The short version
The EU AI Act (Regulation (EU) 2024/1689) is the first comprehensive horizontal AI regulation in the world. It entered into force on 1 August 2024 and applies to anyone who places an AI system on the EU market, puts one into service in the EU, or whose AI system's output is used in the EU — regardless of where the provider is based.
For most SaaS founders, the headline is reassuring: your product is almost certainly not in the high-risk or banned categories. But that doesn't mean you can ignore the Act. Transparency obligations, GPAI model rules, and documentation requirements apply to a much wider set of products than the headline numbers suggest.
Here's a practical breakdown of what actually applies to your SaaS in 2026.
Timeline: what's already in force, what's coming
- 1 August 2024 — the Act entered into force.
- 2 February 2025 — prohibitions on unacceptable-risk AI systems and AI-literacy obligations for staff began applying.
- 2 August 2025 — obligations for general-purpose AI (GPAI) models, governance rules, and penalties became applicable. Member states had to designate competent authorities.
- 2 February 2026 — high-risk AI systems classified under Annex III start to fall under the full obligations regime in stages.
- 2 August 2026 — the Act becomes fully applicable, including obligations for high-risk systems already on the market and the rest of the framework.
- 2 August 2027 — obligations apply to AI systems that are safety components of regulated products (Annex I).
If you're reading this in 2026, the GPAI rules and transparency obligations are already live. The high-risk regime is rolling in. Plan accordingly.
The four risk tiers — where does your SaaS fit?
1. Unacceptable risk — banned
These are AI systems that are simply prohibited in the EU. Examples include social scoring by public authorities, real-time remote biometric identification in public spaces (with narrow law-enforcement exceptions), emotion recognition in workplaces and schools, and AI that exploits vulnerabilities of children or persons with disabilities.
If your SaaS is not building any of these, you're fine. If you are, you have a much bigger problem than this article.
2. High-risk — conformity assessment required
High-risk systems are listed in Annex III and include AI used in: critical infrastructure, education and vocational training (e.g. exam scoring, admissions), employment (CV screening, hiring, performance evaluation), essential private services (credit scoring, insurance pricing), law enforcement, migration and border control, justice administration, and democratic processes.
If your product makes consequential decisions about people in any of those domains, you're high-risk. Obligations include: a risk-management system, data governance, technical documentation, automatic logs, human oversight, accuracy/robustness/cybersecurity standards, post-market monitoring, registration in the EU database, and conformity assessment before placing on the market.
This is a significant compliance lift — budget for it.
3. Limited risk — transparency obligations
This is where most consumer-facing SaaS with AI features land. The main rule: users must know when they are interacting with an AI. Specifically:
- Chatbots and AI assistants: users must be informed they are interacting with an AI, unless it's obvious from the context.
- Emotion-recognition or biometric-categorisation systems: users must be told the system is processing them.
- Deepfakes / synthetic media: AI-generated or AI-manipulated images, audio, or video must be labelled as such (with narrow exceptions for art, satire, and law enforcement).
- AI-generated text published in the public interest: must be disclosed as AI-generated unless it has gone through human editorial review.
If you have an AI chatbot, an AI writing assistant, or any synthetic media generation feature, you're in this tier. The disclosure obligation kicks in at first interaction.
4. Minimal risk — no specific obligations
Spam filters, AI-powered search ranking, content recommendation, basic personalisation, AI in video games, inventory optimisation — these have no specific obligations under the Act. The Commission encourages voluntary codes of conduct, but there's nothing legally required for this tier.
That said: if minimal-risk AI processes personal data, GDPR still applies. The AI Act doesn't replace GDPR; it sits alongside it.
GPAI model obligations — the rule that surprised people
If you are a provider of a general-purpose AI model (i.e. you train and release a foundation model), you have specific obligations from August 2025: technical documentation, instructions for downstream providers, a publicly available summary of training data, and respect for EU copyright law. Models with "systemic risk" (currently defined as those trained with more than 10²⁵ FLOPs) have additional duties around evaluation and incident reporting.
Most SaaS founders aren't training foundation models, so this doesn't apply directly to you. But if you integrate a GPAI model into your product (e.g. you wrap GPT-4, Claude, or Gemini), you become a "deployer" of that GPAI model. Your obligations are lighter — but you still need to:
- Disclose to users that they are interacting with an AI (limited-risk transparency).
- Have an internal AI usage policy describing how you use the model.
- Not use it for prohibited purposes (the unacceptable-risk list above).
- Follow the downstream-use documentation and instructions passed along by the GPAI provider.
What founders should actually do in 2026
Concrete, actionable, founder-sized:
- Map your AI use cases. Make a one-page document listing every place AI is used in your product, what model is behind it, what data goes in, and what output comes out. This is the foundation for every other compliance step — and it takes an hour.
- Classify each use case. For each item on the map, write the risk tier (banned / high-risk / limited-risk / minimal-risk) and your reasoning. If anything looks high-risk, get a lawyer involved.
- Add AI disclosure to your UI. Where users interact with an AI feature (chatbot, AI assistant, generated content), surface a clear notice. "You're chatting with an AI assistant" is enough for most cases.
- Update your Terms of Service. Add an AI clause: what AI features you offer, what the user is responsible for (no prohibited uses, no decisions with legal effects without human review), and limitations of liability for AI-generated outputs.
- Update your Privacy Policy. Disclose AI processing as a purpose, the legal basis (legitimate interests or consent depending on the use case), the model providers acting as sub-processors, and whether prompts are used for model training.
- Internal AI usage policy. Even a half-page document on what your team can and cannot do with AI tools (e.g. don't paste customer data into prompts, don't use AI for hiring decisions without human review) goes a long way.
- AI literacy training. Article 4 requires providers and deployers of AI systems to ensure their staff have a sufficient level of AI literacy. A short internal session and a written policy are enough for most small teams.
- Label synthetic media. If you generate images, audio, or video, ship a watermark or visible label. Provider-side watermarking from OpenAI/Google/Stability tools is increasingly standard — use it.
Penalties
The fines are GDPR-grade and then some:
- Up to €35 million or 7% of global turnover for putting prohibited (unacceptable-risk) AI systems on the market.
- Up to €15 million or 3% of global turnover for breaches of high-risk system obligations and most other obligations.
- Up to €7.5 million or 1% of global turnover for supplying incorrect information to authorities.
Whichever is higher applies. Member-state authorities can take into account proportionality for SMEs and startups, but the headline numbers are real.
Where this leaves a founder
If you're building a typical SaaS with AI-assisted features (a chatbot, AI writing, summarisation, smart search, content recommendation), you are most likely in the limited-risk or minimal-risk tier. Your immediate to-do list is short: clear AI disclosures in the UI, a paragraph in your privacy policy and terms of service, and an internal AI usage policy.
What you should not do is panic, hire a Big Four consultant, or pay for an AI Act "certification" — there is no such certification for limited-risk systems. There's just disclosure, documentation, and good housekeeping.
Action steps for ComplyKit users: generate or refresh your Privacy Policy and Terms of Service with AI processing disclosed. Add a one-line AI notice to your chatbot UI. Document your AI use cases in a Notion doc.
ComplyKit's EU AI Act compliance documentation generator is on the roadmap. In the meantime, ensure your Privacy Policy and Terms of Service address your AI data processing.