EU AI Act · Readiness

EU AI Act Readiness
for AI Startups

The EU AI Act is the world's first binding AI law. We classify your AI systems, assess your obligations, build the governance documentation, and keep you compliant as the law matures.

Book a working session → ISO 42001 for AI Startups
Last updated: 16 June 2026

What is the EU AI Act?

The EU AI Act (Regulation (EU) 2024/1689) is the world's first comprehensive legal framework for artificial intelligence. Adopted in March 2024 and in force from August 2024, it classifies AI systems into risk tiers and imposes obligations on AI providers, deployers, and importers operating in the EU — proportional to risk level. It has extra-territorial reach: it applies to any AI system deployed in the EU, regardless of where the provider is based.

EU AI Act risk tiers: where does your AI system sit?

🚫 Prohibited

Unacceptable risk

AI systems banned entirely — e.g. social scoring, real-time biometric surveillance in public spaces, subliminal manipulation. Enforceable from February 2025.

⚠️ High risk

Significant obligations

AI in education, employment, credit, insurance, critical infrastructure, law enforcement, migration, justice. Conformity assessment, data governance, transparency, human oversight required. Enforceable August 2026.

ℹ️ Limited risk

Transparency obligations

AI that interacts with humans (chatbots, deepfakes). Must disclose AI nature to users. Relatively light obligations. Most AI startups fall here or in minimal risk.

✓ Minimal risk

No mandatory obligations

AI spam filters, recommendation systems, AI in video games. No mandatory requirements, but voluntary codes of conduct encouraged.

What we implement

🗂️

AI system inventory

Full inventory of AI systems across your products and operations, with documentation of purpose, inputs, outputs, and deployment context.

⚖️

Risk classification

Classification of each AI system against EU AI Act risk tiers — Prohibited, High-risk, Limited, Minimal — with documented rationale.

📋

Conformity assessment

For high-risk AI: conformity assessment documentation, technical documentation pack, EU declaration of conformity.

🔍

Transparency documentation

User-facing AI disclosures, capability and limitation documentation, intended use statements.

📊

Data governance

Training data documentation, bias assessment, data quality controls — required for high-risk AI systems.

👁️

Human oversight

Human oversight mechanisms design and documentation — a core requirement for high-risk AI systems under Annex III.

📝

GPAI documentation

For General Purpose AI model providers: technical documentation, training content policy, copyright compliance documentation.

🔄

Ongoing monitoring

Post-market monitoring plan, incident reporting procedures, and regulatory change tracking as EU AI Act provisions continue to come into force.

EU AI Act readiness: key steps

1

AI system inventory

Identify every AI system in your products and operations — including third-party AI you deploy. Most startups undercount this significantly on first pass.

2

Risk classification

Classify each system against EU AI Act risk tiers. This determines your obligations. High-risk classification triggers significant documentation and conformity assessment requirements.

3

Gap assessment

Compare current documentation and governance against what each risk tier requires. Identify what is missing, what is partial, and what timeline applies to each obligation.

4

Governance implementation

Build the policies, documentation, processes, and oversight mechanisms your risk classification requires. For high-risk systems, this includes conformity assessments and technical documentation packs.

5

Ongoing compliance

The EU AI Act is phased — new obligations come into force through 2027. Set up a monitoring process to track regulatory developments and update your governance as provisions mature.

EU AI Act enforcement timeline

EU AI Act Readiness Checklist

The 44-point checklist covering AI system inventory, risk classification, conformity assessment requirements, GPAI obligations, and enforcement timeline. Enter your email to receive it.

You pay for compliance. Not the hours.

Outcome-based pricing — fixed fee agreed upfront. No hourly meters.

01 · Diagnostic

EU AI Act gap assessment

Fixed fee
· credited toward implementation
  • AI system inventory and risk classification
  • Obligation mapping by risk tier
  • Remediation roadmap and budget
Start assessment →
03 · Fractional CISO

Ongoing AI governance

Monthly retainer
· cancellable quarterly
  • Regulatory change monitoring
  • Customer AI governance queries
  • Incident reporting support
Talk to a partner →

We combine EU AI Act readiness with ISO 42001 certification for AI startups who want both governance documentation and a certification body's independent validation.

Frequently asked questions

What is the EU AI Act?

The EU AI Act (Regulation (EU) 2024/1689) is the world's first comprehensive legal framework for AI. It classifies AI systems into risk tiers — Prohibited, High-risk, Limited risk, and Minimal risk — and imposes obligations on AI providers, deployers, and importers operating in the EU, proportional to risk level.

When does the EU AI Act apply?

The Act is phased. Prohibited AI practices: enforceable February 2025. GPAI model obligations: August 2025. High-risk AI systems (Annex III): August 2026. Remaining provisions: August 2027. AI startups should assess their obligations now — preparation for August 2026 obligations should start at least 12 months ahead.

Does the EU AI Act apply to UK companies?

Yes. The EU AI Act has extra-territorial reach. Any AI provider whose systems are deployed in the EU must comply — regardless of where the company is based. UK-based AI startups with EU customers or users are subject to the Act's obligations for those AI systems.

What is a high-risk AI system under the EU AI Act?

High-risk AI systems are those used in specific sectors or purposes listed in Annex III: education, employment, credit, insurance, essential services, critical infrastructure, law enforcement, migration, and administration of justice. High-risk systems require conformity assessments, technical documentation, human oversight mechanisms, and data governance controls.

How does ISO 42001 help with EU AI Act compliance?

ISO 42001 is not yet a harmonised standard for EU AI Act conformity, but it provides the systematic AI risk management and governance framework the Act requires. Organisations certified against ISO 42001 have the documented processes, risk assessments, and governance structures that underpin EU AI Act compliance — and will be significantly better positioned when the final QMS conformity standard is released.

What are the penalties for non-compliance with the EU AI Act?

Fines for prohibited AI practices: up to €35 million or 7% of global annual turnover. Fines for other high-risk violations: up to €15 million or 3% of global annual turnover. Fines for providing incorrect information to authorities: up to €7.5 million or 1.5% of turnover. For startups, the higher of the two figures applies.

Related services and guides

Not sure where your AI systems sit
under the EU AI Act?

We'll classify your systems, map your obligations, and tell you exactly what you need to build. 45 minutes.

Book a working session →