The Stateless Founder

Your 30-Day EU AI Act Compliance Plan (Before August 2026)


Episode Overview

With 100 days until the EU AI Act's general application date (August 2, 2026), nomad agencies and micro-SaaS deployers need a practical compliance plan that doesn't stall growth. Santi and Kira break down the MVCP — Minimum Viable Compliance Plan — a tactical 30-day checklist for AI deployers.

Key Topics Covered

The Stakes
  • August 2, 2026: General application date for most EU AI Act rules
  • 7% of global revenue: Maximum fines for violations (not profit — revenue)
  • For a $300K agency: That's $21,000 in potential fines

Deployer vs Provider: Know Your Role
  • Deployers: Use AI models (calling APIs, fine-tuning through consoles)
  • Providers: Build and distribute AI models
  • Most nomad agencies: Deployers with bounded, manageable obligations
  • Watch the line: Heavy modification/rebranding can shift you to provider status

The 30-Day MVCP Checklist

Days 1-4: AI Use Disclosure
  • Plain-language page on your site (/ai-disclosure)
  • Cover: AI tools used, model providers, data categories, human fallbacks
  • Link in footer, onboarding flow, and SOWs
  • Example: LetsLand's public AI disclosure page

Days 5-8: Model and Data Inventory
  • Spreadsheet/Notion database of every AI use case
  • Track: Model name, provider, version, API endpoint, data types, storage
  • Link vendor DPAs (Data Processing Agreements) to each entry
  • Pro tip: Automate compliance tracking with rollups and flags

Days 8-13: Evidence Log and Logging
  • Set up request/response logs with timestamps, model versions, request IDs
  • Weekly evidence journal: key runs, anomalies, provider incidents, overrides
  • Store centrally with access controls, 6-month minimum retention
  • Build paper trail showing "we were paying attention"

Days 14-18: Incident and Risk Playbook
  • Document top failure scenarios: hallucinations, bias, PII leaks, outages
  • For each: first-hour checklist, notification procedures, fallbacks
  • Attach playbook to every SOW as an annex
  • Mindset shift: Not a jinx — it's a runbook

Days 16-20: DPIA and FRIA Triggers
  • DPIA: Data Protection Impact Assessment (GDPR linkage via Article 26)
  • FRIA: Fundamental Rights Impact Assessment (Article 27, specific contexts)
  • Flag triggers in your inventory for future client engagements

Days 20-30: Team Training and Review Cadence
  • 30-minute walkthrough with anyone touching AI
  • Run dry-run incident simulation
  • Set quarterly calendar reminders for reviews

Pricing Compliance Into Revenue

Retainer Line Item
  • "AI compliance operations": $75/month per client
  • Covers quarterly reviews, log retention, disclosure updates
  • 20 clients = $1,800 MRR for ~3 hours work per quarter

MVCP as a Service
  • Fixed-scope sprint: 2 weeks, $2,500
  • Deliver: disclosure page, inventory, templates, playbook, implementation schedule
  • Clear disclaimer: Operational guidance, not legal advice

What to Ignore (For Now)
  • GPAI provider obligations: Already in effect (August 2025) but only for model providers
  • High-risk system staging: Continues into 2027-2030 for specific use cases
  • Complex QMS requirements: Provider-focused, not deployer obligations

Resources Mentioned
  • EU AI Act Service Desk: Free Commission resource for classification questions
  • 30-Day MVCP Starter Kit: Templates and checklists (link in show notes)
  • LetsLand AI Disclosure: Example of plain-language transparency page

Action Items

This Week
  1. Check your site: Do you have an AI disclosure page?
  2. If no: Day one priority — 500 words covering AI use, providers, human contact
  3. Link it: Footer, onboarding flow, and reference in SOWs

This Month
  • Implement the full 30-day MVCP checklist
  • Price compliance overhead into your retainers
  • Consider offering MVCP services to other nomad businesses

Important Disclaimers

Not legal advice: This is operational guidance based on our reading of EU Commission resources. For high-risk classification questions or provider territory concerns, consult qualified counsel.

Quarterly reviews matter: This isn't one-and-done. The regulation continues evolving through 2027-2030, requiring ongoing attention.

Connect
  • Next episode: Wednesday
  • Resources: All templates and checklists available on the Resources page
  • Questions: EU AI Act Service Desk for official guidance

The Stateless Founder
By Santi, Kira