EU AI Act 2025 Compliance Guide for Startups and Founders
The EU AI Act 2025 compliance requirements are already in force, and the first deadlines have started. If you build or sell AI products in the European market, you must understand what is prohibited, what duties apply in 2025, and how to prepare for the bigger enforcement wave in 2026. This guide explains the banned AI practices, the rules for General Purpose AI (GPAI) models, and what startups and founders should do step by step.
Key Deadlines for EU AI Act 2025 Compliance
- 2 February 2025: Banned AI practices enforced. AI literacy obligations began.
- 2 August 2025: Governance rules and GPAI model requirements started. Transitional relief applies until 2 August 2027 for existing models.
- 2 August 2026: Main application date for most obligations, including high-risk AI system compliance.
- 2 August 2027: Extended timeline for high-risk AI embedded in regulated products like medical devices and machinery.
Who You Are Under the EU AI Act
AI Providers
If you place AI systems on the EU market, you face the strictest duties. For high-risk AI, you need:
- Risk management and data governance
- Technical documentation and logging
- Human oversight measures
- Accuracy, robustness, and cybersecurity guarantees
- CE marking and EU declaration of conformity
AI Deployers
If you use AI systems under your control, you must:
- Operate systems according to instructions
- Keep logs and monitor performance
- Provide qualified human oversight
- Complete a Fundamental Rights Impact Assessment (FRIA) where required
GPAI Model Providers
Since August 2025, GPAI providers must:
- Publish technical documentation and training data summaries
- Adopt a copyright policy for text and data mining
- For systemic-risk models: perform evaluations, red-teaming, incident reporting, and apply strong cybersecurity
- Align with the GPAI Code of Practice (published July 2025)
Banned AI Practices Under EU AI Act 2025 Compliance
From February 2025, these uses are prohibited:
- Manipulative AI that harms users
- Exploiting vulnerabilities of children or disabled people
- Social scoring by governments or companies
- Untargeted facial recognition scraping
- Emotion recognition in schools or workplaces
- Predictive policing based on profiling
Penalty risk: up to €35M or 7 percent of global turnover for prohibited uses.
Startup Checklist for 2025
For all companies
- Map and classify each AI feature (prohibited, high-risk, limited risk, GPAI).
- Train staff in AI literacy.
- Update contracts with vendors and customers to define provider vs deployer duties.
For GPAI providers
- Create model documentation and training data summary.
- Publish a copyright policy.
- Stand up incident reporting and evaluation processes.
- Consider joining the GPAI Code of Practice.
Preparing for EU AI Act 2026 Compliance
High-risk AI in areas like hiring, education, credit scoring, migration, and infrastructure must comply by 2 August 2026.
Provider duties
- Risk management system across the lifecycle
- Data governance for training, validation, and testing
- Technical documentation and event logging
- Human oversight design and user instructions
- Accuracy, robustness, and cybersecurity declarations
- Conformity assessment, EU declaration of conformity, CE marking
Deployer duties
- Operate systems as instructed
- Keep logs and monitor performance
- Provide qualified oversight
- Complete FRIA where required
If high-risk AI is embedded in regulated products, you have until August 2027.
GPAI Models with Systemic Risk
Models with very high compute and societal impact indicators must:
- Perform evaluations and risk mitigation
- Report serious incidents to regulators
- Apply stronger cybersecurity protections
- Follow the Commission’s GPAI Code of Practice
Action Plan for Founders
Next 30 Days
- Build your AI system register
- Remove prohibited features
- Assign owners for provider, deployer, and GPAI duties
This Quarter
- GPAI providers: finalize model cards, documentation, copyright policy, and incident reporting plan
- High-risk providers: begin risk management, data governance, and technical documentation
By Early 2026
- Do a dry run of the conformity assessment
- Prepare user instructions, oversight, logging, and monitoring
- Deployers: complete FRIA templates and prepare user notices
Frequently Asked Questions on EU AI Act 2025 Compliance
Does the Act apply to non-EU companies?
Yes. If you sell AI into the EU or your system outputs are used there, you must comply.
When did GPAI obligations begin?
On 2 August 2025, with a transition until 2027 for existing models.
What is AI literacy under the Act?
It means ensuring operators and staff understand risks and safe use of AI.
What are the fines for non-compliance?
Up to €35M or 7 percent of turnover for prohibited uses, and €15M or 3 percent for other breaches.
Resources for EU AI Act 2025 Compliance
- EU Commission AI Act timeline
- AI Act Explorer: full text and summaries
- European Parliament explainer
- GPAI Code of Practice (July 2025)
- Guidelines on prohibited AI practices