EU AI Act Compliance — What Startups Need to Know | Stack of Truths

🇪🇺 EU AI ACT / COMPLIANCE

EU AI Act Compliance — What Startups Need to Know ✓ Stack of Truths Compliant

📅 May 14, 2026 ⏱️ 8 min read 🦞 Pedro Jose 🇪🇺 Regulation (EU) 2024/1689

The European Union AI Act (Regulation (EU) 2024/1689) is here. It’s not coming — it’s already enforceable. And if you’re building or deploying AI systems in the EU (or serving EU customers), you need to comply. Yesterday.

Fines? Up to €35 million or 7% of global annual turnover — whichever is higher. That’s more than GDPR.

But here’s the good news: compliance isn’t as scary as it sounds. And if you’re already working with Stack of Truths, you’re ahead of the curve.

⚠️ The Clock Is Ticking: The EU AI Act entered into force on August 1, 2024. Prohibited AI practices are already banned. High-risk AI system requirements are phasing in through 2026. Non-compliance fines are active now.

What Is the EU AI Act?

The EU AI Act is the world’s first comprehensive AI law. It regulates AI systems based on risk level:

Unacceptable risk — Banned outright (social scoring, subliminal manipulation, real-time biometric surveillance in public spaces)
High risk — Strict requirements (critical infrastructure, employment, education, law enforcement, migration, justice)
Limited risk — Transparency obligations (chatbots, deepfakes, emotion recognition)
Minimal risk — No requirements (spam filters, video games, AI-enabled recommendation engines)

If your AI system falls into the high-risk category, you need to comply with Articles 8-15: risk management, data governance, technical documentation, transparency, human oversight, robustness, accuracy, and cybersecurity.

Does This Apply to You?

Yes, if:

You place AI systems on the EU market (even if based outside the EU)
You use AI systems in the EU (even if your company is outside)
Your AI system’s output affects people in the EU

That covers most B2B and B2C AI startups serving European customers.

Key Articles You Need to Know

Article	Requirement	Deadline
Article 5	Prohibited AI practices (banned immediately)	Feb 2025 ✓
Article 8-15	High-risk AI requirements	Aug 2026
Article 13	Transparency & user information	Aug 2026
Article 14	Human oversight (design & deploy)	Aug 2026
Article 15	Accuracy, robustness & cybersecurity	Aug 2026
Article 17	Quality management system	Aug 2026
Article 29	Post-market monitoring	Aug 2026
Article 43	Conformity assessment (third-party for some AI)	Aug 2026
Articles 53-55	General Purpose AI (GPAI) — foundation models	Aug 2025 ✓

                📌 Key Date: August 2, 2026 — All high-risk AI system requirements become fully enforceable. If your AI system is high-risk, you need to be compliant by then. Start now.
            

Article 5 — Prohibited AI (Already Illegal)

These are banned immediately. Do not build or deploy:

Subliminal manipulation causing harm
Exploitation of vulnerabilities of specific groups (age, disability)
Social scoring by public authorities
Real-time remote biometric identification in public spaces (with narrow exceptions)
Emotion recognition in workplace/education (except medical/safety)
Predictive policing based on profiling (location, past behavior)
Biometric categorization for sensitive characteristics (race, political views, religion)
Untargeted scraping of facial images from internet/CCTV

Stack of Truths will not test or support AI systems engaged in prohibited practices. If we discover a client’s AI engages in these, we terminate the engagement immediately and may report to supervisory authorities.

Article 13 — Transparency & User Information

Your AI system must be transparent. Users need to know:

They’re interacting with an AI system (not a human)
The system’s capabilities and limitations
The intended purpose of the system
How decisions are made (to the extent feasible)

How Stack of Truths helps: Our AI pentest reports include transparency gap analysis. We identify where your system fails to meet Article 13 requirements and provide remediation steps.

Article 14 — Human Oversight

High-risk AI systems must be designed for effective human oversight. That means:

Humans can understand the AI’s output
Humans can override or ignore AI decisions
Humans can intervene when the AI behaves unexpectedly
No fully automated decision-making without human review

How Stack of Truths helps: I personally review every finding before it reaches your report — no raw AI output. This is human oversight in action. Our pentests also evaluate whether your system allows adequate human control.

// Example: Human oversight check in your AI agent
def execute_tool_call(tool_name, params, require_approval=True):
    if require_approval and tool_name in ["transfer_funds", "delete_user", "send_email"]:
        human_input = input(f"Approve {tool_name} with params {params}? (y/n): ")
        if human_input.lower() != 'y':
            return {"error": "Human rejected"}
    return call_tool(tool_name, params)

Article 15 — Accuracy, Robustness & Cybersecurity

This is where Stack of Truths specializes. The EU AI Act requires:

Accuracy: Your AI system performs as intended (with documented accuracy metrics)
Robustness: Your AI system handles errors, failures, and adversarial inputs
Cybersecurity: Your AI system is protected against manipulation and attacks

Article 15 explicitly calls out prompt injection, data poisoning, and model evasion as threats that must be mitigated.

                🦞 Stack of Truths Core Service: Our AI penetration testing directly addresses Article 15 requirements. We test for:
                ✅ Prompt injection (20+ vectors) — Article 15 cybersecurity
✅ Data exfiltration — Article 15 robustness
✅ Tool chain abuse — Article 15 cybersecurity
✅ Adversarial inputs — Article 15 robustness

                Our NIST AI RMF-aligned methodology maps directly to EU AI Act requirements.
            

Article 29 — Post-Market Monitoring

Compliance isn’t one-time. Article 29 requires continuous monitoring of AI systems after deployment. You need to:

Regularly test for new vulnerabilities
Monitor performance over time
Report serious incidents to authorities
Update documentation as the system evolves

How Stack of Truths helps: Our Security Retainer (€1,500/month) provides quarterly pentests, monthly vulnerability scans, and incident response — exactly what Article 29 demands for ongoing compliance.

Articles 53-55 — General Purpose AI (Foundation Models)

If you’re using GPT-4, Claude, Llama, Gemini, or similar foundation models, you have additional obligations:

Document model capabilities and limitations
Comply with copyright and transparency requirements
Implement cybersecurity safeguards
Assess and mitigate systemic risks (for very large models)

How Stack of Truths helps: Our AI pentests evaluate how you’ve secured your foundation model integration — including API key protection, prompt injection mitigations, and output filtering.

How Stack of Truths Supports Your Compliance Journey

I’ve designed every service to align with EU AI Act requirements. Here’s how:

Service	EU AI Act Article	What You Get
Lite AI Pentest (€750)	Art 15 (cybersecurity)	Basic prompt injection, API key exposure, quick fixes
Full AI Pentest (€3,000)	Art 13-15, 29	40+ page report mapped to NIST AI RMF, debrief
AI Red Team (€5,000)	Art 13-15, 29, 43	2 weeks adversarial testing, conformity evidence
Security Retainer (€1,500/month)	Art 29 (post-market monitoring)	Quarterly pentests, monthly scans, incident response

✅ Stack of Truths Compliance Checklist for Clients:

✓ All AI pentests manually validated — no automated-only findings
✓ NIST AI RMF-aligned methodology (maps to EU AI Act)
✓ GPG-signed, tamper-proof reports — audit-ready
✓ GDPR compliant data processing (based in The Netherlands)
✓ Will not test prohibited AI systems (Article 5)
✓ Retainer provides continuous monitoring (Article 29)

What You Should Do Right Now

Classify your AI system — Is it high-risk under the EU AI Act? (Annex III lists high-risk use cases)
Document everything — The Act requires technical documentation (Article 11). Start now.
Get a baseline pentest — You can’t prove cybersecurity compliance without testing.
Implement continuous monitoring — Annual tests won’t satisfy Article 29.
Work with compliant vendors — Stack of Truths is EU AI Act compliant and based in The Netherlands.

🔴 Don’t Wait Until August 2026: The EU AI Act is already enforceable for prohibited AI. High-risk requirements are coming fast. Fines are active now. Start your compliance work today — not the month before the deadline.

The Bottom Line

The EU AI Act isn’t optional. It’s the law. And unlike GDPR, which many companies ignored until fines started landing, this one has teeth from day one.

But here’s the secret: compliance isn’t about ticking boxes. It’s about building AI systems that are actually secure, transparent, and trustworthy. That’s what I help you do anyway.

If you’re already working with Stack of Truths, you’re ahead. If you’re not — let’s talk. I’ll help you understand where you stand, what you need to fix, and how to stay compliant without burning your budget.

Don’t be the first startup fined €35 million because you didn’t test for prompt injection.

🦞 Need help with EU AI Act compliance?

I offer AI penetration testing that maps directly to Articles 13-15 and 29. DM me first. Quick chat. Then we book a call if we’re a fit.

🐦 DM @StackOfTruths ✉️ pedrojose@stackoftruths.com

No Calendly. Just a human who breaks AI agents (and helps you stay compliant). Based in The Netherlands 🇳🇱

Post on X

🦞 Stacking truths daily 🤡