Who this guide is for
The EU AI Act (Regulation 2024/1689) is now fully in force for prohibited practices (August 2024), GPAI model obligations (August 2025), and high-risk AI systems (August 2026 for most Annex III categories, August 2027 for Annex I product-embedded AI). If you build or deploy AI systems that affect EU users, this guide gives you a structured obligations map, organised by risk tier and by role.
Two key roles under the Act:
- Provider: develops an AI system and places it on the EU market or puts it into service in the EU — including as an integrated component of a product or service
- Deployer: uses an AI system in the course of a professional activity (not the developer; the user organisation)
A SaaS company that builds and sells an AI-powered product is a provider. A company that uses OpenAI, Anthropic, or another model via API and deploys the resulting system to its customers is typically a deployer of the foundation model — but a provider of its own AI-powered application. The distinction matters because provider obligations are more extensive.
The four risk tiers
| Risk Tier | What it covers | Key obligations | Fine exposure |
|---|---|---|---|
| Unacceptable | Prohibited AI practices — social scoring by public authorities, subliminal manipulation, real-time biometric identification in public spaces (most uses), emotion inference at work/schools, scraping facial images for recognition databases, predictive policing from profiling | Prohibited — do not build or deploy | Up to €35M or 7% global turnover |
| High-Risk (Annex III) | 8 use case areas: biometrics, critical infrastructure safety, education & vocational training, employment & HR, access to services (credit, benefits), law enforcement, migration & border, justice & democratic processes | Risk management system, data governance, technical documentation, logging, transparency, human oversight, accuracy/robustness, conformity assessment, CE marking, registration, post-market monitoring | Up to €15M or 3% global turnover |
| Limited Risk | Chatbots, AI-generated content (deepfakes), emotion recognition (not high-risk context), AI content recommendation systems | Art. 50 transparency obligations: disclose AI interaction to users, label AI-generated content | Up to €7.5M or 1.5% global turnover |
| Minimal Risk | Spam filters, AI in video games, content recommendation (most), B2B analytics tools that don't affect natural persons | AI literacy (Art. 4) only — train staff who work with AI; voluntary compliance with codes of practice | Minimal — but Art. 4 is mandatory |
Providers vs deployers: obligations comparison
| Obligation | Article | Provider | Deployer |
|---|---|---|---|
| Risk management system (lifecycle) | Art. 9 | ✅ Required | — |
| Data governance for training data | Art. 10 | ✅ Required | — |
| Technical documentation (Annex IV) | Art. 11 | ✅ Required | — |
| Automatic logging capability | Art. 12 | ✅ Required (build in) | ✅ Retain ≥6 months |
| Transparency / instructions for use | Art. 13 | ✅ Required | — |
| Human oversight measures | Art. 14 | ✅ Build in | ✅ Implement measures |
| Accuracy, robustness, cybersecurity | Art. 15 | ✅ Required | — |
| Quality management system | Art. 17 | ✅ Required | — |
| Conformity assessment (Annex VI/VII) | Art. 43 | ✅ Required | — |
| EU Declaration of Conformity + CE marking | Art. 47-48 | ✅ Required | — |
| Registration in EU AI database | Art. 49 | ✅ Required | ⚠️ Annex III §1, 6, 7 only |
| DPIA where GDPR Art. 35 triggered | Art. 26(6) | — | ✅ Required |
| Inform employees of AI use (employment context) | Art. 26(7) | — | ✅ Required |
| Disclose AI interaction (chatbots) | Art. 50(1) | ✅ Required | ✅ Required |
| Label AI-generated content (deepfakes) | Art. 50(2) | ✅ Required | — |
| Post-market monitoring system | Art. 72 | ✅ Required | — |
| Serious incident reporting | Art. 73 | ✅ Required | ✅ Required |
| AI literacy training for staff | Art. 4 | ✅ Required (all) | ✅ Required (all) |
Art. 50 transparency: what limited-risk companies must do right now
If your product includes a chatbot, voice assistant, or any AI designed to interact with natural persons, Art. 50(1) requires you to ensure users are informed they are interacting with an AI — unless it is obvious from context (e.g. a clearly labelled robot with no attempt to mimic human appearance or voice).
Practically, this means:
- A clear disclosure on the chat interface: "You are chatting with an AI assistant"
- Not using a human name and avatar that implies a real person
- Disclosure on first interaction — not buried in the privacy policy
If your product generates or manipulates images, audio, or video content, Art. 50(2) requires that content to be labelled in a machine-readable format as AI-generated. This applies to deepfake generators, image synthesis tools, voice cloning, and AI video creation tools.
High-risk AI: Annex III use cases SaaS founders most often misjudge
The most commonly misclassified use cases:
Employment and HR tools (Annex III §4): Any AI used in recruitment, CV screening, interview performance assessment, employee performance monitoring, promotion decisions, or task allocation is high-risk. If you sell to HR departments and your AI evaluates candidates or employees, you are a provider of a high-risk AI system. This applies regardless of whether a human makes the final decision.
Access to services — credit scoring (Annex III §5(b)): AI used to evaluate creditworthiness, determine credit scores, or affect access to financial services is high-risk. FinTech companies integrating AI into underwriting workflows need to treat this carefully.
Educational assessment (Annex III §3): AI that determines access to educational institutions, evaluates learning outcomes, or assesses students is high-risk. EdTech companies with AI assessment features should review this category carefully.
GPAI model obligations: what's live since August 2025
General Purpose AI (GPAI) models — foundation models and LLMs — have been subject to Art. 53 obligations since August 2025. If you are a GPAI model provider (not just a deployer of someone else's model), the following obligations apply to you:
- Technical documentation (Annex XI): General description of the model, training methodology, training data categories, evaluation results, known limitations
- Information for downstream providers (Annex XII): Sufficient information for companies building on your model to comply with their own AI Act obligations
- Copyright policy: Document your approach to EU copyright compliance, including your opt-out mechanism for text and data mining under Art. 4 Directive 2019/790
- Training content summary: Publish a sufficiently detailed summary of training data used
For GPAI models designated as having systemic risk (trained with more than 10^25 FLOPs, or designated by the Commission), additional obligations under Art. 55 apply: adversarial testing through red-teaming, incident reporting to the Commission, and cybersecurity measures.
Most companies using existing GPAI models via API (OpenAI, Anthropic, Google, Mistral) are deployers of GPAI models, not providers. The Art. 53 obligations fall on OpenAI, Anthropic, and Google — not on the SaaS application built on top of them.
AI literacy (Art. 4): the obligation everyone forgets
Art. 4 is mandatory for all providers and deployers, regardless of risk tier. It requires that providers and deployers ensure their staff and persons working on their behalf have sufficient AI literacy — appropriate to their role, technical knowledge, and the context of the AI systems they work with.
For most SaaS companies, this means:
- Staff involved in building AI features need to understand AI Act risk classification, prohibited practices, and their specific obligations
- Staff deploying AI tools internally (e.g. using AI for HR screening) need to understand the deployer obligations and the specific AI system they're using
- Training records should be kept as evidence
EU AI Act and GDPR: the intersection
| Scenario | EU AI Act Obligation | GDPR Obligation |
|---|---|---|
| High-risk AI processes personal data | Art. 9-15 (full high-risk requirements) | Art. 35 DPIA may be triggered (required by deployer) |
| Automated decision-making with legal effects | Art. 26(6) deployer DPIA obligation; Art. 14 human oversight | Art. 22 — right to human review, to contest, lawful basis |
| GPAI training on personal data | Art. 10 data governance; Art. 53 training data summary | Art. 6 lawful basis; Art. 9 special category; Art. 5 data minimisation |
| Chatbot interacting with customers | Art. 50(1) disclose AI nature | Art. 13 transparency — disclose processing in privacy notice |
| Bias in AI training data | Art. 10(2)(f) examine datasets for discriminatory biases | Art. 5(1)(a) fairness; Art. 35 DPIA for high-risk processing |
Minimum viable compliance checklist for SaaS founders
| Step | Action | Applies to | Effort |
|---|---|---|---|
| 1 | Classify your AI system(s) into the correct risk tier | All | 1-2 days |
| 2 | Check for prohibited practices — confirm you're not building any | All | Half day |
| 3 | Add chatbot/AI interaction disclosure to all user interfaces (Art. 50) | Limited Risk + | 1 day dev |
| 4 | Train staff on AI literacy — document it (Art. 4) | All | 1 day |
| 5 | Draft and maintain technical documentation (Annex IV) for high-risk systems | High-Risk | 1-2 weeks |
| 6 | Implement risk management system (lifecycle documentation) | High-Risk | 2-4 weeks |
| 7 | Conduct conformity assessment and draw up EU Declaration of Conformity | High-Risk | 1-3 months |
| 8 | Register in EU AI database before placing on market | High-Risk Provider | 1 day |
| 9 | Establish post-market monitoring system and incident reporting procedure | High-Risk | 1-2 weeks |
| 10 | Conduct DPIA (as deployer) if high-risk AI processes personal data | High-Risk Deployer | 1-2 weeks |
Use the EU AI Act Compliance Checklist Generator to run a scored self-assessment mapped to your role and risk tier. The AI Risk Register Generator helps document risks for high-risk AI systems. If automated decision-making is involved, the AI Privacy Impact Assessment Generator covers the GDPR Art. 35 DPIA requirement.