TL;DR: Most core obligations under the EU AI Act are now enforceable as of 2 August 2026, the main application date for the regulation. If your startup builds, deploys, or integrates AI systems inside the EU, you are already subject to binding obligations. Prohibited practices have been banned since February 2025. General-purpose AI model rules applied from August 2025. High-risk AI system requirements under Annex III are now enforceable, with fines reaching up to €35 million or 7% of global annual turnover. Some obligations for high-risk AI systems embedded into existing regulated products (medical devices, machinery, vehicles) carry an extended deadline of 2 August 2027, and certain details are still being finalised through harmonised standards and official guidance.
This guide breaks down exactly what category your startup falls into, what you are required to do, and what it means in practice, for your product team, your content team, your designers, and your developers.
Why This Is Not a Future Problem
The EU AI Act is not a proposal under discussion. It is the law, in force today, and enforcement is active.
Adopted in May 2024 and published in the Official Journal of the European Union on 12 July 2024, the Act entered into force on 1 August 2024. What followed was a carefully staged rollout, time that, for most obligations, has now run out.
Like GDPR before it, the AI Act has extraterritorial scope:
If your AI system is used in the EU or affects EU-based individuals, your startup is in scope regardless of where you are incorporated. A SaaS product built in Athens, a content platform built in Tallinn, or a US startup with European users, all are subject to the same rules.
The Timeline: What Is Already Enforceable
- 2 February 2025 - Prohibited AI practices banned outright. AI literacy obligations for staff came into force.
- 2 August 2025 - Governance rules activated. Full obligations for providers of general-purpose AI (GPAI) models, think any foundation model, large language model, or multimodal system, became enforceable.
- 2 August 2026 - The main application date. Transparency obligations under Article 50 now fully in force. High-risk AI system requirements now enforceable for Annex III use cases. Every EU Member State required to have at least one operational AI regulatory sandbox.
- 2 August 2027 - Final deadline for high-risk AI systems embedded into products already regulated under existing EU product safety law (medical devices, machinery, vehicles).
One important caveat:
In November 2025 the European Commission proposed a “Digital Omnibus” package that could push certain Annex III high-risk deadlines to as late as December 2027. This proposal is still being negotiated. Do not use it as a reason to delay. Official EU guidance is unambiguous: treat 2 August 2026 as the binding deadline.
The Four Risk Tiers: Where Does Your Product Sit?
The entire compliance architecture of the AI Act is built on a four-tier risk classification.
Your obligations depend entirely on which tier your AI system falls into. This is the first practical task for every product team: classify what you have built or are building.
Unacceptable Risk - Banned Systems
These have been prohibited since 2 February 2025. No startup operating in the EU can build or deploy them.
Examples:
- An app that analyses facial expressions during job interviews to infer candidates’ emotional states or personality traits
- A platform that builds psychological profiles of users from their browsing behaviour to serve manipulative advertising targeting people with anxiety disorders
- A government-facing system that scores citizens on their social behaviour and restricts their access to public services based on that score
- A tool that uses real-time biometric identification to scan crowds in public spaces (with narrow law enforcement exceptions)
If any part of your product roadmap involves these functionalities, you must cease and redesign immediately.
High-Risk AI Systems - The Heaviest Obligations
High-risk systems are permitted but subject to the most demanding compliance requirements. The relevant pathway for most startups is the list of specific use cases in Annex III of the Act.
Examples of what qualifies as high-risk:
- A recruitment SaaS that uses AI to screen CVs, rank candidates, or predict interview performance; high-risk. The product manager cannot ship this feature without a conformity assessment, technical documentation, and human oversight mechanisms in place.
- An edtech platform that uses AI to determine which students gain access to courses, assigns grades automatically, or detects cheating without human review; high-risk.
- A fintech tool that uses AI to decide creditworthiness, set loan terms, or assess insurance risk for individual users; high-risk.
- A proptech platform that uses AI to evaluate tenant applications and recommend approvals or rejections; high-risk.
- A healthcare AI tool that flags patient risk levels or recommends clinical pathways, even if the final decision rests with a doctor; high-risk.
For all of these, the following obligations are now fully in force: a completed conformity assessment, comprehensive technical documentation, a quality management system, a post-market monitoring plan, registration in the EU AI database, and a tiered serious incident reporting obligation under Article 73, 15 days for standard serious incidents, 2 days for widespread infringements or critical infrastructure disruptions, and 10 days in the event of a death.
Note: the 15-day window is the standard threshold, not 72 hours, that is the GDPR data breach timeframe and the two must not be confused.
What this means for a product manager running one of these products:
Every new AI feature in a high-risk use case must go through a compliance review before shipping. The sprint process needs a compliance checkpoint. Technical documentation must be maintained and updated as the model changes. Human oversight is not optional, it must be architecturally built into the product.
What this means for a developer on one of these teams:
Training data provenance must be documented. Model performance metrics, including bias and error rates across different demographic groups, must be tracked and reportable. Logging must be robust enough to allow post-incident reconstruction of what the AI decided and why.
Limited Risk - Transparency Obligations
This is where the majority of digital agency work, SaaS marketing tools, e-commerce AI features, and content generation sits. The obligations are lighter but real, and they are now fully in force. The core requirement under Article 50: users must be informed when they are interacting with an AI system, and AI-generated content must be identifiable.
What this means in practice, broken down by role:
For UX designers:
The law requires that users be informed when they are interacting with an AI system, not a human. It does not prescribe the exact UI pattern, placement, or wording. What the law prohibits is a design that actively conceals the AI nature of the interaction.
In practice, the most defensible implementation is surfacing disclosure at the point of first interaction, an opening message, a persistent label, or a clearly visible indicator, rather than burying it in terms of service.
A design pattern that mimics a human agent without any disclosure at the point of interaction is non-compliant. One that discloses clearly, even briefly, satisfies the obligation regardless of the specific format chosen.
For content managers:
The obligation is split into three scenarios:
- AI-generated social media images for brand campaigns
Not required for standard commercial use, but good practice and increasingly expected by informed audiences. - AI-generated content published to inform the public on matters of public interest
Mandatory label. This is a binding legal obligation under Article 50(4). The law requires disclosure when AI-generated text is published with the purpose of informing the public on matters of public interest. What clearly falls in scope: news reporting, political analysis, public health information, and editorial content on social or civic issues, all must be labelled. What clearly falls outside: product pages, ad copy, and standard marketing materials. What sits in a genuine grey zone: a general knowledge blog post, an SEO article on an industry topic, or an educational explainer published on a company website. The phrase “matters of public interest” is not yet fully defined in case law or official guidance, and the Code of Practice currently being finalised will likely shape how broadly regulators interpret it in practice. The legally precise position: the obligation is real and binding at the core, but its outer edges remain unsettled. - Standard commercial creative content
Not automatically required, but with conditions. An AI-generated product image for an e-commerce client, an AI-assisted social media graphic, or a marketing video where the AI nature is either obvious or irrelevant to the audience, no mandatory label under the current text. The law focuses on the risk of deceiving the public, not on flagging every pixel touched by an AI tool. An AI-generated lifestyle image of a coffee cup does not require a label. An AI-generated video of a named CEO endorsing a product, where the CEO is real and no such endorsement was given, does.
For marketing managers, broken down by content type:
- AI-generated ad visuals for an e-commerce brand
No mandatory label for standard product imagery; if the visual features a realistic synthetic human face presented as a real identifiable person, labelling is necessary. - AI voiceover for a client’s explainer video
If it uses a synthetic voice that mimics a specific real person’s voice without their consent, labelling and consent obligations apply; a generic AI voice used as a standard voiceover tool currently requires no label. - AI-written blog article published as informational content
Depends on content type. If the article covers news, public affairs, health, or civic topics, disclosure is legally required under Article 50(4). If it is a marketing blog, a product update, or commercial content, the obligation does not apply. For general industry commentary or educational content on a company blog, the scope is not yet fully settled, the conservative position is to disclose, and the Code of Practice being finalised in mid-2026 will likely clarify where the line falls. - AI-assisted copy where a human has substantially edited and revised the output
Article 50 does not explicitly state that human editorial control removes the disclosure obligation. However, the draft Code of Practice developed by the EU AI Office includes language indicating that disclosure for AI-generated text on matters of public interest is required unless the content has undergone human review and is subject to editorial control. This is not yet finalised law, the Code of Practice is still being completed and is not itself legally binding, but it represents the regulatory direction of travel and is the strongest available basis for arguing that a heavily human-edited output falls outside the mandatory disclosure scope. Document your editorial process regardless. - AI-generated social media images for brand campaigns
Not required for standard commercial use, but good practice and increasingly expected by informed audiences.
Minimal Risk - No Specific Obligations
Most AI applications fall here and face no binding requirements. AI-powered spam filters, product recommendation engines, search ranking tools, content tagging systems, and most analytics features sit in this tier. That said, documenting why you classified a system as minimal risk creates a defensible record if regulators ever question the assessment.
The Provider vs. Deployer Distinction: Which One Are You?
This distinction matters more than most founders realise, and getting it wrong means misunderstanding your entire compliance scope.
A provider is a company that develops an AI system and places it on the EU market under its own name. If you build an AI-powered HR screening tool and license it to other businesses, you are a provider. You bear the full weight of provider obligations: technical documentation, conformity assessments, EU database registration, post-market monitoring.
A deployer is a company that uses an AI system, including a third-party system, in a professional context. If your marketing team uses an AI content generation platform, if your customer service team uses an AI chatbot built on a third-party API, or if your operations team uses an AI scheduling tool, you are a deployer for each of these systems.
Deployer obligations are lighter but real:
- Implement appropriate human oversight and be transparent with the users who interact with those systems.
Additionally, under Article 27, if you are a public body, a private entity providing public services, or a private company deploying high-risk AI systems in the areas of employment or access to essential services (Annex III points 5(b) and (c)), you are also required to carry out a fundamental rights impact assessment before deployment, a formal evaluation of how the system could affect individuals’ rights, which must then be reported to the relevant market surveillance authority.
Many digital teams assume that because they are “just using” an AI API rather than building a model, they have no obligations. That assumption is incorrect.
Using an AI tool to generate client-facing content, deploying a third-party AI chatbot on a client website, or integrating an AI-powered personalisation engine into an e-commerce platform, all of these make you a deployer under the Act, with the obligations that come with that role.
AI Literacy: The Obligation Most Companies Have Already Missed
The AI literacy requirement has been in force since 2 February 2025. Every person in your organization who works with, oversees, or deploys AI systems must have a level of AI understanding proportionate to their role.
This is not about turning everyone into an AI engineer. It is about ensuring that the people making decisions with or about AI understand what those systems do, what their limitations are, and what risks they carry.
In practice:
- A content manager using an AI writing tool must understand that the tool can hallucinate facts, reproduce training data biases, and generate outputs that require verification, not just approval.
- A UX designer deploying an AI recommendation feature must understand how that feature makes decisions and what happens when it makes wrong ones.
- A product manager shipping an AI feature must understand the risk classification of that feature and what compliance requirements it triggers.
- A marketing manager using an AI image generation tool must understand which outputs require labelling and which do not.
Documenting your literacy programme, even informal sessions, written guidelines, or internal wikis, creates an audit trail demonstrating compliance.
Regulatory Sandboxes: The Opportunity Most Startups Are Ignoring
Every EU member state was legally required to have at least one operational AI regulatory sandbox by 2 August 2026 under Article 57. In practice, implementation varies across member states, some have fully operational sandboxes with open application processes, while others are still in the process of standing theirs up.
Check your national competent authority’s website for current availability and application details before assuming access. These are controlled environments where companies, specifically prioritising startups and SMEs, can develop, test, and validate AI systems under regulatory supervision, with temporary flexibility on certain requirements.
For a startup building in a potentially high-risk area, an AI-powered health screening tool, an AI credit assessment feature, an AI recruiting product, sandbox participation is not just a compliance mechanism. It provides direct access to regulatory guidance, a supervised development process that enterprise buyers and investors increasingly value, and the ability to test the boundaries of the regulation in a protected environment before full market deployment.
What Compliance Actually Costs
The AI Act was explicitly designed with SME and startup proportionality in mind. Conformity assessment fees are required to be proportional to company size. For SMEs, the upper bound of any fine is set by whichever figure is lower, the fixed amount or the percentage of turnover, the inverse of the formula applied to large companies. The European Commission is also developing simplified technical documentation templates specifically for SMEs, accepted by national authorities for conformity assessments.
For most digital startups, the near-term compliance cost is not financial, it is operational. The real investment is time: time to classify your AI systems, time to add disclosure language to your interfaces, time to document your editorial and development workflows, and time to brief your teams. For startups already building with transparency and user trust as design principles, much of this work is closer to done than they think.
The Competitive Argument for Acting Now
The AI Act will function in the market exactly as GDPR did: early movers who build compliance into their operations will turn it into a sales asset; late movers will face retrofit costs and deal friction. Enterprise buyers, particularly in financial services, healthcare, and B2B SaaS, are already asking suppliers direct questions about AI Act compliance before signing contracts.
A startup that can answer those questions with documented evidence, a completed AI system classification, transparency disclosures in place, a functioning quality management system, a clear policy on AI-generated content, converts a regulatory requirement into a competitive signal. In a market where AI is now table stakes, demonstrable trustworthiness is the differentiator.
Resources
- European Commission, “AI Act - Shaping Europe’s Digital Future”: digital-strategy.ec.europa.eu
- European Parliament, “EU AI Act: First Regulation on Artificial Intelligence”: europarl.europa.eu
- EU AI Act Independent Tracker, “Implementation Timeline”: artificialintelligenceact.eu
- EU AI Act Independent Tracker, “Small Businesses’ Guide to the AI Act”: artificialintelligenceact.eu
- European Commission, “Navigating the AI Act - FAQ”: digital-strategy.ec.europa.eu
- Kennedys Law, “The EU AI Act Implementation Timeline: Understanding the Next Deadline for Compliance”, March 2026: kennedyslaw.com
- Legal Nodes, “EU AI Act 2026 Updates: Compliance Requirements and Business Risks”, February 2026: legalnodes.com
- Software Improvement Group (SIG), “A Comprehensive EU AI Act Summary”, January 2026: softwareimprovementgroup.com




