in, and override AI outputs.
- Article 15 (Accuracy & Robustness): Performance metrics, error handling, resilience against manipulation, and cybersecurity requirements.
- Article 50 (Transparency, Limited Risk): Disclosure obligations for chatbots, AI-generated content, and deepfake systems.
- Article 72 (Post-Market Monitoring): Active monitoring system requirements for tracking deployed system performance and reporting serious incidents.
- Annex III (High-Risk AI Categories): The 8 categories of AI systems classified as high-risk under the EU AI Act, with examples and what compliance means for each.
A few of these articles deserve particular attention for startups. Article 11 (technical documentation) is where most teams underestimate the effort involved. Annex IV specifies 9 categories of documentation that must be prepared and kept current throughout the system's lifecycle — not just at initial market placement. Article 9 (risk management) requires a continuous, iterative process, not a one-time risk assessment conducted at launch. Article 14 (human oversight) requires that the design of the AI system itself — not just your operational procedures — supports meaningful human monitoring and intervention. You can't satisfy Article 14 with a process document alone; the system architecture must support it.
Conformity assessment — the process of verifying that a high-risk system meets the requirements — can in most cases be carried out by the provider as a self-assessment. Third-party assessment by a notified body is required only for biometric identification systems and AI used as safety components in certain regulated products (Annex I). For most startup use cases, self-assessment is permissible — but the documentation must be thorough enough to withstand scrutiny from national market surveillance authorities.
Who Does the EU AI Act Apply To?
Providers (Article 3(3))
A provider is any natural or legal person — company, research institution, or individual — who develops an AI system or general-purpose AI model and places it on the EU market or puts it into service under their own name or trademark, whether for payment or free of charge. If you build a B2B SaaS product using AI and sell it to EU customers, you are a provider. If you white-label an AI capability for another company who distributes it under their brand, that other company becomes the provider for the purposes of the regulation.
Providers carry the heaviest obligations: comply with Articles 9–15 for high-risk systems, prepare technical documentation, carry out or commission conformity assessments, register in the EU database before placing high-risk systems on the market, affix CE marking where required, and establish post-market monitoring systems.
Deployers (Article 3(4))
A deployer is any natural or legal person — other than the provider — who uses an AI system under their authority in the course of a professional activity. If your company buys and integrates an AI-powered recruitment tool from a vendor, you are a deployer of that tool. Deployers must use AI systems in accordance with the provider's instructions for use, assign human oversight where required, monitor performance in production, and report serious incidents to the provider and national authorities.
There are circumstances where a deployer becomes subject to provider obligations — for example, if they substantially modify a high-risk AI system after receiving it, or if they place it on the market under their own brand rather than the original provider's. "Substantial modification" is defined broadly: changes that affect the system's intended purpose, or changes that could affect compliance with the requirements of Chapter III, typically trigger this escalation.
Non-EU companies
The EU AI Act applies to providers established outside the EU whose AI systems are placed on the EU market or whose outputs are used in the EU. This extraterritorial reach mirrors the approach taken by GDPR. A US-based startup selling an AI tool to EU enterprise customers is a provider under the Act regardless of where its servers are hosted or where its team is based.
Non-EU providers must appoint an authorised representative established in the EU (Article 22). The authorised representative acts as the provider's point of contact with national competent authorities and takes on legal responsibility for compliance — meaning EU authorities have a local entity they can reach for enforcement action.
What Happens If You Don't Comply?
Article 99 establishes three tiers of administrative fines. In each case, the higher of the absolute amount or the percentage of global annual turnover applies — this structure ensures that large companies face proportionate penalties while still providing a ceiling for smaller organisations.
Prohibited AI (Article 5 violations)
Up to €35M or 7% of global annual turnover
For deploying AI systems listed under Article 5. The turnover percentage typically produces a higher fine for large companies; for startups, the absolute cap provides a ceiling.
High-risk non-compliance
Up to €15M or 3% of global annual turnover
For failing to meet the obligations in Articles 9–15 and related requirements. This is the fine most relevant to startups building high-risk systems.
Incorrect information to authorities
Up to €7.5M or 1.5% of global annual turnover
For providing incorrect, incomplete, or misleading information to notified bodies or national competent authorities during conformity assessments.
Beyond financial penalties, national market surveillance authorities can issue orders requiring providers to withdraw non-compliant AI systems from the EU market, restrict or prohibit their use, and require remediation at the provider's expense. For startups whose revenue depends on EU enterprise customers, a market access ban is potentially more damaging than a financial penalty.
Enforcement is handled at member state level: each country designates a national competent authority. The European AI Office — established within the European Commission by the Act itself — has oversight responsibility for GPAI models and coordinates enforcement across member states to reduce forum shopping and divergent interpretations.
GPAI Models — A Separate Category (Articles 51–55)
The Act creates a separate regime for general-purpose AI (GPAI) models: large foundation models trained on broad data at scale and capable of performing a wide range of distinct tasks. GPT-4, Claude, Gemini, Llama, and comparable models fall into this category. GPAI model obligations have applied since 2 August 2025.
All GPAI model providers must maintain technical documentation sufficient to assess compliance; provide information and documentation to downstream providers building applications on their model; and comply with EU copyright law, including publishing summaries of training data used.
GPAI models that pose systemic risk — defined as models whose cumulative amount of compute used for training exceeds 10²⁵ FLOPs — face additional obligations: model evaluation including adversarial testing and red-teaming before deployment; incident notification to the European AI Office within defined timeframes; cybersecurity protection measures; and energy consumption reporting. The European AI Office publishes and maintains the list of models designated as systemic-risk.
For most startups, the critical question is not whether you are building a GPAI model (you almost certainly are not), but whether the GPAI model you are building on top of is compliant. If your application is a high-risk AI system built on a foundation model, you still carry the full provider obligations under Articles 9–15 for your application layer. The GPAI provider is responsible for the model layer; you are responsible for your application. These are separate compliance obligations, not alternatives.
Frequently Asked Questions
Does the EU AI Act apply to my startup if we're based outside the EU?
Yes. The Act has extraterritorial reach — it applies to any provider that places an AI system on the EU market, regardless of where the provider is established. If your product is used by customers in EU member states, you are in scope. This mirrors the approach taken by GDPR. Non-EU providers must also appoint an authorised representative established in the EU (Article 22).
What is a 'high-risk' AI system under the EU AI Act?
High-risk AI systems are those listed in Annex III of the regulation. There are 8 categories: biometric identification and categorisation, critical infrastructure management, education and vocational training, employment and HR decisions, access to essential services (credit, insurance, emergency), law enforcement, migration and border control, and administration of justice. If your AI system makes or materially influences decisions in any of these areas, it is almost certainly high-risk.
When does EU AI Act compliance become mandatory?
The main compliance deadline is 2 August 2026, when the full set of obligations for Annex III high-risk AI systems takes effect. However, the ban on prohibited AI practices (Article 5) has applied since 2 February 2025, and GPAI model obligations have applied since 2 August 2025. If you are building a high-risk system, starting documentation now is strongly advisable — retrofitting compliance onto an already-shipped product is significantly harder and more expensive.
What is the difference between a provider and a deployer?
A provider (Article 3(3)) is any natural or legal person who develops an AI system and places it on the market under their own name or trademark — essentially, the company that builds the product. A deployer (Article 3(4)) is the organisation that uses that AI system in their professional operations. Providers carry the heaviest obligations: technical documentation, conformity assessments, CE marking, and post-market monitoring. Deployers have lighter but real obligations, including monitoring performance and reporting serious incidents.
Can I still ship my product without full compliance documentation before August 2026?
Technically, Annex III obligations do not apply until 2 August 2026, so you can place products on the EU market before that date without full compliance documentation. However, building compliance in from the start is strongly advisable — the documentation requirements in Annex IV are designed around the development process, not retrofitting. Enterprise customers and investors are also beginning to ask for compliance evidence ahead of the deadline.
What documents do I need for Article 11 technical documentation?
Annex IV specifies 9 categories of information: (1) a general system description including purpose, version, and intended use; (2) a description of hardware and software components; (3) the development process, training methodology, and data used; (4) the risk management system documentation; (5) a description of changes made after initial market placement; (6) the conformity assessment procedure applied; (7) a copy of the EU declaration of conformity; (8) the post-market monitoring system description; and (9) provider contact details. Nytivo generates all 9 sections from your system data.
The August 2026 deadline is approaching
Start your Article 11 technical documentation now. Nytivo generates the full Annex IV documentation pack from your system data — structured, audit-ready, and kept current as the regulation evolves.