Niall Cook

What the EU AI Act means for AI startups — even outside Europe

If you build or offer AI systems that anyone in the EU can use, the EU AI Act already matters to you — regardless of where your company is based.

A two-person US startup with an API used by an EU customer? In scope.

A UK team shipping a model to an EU client? Also in scope.

There’s no small-business carve-out and no free pass for “early stage”.

Some provider obligations already apply. Most will apply from 2 August 2026. Rules for general-purpose AI (GPAI) models started on 2 August 2025.

What’s already in force

  • Ensure your organisation and staff have a “sufficient level of AI literacy” proportionate to their role (Article 4)
  • Check that none of your systems fall into a prohibited “unacceptable-risk” category (Article 5)

If you provide a general-purpose AI model:

  • Publish detailed technical documentation, including training data sources and limitations (Article 53)
  • Give downstream deployers the information they need to meet their own obligations (Article 53(2))

If your GPAI model poses systemic risk, you must also:

  • Perform model evaluations, assess and mitigate systemic risks, and report serious incidents (Article 55)

From 2 August 2026 — if you provide any AI system

  • Ensure the system complies with the Act before placing it on the EU market or putting it into service (Article 16)
  • Implement and maintain a documented quality-management system (Article 17)
  • Prepare and update technical documentation (Article 11)
  • Ensure the system can automatically record logs to support compliance checks (Article 12)
  • Design it with human oversight, robustness, accuracy and cybersecurity suited to its purpose (Articles 14–15)
  • Provide clear instructions for use to deployers (Article 13)
  • Carry out a conformity assessment and affix the CE marking before placing any high-risk system on the market (Articles 43, 49)
  • Monitor system performance after launch and take corrective actions as needed (Article 61)
  • Immediately notify market-surveillance authorities of any serious incidents once a causal link is established (Article 73)

If your system is classed as high-risk, you must also:

  • Ensure training, validation and testing data are relevant, representative, free of errors and bias, and documented (Article 10)
  • Keep logs for at least six months or as otherwise required by law (Article 12(2))

Penalties

Breaching the bans on prohibited practices (Article 5) can mean fines of up to €35 million or 7% of global turnover.

Placing a non-compliant high-risk system on the market (Articles 16, 43) can lead to fines of up to €30 million or 6%.

Other provider violations (Articles 4, 10–17, 53–55, 61, 73) can mean fines of up to €15 million or 3%.

Two steps to start now

Audit your products

  • Identify every AI system or model you develop or offer that could be used in the EU
  • Check none fall into Article 5’s prohibited categories

Build compliance into development

  • Start documenting training data, design decisions and risk controls
  • Put a basic quality-management process in place, even if your team is small

The message for AI startups is simple:

If EU users can access your system or its output, this law already reaches you. The smartest companies are baking compliance into their products now — not scrambling to retrofit it in 2026.

Important: This does not constitute any form of legal advice. All information is understood to be correct at the time of writing. E&OE.