The EU AI Act’s high-risk provisions become enforceable on August 2, 2026. If your business sells AI-powered products or services to customers in the European Union, you have roughly ninety days to get your compliance posture in order.
Most founders haven’t started. That’s a problem — not because the fines are dramatic (though they can be), but because the preparation work is genuinely time-consuming and touches parts of your stack you probably haven’t documented yet.
Here’s what you actually need to know and do before the deadline hits.
What the High-Risk Provisions Require
The EU AI Act classifies AI systems into risk tiers: prohibited, high-risk, limited-risk, and minimal-risk. The August 2 deadline specifically targets high-risk systems — those used in areas like employment, credit scoring, education, law enforcement, and critical infrastructure.
If your AI system falls into the high-risk category, you need to satisfy requirements across several areas:
- Data governance: Detailed documentation of your training data, including provenance, quality, and known biases. This isn’t a one-time report — it’s an ongoing practice.
- Bias detection and mitigation: Demonstrate that you’ve tested for discriminatory outcomes and have processes to correct them.
- Technical documentation: A comprehensive record of how the system works, what it was trained on, and how it performs under different conditions.
- Transparency: Users must be informed when they’re interacting with an AI system. If your product generates content, recommendations, or decisions, the AI involvement needs to be disclosed.
- Human oversight: High-risk systems must include mechanisms for human intervention and override.
- Accuracy, robustness, and cybersecurity: Demonstrate that the system performs reliably and is protected against adversarial manipulation.
The penalties for non-compliance can reach up to €35 million or 7% of global annual turnover for the most serious violations. For most startups, the reputational and operational impact of non-compliance matters more than the fine itself — losing access to EU markets or enterprise customers who require compliance from their vendors is the real risk.
Who Actually Needs to Care
Not every business using AI is affected by the high-risk provisions. Here’s a quick filter:
You’re likely affected if:
- Your AI system makes or supports decisions about hiring, credit, insurance, or education
- Your product is used in healthcare diagnostics or treatment recommendations
- You provide AI-based biometric identification or categorization
- Your system is used in critical infrastructure management (energy, water, transport)
- You sell AI tools to customers in regulated industries who need their vendors to be compliant
You’re probably not affected if:
- You use AI internally for content generation, summarization, or basic automation
- Your AI system is a chatbot or recommendation engine in a non-regulated context
- You’re building tools that don’t make consequential decisions about individuals
The classification matters. If you’re unsure, the EU has published detailed guidance on risk categorization, and it’s worth spending an hour mapping your products against it rather than assuming you’re exempt.
The Compliance Checklist
Here’s a practical sequence for founders who need to prepare:
1. Map your AI systems to risk categories
List every AI system your company builds, deploys, or sells. Classify each against the EU AI Act’s risk tiers. Be honest — if there’s ambiguity, err on the side of caution and treat the system as higher-risk until you’ve confirmed otherwise.
2. Audit your training data
Document where your training data comes from, how it was collected, what consent was obtained, and what quality checks were applied. If you’re using third-party datasets, verify their provenance and licensing terms.
This is typically the most time-consuming step for startups, because many teams don’t have formal data documentation.
3. Implement bias testing
Run your models through fairness and bias testing across relevant demographic dimensions. Document the results, including any disparities found and the steps taken to address them.
You don’t need to achieve perfect parity — the Act requires that you’ve made reasonable efforts to detect and mitigate bias, and that you can demonstrate your process.
4. Build your technical documentation package
Create a comprehensive technical file for each high-risk system. This should include architecture descriptions, training methodologies, performance metrics, known limitations, and testing results.
Think of it as a detailed product spec that a regulator could use to understand how your system works and where its boundaries are.
5. Set up transparency and disclosure mechanisms
If your AI system interacts with end users, implement clear disclosure that AI is being used. If it generates content or decisions, label that output appropriately.
6. Design human oversight controls
Ensure that high-risk AI decisions can be reviewed, overridden, or escalated by a human. This means building actual UI and workflow mechanisms, not just having a theoretical process.
7. Establish ongoing monitoring
Compliance isn’t a one-time project. Set up processes for continuous monitoring of your AI systems’ performance, accuracy, and fairness. Plan for periodic re-audits and documentation updates.
Common Mistakes Founders Make
Assuming you’re exempt because you’re small. The EU AI Act applies based on what your AI system does, not how big your company is. A five-person startup selling a high-risk AI system into the EU faces the same requirements as a multinational.
Waiting for “final guidance” before starting. The regulation is finalized. The implementing guidance is largely available. Waiting for more clarity is a procrastination strategy, not a compliance strategy.
Treating this as a legal exercise only. Compliance touches engineering, data management, product design, and operations. Your legal team can’t do this alone — it requires cross-functional coordination.
Over-documenting the wrong things. Focus on what the regulation actually requires: data governance, bias testing, technical documentation, transparency, and human oversight. Don’t waste time building elaborate governance theater that doesn’t address the specific requirements.
Ignoring your supply chain. If you use third-party AI models, APIs, or datasets, you need to understand their compliance posture too. Your compliance is only as strong as your weakest dependency.
What “Good Enough” Looks Like for a Startup
For startups, the practical goal isn’t perfection — it’s demonstrable effort and reasonable compliance.
“Good enough” means:
- You’ve classified your AI systems and can explain the classification
- You have documented training data provenance and quality processes
- You’ve run bias testing and can show the results and remediation steps
- You have a technical documentation package that a knowledgeable regulator could review
- You’ve implemented transparency disclosures and human oversight mechanisms
- You have a plan for ongoing monitoring and periodic re-audits
If you can demonstrate all of this with reasonable documentation, you’re in a defensible position — even if every detail isn’t perfect on day one.
The Three-Month Sprint
Here’s a rough timeline for founders starting from scratch:
Weeks 1–2: Map your AI systems, classify them by risk tier, and identify gaps against the requirements.
Weeks 3–5: Audit training data, implement bias testing, and begin building technical documentation.
Weeks 6–8: Set up transparency mechanisms, human oversight controls, and ongoing monitoring processes.
Weeks 9–10: Review everything, fix gaps, and prepare your compliance package.
Weeks 11–12: Final review, stress-test your documentation, and brief your team on ongoing compliance responsibilities.
It’s tight, but it’s doable — especially if you’ve already been practicing reasonable AI governance informally.
What Happens Next
The August 2 enforcement date is a starting point, not an endpoint. Expect the regulatory landscape to continue evolving, with more implementing guidance, sector-specific standards, and cross-border harmonization over the next two years.
The businesses that build compliance into their development practices now won’t just avoid penalties — they’ll have a competitive advantage when enterprise customers and partners start requiring EU AI Act compliance from their vendors.
Start this week. The deadline isn’t going to move.
Work With Us
Need help preparing for EU AI Act compliance? OpenVerb helps founders and operators navigate AI governance, build compliance frameworks, and implement practical oversight systems. [Get in touch](https://openverb.com/contact) to discuss your compliance readiness.