EU AI Act 2025 Compliance Guide for Startups and Founders

The EU AI Act 2025 compliance requirements are already in force, and the first deadlines have started. If you build or sell AI products in the European market, you must understand what is prohibited, what duties apply in 2025, and how to prepare for the bigger enforcement wave in 2026. This guide explains the banned AI practices, the rules for General Purpose AI (GPAI) models, and what startups and founders should do step by step.

Key Deadlines for EU AI Act 2025 Compliance

  • 2 February 2025: Banned AI practices enforced. AI literacy obligations began.
  • 2 August 2025: Governance rules and GPAI model requirements started. Transitional relief applies until 2 August 2027 for existing models.
  • 2 August 2026: Main application date for most obligations, including high-risk AI system compliance.
  • 2 August 2027: Extended timeline for high-risk AI embedded in regulated products like medical devices and machinery.

Who You Are Under the EU AI Act

AI Providers

If you place AI systems on the EU market, you face the strictest duties. For high-risk AI, you need:

  • Risk management and data governance
  • Technical documentation and logging
  • Human oversight measures
  • Accuracy, robustness, and cybersecurity guarantees
  • CE marking and EU declaration of conformity

AI Deployers

If you use AI systems under your control, you must:

  • Operate systems according to instructions
  • Keep logs and monitor performance
  • Provide qualified human oversight
  • Complete a Fundamental Rights Impact Assessment (FRIA) where required

GPAI Model Providers

Since August 2025, GPAI providers must:

  • Publish technical documentation and training data summaries
  • Adopt a copyright policy for text and data mining
  • For systemic-risk models: perform evaluations and red-teaming, report serious incidents, and apply strong cybersecurity
  • Align with the GPAI Code of Practice (published July 2025)

Banned AI Practices Under EU AI Act 2025 Compliance

From February 2025, these uses are prohibited:

  • Manipulative AI that harms users
  • Exploiting vulnerabilities of children or disabled people
  • Social scoring by governments or companies
  • Untargeted facial recognition scraping
  • Emotion recognition in schools or workplaces
  • Predictive policing based on profiling

Penalty risk: up to €35M or 7 percent of global turnover for prohibited uses.

Startup Checklist for 2025

For all companies

  • Map and classify each AI feature (prohibited, high-risk, limited risk, GPAI).
  • Train staff in AI literacy.
  • Update contracts with vendors and customers to define provider vs deployer duties.

For GPAI providers

  • Create model documentation and training data summary.
  • Publish a copyright policy.
  • Stand up incident reporting and evaluation processes.
  • Consider joining the GPAI Code of Practice.

Preparing for EU AI Act 2026 Compliance

High-risk AI in areas like hiring, education, credit scoring, migration, and infrastructure must comply by 2 August 2026.

Provider duties

  • Risk management system across lifecycle
  • Data governance for training, validation, and testing
  • Technical documentation and event logging
  • Human oversight design and user instructions
  • Accuracy, robustness, and cybersecurity declarations
  • Conformity assessment, EU declaration of conformity, CE marking

Deployer duties

  • Operate systems as instructed
  • Keep logs and monitor performance
  • Provide qualified oversight
  • Complete FRIA where required

If high-risk AI is embedded in regulated products, you have until August 2027.

GPAI Models with Systemic Risk

Models with very high compute and societal impact indicators must:

  • Perform evaluations and risk mitigation
  • Report serious incidents to regulators
  • Apply stronger cybersecurity protections
  • Follow the Commission’s GPAI Code of Practice

Action Plan for Founders

Next 30 Days

  • Build your AI system register
  • Remove prohibited features
  • Assign owners for provider, deployer, and GPAI duties

This Quarter

  • GPAI providers: finalize model cards, documentation, copyright policy, and incident reporting plan
  • High-risk providers: begin risk management, data governance, and technical documentation

By Early 2026

  • Dry run conformity assessment
  • Prepare user instructions, oversight, logging, and monitoring
  • Deployers: complete FRIA templates and prepare user notices

Frequently Asked Questions on EU AI Act 2025 Compliance

Does the Act apply to non-EU companies?
Yes, if you sell AI into the EU or your system outputs are used there, you must comply.

When did GPAI obligations begin?
On 2 August 2025, with a transition until 2027 for existing models.

What is AI literacy under the Act?
It means ensuring operators and staff understand risks and safe use of AI.

What are the fines for non-compliance?
Up to €35M or 7 percent of turnover for prohibited uses, and €15M or 3 percent for other breaches.

Resources for EU AI Act 2025 Compliance