Compliance Advisor AI

EU AI Act Compliance Guide for Startups (2025)

The EU AI Act introduces risk-based obligations for AI systems. If you ship, embed, or use AI in Europe, you need to know your risk level, who you are under the law (provider or deployer), and which documents and controls are required before launch. This guide explains the essentials in plain English and lets you run a free 60-second scan to generate a checklist and a shareable PDF.

1) What the AI Act covers (and when it applies)

  • Applies to AI systems placed on the EU market or used in the EU.
  • Obligations depend on risk: prohibited → high-risk → limited/transparency → minimal.
  • You still need to consider GDPR, consumer protection, and sector rules (finance, health, etc.).

2) Am I high-risk? (Annex III in plain English)

High-risk typically includes AI that affects people's access to jobs, credit, education, healthcare, policing, or essential services. Examples:

  • Employment/HR (screening, ranking, interviewing)
  • Creditworthiness and insurance decisions
  • Education grading or admissions
  • Healthcare triage/diagnostics used for decisions
  • Critical infrastructure operations (transport, energy)
  • Law-enforcement and migration assessments

Not sure? Run the scan—describe your use-case and you'll get a provisional risk classification plus next steps.

Is Your AI High-Risk? Annex III Checklist

Use this checklist to determine if your AI system falls under Annex III high-risk categories.

Critical Infrastructure

  • AI systems intended to be used as safety components in the management and operation of road traffic and the supply of water, gas, heating and electricity

Education & Employment

  • AI systems intended to be used for the purpose of determining access or assigning natural persons to educational and vocational training institutions
  • AI systems intended to be used for recruitment or selection of natural persons, notably for advertising job vacancies, screening or filtering applications, evaluating candidates in the course of interviews or tests

Essential Services & Law Enforcement

  • AI systems intended to be used for the purpose of determining access or assigning natural persons to educational and vocational training institutions
  • AI systems intended to be used by law enforcement authorities for the purpose of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties

3) Provider vs Deployer: who must do what

Provider (the one who develops/places the system on the market) handles design-time obligations—technical documentation, risk management, CE marking (if high-risk), instructions for use.

Deployer (uses someone else's AI) must perform a context-specific risk analysis, ensure instructions are followed, and maintain monitoring and records.

4) If you're high-risk: minimum checklist (plain English)

  • Risk Management System (RMS): identify hazards/harms, mitigation, tests.
  • Data governance: representative, relevant, and documented datasets; bias testing.
  • Technical documentation: architecture, training data summary, evaluation, controls.
  • Human oversight: who can intervene, how overrides work.
  • Accuracy/robustness/security: targets, tests, and logs.
  • Post-market monitoring: incidents, feedback, corrective action.
  • Conformity assessment + CE marking (for high-risk before marketing).

5) If you're limited-risk (transparency)

Tell users they're interacting with AI; label synthetic content where applicable; provide basic instructions and opt-out where required.

6) Quick start: 60-second scan (+ PDF)

The scanner turns a plain-language description into a risk classification and action list, then offers a shareable PDF and badge.

7) FAQ (short)

Do small teams need this?

Yes, obligations depend on risk, not size.

Is the Act final?

Core obligations are set; updates may refine details.

Does GDPR still apply?

Yes—privacy law is separate and cumulative.

Free EU AI Act Templates

Download our free templates to help you comply with EU AI Act requirements.

Technical Documentation Template
Complete template for creating compliant technical documentation under Article 11 of the EU AI Act.
Risk Management System Template
Template for implementing a risk management system compliant with Article 9 of the EU AI Act.