Picture a typical pitch deck from a Ukrainian AI startup. Seed or Series A. An investor from Berlin or Amsterdam flips through the slides, asks about retention, CAC, unit economics. Then comes a new question:
"What risk level does your AI system fall under the EU AI Act? What documentation do you have on your training data?"
A year ago, that question didn’t exist. From August 2026 onwards, it will be a standard item in any serious due diligence for AI companies that want to operate in the EU market or raise capital from European funds.
Ivanna Honina, Head of Legal, Preply
The EU AI Act is the world’s first binding law on artificial intelligence with real enforcement. It entered into force in August 2024, but rolled out in phases. On 7 May 2026, the EU adopted the AI Omnibus — a package of clarifications and amendments that, among other things, adjusted certain deadlines.
Here is the current timeline:
February 2025 — ban on the most dangerous practices. Social scoring of citizens, manipulative AI systems, certain forms of real-time biometric surveillance — all already prohibited.
August 2025 — rules for general-purpose AI models. If you use or develop large language models (ChatGPT-style systems), transparency and documentation requirements already apply to you.
August 2026 — transparency obligations for AI systems interacting with users: companies must disclose to people that they are talking to an AI, not a human.
December 2027 — full requirements for "high-risk" systems (Annex III). This is where the majority of startups in recruitment, education, healthcare, finance, and legal tech sit.
An important nuance: the AI Omnibus pushed the high-risk deadline from August 2026 to December 2027, 16 months later.
The postponement was driven by several factors simultaneously. First, the conformity assessment infrastructure — the network of accredited Notified Bodies responsible for conducting certification — was not ready: EU member states had not designated enough bodies to handle the expected volume of assessments. Second, the harmonised technical standards that companies need to demonstrate compliance are still being developed by CEN and CENELEC and remain incomplete. Third, the AI Office itself — the EU body responsible for supervision and enforcement — is still building its operational capacity. In short: the legal framework existed on paper, but the practical infrastructure to implement it did not.
Fines under the AI Act follow a tiered structure. The highest level, up to €35 million or 7% of global annual turnover, applies to the most serious violations: deploying prohibited systems (Article 5) or placing a high-risk system on the EU market without CE marking or a conformity assessment. The mid-tier, up to €15 million or 3% of turnover, covers most other non-compliance: failures by deployers, breaches of transparency obligations, and non-compliance by providers of general-purpose AI models. The lowest tier, up to €7.5 million or 1.5% of turnover, applies to providing incorrect or misleading information to supervisory authorities. For startups, even the lowest tier can be existential. Proportionality applies, but regulators have discretion.
The EU’s approach is risk-based: the greater the potential impact of your AI system on people, the stricter the requirements. A chatbot that helps pick furniture and a system that screens job candidates operate in completely different regulatory realities — even if both use the same underlying model.
Why This Applies to You, Even If You’re Based in Ukraine
A common misconception: "We're not in the EU, so this doesn't apply to us."
It does. The EU AI Act has extraterritorial reach — exactly like GDPR. If your AI product is used by people in the EU, if your SaaS customer is registered in Berlin or Warsaw, if your system makes decisions affecting EU citizens — you are already within scope. Your company’s physical address is irrelevant.
My experience working with IT companies points to four key scenarios where the AI Act becomes a real risk for Ukrainian businesses:
Scenario 1
You sell B2B AI solutions to EU clients. Your client — say, an HR platform in the Netherlands — is now required to verify the compliance of its AI suppliers. They will come to you with a list of questions, or simply walk away from the contract.
Scenario 2
Your SaaS is used by European companies as end users. If your system falls into the high-risk category, the requirements apply to you as a provider.
Scenario 3
You’re raising investment from European funds. Due diligence looks different now. It’s no longer just about financial metrics.
Scenario 4
You’re applying for EU grants (Horizon Europe, EIC Accelerator, etc.). AI Act compliance is effectively becoming a prerequisite for participation.
Relevant context: Ukraine, through its WINWIN 2030 strategy, has deliberately chosen to align with EU requirements, and since October 2025 has been participating in the European AI Board as an observer.
The New Due Diligence: What Investors Are Now Asking
Almost ten years ago, investors started systematically asking about personal data processing after GDPR was adopted. From my own experience and the observations of colleagues in legal practice: by the early 2020s, the absence of basic privacy documentation had stopped being a technical detail and had become a real deal-stopper at round closings and client contract signings. Today, the same process is starting for AI governance.
Here’s what technically literate investors already check — or will soon be checking:
Risk classification of the system
The first and most critical question: which category does your product fall into? Minimal risk (gaming AI, spam filters), limited (chatbots), high-risk (HR, education, healthcare, credit scoring), or unacceptable (prohibited practices). If a founder can’t answer this question, it’s a red flag.
Training data sources
Where did the data come from? Is there consent for its use? Does it include personal data of EU citizens? Did anyone document the process? The problem is that most startups only start thinking about this when asked — not in advance.
Technical documentation
The AI Act requires detailed documentation for high-risk systems: model architecture, training and testing data, accuracy metrics, known limitations. This isn’t an academic exercise — it’s what an auditor or conformity assessment body reviews before issuing CE marking.
Human oversight
Does your system include a mechanism that allows a human to intervene, override, or correct an AI decision? For high-risk systems, this is a mandatory requirement. For investors, it’s an indicator of product maturity.
Governance processes and internal policies
Who is responsible for AI compliance in the company? Is there an AI use policy? An incident response procedure? These questions are already being asked in due diligence by funds that understand regulatory risk is operational risk.
Compliance roadmap
Even if you’re not yet fully compliant — having a clear plan and understanding your gaps significantly strengthens your position in negotiations.
What It Costs — and What Waiting Costs
One immediate caveat: all figures here are indicative. Costs depend on system complexity, existing documentation, jurisdiction, and specific service providers. Treat them as rough order-of-magnitude estimates for initial planning, not as a budget.
Internal assessment — for most startups this means a lawyer or compliance consultant working alongside the technical team. Rough range: €10,000–50,000, depending on system complexity and the state of existing documentation. Timeline: 2–4 months.
Third-party assessment — and here’s a nuance that is frequently misunderstood. For most high-risk AI systems (Annex III — HR, education, healthcare, credit scoring), the AI Act actually allows self-assessment without involving a third party. Independent external assessment is only mandatory in narrower cases: biometric identification systems, or AI embedded in physical products already subject to other EU technical regulations (medical devices, lifts, etc.). In those cases, a so-called Notified Body is required — an independent accredited organisation authorised by an EU member state to conduct certification. Think organisations like TÜV or Bureau Veritas. Indicative cost: €50,000–200,000, timeline 6–12 months.
A baseline AI governance package (policies, documentation, risk analysis, procedures) for a typical B2B AI startup — indicatively €15,000–40,000 if organised properly.
Here are a few scenarios I have seen in practice.
An investor at term sheet stage asks for AI compliance documentation. It doesn’t exist. The round doesn’t collapse, but it gets delayed by 3–4 months while the team scrambles to put everything together from scratch, under pressure, with a consultant at double the rate. During that time, a competitor who had the documentation ready closes their round.
An enterprise client from the EU sends a vendor questionnaire with questions about AI risk classification, training data, and human oversight mechanisms. Without answers, the contract doesn’t get signed. Preparing those answers takes weeks if the system isn’t documented in advance — and sometimes surfaces issues that block the deal entirely.
After December 2027, a company running a high-risk system without proper documentation becomes the subject of a regulatory review. The cost of emergency remediation, legal support, and potential fines far exceeds what proactive preparation would have cost.
The common thread across all three scenarios: compliance done under pressure costs more and delivers worse results than compliance done in advance.
What to Do Right Now: 5 Steps for Founders
Take inventory of your AI systems. Build a simple table: which AI components exist in your product, what exactly they do, what data they were trained on, what decisions they make. Very often, it turns out a startup is running several AI systems — some of which the team has long forgotten about.
Determine your risk level. Use the official EU AI Act Compliance Checker or consult a lawyer. The key question: does your system affect employment, education, access to credit, healthcare, justice, or fundamental rights? If yes — you are likely in the high-risk category.
Document your data sources and models. Where did the training data come from? Is there a license or consent? Which foundation model are you using (proprietary, open source, API from OpenAI/Anthropic)? If you’re using third-party foundation models — review their terms of use regarding AI Act compliance. This can affect your own liability position.
Implement baseline AI governance processes. Minimum: an AI use policy for the team, a procedure for vetting new AI tools, a designated person responsible for AI compliance (this can be the CTO or a lawyer), a basic incident response plan. It sounds like bureaucracy — in practice it takes a week and significantly improves your position in any due diligence.
Prepare an AI compliance pack for investors. A short investor memo (2–3 pages): classification of your systems, documentation status, key risks and remediation plan, AI Act compliance roadmap. Investors who understand the topic will appreciate the transparency. Those who aren’t asking yet — will be soon.