February 2, 2025 marks the first enforcement provisions of the EU’s AI Act going into force. The initial phase targets what the regulation classifies as “unacceptable risk” AI systems — including social scoring, real-time biometric surveillance in public spaces, and manipulative AI designed to exploit vulnerabilities. Penalties for violations can reach €35 million or 7% of global annual turnover, whichever is higher. For a seed-stage startup, that is not a fine. It is an extinction event.

What actually changes today

The AI Act uses a tiered risk framework. Today’s enforcement covers only the top tier — prohibited practices. The heavier obligations around “high-risk” AI systems (hiring tools, credit scoring, medical diagnostics) will not kick in until August 2026. General-purpose AI model rules land in August 2025.

But the psychological weight of today’s date extends far beyond the banned categories. According to a survey from the European Digital SME Alliance, more than 60% of small and medium-sized tech companies say they are not adequately prepared for compliance with any phase of the AI Act. Nearly half reported that they had not yet conducted a risk classification of their own AI systems — a foundational first step.

The numbers suggest a gap that is not just technical but cognitive. Many companies were built in an environment where European AI regulation was theoretical. Today, it is operational.

Why most startups say they are not ready

The readiness problem has three roots.

Regulatory ambiguity

Despite years of legislative debate, critical details remain unclear. The EU’s AI Office is still developing guidelines, codes of practice, and technical standards that will define what compliance actually looks like in practice. Startups building AI-powered products are, in many cases, trying to hit a target that is still being drawn.

Resource constraints

Large enterprises have already stood up dedicated AI compliance teams. Early-stage startups lack that luxury. Legal counsel specialising in AI regulation is expensive and scarce. For a team of twelve burning through runway, hiring a compliance officer presents a contradiction — revenue is needed to survive, but compliance is needed to operate.

A misaligned timeline

Startup development cycles and regulatory timelines operate on fundamentally different clocks. Products pivot quarterly. Regulations take years to draft and then arrive all at once — 144 pages of legislation referencing dozens of yet-to-be-published standards.

The broader competitive anxiety

This enforcement moment arrives amid growing unease about Europe’s position in the global AI race. While EU regulators have been finalising compliance frameworks, Chinese AI companies have been shipping products at a staggering pace — the recent launch of DeepSeek’s R1 model rattled markets and prompted fresh debate about whether Europe is regulating itself into irrelevance.

That anxiety is real, but it can also be overstated. Regulation and innovation are not necessarily zero-sum. GDPR was predicted to cripple European tech; instead, it created a global standard and a cottage industry of privacy-tech companies. The AI Act could follow a similar trajectory — painful in the short term, strategically advantageous over time.

Still, the timing matters. With stock markets jittery amid trade tensions and geopolitical uncertainty, European AI startups face a fundraising environment where investors are already cautious. Adding regulatory uncertainty does not help.

What startups can actually do right now

Founders who act decisively in the next six months — before the general-purpose AI rules land in August — could turn compliance into a competitive advantage.

First, determine where a product sits in the AI Act’s risk framework. The AI Act Explorer maintained by the Future of Life Institute is a practical starting point. If a product is nowhere near the prohibited categories, today’s enforcement date is mostly symbolic — but August 2025 and August 2026 are not.

Second, start building audit trails now — training data provenance, model decision logs, risk assessments. The AI Act places heavy emphasis on transparency, documentation, and human oversight. Investors increasingly want to see governance maturity as well.

Third, track the EU AI Office’s codes of practice currently being developed with industry input. Early visibility into what compliance looks like before the rules are finalised is a tangible advantage.

Finally, frame compliance work not as overhead but as de-risking. Smart VCs are already factoring regulatory readiness into due diligence. In a tightening market, that narrative matters.

The road ahead

Today’s enforcement is the beginning, not the climax. The most consequential provisions — governing high-risk systems, foundation models, and general-purpose AI — are still months away. The startups that treat this moment as a wake-up call rather than a crisis will be best positioned when the full regulatory weight lands.

Europe chose to regulate AI early and comprehensively. Whether that proves visionary or self-defeating depends less on the law itself and more on whether the ecosystem — founders, investors, and regulators — can build the infrastructure of trust that makes the whole framework functional.