EU AI Act Compliance Becomes Focus for Founders

- The Act's obligations are being phased in over time: a ban on "unacceptable risk" AI practices began on February 2, 2025; rules for general-purpose AI models applied starting August 2, 2025; and compliance for most high-risk systems is required by August 2, 2026. - Non-compliance carries severe financial penalties that can exceed GDPR fines, with violations involving prohibited AI practices resulting in fines of up to €35 million or 7% of a company's total worldwide annual turnover, whichever is higher. - For startups in healthtech and fintech, AI systems are often classified as "high-risk." This includes AI used for medical diagnostics, credit scoring, and evaluating access to essential public and private services. - Providers of high-risk AI systems face strict requirements, including establishing a continuous risk management system, ensuring high-quality data governance to minimize bias, maintaining detailed technical documentation, enabling human oversight, and ensuring high levels of cybersecurity and accuracy. - The regulation has an extraterritorial reach, known as the "Brussels Effect," meaning Turkish companies that place an AI system on the EU market or whose system's output is used in the EU must comply, regardless of where they are based. - To aid compliance, an EU AI Office has been established to support implementation, and a "Code of Practice" was published in July 2025 to provide practical guidance for providers of general-purpose AI models. - Startups should budget for compliance, with estimates suggesting an allocation of 10-25% of the AI development budget for high-risk systems and 5-10% for limited-risk systems. - The Act completely bans certain "unacceptable risk" AI, including systems for government-led social scoring, AI that manipulates human behavior to circumvent free will, and most uses of real-time remote biometric identification in publicly accessible spaces by law enforcement.