Selling AI into European enterprises as a US startup
- EU reviews are structurally deeper because the buyer inherits deployer duties under the AI Act and the GDPR.
- Prohibited practices and AI literacy have applied since Feb 2025; GPAI since Aug 2025; main high-risk deferred to Dec 2027 under the May 2026 Digital Omnibus.
- Expect classification, technical documentation, foundation-model provenance, monitoring and role-split questions.
- Say "ready", never "certified" — classified, documented, mapped, kept current beats any badge.
- The Act is a filter most competitors fail; readiness is the door, not the tax.
Why the EU review is different
When a European enterprise deploys your AI, it takes on legal duties of its own under the EU AI Act as a deployer, and under the GDPR where your system touches personal data or automated decisions. Its reviewers therefore need to know your system's risk classification, the documentation behind it, and how obligations divide between you and them, before contract. Add data-residency expectations, data protection officers in the approval chain, and in some countries works councils with a say on workplace AI, and the EU review is structurally deeper than its US counterpart. None of this is hostility; it is their own exposure being managed through you.
The dates that matter, as they stand
The Act entered into force in August 2024 and applies in phases. Prohibited practices and AI literacy duties have applied since February 2025, and general-purpose AI obligations since August 2025. Under the May 2026 Digital Omnibus agreement, expected to be formally adopted later this year, the main high-risk obligations were deferred to December 2027, with product-embedded systems following in 2028, and certain new transparency duties arriving in December 2026. Two practical consequences: European buyers are procuring now for systems that must be compliant mid-contract, so readiness questions arrive today; and the timeline is provisional in parts, which is precisely why buyers favour vendors who evidently track it.
What they will actually ask
Expect, at minimum: the risk classification of your system in their intended use, with reasoning; whether technical documentation exists and can be shared under NDA; if you build on foundation models, the provenance and the provider's transparency documentation; how you monitor the system and handle incidents; and how responsibilities split contractually between your role and theirs. A US vendor hearing these for the first time in a live deal loses weeks; one arriving with a classification memo and a documentation index turns the same questions into a fast yes.
Say "ready", never "certified"
Do not claim to be "EU AI Act compliant" as a badge; for most systems there is no such certificate to hold, and sophisticated buyers know it. The credible formulation is specific: classified against the Act, documentation prepared, obligations mapped between deployer and provider, kept current as the Act's dates and delegated acts evolve. That sentence, evidenced, beats any badge.
The asymmetry is the opportunity
The EU AI Act is commonly framed as a barrier for US startups. In procurement it functions as the opposite: a filter most of your competitors fail. European enterprises must buy AI and must evidence governed procurement of it; the vendor who removes that burden gets shortlisted for reasons that have nothing to do with feature comparisons. Readiness is not the tax on the deal. It is the door.
Key terms
- Deployer
- The enterprise putting an AI system into use under its authority; carries its own duties under the EU AI Act separately from the provider.
- Risk classification
- The Act's tiering (prohibited, high-risk, limited-risk, minimal) applied to a specific system in a specific intended use.
- Digital Omnibus
- The May 2026 political agreement deferring the main high-risk obligations to December 2027 and product-embedded systems to 2028, subject to formal adoption.
- GPAI
- General-purpose AI models; provider transparency and documentation duties have applied since August 2025 and cascade down to deployers.
- Technical documentation
- The Annex IV file for high-risk AI systems: intended purpose, design, data, evaluation, monitoring and change control.