DEV Community

Spencer Claydon
Spencer Claydon

Posted on • Originally published at foundra.ai

EU AI Act Startup Requirements: What Applies August 2026

You've probably seen both headlines. "EU delays AI Act rules by over a year." And also: "AI Act deadline hits August 2, 2026." Both are true, and that's exactly why founders are confused about EU AI Act startup requirements right now. The EU just rewrote its own rulebook mid-rollout, some obligations slipped to late 2027, others are landing in a few weeks, and if you have users in Europe and AI anywhere in your product, you're in scope whether you've read a single article of the regulation or not.

Here's the short version: the heavy "high-risk" compliance regime got postponed to December 2027. The transparency rules did not. Those apply from August 2, 2026. If your product has a chatbot, generates content, or you publish AI-written material, you have homework due in about two weeks.

Let's sort out which bucket you're in.

What just changed with the Digital Omnibus?

The Digital Omnibus on AI is a package of amendments to the EU AI Act that postpones the high-risk compliance deadlines and tweaks several other provisions. It's not a proposal anymore. The European Parliament adopted it on June 16, 2026, the Council signed off on June 29, and it entered into force in July 2026.

The backstory matters. The AI Act became law in August 2024 with a staggered rollout, and by late 2025 the supporting infrastructure (technical standards, guidance, national regulators) was visibly behind schedule. So the European Commission proposed hitting pause on the hardest parts. After a failed trilogue round in April 2026, negotiators reached agreement on May 6, and formal adoption followed in June.

The three changes founders should care about:

  1. High-risk obligations for Annex III systems (recruitment tools, credit scoring, education, and similar) moved from August 2, 2026 to December 2, 2027.
  2. High-risk obligations for AI embedded in regulated products (medical devices, machinery, vehicles) moved to August 2, 2028.
  3. A new prohibition on "nudifier" apps and AI-generated CSAM was added to Article 5, with a transitional period until December 2, 2026. If you're building image or video generation, you're now expected to assess whether this misuse is a foreseeable outcome of your system and build safeguards against it.

There's also a win for small companies: the Omnibus created a "small mid-cap" category (under 750 employees and under €150 million turnover) that gets the same compliance reliefs as classic SMEs, including simplified technical documentation for high-risk systems. Almost every startup reading this qualifies.

What EU AI Act rules still hit on August 2, 2026?

Article 50, the transparency obligations, applies from August 2, 2026, and the Digital Omnibus barely touched it. This is the part that catches founders off guard, because Article 50 doesn't care whether your AI is "high-risk." It applies to any AI system used in four specific situations.

The four buckets:

  1. AI that talks to people. Chatbots, voice assistants, AI agents. Users must be informed they're dealing with AI.
  2. AI that generates synthetic content. Text, images, audio, video. Outputs must carry machine-readable markings so detection tools can identify them as AI-generated.
  3. Emotion recognition and biometric categorisation. If you deploy these, you must tell the people exposed to them.
  4. Deepfakes and AI-generated text on matters of public interest. Both need visible disclosure, with some carve-outs we'll get to.

Per the Future of Life Institute's compliance data, transparency is the second most common obligation companies trigger under the whole Act, affecting roughly a third of assessed organisations. For a typical SaaS startup, Article 50 isn't a footnote. It's the main event.

One piece of relief from the Omnibus: systems already on the market before August 2, 2026 get a grace period until December 2, 2026 to implement the machine-readable marking requirement. New systems launched after August 2 get no such buffer.

Does your chatbot need to say it's a bot?

Yes, unless it's already obvious. If your startup provides an AI system that interacts directly with people, you must design it so users know they're talking to AI, and the disclosure has to land at or before the first interaction. A label buried in your terms of service doesn't count. Neither does tiny footer text.

There's an exception when the AI nature is "obvious" to a reasonably well-informed person. But the Commission's draft guidelines say to assess that from your actual audience's perspective, not your own. A technical founder finds it obvious that support chat is AI-powered. A 60-year-old first-time user of your insurance app might not.

The guidelines also confirm that AI agents fall under this rule. If you're building agentic workflows where you can't predict whether the agent will end up talking to a human, the safe design is to disclose in every interaction.

Practically, this is a UX task, not a legal project. Intercom-style "AI Agent" badges, a first-message disclosure, a persistent label in the chat header. Pick one, make it visible, ship it before August 2.

Do you have to label AI-generated content?

It depends on whether you're the provider of the generation system or just publishing its output. This distinction trips up more founders than anything else in the Act, so let's split it.

If you provide a generative AI feature (your product generates text, images, audio, or video for users), you must ensure outputs are marked in a machine-readable format and detectable as AI-generated. This is watermarking and metadata, not a visible stamp. The technical standards are being finalised through a Code of Practice on AI-generated content, which proposes a standardised "AI" label for the EU. Wrapping the OpenAI or Anthropic API doesn't automatically exempt you: if the system goes to market under your name, the obligation follows you.

If you publish AI-generated content, two rules matter. Deepfakes (AI content resembling real people, places, or events that could pass as authentic) must be visibly disclosed. And AI-generated text published "with the purpose of informing the public on matters of public interest" must be disclosed too.

Now the carve-out every content-marketing founder should memorise: that text disclosure rule does not apply where the content has gone through human review and a person holds editorial responsibility for it. The review has to be substantive, not a two-second skim and an approve click. So a startup blog where a human edits, fact-checks, and signs off on AI-drafted posts is generally outside the disclosure obligation. A fully automated news site with zero human oversight is squarely inside it.

Also useful: the draft guidelines say clearly fantastical content (dragons, flying humans, obviously impossible scenes) isn't a deepfake. Your AI-generated product illustrations are fine.

What got pushed to 2027 and 2028?

The entire high-risk compliance regime: conformity assessments, risk management systems, technical documentation, CE marking, post-market monitoring. Standalone Annex III systems now have until December 2, 2027. AI embedded in Annex I regulated products has until August 2, 2028.

Annex III is where a lot of B2B startups live without realising it. It covers AI used in recruitment and candidate screening, credit scoring, insurance pricing, education admissions and grading, and border control, among others. If you're building an AI hiring tool, you just got 16 extra months. That's real breathing room: a proper conformity assessment takes months of documentation work, and the harmonised standards you're supposed to assess against still aren't finished.

Two warnings before you close the tab and forget about it.

First, the delay is a deferral, not a repeal. The architecture survived intact, and December 2027 arrives faster than you think, especially if you're also trying to hit product and fundraising milestones.

Second, don't confuse buckets. An AI recruitment tool with a chatbot interface has high-risk obligations due December 2027 and transparency obligations due August 2, 2026. The delay on one doesn't touch the other.

Does the EU AI Act apply to startups outside the EU?

Yes, if your AI system is placed on the EU market or its output is used in the EU. This is the same extraterritorial logic as GDPR, and it works the same way in practice: a Delaware C-corp with EU customers is in scope, no EU office required.

The practical test isn't your incorporation documents, it's your user base. If you have paying customers in Berlin or your free tier gets signups from France, EU users are interacting with your AI system and the transparency rules apply to those interactions. Some US startups will geo-fence their AI features instead of complying, the same way some publishers blocked EU traffic in 2018. For most SaaS companies, that's a bad trade: you'd be walling off a market of 450 million people to avoid adding a chatbot disclosure.

What are the penalties for ignoring this?

Transparency violations can draw fines of up to €15 million or 3% of global annual turnover, whichever is higher. For prohibited practices under Article 5, it's up to €35 million or 7%. The Act does soften this for smaller companies: for SMEs, fines are capped at whichever of those amounts is lower.

Will EU regulators fine a 5-person startup €15 million on August 3? No. Enforcement ramps gradually, national authorities are still staffing up, and regulators historically go after visible targets first. But that's the wrong risk calculation for a founder anyway. The realistic near-term costs are different: an enterprise customer's procurement team asking for your AI Act compliance posture during a sales cycle, a competitor reporting your unlabelled chatbot, or a due-diligence flag during your seed round. Compliance questions are already showing up in B2B security questionnaires next to the SOC 2 and GDPR rows.

What should founders actually do before August 2?

Run a one-hour audit. That's the honest scope of this for most early-stage startups. Here's the sequence.

Map your AI surface. List every place AI touches a user: chat interfaces, generation features, AI-written content on your blog, automated emails. This takes 20 minutes and most founders have never done it. Treat it like any other piece of strategic planning, the same way you'd map your funnel or your competitors. (I built Foundra for exactly this kind of structured thinking, and while it won't do legal compliance for you, there are planning guides on adjacent founder decisions at foundra.ai/key-reads.)

Fix the chatbot disclosure. If users can talk to AI in your product, add a clear label at first interaction. One sprint ticket.

Sort your content pipeline. If humans review and take editorial responsibility for your AI-drafted marketing content, document that workflow (who reviews, who signs off). If nobody reviews it, either add a human or add a disclosure.

Check your generation features. If your product generates content, start on machine-readable marking now. If you launched before August 2, 2026, you have until December 2 to finish. Follow the Code of Practice; it's voluntary but it's going to be the benchmark regulators measure against.

Calendar the high-risk check. If anything you build touches Annex III territory (hiring, credit, education, insurance), put a December 2026 milestone in your roadmap to start conformity assessment prep. Not because the deadline is close, but because starting a year out is the difference between a controlled process and a panic.

Key takeaways

  • The Digital Omnibus is now law: high-risk AI obligations moved to December 2, 2027 (Annex III) and August 2, 2028 (Annex I products).
  • Article 50 transparency rules were NOT delayed. They apply from August 2, 2026.
  • Chatbots must disclose they're AI at first interaction. Generative features need machine-readable output marking (grace period to December 2, 2026 for systems already on the market).
  • AI-drafted marketing content with substantive human review and editorial responsibility generally needs no AI label.
  • The Act applies to non-EU startups whose AI output is used in the EU.
  • Transparency fines run up to €15 million or 3% of turnover (SMEs pay the lower of the two), but the near-term risk is failed enterprise procurement and due diligence, not fines.
  • New since the Omnibus: a ban on nudifier apps and AI-generated CSAM, with safeguard expectations for image and video generation startups.

FAQ

Does the EU AI Act apply to US startups?

Yes, when the AI system is placed on the EU market or its output is used in the EU. Having EU users is enough; you don't need an EU entity. It works like GDPR's extraterritorial reach.

My product wraps the OpenAI API. Am I a provider or a deployer?

If you put an AI system on the market under your own name or brand, you're a provider for that system, even though the underlying model is someone else's. That means the design obligations (chatbot disclosure, output marking) sit with you, not with OpenAI.

Do AI-written blog posts need an "AI-generated" label?

Usually not, for two reasons. The text disclosure rule only triggers when content is published to inform the public on matters of public interest, and it's waived where a human substantively reviews the content and holds editorial responsibility. A human-edited startup blog clears the carve-out. A fully automated content farm doesn't.

What happened to the original August 2026 high-risk deadline?

The Digital Omnibus, adopted in June 2026, moved it. Standalone high-risk systems under Annex III (recruitment, credit scoring, education and similar) now comply by December 2, 2027. AI embedded in regulated products under Annex I complies by August 2, 2028.

What counts as a deepfake under the Act?

AI-generated or manipulated image, audio, or video that resembles real people, objects, places, or events and would falsely appear authentic. Obviously fantastical or impossible content is excluded. Artistic and satirical works get a lighter disclosure standard.

Is the watermarking requirement in force on August 2, 2026?

For new systems, yes. Systems already on the market before August 2, 2026 get until December 2, 2026 to implement machine-readable marking. The visible-disclosure rules (chatbots, deepfakes) have no grace period.

Top comments (0)