What Do VCs Ask About EU AI Act Before Closing?

What Do VCs Ask About EU AI Act Before Closing? 10 Questions You Must Be Ready to Answer

AI Law · Investor Due Diligence

After August 2025, EU AI Act compliance became a standard line item in Series A and B due diligence questionnaires. Here are the 10 real questions investors ask — and exactly how to answer them.
Section 1

Why Investors Started Asking About EU AI Act After August 2025

Since August 2025, EU AI Act obligations for high-risk AI systems have been formally in force. That changed the calculus for institutional investors with EU limited partners, EU portfolio exposure, or global portfolio companies deploying AI to EU users. AI regulatory risk is no longer a footnote — it is now a named risk in fund LPA disclosures and a standing question in investment committee memos. AI Regulatory Opinions from WCR Legal are increasingly requested by founders as pre-fundraise deliverables to satisfy investor DD requirements before the term sheet stage.
Digital Omnibus Update — May 2026
The Digital Omnibus reached political agreement on 7 May 2026 — Annex III high-risk obligations are proposed to be delayed to December 2027. But the agreement is not yet enacted law. The existing text of the EU AI Act remains fully in force. Sophisticated investors know this distinction. You will still be asked all 10 questions below. Being unprepared because you assumed Digital Omnibus creates a safe harbour is the wrong posture in a fundraise.
EU AI Act due diligence has become a predictable part of Series A and B processes for companies with any of the following: EU operations, EU customers, EU-domiciled employees processing AI outputs, or AI systems in Annex III categories (HR, education, credit, biometrics, critical infrastructure). Investors are not expecting full compliance — they are assessing whether you understand your exposure and have a credible roadmap. The 10 questions below reflect what real DD questionnaires now ask.
Section 2

10 Questions Investors Ask and the Right Answers

Each entry below gives the exact investor question, followed by the legally accurate answer you should be prepared to give, including what documents support the answer and what gaps look like to a sophisticated legal DD reviewer.
1
Classification · Annex III
Is your AI system high-risk under Annex III of the EU AI Act?
Article 6 · Annex III
Common deal-stopper
This question requires a written classification analysis, not a verbal answer. Investors expect you to have reviewed every Annex III category (8 areas: biometrics, critical infrastructure, education, employment, essential services, law enforcement, migration, justice) against your system’s intended use.
If your answer is “no, we’re not high-risk”: you need an Article 6(3) documentation package showing how you arrived at that conclusion — with reference to each applicable Annex III category you ruled out.
If your answer is “yes”: you need a compliance roadmap showing Annex IV technical documentation, conformity assessment, CE marking pathway, and post-market monitoring plan.
Investor red flag: “We checked and we’re fine” with no written analysis. See our EU AI Act High-Risk SaaS Classification guide for the exact analysis methodology.
2
Non-High-Risk Claim · Documentation
If you believe your AI is not high-risk — have you documented why?
Article 6(3) · Article 50
Frequent gap
Article 6(3) of the EU AI Act requires providers who believe their system does not fall into Annex III to document that determination. “We decided we’re not high-risk” is not enough — the analysis must be recorded, dated, and linked to specific Annex III categories.
The documentation must also cover Article 50 (transparency obligations for AI systems that interact with natural persons). Even non-high-risk systems may have GPAI components with separate obligations.
A gap analysis memo prepared by legal counsel is the standard deliverable. Investors treat the absence of this document as a governance gap, not just a legal gap.
What to prepare: A 3–5 page classification memorandum per AI system, signed off by counsel, reviewing all 8 Annex III categories and explaining the basis for any “not high-risk” conclusion.
3
Supply Chain · Provider vs Deployer
Who is the provider and who is the deployer in your AI supply chain?
Article 3 · Article 25
Supply chain liability
Provider (Article 3(3)): the entity that places a high-risk AI system on the market or puts it into service — bears primary compliance obligations including Annex IV technical documentation, CE marking, and post-market monitoring. If you built the model or the application that is the AI system, you are likely the provider.
Deployer (Article 3(4)): the entity that uses a high-risk AI system under its own authority. Deployers have lighter obligations, but they must conduct fundamental rights impact assessments in certain cases (Article 27) and must not modify the system in ways that change its risk classification.
If you build on a third-party foundation model (OpenAI, Anthropic, Google), you may be a provider of the downstream application while being a deployer of the base model. The supply chain map must show where obligations split.
What investors want to see: A one-page supply chain diagram showing each AI component, who built it, and whether your company is provider or deployer for each layer. Article 25 governs responsibility allocation in the chain.
4
AI Inventory · Governance
Do you have an AI system inventory?
Article 4 · Article 11
Quick win
An AI system inventory is not explicitly mandated by the EU AI Act in that name — but it is the logical output of the Article 4 AI literacy requirement and the precondition for Article 11 technical documentation. Investors ask for it because it demonstrates you have governance infrastructure, not just a product.
A minimal DD-ready inventory contains: system name, intended purpose, deployment context, Annex III classification result, provider/deployer designation, and current compliance status (pre-compliance, in-progress, compliant).
For Series A/B companies, a clean spreadsheet-format inventory with a classification memo attached per system is sufficient. Absence of any inventory is a red flag at this stage.
This is a quick win: A one-day exercise with counsel produces an inventory that answers Q1, Q2, Q3, and Q4 simultaneously. Most investors are satisfied by a 5–10 row table with classification rationale attached.
5
Roadmap · Milestones
What is your EU AI Act compliance roadmap?
Article 11 · Article 43
Investor priority
Investors are not expecting full compliance at Series A/B — they are assessing whether you have a credible, time-bound plan. A roadmap with no dates or a roadmap that assumes Digital Omnibus delays are enacted law will be flagged.
Key milestones to include: (1) AI system inventory complete, (2) classification memos signed off, (3) Annex IV technical documentation initiated (if high-risk), (4) internal AI usage policy published (Article 4 compliant), (5) conformity assessment timeline (if applicable), (6) post-market monitoring plan drafted.
Reference the August 2026 high-risk deadline explicitly in your roadmap. Investors will be tracking this against your fundraise timeline.
Format: A Gantt-style or milestone table showing 6–18 months of compliance activity, owner per milestone, and current status. Budget line for external counsel adds credibility.
6
Prohibited Practices · Audit
Prohibited AI practices — have they been audited? The deadline was February 2025.
Deadline: February 2025
Article 5
Article 5 (prohibited AI practices) became enforceable on 2 February 2025. This is the earliest enforcement date in the EU AI Act. Prohibited practices include: subliminal manipulation, exploitation of vulnerabilities, social scoring by public authorities, real-time remote biometric identification in public spaces (with narrow exceptions), and emotion recognition in workplace/education contexts.
Investors ask this because the February 2025 date is now in the past. If you have not conducted a prohibited practices audit, you are already in a period of potential non-compliance — not a future risk, a present one.
The audit output should confirm which Article 5 categories are inapplicable to your systems and why, with a legal basis for each exclusion. See our internal AI usage policy guide for how to embed prohibited practice controls into your governance.
If you have not done this yet: Do not say “we plan to.” Commission a legal memo retroactively — investors care about current state, and a completed audit memo dated before closing is always better than none.
7
Digital Omnibus · Contingency
What if Digital Omnibus doesn’t pass into law? What’s your plan B?
Legislative risk
May 2026 update
Political agreement on Digital Omnibus (including proposed delay of Annex III obligations to December 2027) was reached on 7 May 2026. But political agreement is not enacted law. It must pass through formal legislative stages (plenary vote, Council adoption, publication in the Official Journal) before it has legal effect. This process typically takes several months.
A sophisticated investor will ask: if Digital Omnibus stalls or is amended, are you exposed? The right answer is to show that your compliance posture does not depend on the delay — i.e., your August 2026 roadmap is on track regardless.
Plan B framing: “We are tracking Digital Omnibus as a potential delay, but our compliance milestones are scoped to the current law. If the delay is enacted, it reduces near-term cost; if it is not, we are already on track.”
Investor logic: A company whose entire compliance plan is “Digital Omnibus will save us” is making a legislative bet. Investors underwriting that company are also making that bet — most won’t.
8
ISO 42001 · QMS
Do you have ISO 42001 or a QMS in place?
ISO 42001:2023
Governance signal
ISO 42001 (AI Management System) is increasingly requested by enterprise clients and referenced in VC due diligence as a signal of AI governance maturity. It is not required by the EU AI Act, but it creates significant overlap with Annex IV documentation, Article 9 risk management, and Article 17 quality management system requirements.
“In place” means one of: (a) certified by an accredited body, (b) implementation in progress with a target certification date, or (c) QMS equivalent adopted internally with controls mapped to ISO 42001 clauses. Investors accept (b) and (c) at Series A/B; pure certification is not expected at early stage.
If you have no AIMS or QMS: be specific about what governance structures you do have (internal AI usage policy, risk register, model cards) and frame ISO 42001 as a post-close initiative with a timeline. See our ISO 42001 vs NIST AI RMF comparison for which framework to prioritise given your market.
Quick credibility signal: An internal AI usage policy (Article 4-aligned) plus a written risk register for your AI systems demonstrates governance infrastructure even without certification. Absence of both is the real red flag.
9
Contract Exposure · Enterprise Clients
What are your EU AI Act-related contractual obligations to enterprise clients?
Article 25 · Article 28
Growing exposure area
Enterprise clients in regulated industries (finance, healthcare, HR platforms) are increasingly inserting EU AI Act clauses into SaaS MSAs and DPAs. These clauses typically require: (a) provider classification representations, (b) audit rights over AI system documentation, (c) compliance roadmap disclosure, and (d) indemnity for regulatory fines arising from AI Act violations.
Investors want to understand: how many enterprise agreements contain AI Act provisions? Have you agreed to indemnity clauses that could crystallise into material liability? Do you have a standard AI compliance rider that controls the terms you accept?
Under Article 25, deployers (your enterprise clients) can contractually shift provider obligations to you if you have “authorised” such a shift. Accepting unreviewed AI Act clauses from large enterprise buyers is a common and material risk at Series A/B stage.
What to prepare: A one-page summary of AI Act clauses in your top 5–10 enterprise agreements. If you have a standard AI compliance rider, share it. If you don’t, prepare one before the raise.
10
Post-Market Monitoring · Article 72
What is your post-market monitoring plan?
Article 72 · Article 73
High-risk only
Article 72 requires providers of high-risk AI systems to establish a post-market monitoring system — an ongoing process for collecting, documenting, and analysing data on the performance of the AI system after deployment. This is not a one-time audit; it is a continuous obligation.
A minimal post-market monitoring plan covers: performance metrics tracked post-deployment, feedback loops from deployers and end-users, serious incident reporting procedure (Article 73), and update/version control process when system performance degrades or risk profile changes.
For non-high-risk systems: post-market monitoring is not mandated, but investors may still ask about your model performance monitoring and incident response procedures as a proxy for operational maturity.
If you are pre-deployment: Show the designed monitoring architecture and reporting cadence. If you are post-deployment: show the metrics you are currently tracking. Either is acceptable; no plan at all is not.
Section 3

Documents You Need Ready Before Term Sheet

Investors who use structured AI Act DD questionnaires will request these documents as part of the legal data room. Mark what you have ready — and use the gaps to prioritise what to prepare before your next investor conversation.
Series A/B AI Act DD Checklist
AI system inventory + classification rationale
Per-system table with Annex III analysis and provider/deployer designation — supports Q1, Q2, Q3, Q4
Q1–Q4
Article 6(3) classification memo (if claiming non-high-risk)
Legal counsel opinion reviewing each Annex III category with written exclusion basis — one memo per system
Q1–Q2
EU AI Act compliance roadmap with milestones
Dated milestones, ownership, and current status — must reference August 2026 deadline and be independent of Digital Omnibus
Q5 · Q7
Internal AI usage policy (Article 4-compliant)
Published policy covering prohibited practices audit, AI literacy obligations, and governance structure
Q6 · Q8
Supply chain provider/deployer map
One-page diagram showing each AI component, who built it, and compliance responsibility allocation under Article 25
Q3
Enterprise client AI clause summary
Summary of EU AI Act provisions in top 5–10 enterprise MSAs — flags indemnity exposure and Article 25 obligation shifts
Q9
ISO 42001 / QMS status memo
Written summary of current AIMS or QMS coverage — certification status, implementation progress, or equivalent governance controls
Q8
Preparing for a fundraise with EU AI exposure? WCR Legal prepares AI regulatory opinion packages that directly satisfy investor DD requirements — including classification memos, compliance roadmaps, and supply chain analysis.
Get Your EU AI Act DD Package Prepared Before Term Sheet
WCR Legal delivers investor-ready AI regulatory opinions, classification memos, and compliance roadmaps that answer every question in this article. Founders use our AI Regulatory Opinion service as a pre-fundraise deliverable — typically prepared in 2–3 weeks. Our AI due diligence service also supports investors conducting DD on AI-first companies.
Frequently Asked Questions
EU AI Act investor DD
1
At what stage do investors start asking EU AI Act questions — seed, Series A, or later?
In practice, structured EU AI Act due diligence questions are most common at Series A and Series B for companies with material EU exposure — EU operations, EU customers, or AI systems in regulated categories. Seed-stage investors occasionally ask directional questions (“are you high-risk under Annex III?”) but rarely request documentation. At Series B and above, some institutional investors with EU LPs are beginning to require classification memos and compliance roadmaps as conditions to closing. The trend is toward earlier and more structured DD with each new fund cycle.
2
Does Digital Omnibus delay mean I can tell investors I have until December 2027?
No. Digital Omnibus reached political agreement on 7 May 2026 but is not yet enacted law. Even if enacted, the proposed delay applies specifically to Annex III high-risk obligations — it does not affect Article 5 (prohibited practices, February 2025 deadline), Article 4 (AI literacy, February 2025), or general provider/deployer obligations already in force. Telling investors you have until December 2027 without these caveats is inaccurate and will be challenged by any investor with legal counsel who has read the Digital Omnibus text. The correct framing is that you are tracking the delay as a potential benefit but are on track regardless.
3
What is an AI Regulatory Opinion and why do investors ask for it?
An AI Regulatory Opinion is a formal legal memorandum prepared by AI law counsel that assesses a company’s AI systems against applicable regulatory frameworks — typically EU AI Act classification, GPAI model obligations, and cross-jurisdictional risks. Investors request it because it provides a signed legal analysis that can be placed in the data room, replaces open-ended founder representations with counsel-backed conclusions, and demonstrates that the company has engaged specialist legal advice rather than self-assessed. It is the AI equivalent of a tax opinion in a cross-border M&A transaction.
4
We are a US company with EU customers — do EU AI Act obligations apply to us?
Yes. The EU AI Act has extraterritorial reach under Article 2. It applies to providers that place AI systems on the EU market regardless of where the provider is established — meaning a US-headquartered company deploying AI to EU-based users or organisations is subject to EU AI Act obligations as a provider. This is the same jurisdictional model as GDPR. Investors with EU exposure understand this; a US-domiciled founder claiming EU AI Act does not apply because they are not EU-based is a flag rather than a defence. The relevant analysis is whether your AI system is placed on the EU market or deployed for use within the EU.
5
How long does it take to prepare a full investor DD package for EU AI Act?
For a Series A company with 1–3 AI systems and no prior classification analysis, a complete DD package (inventory, classification memos, prohibited practices audit, compliance roadmap, and supply chain map) typically takes 2–4 weeks with dedicated external counsel. An AI Regulatory Opinion covering the same scope can be produced in 2–3 weeks. The bottleneck is usually internal information gathering — collecting accurate descriptions of training data, model architecture, deployment context, and enterprise contract AI clauses. Starting this process at least 6 weeks before a planned raise is advisable. See our AI due diligence service for the full scope of what can be prepared pre-raise.

Oleg Prosin is the Managing Partner at WCR Legal, focusing on international business structuring, regulatory frameworks for FinTech companies, digital assets, and licensing regimes across various jurisdictions. He works with founders and investment firms on compliance, operating models, and cross-border expansion strategies.
