EU AI Act: What German Startups Need to Know Before August 2026
The EU AI Act is fully enforceable from August 2, 2026. Risk categories, obligations, penalties up to EUR 35M, and startup-specific exemptions that matter.
Key Summary
The EU AI Act becomes fully enforceable on August 2, 2026. Most startups fall into the minimal or limited risk category and face only two obligations: documented AI literacy training (required since February 2025) and transparency labeling for chatbots or AI-generated content. High-risk AI systems used in recruitment, credit scoring, or insurance face a full compliance stack that takes 8 to 14 months to implement. Fines reach up to EUR 35 million or 7% of global turnover, but are capped proportionally for startups.
The EU AI Act is fully enforceable from August 2, 2026. If your startup uses AI in any form, you need to understand which rules apply to you. Most startups fall into the low-risk category and face minimal obligations. But getting it wrong on the few rules that do apply can cost up to EUR 35 million.
The Four Risk Categories
The AI Act classifies every AI system into one of four categories. Your obligations depend entirely on which category your product falls into.
Unacceptable risk (banned). These AI practices have been prohibited outright since February 2, 2025. They include social scoring systems, real-time biometric identification in public spaces, emotion recognition in the workplace, and AI that manipulates behavior through subliminal techniques. If your product does any of these, stop.
High risk. AI systems used in areas listed in Annex III of the regulation: recruitment and HR decisions, credit scoring, insurance risk assessment, access to essential services, law enforcement, and migration management. These systems face the heaviest requirements.
Limited risk. Chatbots, deepfake generators, and other AI that interacts with people. The main obligation is transparency: users must know they are interacting with AI.
Minimal risk. Spam filters, translation tools, autocorrect, simple image processing. No regulatory obligations under the AI Act.
Most startup products fall into minimal or limited risk. If you build a SaaS tool that uses AI for internal analytics, text generation, or customer support chatbots, you are likely in the limited-risk category. The key question is whether your AI makes or supports decisions about people in the high-risk sectors listed above.
What Startups Must Do
Everyone: AI Literacy (Article 4)
This applies to every company that deploys AI, regardless of risk category. Since February 2, 2025, organizations must ensure that staff operating AI systems or using their outputs have sufficient AI competence. In practice, this means documented training for employees who work with AI tools.
This is the most commonly overlooked requirement. It applies even if you only use third-party AI tools like ChatGPT or GitHub Copilot internally.
Limited Risk: Transparency
If your product includes a chatbot or generates synthetic content, you must disclose that to users. A simple "This response was generated by AI" notice is typically sufficient. Deepfakes and AI-generated images must be labeled as such.
High Risk: The Full Compliance Stack
If your AI system falls into the high-risk category, the requirements are substantial:
| Requirement | What It Means |
|---|---|
| Risk management system | Documented process for identifying and mitigating risks |
| Data governance | Training data must be relevant, representative, and error-free |
| Technical documentation | Full documentation of the system's design, purpose, and limitations |
| Record-keeping | Automatic logging of system operations |
| Transparency | Users must receive clear instructions for use |
| Human oversight | A human must be able to interpret and override the system |
| Accuracy and robustness | The system must perform reliably and resist manipulation |
| Conformity assessment | Before market placement, either self-assessment or third-party audit |
Implementation typically takes 8 to 14 months. If your system might be high-risk, start now.
Penalties
| Violation | Maximum Fine |
|---|---|
| Prohibited AI practices (Art. 5) | EUR 35 million or 7% of global annual turnover |
| High-risk AI obligations | EUR 15 million or 3% of global annual turnover |
| Incorrect information to authorities | EUR 7.5 million or 1% of global annual turnover |
For SMEs and startups, fines are capped at the lower of the fixed amount or the percentage. A startup with EUR 2 million in revenue faces a maximum of EUR 140,000 for high-risk violations (3% of EUR 2 million), not EUR 15 million.
Startup-Specific Relief
The AI Act includes provisions specifically for smaller companies:
Regulatory sandboxes. Each EU member state must establish at least one AI regulatory sandbox by August 2, 2026. Startups and SMEs get prioritized, cost-free access to these controlled testing environments where you can develop and test AI systems under regulatory supervision without full compliance exposure.
Reduced fees. Conformity assessments and regulatory fees are reduced for SMEs.
Simplified documentation. The European Commission is developing simplified technical documentation templates for smaller companies.
Proportionality. Fines are proportional to company size, as described above.
Timeline
| Date | What Happens |
|---|---|
| February 2, 2025 | Prohibited practices banned; AI literacy obligation starts |
| August 2, 2025 | Rules for general-purpose AI models (like GPT) apply |
| August 2, 2026 | Full AI Act enforcement, including high-risk obligations |
| August 2, 2027 | Extended transition for high-risk AI in already regulated products (medical devices, machinery) |
The German Situation
Germany's national implementing law is the KI-MIG, approved by the federal cabinet as a Regierungsentwurf on 11 February 2026. The Bundesnetzagentur (Federal Network Agency) becomes the central market surveillance and notifying authority and hosts the coordination centre KoKIVO. BaFin remains the market surveillance authority for AI in regulated financial services under Art. 74(6) KI-VO; law-enforcement uses sit in an independent Kammer at the BNetzA. The EU-level rules apply directly regardless of national passage timing.
What To Do Now
Bottom Line
Most startups will face only two AI Act obligations: AI literacy training (already required) and transparency labeling (if you have a chatbot or generate content). The high-risk category affects a smaller subset, mostly in HR tech, fintech, and insurtech. If you are in that group, the compliance burden is real and you should start now. For everyone else, classify your systems, train your team, label your AI, and move on. If your AI system ships as part of a product with digital elements, the Cyber Resilience Act layers its own cybersecurity and 24-hour reporting obligations on top from September 2026.
Legal Sources
- Art. 5 EU AI Act — Prohibited AI practices
- Art. 6 EU AI Act — High-risk AI systems classification
- Art. 4 EU AI Act — AI literacy obligation for all deployers
- Art. 99 EU AI Act — Penalties and fines
- BMDS, Gesetz zur Durchführung der KI-Verordnung (KI-MIG), Kabinettsbeschluss 11.02.2026 — German implementation law: designates Bundesnetzagentur (BNetzA) as the central market surveillance authority and notifying authority, creates KoKIVO coordination centre; BaFin retains competence for regulated financial-services AI under Art. 74(6) KI-VO; independent KI-Marktüberwachungskammer at BNetzA handles law-enforcement uses under Art. 74(8) KI-VO
- Commission Regulation (EU) 2024/1689, Art. 99(6) — For SMEs and start-ups, the fine in each tier applies at the lower of the fixed amount or the percentage of global turnover, reversing the default 'whichever is higher' rule
Frequently Asked Questions
- When does the EU AI Act apply to startups?
- The AI Act is fully enforceable from August 2, 2026. Prohibited AI practices and the AI literacy obligation have already applied since February 2, 2025.
- What are the AI Act risk categories?
- The AI Act defines four categories: unacceptable (banned), high risk (heavy compliance), limited risk (transparency required), and minimal risk (no obligations). Most startup products fall into minimal or limited risk.
- What is the AI literacy requirement under the AI Act?
- Article 4 requires every company deploying AI to ensure staff have sufficient AI competence. This applies even if you only use third-party tools like ChatGPT internally. It has been mandatory since February 2, 2025.
- How much can startups be fined under the AI Act?
- Maximum fines are EUR 35 million or 7% of global turnover for prohibited practices, and EUR 15 million or 3% for high-risk violations. For startups, fines are capped at the percentage of actual revenue.
- Are there AI Act exemptions for startups?
- Startups get prioritized, cost-free access to regulatory sandboxes, reduced conformity assessment fees, simplified documentation templates, and proportional fines based on actual revenue.
See Also
- Cyber Resilience Act: What German Tech Startups Must Do Before 11 September 2026
- GmbH vs. UG: Which Legal Entity Should You Choose for Your German Startup?
- KI-MIG: Who Enforces the AI Act in Germany
- EU Inc.: What the New European Legal Form Means for German Founders
- GDPR for B2B SaaS: The Seven Rules German Startups Get Wrong
- NIS2 for German Startups: Who Must Register, What to Do, What It Costs
- EU Platform Work Directive: What German Startups Need to Know Before December 2026