The EU AI Act compliance conversation has been dominated by enterprise narratives — Fortune 500 companies, dedicated compliance teams, six-figure consulting engagements. That framing has left most SaaS founders with a distorted picture of what compliance actually costs and what it actually requires for a bootstrapped or early-stage company.
Here is the unvarnished reality: if your AI system is high-risk under the EU AI Act, you have legal obligations that cannot be wished away by being small. But if you understand exactly what those obligations are, the minimum viable compliance path for a startup is far more accessible than the enterprise narrative suggests.
First, check if you actually need this. Not every AI product is high-risk. Take the 5-minute risk classification quiz before spending time or money on compliance documentation. If your system qualifies for the Article 6(3) non-high-risk exemption, you need a €49 exemption memo — not a €50,000 consultant engagement.
The EU AI Act applies to providers who place AI systems on the EU market or put them into service within the EU. Where you are incorporated is irrelevant. A US SaaS company whose product is used by EU customers is subject to the regulation if the AI system falls within its scope.
Three questions determine whether you need to act before December 2, 2027:
The compliance cost structure varies dramatically by the path you take. Here is an honest breakdown.
| Compliance Path | Cost | Timeline | What You Get |
|---|---|---|---|
| Specialist EU AI Act consultancy (full engagement) | €30,000–€60,000 | 6–12 weeks | Bespoke documentation pack, legal review, ongoing support |
| In-house legal + engineering team | €6,000–€18,000 internal cost | 4–8 weeks | Documentation produced internally, no external review |
| External legal review only (documentation pre-drafted) | €2,000–€5,000 | 1–2 weeks | Legal sign-off on a pre-drafted compliance pack |
| Generator tool + legal review | $197 + €2,000–€3,000 | 1–3 days + 1 week review | Structured draft reviewed and approved by counsel |
| Generator tool only (internal review) | $197 | Under 1 hour | Structured draft for internal review — not a final filing |
The €200,000+ figure cited in some EU compliance reports represents the total first-year compliance cost for a 50-to-100-person provider maintaining a full risk management system, quality management system, post-market monitoring infrastructure, and ongoing legal counsel. That number is real but irrelevant for a bootstrapped founder with one AI product and no compliance team.
The minimum viable compliance path for a startup is: generate structured documentation → review with a qualified lawyer → retain and update as the system evolves. The regulatory goal is demonstrable good-faith compliance, not enterprise-scale governance infrastructure.
For a high-risk AI system under Annex III, the mandatory documents are:
Beyond these three documents, you also need:
Several compliance components that dominate the enterprise conversation are either not mandatory for startups or can be deferred without immediate regulatory exposure.
Third-party notified body assessment: For most Annex III high-risk AI systems, self-certification under Annex VI is permitted. You do not need to pay a notified body to assess your conformity. The exceptions — real-time remote biometric identification, certain Annex I safety-critical systems — almost certainly don't apply to your SaaS product.
Enterprise GRC platforms: Tools like OneTrust ($50,000–$500,000/year) and Credo AI ($30,000–$150,000/year) are built for organisations managing dozens of AI systems across complex regulatory environments. A startup with one AI product does not need a governance platform — it needs three well-structured documents.
Dedicated compliance headcount: Article 26 requires deployers to designate a person responsible for compliance, but providers of single-product SaaS tools can fulfil this at the CTO or founder level. You do not need a Chief AI Ethics Officer to comply with the EU AI Act.
On May 7, 2026, the EU Council and European Parliament reached a provisional political agreement (the Digital Omnibus) extending the Article 11/13/47 compliance deadline for standalone Annex III high-risk AI systems to December 2, 2027. This agreement is provisional pending formal adoption, widely expected before August 2026. The fines under Article 99 — up to €15 million or 3% of global turnover — have not changed.
The extended deadline is not a reason to wait. Getting documentation done now — rather than joining the 2027 rush — is still the rational choice. The fine exposure for a €5 million ARR startup is up to €150,000 (3% of €5M). The documentation costs €197 to generate and €2,000–€5,000 to have reviewed by counsel. The risk-adjusted case for acting now is not close.
The 2027 rush is coming. Most companies will use the extra time to procrastinate. EU AI Act compliance consultants will be booked out months in advance as December 2027 approaches. If you plan to engage external legal review, generate your draft now — counsel is cheaper and more available today than they will be in late 2027.
Based on the legal requirements and the practical constraints of a bootstrapped or early-stage team, here is the minimum viable compliance stack for a SaaS startup with one high-risk AI system:
Total cost: $197 + €2,000–€3,000 legal review. Total time: 2–3 weeks. That is the realistic minimum viable EU AI Act compliance path for a SaaS startup with a single high-risk AI system — not €200,000 and six months.
Article 11 Technical Documentation, Article 13 Instructions for Use, and Article 47 Declaration of Conformity — generated from your system inputs in under an hour.
Then hand the draft to your lawyer for review. That's the startup compliance stack.
If your system is being used by EU users — even in beta, even for free — it has been "put into service" within the EU under Article 3(11). The compliance obligations attach to deployment, not revenue. A pre-revenue startup offering a free beta of a hiring AI tool to EU customers is within scope of the regulation.
Geo-blocking EU users is a valid commercial decision, but it must be enforced at the infrastructure level — not just the UI. If EU users can access your product via VPN or by providing a non-EU address, you have not removed yourself from scope. More importantly, for most SaaS products, blocking the EU market is a significant commercial sacrifice relative to the cost of compliance.
Partially. If you use a third-party AI system without modifying it, your vendor (as the provider) bears the Article 11, 13, and 47 obligations. But you, as the deployer, have separate obligations under Article 26 — including using the system in accordance with the Instructions for Use, implementing human oversight measures, and monitoring the system's performance. Your vendor's compliance does not substitute for your own Article 26 obligations.
Technically yes — the regulation does not require documentation to be produced or reviewed by a lawyer. But the documentation must be accurate and complete, and an incorrect or misleading declaration can trigger fines under Article 99 Tier 3 (€7.5M or 1% of turnover). For a startup, a €2,000–€3,000 legal review of a pre-drafted pack is inexpensive insurance against that exposure.