What is the EU AI Act?

The EU AI Act (Regulation EU 2024/1689) is the world's first comprehensive legal framework for artificial intelligence. It entered into force on August 1, 2024, and applies to all companies operating AI systems in the European Union from August 2, 2026. Non-compliance carries fines of up to €35 million or 7% of global annual turnover.

Who does the EU AI Act apply to?

The EU AI Act applies to any company that develops, deploys, or uses AI systems within the EU — regardless of where the company is headquartered. This includes Series A and Series B startups using AI in their products, HR tools, credit scoring, medical devices, or customer-facing applications.

How long does EU AI Act compliance take?

Traditional compliance timelines with large law firms range from 6 to 18 months and cost €50,000 or more. Verumt delivers a complete audit-ready compliance package in 12 weeks, starting at €2,500 — designed specifically for startups and SMEs that need to move fast without enterprise-scale budgets.

What does EU AI Act compliance include?

A full compliance package includes: AI system risk classification (prohibited, high-risk, limited-risk, minimal-risk), gap analysis against Articles 9–15, technical documentation, conformity assessment support, and board-ready reports. Verumt covers all of this in a single 12-week engagement.

Does the EU AI Act apply to my startup?

Yes, if your startup develops, deploys, or uses AI systems that affect users in the European Union — regardless of where your company is incorporated. The Act applies from August 2, 2026.

What are the penalties for non-compliance with the EU AI Act?

Fines for non-compliance range from €7.5 million (or 1.5% of global annual turnover) for minor violations, up to €35 million (or 7% of global annual turnover) for the most serious breaches.

How is Verumt different from a law firm?

Verumt combines legal expertise with technical knowledge — our team includes both compliance lawyers and engineers. This allows us to deliver audit-ready compliance in 12 weeks at a fraction of the cost of traditional law firms (from €2,500 vs. €50,000+).

What AI systems are considered high-risk under the EU AI Act?

High-risk AI systems include those used in hiring and HR decisions, credit scoring, medical diagnosis, biometric identification, and systems used in critical infrastructure. Article 6 and Annex III of the EU AI Act define the full list.

When does EU AI Act compliance need to be completed?

The full regulation applies from August 2, 2026. However, investor due diligence and enterprise sales cycles mean that most Series A/B companies need to be audit-ready 6–12 months before the deadline — meaning the window to act is now.

How much does EU AI Act compliance cost for a Series A or Series B startup?

Verumt's compliance packages start at €2,500 for a single AI system and €5,900 for up to five AI systems. Traditional law firms charge €50,000 or more for comparable scope with timelines of 6 months or longer.

CTO Guide

EU AI Act Compliance Guide for CTOs

← Back to EU AI Act Complete Guide

Everything a Chief Technology Officer needs to know to make their AI systems EU AI Act compliant before August 2, 2026 — without stopping your sprints.

Reviewed by the Verumt technical compliance team · Last updated: March 2026 · Sources: EU AI Act (EUR-Lex)

What Does the EU AI Act Mean for CTOs?

The EU AI Act (Regulation EU 2024/1689) is not just a legal problem — it is an engineering problem. CTOs are responsible for classifying every AI system in their stack, producing technical documentation, implementing human oversight mechanisms, and ensuring their development lifecycle (SDLC) meets Article 9 risk management requirements. Failure to comply by August 2, 2026 exposes the company to fines of up to €35 million or 7% of global annual revenue.

Step 1: Classify Every AI System in Your Stack

The EU AI Act assigns every AI system to one of four risk categories. Your compliance obligations depend entirely on which category each system falls into. Start by listing every AI system your company builds or uses — including third-party APIs, embedded models, and AI-powered features.

Risk Category	Examples	Obligations
Prohibited	Social scoring, real-time biometric surveillance	Banned outright — cannot be deployed
High-Risk	HR/recruitment AI, credit scoring, medical diagnosis, biometric ID	Articles 9–15: risk management, technical documentation, human oversight, conformity assessment
Limited-Risk	Chatbots, deepfake tools, emotion recognition	Transparency obligations — users must know they're interacting with AI
Minimal-Risk	Spam filters, recommendation engines, most SaaS AI features	No mandatory requirements — voluntary codes of conduct

Step 2: Technical Documentation Requirements (Article 11)

For every high-risk AI system, Article 11 of the EU AI Act requires technical documentation that must be maintained throughout the system's lifecycle and made available to regulators on request. This documentation must cover system architecture, training data, performance metrics, and risk mitigation measures.

Required documentation includes:

General description of the AI system and its intended purpose
Description of system architecture and components
Training, validation, and testing datasets (data governance per Article 10)
Risk management system records (Article 9)
Human oversight measures (Article 14)
Accuracy, robustness, and cybersecurity metrics (Article 15)
Post-market monitoring plan

Step 3: Integrate Compliance into Your SDLC

The most common CTO mistake is treating EU AI Act compliance as a one-time audit rather than an ongoing engineering practice. Article 9 requires a risk management system that is established, implemented, documented, and maintained across the AI system's full lifecycle — meaning compliance must be built into your development process.

Practical SDLC integration:

Design phase: Risk classification checklist before any AI feature enters the roadmap
Development phase: Data governance review (Article 10) for training datasets
Testing phase: Accuracy, robustness, and bias testing with documented results
Deployment phase: Human oversight mechanisms activated, logging enabled
Post-deployment: Post-market monitoring per Article 72

Step 4: Human Oversight Requirements (Article 14)

Article 14 requires that high-risk AI systems are designed to allow human oversight — meaning a qualified person can monitor, understand, intervene, override, or shut down the system. This is an engineering requirement, not just a policy requirement. Your UI and system architecture must make oversight technically possible.

How Long Does Technical Compliance Take?

Approach	Timeline	Engineering Cost	Risk
Internal engineering team only	6–12 months	High (diverts sprints)	High — gaps likely without legal expertise
Big law firm + internal team	6–18 months	Very high	Medium
Verumt (tech + legal)	12 weeks	Low — we do the heavy lifting	Low — gap analysis translates to Jira tickets

Frequently Asked Questions for CTOs

Does the EU AI Act apply to AI features built on top of third-party APIs (OpenAI, Anthropic, etc.)?+

Yes. If your company deploys an AI-powered feature to EU users, you are the "deployer" under the EU AI Act — regardless of whether the underlying model is built by a third party. Your obligations depend on the risk category of the use case, not the underlying technology.

What if our AI system is minimal-risk — do we still need to do anything?+

Minimal-risk systems have no mandatory obligations under the EU AI Act. However, you still need to document your risk classification decision so you can demonstrate to regulators or investors that you assessed the system and determined it falls outside the high-risk categories.

How does EU AI Act compliance affect our enterprise sales cycle?+

Enterprise buyers — especially in fintech, healthtech, and HR tech — are increasingly requiring EU AI Act compliance documentation as part of procurement due diligence. Being audit-ready can accelerate enterprise deals by up to 3x by eliminating a key objection in the procurement process.

Can we get compliant before August 2026 without slowing our engineering velocity?+

Yes, if compliance is handled by external specialists rather than diverted from your engineering team. Verumt's approach translates compliance requirements directly into Jira-ready tickets and documentation templates — so your team implements what's needed without context-switching away from product development.

What is a conformity assessment and do we need one?+

A conformity assessment is the process by which a high-risk AI system is verified to meet EU AI Act requirements before being placed on the market. For most high-risk systems, this is a self-assessment — you don't need an external auditor unless your system falls into specific categories (like biometric identification) that require third-party assessment.

How much does EU AI Act compliance cost for a Series A/B startup?+

Verumt's compliance packages start at €2,500 for a single AI system (Starter) and €5,900 for up to five AI systems (Professional). Traditional law firms charge €50,000 or more for equivalent work with timelines of 6 months or longer.

Also see: EU AI Act Checklist for General Counsel · EU AI Act FAQ

Get your AI stack audit-ready in 12 weeks

Gap analysis delivered as Jira tickets. Compliance integrated into your SDLC without stopping sprints.

Book a technical assessment