EU AI Act for Startups: Do You Need to Comply Before Product-Market Fit?

If you are building a startup that uses AI, you have probably heard about the EU AI Act. You might have also heard wildly different takes on whether it applies to you — from "startups are exempt" (they are not) to "you need a full compliance programme before launch" (you do not).

The truth is somewhere in between, and it depends entirely on what your AI does, who it affects, and where you are in your company's lifecycle.

Does the EU AI Act apply to startups?

Yes. The EU AI Act does not have a startup exemption. There is no revenue threshold, no employee count minimum, no "Series A or later" trigger. If you place an AI system on the EU market or put one into service in the EU, the regulation applies to you.

This catches a lot of founders off guard. The Act follows the product, not the company. A two-person startup selling an AI hiring tool to EU companies has the same core obligations as a 10,000-person enterprise doing the same thing.

When obligations actually start

Here is the good news for early-stage startups: obligations only kick in when you actually place a system on the market or put it into service. If you are still building, still in beta with a closed group, or have not launched in the EU yet, you have no binding obligations — yet.

The key milestones:

• Pre-launch / internal testing: No obligations. You can develop freely. But building compliance into your architecture now is much cheaper than retrofitting later.
• Closed beta with EU users: Grey area. If testers are using it in real decisions, it could be considered "put into service." If it is purely for testing with synthetic data, probably not.
• Public launch in the EU: Full obligations apply from day one. You cannot launch first and comply later.
• US-only launch serving EU users indirectly: If the output of your AI is used with respect to people in the EU, the Act can still apply. Geographic restrictions in your ToS help but are not bulletproof.

What startups get: SME provisions

The EU AI Act does include specific provisions for small and medium enterprises (SMEs), which covers most startups. These are cost breaks and support mechanisms, not obligation waivers:

• Reduced conformity assessment fees: Notified bodies must offer proportionate fees for SMEs. The exact reductions will be set by delegated acts, but expect meaningful discounts.
• Regulatory sandboxes: Member states must establish at least one AI regulatory sandbox by August 2, 2026. Startups get priority access. These let you develop and test high-risk AI under regulatory supervision without full compliance obligations during the sandbox period.
• Simplified documentation: The Commission may publish simplified technical documentation templates for SMEs. If these exist when you need them, use them.
• Priority access to guidance: National competent authorities must provide dedicated support channels for SMEs.

Pre-launch compliance checklist for startups

If you are building an AI product that will serve EU users, here is what to do at each stage:

Before you build (days, not weeks)

• Classify your AI system using the risk classifier — know whether you are minimal, limited, or high-risk before writing code
• Determine if you are a provider, deployer, or both
• If high-risk: design logging, transparency, and human oversight into your architecture from day one

During development (before launch)

• Document your training data decisions — Article 10 data governance is much easier to comply with if you track this from the start
• Build automatic logging from the beginning — retrofitting logging into a production system is painful and expensive
• Write your instructions for use alongside the product, not after launch
• If high-risk: start your risk management system (Article 9) early — it is meant to be a continuous process, not a one-time document

At launch

• Transparency disclosures must be live on day one (Article 50)
• If high-risk: conformity assessment must be complete before market placement — you cannot launch and then do the assessment
• If high-risk: register in the EU database before market placement (Article 49)

What investors are asking

EU AI Act compliance is increasingly appearing in due diligence. If you are raising capital, expect these questions:

• Have you classified your AI system under the EU AI Act?
• Is your system high-risk, and if so, what is your compliance timeline?
• Do you have AI governance policies and processes?
• What is your potential fine exposure?
• Is compliance cost included in your financial projections?

Having clear answers to these questions — even if the answer is "we are minimal risk and here is why" — signals maturity. Not having answers signals a blind spot that could become a material risk.

The bottom line: the EU AI Act does not punish startups for being small. It regulates AI systems based on what they do, not who built them. Build compliance into your product from the start, and it becomes a competitive advantage rather than a retrofit cost. Start with classification — everything else follows from there.