The EU AI Act Timeline: What's Already In Force
The EU AI Act (Regulation (EU) 2024/1689) entered into force on 1 August 2024. But it applies in phases:
| Date | What Applies |
|---|---|
| 2 February 2025 | Article 5 prohibited AI practices in effect |
| 2 August 2025 | GPAI model obligations (Art. 51–56) + governance provisions in effect |
| 2 August 2026 | High-risk AI system obligations (Annex III) in effect |
| 2 August 2027 | High-risk AI systems embedded in regulated products (Annex I) in effect |
The most important thing to understand: the prohibited practices (Article 5) are already in force. If your AI system does anything on the prohibited list, it must stop now.
Step 1: Classify Your AI System
The EU AI Act uses a four-tier risk classification. Your obligations depend entirely on which tier you're in:
Unacceptable Risk (Art. 5 — Prohibited)
Already illegal since 2 February 2025. No SaaS company should be doing any of these:
- AI systems that use subliminal techniques or manipulative/deceptive methods to distort behaviour
- Systems that exploit vulnerabilities of specific groups (age, disability, socioeconomic situation)
- Social scoring systems by or on behalf of public authorities
- Real-time remote biometric identification in publicly accessible spaces (with very narrow law enforcement exceptions)
- AI systems to infer emotions in workplaces or educational institutions (with narrow exceptions)
- Biometric categorisation systems inferring sensitive attributes (race, political opinions, trade union membership, religious beliefs, sexual orientation)
- Predictive policing based solely on profiling or personality trait assessment
- Untargeted scraping of facial images from the internet or CCTV footage to create or expand facial recognition databases
High Risk (Annex III — Aug 2026)
Most SaaS founders don't build high-risk systems, but check carefully. High-risk under Annex III includes:
- Biometric identification or categorisation of natural persons
- AI in critical infrastructure management (energy, water, transport, financial systems)
- AI used in education for admission, assessment, or evaluation of students
- Employment AI: recruitment, CV screening, interview selection, performance monitoring, promotion decisions
- AI determining access to essential services (credit scoring, health insurance, social benefits)
- Law enforcement use (risk assessment, evidence evaluation, crime prediction)
- Migration, asylum, and border control
- Administration of justice
If you sell HR tech with AI screening, you're likely high-risk. If you sell a credit scoring model, you're likely high-risk. If you're a general B2B productivity or customer support SaaS, you're almost certainly not.
Limited Risk (Art. 50 — Already Applies)
This is where most SaaS AI features land. Limited-risk systems have transparency obligations under Article 50:
- Art. 50(1): Systems that interact with natural persons must inform them they are interacting with an AI — unless it's obvious from context.
- Art. 50(2): AI-generated content (deepfakes, synthetic audio/video/images) must be labelled as artificially generated.
- Art. 50(3): Emotion recognition systems must inform affected persons.
- Art. 50(4): Biometric categorisation systems must inform affected persons.
Minimal Risk
Spam filters, AI in games, AI-assisted writing tools without automated decisions — no specific obligations beyond the voluntary EU AI Act Code of Practice.
Step 2: Determine Your Role — Provider or Deployer
Your obligations differ significantly based on your role:
| Aspect | Provider (Art. 3(3)) | Deployer (Art. 3(4)) |
|---|---|---|
| Who they are | Develops AI system and places it on the market | Uses AI system in professional context |
| Typical SaaS scenario | You build an AI feature in your product using your own model or a fine-tuned model | You integrate OpenAI, Claude, or another provider's model into your product |
| High-risk obligations | Full obligations: risk management, technical docs, conformity assessment, CE marking, registration | Lighter: use as intended, human oversight, DPIA if required, register if public authority |
| Limited-risk obligations | Implement Art. 50 transparency; document system | Ensure Art. 50 notices are in place; don't use in prohibited ways |
| Can be both? | Yes — if you build an AI system and also use it in your own operations, you're both provider and deployer | |
Important nuance: If you integrate a third-party GPAI model (OpenAI, Anthropic, Google, etc.) and place your own AI system on the market built on that model, you are the provider of that system for EU AI Act purposes — not just a deployer. The GPAI model provider (OpenAI) has its own obligations under Art. 53, but you have full provider obligations for your system.
Step 3: The Article 50 Transparency Checklist
If your AI system falls into limited risk (chatbots, content generation, recommendations), here's your Art. 50 checklist:
Chatbots & Virtual Agents (Art. 50(1))
- ☐ Users are clearly informed they are interacting with an AI system before or at the start of interaction
- ☐ The disclosure is in plain language, not buried in terms of service
- ☐ If using a third-party LLM, you're not relying on the GPAI provider's disclosure alone
- ☐ You have not assumed that context alone waives the disclosure (Art. 50(1) allows an exception where it is "obvious" to the user; if you rely on it, document your reasoning)
AI-Generated Content (Art. 50(2))
- ☐ Content generated by AI that could be mistaken for human-created content is labelled
- ☐ Deepfakes (synthetic audio/video/images of real persons) clearly disclosed
- ☐ Exception for legitimate artistic/creative purposes is documented if relied upon
What Your Transparency Notice Should Contain
A proper EU AI Act transparency notice (which should appear in your app's UI, help docs, or as a standalone page) should include:
- Name and description of the AI system
- The provider's identity and contact details
- What the system does and does not do (capabilities and limitations)
- Whether the system makes or influences decisions about the user
- Level of human oversight
- How to request human review (if applicable)
- How to contact the provider for AI-related queries
Generate a complete transparency declaration with the ComplyKit EU AI Act Transparency Declaration Generator.
Step 4: High-Risk System Checklist (If Applicable — Aug 2026)
If your system is Annex III high-risk, here's what you need by August 2026:
- ☐ Risk management system (Art. 9) — ongoing, documented throughout lifecycle
- ☐ Technical documentation (Art. 11 + Annex IV) — detailed system description, architecture, training data
- ☐ Data governance practices (Art. 10) — training, validation, testing datasets documented
- ☐ Transparency and instructions for use (Art. 13) — clear documentation for deployers
- ☐ Human oversight measures (Art. 14) — deployed with ability for human review and override
- ☐ Accuracy, robustness, and cybersecurity (Art. 15) — performance documented, adversarial robustness considered
- ☐ Quality management system (Art. 17) — written procedures for all obligations
- ☐ Conformity assessment (Art. 43) — self-assessment or third-party depending on use case
- ☐ EU declaration of conformity (Art. 47)
- ☐ CE marking (Art. 48)
- ☐ Registration in EU AI database (Art. 49)
- ☐ Post-market monitoring system (Art. 72)
- ☐ Incident reporting to national supervisory authority (Art. 73)
Step 5: GPAI Model Obligations (Art. 51–56 — Aug 2025)
GPAI (General-Purpose AI) model obligations apply to providers of foundation models that are placed on the EU market. If you're OpenAI, Anthropic, Mistral, or similar — this is you. If you're using those models in your SaaS, you're a downstream deployer/provider, not a GPAI model provider.
However, you may have obligations if:
- You fine-tune a foundation model and make it available to others — you may become a GPAI model provider
- Your GPAI model has "systemic risk" (trained on 10^25 FLOPs or more) — additional red-teaming and incident reporting obligations
For most SaaS founders: review the transparency information your GPAI provider (OpenAI, Anthropic, etc.) publishes under Art. 53, and ensure your downstream use is within the intended use stated in that documentation.
Step 6: GDPR Intersection
The EU AI Act doesn't replace GDPR — they overlap. Key intersections:
- GDPR Art. 22: If your AI makes automated decisions with legal or similarly significant effect on individuals, Art. 22 rights apply (the right to obtain human intervention, to express one's point of view, and to contest the decision). This is separate from the EU AI Act but often triggered by the same systems.
- GDPR Art. 35 DPIA: High-risk AI systems often require a DPIA. The EDPB has noted that high-risk AI under the EU AI Act is a strong indicator that a DPIA is required under GDPR. Use the DPIA Generator.
- GDPR Art. 13/14: Your privacy policy must disclose AI-based processing, automated decision-making, profiling, and the logic involved. Update your Privacy Policy.
What to Do This Week
If you're a SaaS founder with AI features and haven't started yet:
- Classify your AI system — limited risk (most SaaS), high-risk (HR/credit/health), or minimal risk. If you're unsure, default to limited risk and check the Annex III list carefully.
- Check Article 5. Review the prohibited practices list. If any apply, stop immediately.
- Implement Art. 50 disclosures. If your system interacts with users, add the AI disclosure in your UI. 5 minutes of work, now legally required.
- Update your Privacy Policy to disclose AI processing, automated decisions, and any profiling. Generate an updated Privacy Policy.
- Generate a Transparency Declaration. Use the EU AI Act Declaration Generator to create your Art. 50 notice and compliance documentation.
- Flag high-risk use cases for August 2026 prep if applicable.
The EU AI Act is not going away. The fines are real: up to €35M or 7% of global annual turnover for prohibited practices; up to €15M or 3% for violations of other obligations. For most SaaS companies, the immediate work is simple: classify your system, add a transparency disclosure, and update your privacy policy.
⚠️ This guide is for informational purposes only and does not constitute legal advice. The EU AI Act is in phased application and guidance continues to evolve. Consult qualified EU AI Act legal counsel for advice specific to your system and business context.