AI Act Compliance Guide for Startups & Companies

Regulation (EU) 2024/1689 of 13 June 2024, known as the AI Act, entered into force on 1 August 2024 and applies progressively until August 2027. The first horizontal piece of AI legislation worldwide, it imposes strict obligations on providers and deployers of AI systems placed on the market or used in the European Union, even when established outside the EU.

INFLUXIO advises startups, scale-ups, SaaS publishers and user companies on compliance, technical documentation and defense in case of inspection, in Paris and Brussels, with a response within 24 hours.

The AI Act applies as soon as an AI system is placed on the market, put into service or used in the Union, regardless of where the provider is established. A US startup offering a large language model accessible to European users is in scope. A French scale-up integrating a third-party model in its product is too.

Three use cases trigger application: placing on the market, putting into service, and use of the outputs in the Union. The stakes are not only regulatory: compliance conditions access to European public contracts, investor confidence at funding rounds, cyber insurance and contracts with large accounts themselves subject to the regulation.

Non-compliance can lead to fines of up to EUR 35 million or 7% of worldwide annual turnover, whichever is higher.

The AI Act follows a risk-based approach. Each AI system is classified in one of the following four categories, determining the level of applicable obligations.

Qualification determines all your obligations. A provider develops an AI system or has it developed with a view to placing it on the market or putting it into service under its own name or trademark. A deployer (formerly user) is any natural or legal person using an AI system in the course of its professional activity.

Beware of qualification switching: a deployer who substantially modifies a high-risk AI system, places it on the market under its own name or modifies its intended purpose is re-qualified as a provider (Article 25) and inherits all related obligations.

This mechanism particularly affects SaaS publishers that integrate and customise third-party models, and is one of the most frequent blind spots in an AI Act audit.

Providers of high-risk AI systems bear a comprehensive set of obligations under Articles 8 to 22, 47, 48 and 49 of the regulation. Our firm drafts the documentation, structures governance and prepares the CE marking.

Article 26 requires deployers to use high-risk AI systems in accordance with the instructions for use, to ensure effective human oversight, monitor operation and report any serious incident to the provider and the competent authority. Public deployers and certain private actors must carry out a fundamental rights impact assessment (Article 27) before first use.

Natural persons exposed to a high-risk AI system must be informed. Individual decisions producing legal effects must be explainable (Article 86). Articulation with the GDPR is constant: the AI Act does not replace obligations of lawful processing, legal basis, information and data subjects' rights provided by the General Data Protection Regulation.

General Purpose AI models (Articles 51 to 55) are subject to a specific regime applicable from 2 August 2025. Any GPAI provider must publish a summary of the content used for training, comply with EU copyright and maintain up-to-date technical documentation.

Models presenting a systemic risk, presumed above the threshold of 10^25 floating-point operations (FLOPs), bear reinforced obligations: systemic risk assessment, adversarial testing, reporting of serious incidents to the European AI Office, and cybersecurity guarantees.

The General-Purpose AI Code of Practice, published on 10 July 2025 and structured in three chapters (transparency, copyright, safety and security), constitutes the presumption-of-conformity route until harmonised standards are adopted. Non-signatory providers will have to demonstrate equivalent compliance, with a heightened litigation risk.

Article 50 requires clear labelling of AI-generated or AI-modified content: deepfakes, synthetic audio, image, video or text produced at scale and published. Providers must implement technical marking solutions (watermarking, C2PA metadata) that are machine-readable. Deployers must bring this information to the public's attention.

This obligation combines with parallel regimes of copyright (TDM opt-out under Directive 2019/790), right to one's image, criminal identity theft, and provisions of the French Act of 21 May 2024 on AI-generated pornographic content.

INFLUXIO handles these issues in an integrated way with its intellectual property and e-reputation teams.

The AI Act applies progressively, in steps, requiring each milestone to be anticipated in the company's product and legal roadmap.

The sanctions regime, among the strictest in EU law, is based on ceilings modulated by the severity of the breach.

The AI Act sits within a dense regulatory landscape.

It combines with the GDPR (processing of personal data), the Digital Services Act (content moderation and recommendation systems), the Digital Markets Act (gatekeepers), the Data Act (access to data generated by connected devices and cloud services) and the revised directive on liability for defective products (Directive (EU) 2024/2853), which now expressly covers software and AI systems.

The proposed specific directive on civil liability for AI (AI Liability Directive) was withdrawn by the European Commission in 2025 for lack of agreement; compensation for damage caused by AI therefore falls under the renewed product liability regime and national civil liability laws. INFLUXIO conducts cross-cutting audits to avoid contradictions and exploit synergies between these regimes.

An operational roadmap that can be broken down into internal workstreams or steered with our firm, to turn regulatory obligation into a competitive advantage.

The competent national authorities designated by France from 2 August 2025 have extensive investigative powers: requests for access to documentation, audits, administrative sanctions.

The CNIL has been given, through an amendment to the French Data Protection Act of 6 January 1978, the role of market surveillance authority for several high-risk AI systems (biometrics, human resources, scoring) as well as for personal data processing.

Other sector regulators intervene depending on the field: the DGCCRF (in particular for prohibited practices under Article 5), ARCOM (audiovisual), ACPR (finance), HAS and ANSM (health) or the Ministry of Labour. The DGE provides strategic coordination. The European AI Office supervises GPAI at EU level. Appeals lie before the administrative courts.

Civil actions for damages can be brought before the Paris Judicial Court or the Court of Economic Activities depending on the parties. Where a breach of the AI Act overlaps with an offence (fraud, breach of trust, attacks on automated data processing systems), our business criminal law team works alongside the business litigation team.

Our firm intervenes at every stage of the compliance cycle, from the first audit to defense before the supervisory authority or the competent court.