What the EU AI Act Actually Requires From Founders in 2026
The Founding Team Assumption That Creates the Most Risk
Most founders believe the EU AI Act is a large-enterprise problem. It is not.
The regulation applies to any organisation that deploys an AI system in the EU market - regardless of where the company is incorporated, how many employees it has, or what stage it is at. A Series A company headquartered in Sydney with 300 EU users is subject to the same obligations as a listed German conglomerate.
The assumption that the Act does not apply until a company reaches a certain size or maturity level is one of the most consistently observed misconceptions in our diagnostics. And it is the assumption that creates the most risk, because it delays action until after obligations have already been breached.
What the Act Actually Requires - The Short Version
The EU AI Act establishes a tiered risk framework. Your obligations depend on what category your AI system falls into.
Unacceptable risk systems are prohibited outright. These include AI that manipulates behaviour through subliminal techniques, systems that exploit vulnerabilities of specific groups, social scoring by governments, and real-time biometric surveillance in public spaces. If your product does any of these things, it cannot operate in the EU under any conditions.
High-risk systems face the most detailed requirements. If your AI makes or materially influences decisions in categories including credit, employment, healthcare, education, insurance, critical infrastructure, or law enforcement, you are operating a high-risk system. The requirements include: a documented risk management system, data governance procedures, technical documentation, automatic event logging, transparency to users, human oversight capability, and accuracy and robustness standards.
General purpose AI systems - including foundation models above the 10^25 FLOP training threshold - have their own transparency and documentation obligations. If you are building on top of foundation models at scale, you are likely a deployer and the Act's deployer obligations apply to you.
Minimal risk systems have limited mandatory requirements but the Act encourages voluntary codes of conduct.
The Four Requirements Most Founders Are Not Meeting
1. Technical documentation before deployment
Article 11 requires that high-risk AI systems have comprehensive technical documentation before they are placed on the market or put into service. This includes the system description, intended purpose, design choices, development process, training data description, performance metrics, and risk management documentation.
Most founding teams have this information scattered across engineering notes, Notion pages, and the memory of the people who built the system. Scattered institutional knowledge is not technical documentation in the regulatory sense. It does not exist for the purposes of an audit.
2. Automatic logging capability
Article 12 requires that high-risk AI systems automatically generate logs sufficient to enable post-hoc audit of system operation. The logs must capture at minimum: the period of each use, the reference database the system queried, and the input data that led to outputs that resulted in verification of identity.
Unstructured log output piped to a general-purpose logging service typically does not satisfy this requirement. The question is not whether you are logging - it is whether what you are logging is structured, queryable, and sufficient to reconstruct decision sequences under regulatory scrutiny.
3. Human oversight that is more than a policy statement
Article 14 requires that high-risk AI systems be designed to allow natural persons to effectively oversee the system during the period in which it is in use. The system must enable operators to interrupt or halt the system, and to override or prevent outputs in specific circumstances.
The distinction that matters: having a policy that says human review is possible is not the same as having a documented, tested workflow that proves human review actually occurs. Regulators and enterprise procurement teams are increasingly sophisticated enough to ask for the latter.
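As an added illustration (not code from the article), the block below sketches what a structured, queryable decision log along the lines of the Article 12 and Article 14 points above could look like: one JSON record per event capturing the period of use, the reference database queried, a digest of the input, the system's decision and any named human override, plus the query that reconstructs the decision sequence for one session. Field names, the event vocabulary and the sample credit-decision session are constructed assumptions for illustration and are not prescribed by the Act; storing a digest rather than the raw input is a design choice that assumes the raw input is retained elsewhere and can be matched by hash.

```python
import hashlib
import json
from datetime import datetime, timezone


class DecisionAuditLog:
    """Append-only JSON Lines log: one self-describing record per event."""

    def __init__(self):
        self.lines = []

    def record(self, session_id, event, *, reference_db=None, input_data=None,
               decision=None, actor="system", ts=None):
        # event: session_start | inference | human_override | session_end (assumed vocabulary)
        digest = hashlib.sha256(input_data.encode()).hexdigest() if input_data else None
        entry = {
            "ts": ts or datetime.now(timezone.utc).isoformat(),
            "session_id": session_id,      # one session = one period of use
            "event": event,
            "reference_db": reference_db,  # database the input was checked against
            "input_sha256": digest,        # ties the record to the retained raw input
            "decision": decision,
            "actor": actor,                # "system", or the human role that overrode
        }
        self.lines.append(json.dumps(entry, sort_keys=True))
        return entry


def reconstruct_session(jsonl_lines, session_id):
    """Rebuild the ordered decision sequence for one period of use."""
    events = [e for e in map(json.loads, jsonl_lines) if e["session_id"] == session_id]
    if not events:
        return None
    decided = [e for e in events if e["decision"] is not None]
    return {
        "period": (events[0]["ts"], events[-1]["ts"]),
        "reference_dbs": sorted({e["reference_db"] for e in events if e["reference_db"]}),
        "decision_sequence": [(e["event"], e["decision"], e["actor"]) for e in decided],
        "final_decision": decided[-1]["decision"] if decided else None,
        "human_override": any(e["event"] == "human_override" for e in events),
    }


def demo_session():
    """Constructed credit decision: the model declines, a named officer overrides."""
    log = DecisionAuditLog()
    log.record("s-1", "session_start", ts="2026-03-01T09:00:00+00:00")
    log.record("s-1", "inference", reference_db="credit_bureau_v3", decision="decline",
               input_data='{"applicant":"A-100","income":42000}', ts="2026-03-01T09:00:02+00:00")
    log.record("s-1", "human_override", decision="approve", actor="credit_officer", ts="2026-03-01T09:04:10+00:00")
    log.record("s-1", "session_end", ts="2026-03-01T09:04:11+00:00")
    return reconstruct_session(log.lines, "s-1")
```

The reconstruction step is the part an auditor exercises: given a session identifier, it should yield the period of use, what was queried, the sequence of automated and human decisions, and which one was final.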
4. Conformity assessment before market entry
Article 43 requires that high-risk AI systems undergo a conformity assessment before they are placed on the EU market. For most high-risk categories this is a self-assessment supported by technical documentation. For biometric and certain other categories third-party assessment is required.
This is not a box to check at Series C. It is an obligation that applies from the moment you deploy a high-risk system to EU users.
What the Enforcement Timeline Actually Looks Like
The Act's application dates are structured in phases.
Prohibited practices provisions have applied since August 2024. If your system falls into a prohibited category, it has been illegal in the EU for over a year.
Obligations for general purpose AI models apply from August 2025. If you deploy or build on foundation models, those obligations are active now.
High-risk system obligations under the main body of the Act apply from August 2026. This is the deadline most founding teams are treating as the compliance start line. It is not. The preparation period required to meet the documentation, logging, and conformity assessment requirements means meaningful work needs to start now to be ready by August 2026.
National competent authorities across EU member states are actively building enforcement capacity. The first significant enforcement actions targeting AI systems specifically are expected in the second half of 2026.
The Due Diligence Question You Will Be Asked
Every Series B or later funding round that includes EU institutional investors will include a question about EU AI Act compliance status. Every enterprise sales process involving an EU-headquartered buyer is already including that question.
The founders who will navigate these conversations most effectively are not those who have perfect compliance. They are those who have documentation - a structured assessment of their current posture, an honest identification of gaps, and a credible remediation roadmap.
A documented posture with known gaps and a remediation plan is a defensible position. An absence of any assessment is not.
The Minimum Documentation Stack
For a founder operating in the EU market with any form of high-risk AI system, the minimum documentation stack is:
- A system classification analysis mapping your AI against Annex III categories
- A risk management system document covering your assessment of risks and controls
- Technical documentation covering system design, training data, and performance metrics
- Evidence of your logging infrastructure and what events it captures
- A human oversight procedure document with named roles and tested workflows
- A conformity assessment record, even if self-assessed
None of this needs to be perfect on day one. All of it needs to exist and be dated.