EU AI Act · 9 min read · 16 May 2026

EU AI Act Liability for SaaS Founders: What You're Actually On the Hook For

The EU AI Act introduces fines up to €35 million or 7% of global revenue. This guide explains how liability works under the AI Act, who is a 'provider' vs 'deployer', and what SaaS founders building on top of AI APIs must do now.

The EU AI Act Is Live — Here's What Changed in 2026

The EU AI Act (Regulation (EU) 2024/1689) entered into force on 1 August 2024, with its obligations phased in. Prohibited practices have been banned since 2 February 2025. The GPAI (general-purpose AI) model obligations and the governance framework, including the AI Office and the penalty provisions, have applied since 2 August 2025. The high-risk AI system requirements, the part most SaaS founders need to worry about, and the Article 50 transparency duties apply from 2 August 2026; AI embedded in products already covered by Annex I product-safety law (medical devices, machinery, vehicles) gets until 2 August 2027.

This isn't a compliance checkbox exercise. The AI Act is built like EU product-safety law: the organisation that places an AI system on the market (the provider) or uses it under its own authority (the deployer) carries the obligations for that system, regardless of whether it trained the underlying model. Civil liability for damage caused by a defective AI product sits alongside it in the revised Product Liability Directive (EU) 2024/2853, which explicitly covers software and which member states must apply from December 2026.

Who Is a "Provider" vs a "Deployer"?

The AI Act distinguishes between three roles:

Provider
Definition: an entity that develops an AI system, or has it developed, and places it on the EU market or puts it into service under its own name or trademark, whether paid or free.
SaaS context: if you build a product on the GPT/Claude/Gemini APIs and make it available to EU customers under your own brand, you are the provider, not OpenAI/Anthropic/Google.

Deployer
Definition: an entity that uses an AI system under its own authority, except in the course of a personal, non-professional activity.
SaaS context: if you use an AI tool internally (AI for your own recruitment, AI for HR decisions about employees), you are a deployer, with its own set of obligations.

Importer / Distributor
Definition: entities in the EU supply chain; they carry specific verification obligations, chiefly when the provider is established outside the EU.
SaaS context: less relevant for most SaaS founders, unless you resell a third-party AI product into the EU.

Critical point: if you place an AI system on the EU market under your own name or trademark, you are its provider under the AI Act, whether you trained the model or call a vendor's API. OpenAI or Anthropic are your suppliers (and GPAI model providers in their own right); the provider obligations for the system your customers use sit with you. Article 25 applies the same logic to anyone who puts their name on an existing high-risk system, substantially modifies it, or changes its intended purpose so that it becomes high-risk. Using a vendor's AI product in-house, unmodified, makes you a deployer rather than a provider.

The Risk Classification System

The AI Act classifies AI systems into four tiers:

1. Prohibited AI (Banned since 2 February 2025)

These practices (Article 5) are banned outright. Fines for violations: up to €35 million or 7% of global annual turnover.

  • Subliminal, manipulative or deceptive techniques that materially distort behaviour and cause, or are likely to cause, significant harm
  • Exploiting vulnerabilities due to age, disability or social/economic situation to distort behaviour in a harmful way
  • Social scoring of people based on social behaviour or personal characteristics that leads to detrimental or disproportionate treatment, by public or private actors
  • Predicting the risk that a person commits a criminal offence based solely on profiling or personality traits
  • Untargeted scraping of facial images from the internet or CCTV footage to build facial recognition databases
  • Emotion recognition in the workplace or in education institutions, except for medical or safety reasons
  • Biometric categorisation to infer race, political opinions, trade union membership, religious beliefs, sex life or sexual orientation
  • Real-time remote biometric identification in publicly accessible spaces for law enforcement, except in narrowly defined cases (searching for victims of abduction, preventing an imminent terrorist threat) subject to prior authorisation

For SaaS founders: emotion detection features (mood detection, frustration detection) aimed at employees or students are banned unless they serve a medical or safety purpose. Behavioural manipulation features that exploit psychological vulnerabilities are banned. Any feature that infers protected characteristics from biometric data is banned.

2. High-Risk AI (Most regulatory burden, applying from 2 August 2026 for Annex III systems)

High-risk AI systems are listed in Annex III of the AI Act (plus AI that is a safety component of products covered by Annex I sectoral law). SaaS-relevant Annex III categories:

  • Biometrics: remote biometric identification (one-to-one verification that only confirms a person is who they claim to be is excluded), biometric categorisation by sensitive or protected attributes, and emotion recognition outside the prohibited workplace/education contexts
  • Critical infrastructure: safety components in the management of critical digital infrastructure, road traffic, and the supply of water, gas, heating and electricity
  • Education and vocational training: determining admission or access, evaluating learning outcomes, assessing the appropriate level of education, monitoring prohibited behaviour during tests
  • Employment and HR: recruitment and targeted job advertising, filtering applications, evaluating candidates, decisions on promotion, termination and task allocation, monitoring or evaluating performance
  • Access to essential services: eligibility for public benefits, creditworthiness assessment (financial fraud detection is excluded), risk assessment and pricing for life and health insurance, emergency-call triage and dispatch
  • Law enforcement: individual risk assessment, polygraphs and similar tools, evaluating the reliability of evidence, profiling during investigations
  • Migration, asylum and border control: risk assessment, examination of applications, identification of persons
  • Administration of justice and democratic processes: assisting courts in researching and interpreting law and facts, influencing the outcome of an election or voting behaviour

If your SaaS falls into any of these categories, you face the full high-risk regime: risk management, conformity assessment, technical documentation, EU Declaration of Conformity, CE marking, registration in the EU AI database, and ongoing monitoring. One caveat worth checking before you start: an Annex III listing is not automatically high-risk. Article 6(3) exempts systems that only perform a narrow procedural task, improve the result of a previously completed human activity, detect decision patterns without replacing human assessment, or do preparatory work for an assessment. The exemption never applies where the system profiles natural persons, and a provider relying on it must document the reasoning and still register the system in the EU database.

High-Risk Provider Obligations

  • Risk management system (Art. 9): documented, iterative process to identify, estimate and mitigate risks across the AI system's lifecycle, including testing against the intended purpose
  • Data governance (Art. 10): training, validation and test data that are relevant, sufficiently representative and examined for bias; dataset provenance and preparation documented
  • Technical documentation (Art. 11, Annex IV): system design, development process, training methodology, performance metrics and limitations, kept up to date
  • Logging / audit trail (Arts. 12 and 19): automatic recording of events over the system's lifetime that enables ex-post review of its operation; providers must keep logs under their control for at least six months, longer where Union or national law requires
  • Transparency to deployers (Art. 13): instructions for use covering intended purpose, capabilities, accuracy, known limitations and foreseeable misuse, and the human-oversight measures
  • Human oversight (Art. 14): technical measures so the deployer's staff can understand and correctly interpret outputs, decide not to use them, and override or halt the system
  • Accuracy, robustness, cybersecurity (Art. 15): declared accuracy metrics, resilience to errors and inconsistencies, and protection against data poisoning, model poisoning, adversarial examples and model evasion
  • Conformity assessment (Art. 43): internal control for most Annex III systems; a notified body for biometric systems (Annex III point 1) where harmonised standards are not fully applied, and for products under Annex I sectoral law
  • EU Declaration of Conformity and CE marking (Arts. 47 and 48): signed declaration; a digital CE marking for systems provided purely as software
  • EU AI database registration (Art. 49): register the system before placing it on the market
  • Post-market monitoring (Art. 72): collect and analyse field performance data and feed findings back into risk management
  • Serious incident reporting (Art. 73): report to the market surveillance authority of the member state where the incident occurred, immediately after establishing a causal link and no later than 15 days (10 days for a death, 2 days for a widespread infringement or critical-infrastructure disruption)
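The logging and human-oversight rows are the ones an engineer has to turn into a design, so here is one way to do it. This is an added example written for this page, not code from the article, a regulator, or any standards body; the hypothetical CV-screening feature, its field names, model identifier and sample inputs are all constructed for illustration. It appends every model decision to a JSON-lines log as a record that hashes the previous record, stores a hash of the input rather than the applicant's data, records a reviewer's override as a new linked entry instead of rewriting the original, and re-walks the chain so that a deleted or edited line is detected during ex-post review.

```python
"""Tamper-evident decision log for a hypothetical high-risk AI feature (added example)."""
import hashlib
import json
import time
from typing import Optional

GENESIS_HASH = "0" * 64  # prev_hash of the very first entry


def _canonical_digest(record: dict) -> str:
    """SHA-256 over canonical JSON, so key order cannot change the hash."""
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")
    return hashlib.sha256(canonical).hexdigest()


class DecisionLog:
    """Append-only, hash-chained log of model decisions and human overrides."""

    def __init__(self) -> None:
        self.entries: list[dict] = []

    def _append(self, body: dict) -> dict:
        # Each record commits to its predecessor; the chain head is the last hash.
        body["prev_hash"] = self.entries[-1]["hash"] if self.entries else GENESIS_HASH
        entry = {**body, "hash": _canonical_digest(body)}
        self.entries.append(entry)
        return entry

    def record_decision(self, *, model_version: str, input_text: str, output: str,
                        confidence: float, operator_id: str, ts: Optional[float] = None) -> dict:
        return self._append({
            "kind": "decision",
            "ts": time.time() if ts is None else ts,
            "model_version": model_version,  # assumed identifier; pin the exact model build
            # A hash of the input, not the input: the log must allow ex-post review without
            # becoming a second copy of personal data. Use a keyed HMAC if inputs are low-entropy.
            "input_sha256": hashlib.sha256(input_text.encode("utf-8")).hexdigest(),
            "output": output,
            "confidence": confidence,
            "operator_id": operator_id,
        })

    def record_override(self, *, decision_hash: str, reviewer_id: str, new_output: str,
                        reason: str, ts: Optional[float] = None) -> dict:
        # Human oversight is recorded as a new linked entry; the original decision is never
        # edited, so the reviewer's intervention is itself part of the audit trail.
        if not any(e["hash"] == decision_hash for e in self.entries):
            raise ValueError("override refers to a decision that is not in this log")
        return self._append({
            "kind": "override",
            "ts": time.time() if ts is None else ts,
            "overrides": decision_hash,
            "reviewer_id": reviewer_id,
            "new_output": new_output,
            "reason": reason,
        })

    def to_jsonl(self) -> str:
        return "\n".join(json.dumps(e, sort_keys=True) for e in self.entries) + "\n"


def verify_jsonl(text: str) -> tuple[bool, int]:
    """Re-walk the chain. Returns (ok, index of first bad entry or -1)."""
    prev = GENESIS_HASH
    for i, line in enumerate(l for l in text.splitlines() if l.strip()):
        entry = json.loads(line)
        claimed = entry.pop("hash", None)
        if entry.get("prev_hash") != prev or _canonical_digest(entry) != claimed:
            return False, i
        prev = claimed
    return True, -1


def effective_outcome(log: DecisionLog, decision_hash: str) -> str:
    """The latest human override wins over the model's own output."""
    outcome = next(e["output"] for e in log.entries if e["hash"] == decision_hash)
    for e in log.entries:
        if e.get("kind") == "override" and e["overrides"] == decision_hash:
            outcome = e["new_output"]
    return outcome


def demo() -> tuple[bool, bool, str]:
    """Constructed walk-through: one decision, one override, one tampered copy."""
    log = DecisionLog()
    d = log.record_decision(model_version="cv-screen-2026.04", input_text="<constructed CV text>",
                            output="reject", confidence=0.81, operator_id="hr-bot", ts=1_778_000_000)
    log.record_override(decision_hash=d["hash"], reviewer_id="hr-reviewer-7", new_output="shortlist",
                        reason="model penalised a two-year care gap", ts=1_778_000_300)
    clean = log.to_jsonl()
    # Simulated tampering: someone edits the stored model output after the fact.
    tampered = clean.replace('"output": "reject"', '"output": "shortlist"', 1)
    return verify_jsonl(clean)[0], verify_jsonl(tampered)[0], effective_outcome(log, d["hash"])


if __name__ == "__main__":
    print(demo())  # (True, False, 'shortlist')
```

A hash chain only proves the log was not altered after the chain head was last recorded somewhere the log writer cannot reach, so ship the head hash periodically to a separate system (a WORM bucket, a ticketing note, a signed timestamp). Retention is then handled by rotating whole files after the six-month minimum rather than deleting individual lines, which would break verification.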

3. Limited-Risk AI (Transparency obligations under Article 50, applying from 2 August 2026)

These apply to chatbots, synthetic content and deepfakes, and to emotion recognition or biometric categorisation outside the banned contexts:

  • Chatbots / conversational AI: the provider must design the system so that users are informed they are interacting with an AI, unless that is obvious to a reasonably well-informed person
  • AI-generated content (text, images, audio, video): the provider must mark outputs as artificially generated in a machine-readable format (watermarks, metadata or similar; the Commission is developing codes of practice on the detail). Deployers must disclose deepfakes, and AI-generated text published to inform the public on matters of public interest, unless the text has been through human review with editorial responsibility
  • Emotion recognition / biometric categorisation: deployers must inform the persons exposed to the system

This affects almost every SaaS product with a chatbot, AI writing feature or AI-generated media. These obligations are not yet in force at the time of writing: they apply from 2 August 2026, and a breach falls in the €15 million / 3% fine tier, so the disclosure UI and output marking need to ship before then.

4. Minimal-Risk AI (No specific obligations)

AI-powered spam filters, recommender systems without high-risk classification, AI-enabled search — minimal or no specific obligations. Voluntary codes of practice encouraged.

GPAI (General Purpose AI Models) — Applies to Model Providers

GPAI obligations (Chapter V, applying since 2 August 2025) fall on the developers of the models (OpenAI, Anthropic, Google, Meta), not on SaaS builders calling their APIs, unless you fine-tune or substantially modify the model, in which case you can become a provider of the modified model. GPAI models with systemic risk (presumed where training compute exceeds 10^25 FLOPs) carry additional obligations: model evaluation including adversarial testing, systemic-risk mitigation, serious-incident reporting and adequate cybersecurity. As a SaaS founder using a GPAI API you are the downstream provider of the AI system built on top of it: you carry the system-level obligations toward your users, and the model provider owes you the documentation and information under Article 53 that you need to meet them.

Practical AI Act Checklist for SaaS Founders (2026)

  1. Classify your AI systems: For each AI feature, determine its risk tier. If high-risk, start your compliance programme now.
  2. Audit prohibited practices: Do any features use subliminal manipulation, exploit vulnerabilities, or use emotion recognition in workplace/education contexts? Kill or redesign them now — these are already banned.
  3. Add AI disclosure to your UI: any chatbot or other direct AI interaction must be disclosed from 2 August 2026 (Article 50), and synthetic media outputs must carry a machine-readable marking. Build this now rather than in the last quarter.
  4. Update your privacy policy: describe AI-based processing, any automated decision-making, and the logic involved (GDPR Articles 13 to 15 and 22).
  5. Conduct DPIAs for AI features: AI processing of personal data at scale, profiling, or decisions with legal or similarly significant effects typically meets the DPIA triggers under GDPR Article 35. Run the DPIA before launch.
  6. Review your API agreements: Ensure your OpenAI/Anthropic/Google agreements allow your use case. GPAI providers' usage policies affect what you can build.
  7. Document your AI systems: Even for minimal-risk systems, start building technical documentation habits. Auditors and enterprise buyers will ask for this.
  8. Check your Terms of Service: Disclose AI use, set appropriate expectations about AI output accuracy, and include disclaimers about automated decision-making.

Fines and Enforcement

Maximum fines under Article 99:

  • Prohibited AI practices (Art. 5): €35 million or 7% of global annual turnover
  • Other obligations, including high-risk provider/deployer duties and the Article 50 transparency duties: €15 million or 3% of global annual turnover
  • Supplying incorrect, incomplete or misleading information to notified bodies or authorities: €7.5 million or 1% of global annual turnover
  • SMEs and start-ups: whichever of the fixed amount and the percentage is lower; for everyone else, whichever is higher

The AI Office (established within the European Commission) leads GPAI model enforcement, and the Commission itself fines GPAI providers. National market surveillance authorities enforce the high-risk and transparency rules in their jurisdictions. First enforcement actions are expected in 2026.

The Bottom Line for SaaS Founders

If you ship AI features to EU users, you are a provider under the AI Act — full stop. The model vendor is not your shield. The practical priorities for 2026:

  1. Kill any prohibited practices immediately
  2. Add chatbot/AI interaction disclosure and machine-readable marking of generated content before 2 August 2026
  3. Determine if any feature falls in the high-risk categories — if yes, begin your compliance programme
  4. Update your Terms of Service and Privacy Policy for AI processing disclosures
  5. Run DPIAs for AI features processing personal data


Key Takeaways

  • If you ship AI features to EU users under your own brand, you are the AI Act provider — not your API vendor.
  • Prohibited practices (emotion recognition in workplaces/schools, manipulative techniques, social scoring and the rest of Article 5) have been banned since 2 February 2025.
  • Chatbot / AI interaction disclosure and machine-readable marking of generated content apply from 2 August 2026: build them now.
  • High-risk AI system obligations apply from 2 August 2026 for Annex III systems: classification and the compliance programme should start now.
  • Fines reach €35 million or 7% of global revenue for prohibited practice violations.