Your AI vendor already complied. You didn't.

Talk to enough SaaS founders and you get the same shrug. EU AI Act? That's OpenAI's headache. You call an API, the model is theirs, so the rules are theirs too.

Nice story. It falls apart on 2 August 2026, and it lands on your bill.

That date is 47 days out as I write this. Call it seven weeks. The bit that catches almost everyone is Article 50, the transparency rules.

Article 50 does not care whether you trained a model or just plugged one in. It lands on whoever puts the AI in front of EU users. That's you.

What your model provider already sorted

Back on 2 August 2025, the rules for general purpose AI models kicked in. Articles 51 to 55 of Regulation 2024/1689. Those hit the people who actually build the models, so OpenAI, Anthropic, Google, Meta, Mistral.

Documentation, training data summaries, copyright policy, a heap of extra work for the biggest models. Done. A year ago.

All of that covers the model. None of it covers your product. The moment you wrap a model in a feature and ship it, a fresh set of obligations starts piling up, and your name is on those.

What actually hits you on 2 August 2026

2 August 2026 is Article 50 day. The transparency rules switch on, the penalties go live under Article 99, and the AI Office finally gets teeth.

The high risk regime is a separate track with a later date. The AI Omnibus moved it to 2 December 2027, so if you were bracing for Annex III this August, you can stand down. Article 50 is the one with no exit, and it is the one landing in seven weeks.

If your product talks to users, spits out content, or runs on AI somewhere users can't see it, Article 50 has your name on it whether you're high risk or not.

Provider, deployer, or both at once

The Act sorts you into roles. A provider puts an AI system on the market under its own name. A deployer just uses one.

Founders assume that because they didn't build the model, they must be a deployer, and deployers get the soft version. Read it again. Wrap a model, stick your brand on it, sell it, and congratulations, you're now the provider of that system and the deployer of the model underneath at the same time.

Most SaaS live in that overlap. "We just use OpenAI" describes half your situation and quietly skips the half with the paperwork.

There's a nastier edge. Fine tune or seriously modify a model and Article 25 can drop full provider duties on you, and nobody has nailed down what counts as serious yet. So if you're doing anything past prompt engineering, get someone to look before August, not in September.

What Article 50 actually asks of you

Four parts. None of them is rocket science.

50(1): if your AI talks to users, tell them it's AI, unless that's already painfully obvious.

50(2): if you generate text, images, audio or video, mark it as AI generated in a machine readable way. The expected standard is C2PA. Europe hasn't finalised the fine print, which is not your excuse to do nothing.

50(3): if you run emotion recognition or biometric categorisation, tell the people on the receiving end.

50(4): if you make deepfakes, say so.

For a normal SaaS with a chatbot and a bit of generated content, the actual work is small and boring. One clear notice the first time someone hits your AI. An "AI generated" label or metadata flag on whatever your tool produces.

Plus a privacy notice paragraph that says, in plain words, what the model does with inputs, where the training data comes from, and how long you keep things.

The engineering is an afternoon. It doesn't get done because nobody on the team knows what to write, and writing is exactly the part the regulation is fussy about.

And notice what you can't push upstream. OpenAI can't drop a disclosure inside your chatbot. Anthropic can't label the output sitting on your customer's screen. This stuff lives at your product surface, which is the whole reason your vendor hitting its deadline does nothing for yours.

The 47 day version

You don't need a consultant to get moving. You need an afternoon and a spreadsheet.

  1. List every AI feature you ship. Chatbot, search, recommendations, autocomplete, summaries, voice, and yes the internal tools too.
  2. Label each one provider, deployer, or both.
  3. Run each through Article 50. Note which part applies and the disclosure you owe.
  4. Check if you fine tune anything. If you do, flag it for an Article 25 look.
  5. Write the documents. A public AI disclosure on your site, an internal AI policy, and that privacy notice paragraph.

A SaaS that isn't high risk can knock this out in two to three weeks of deeply unglamorous work. If you're doing CV screening, credit scoring, automated grading or exam proctoring, you're in the high risk regime as well. That is a heavier job, but the Omnibus moved its deadline to 2 December 2027, so Article 50 this August is still the thing to deal with first.

Want a second pair of eyes, that's the job. Disclos runs a fixed scope EU AI Act audit for SaaS. €997 one time, five business days, a written report against every article of Regulation 2024/1689 that actually touches your product. Refund if your SaaS isn't compliant by 2 August 2026 after following the report.

Rather do it solo, fair enough. The open source checklist is on GitHub and the free scope tool sits at disclos.eu/check. Either way, run the spreadsheet this week. Seven weeks feels like loads of room, right up until you're staring at disclosures you've never written before.

Frequently asked questions

Does the EU AI Act apply to my SaaS if I just use OpenAI's API?

Yes. Using a model through an API makes you a deployer, and wrapping it in your own product makes you the provider of that system. Article 50 transparency duties land on you on 2 August 2026 regardless of whose model sits underneath.

We have almost no EU users. Are we off the hook?

Probably not. Article 2 catches AI output that is used in the EU even when your company and servers are based elsewhere. If someone in the EU reads or uses what your tool generated, that output was used in the EU.

Did the high risk rules also start on 2 August 2026?

No. The AI Omnibus moved the Annex III high risk regime to 2 December 2027 and the embedded product regime to 2 August 2028. Article 50, Article 5, the GPAI provider obligations, and the governance framework were not delayed and still apply from 2 August 2026.

What are the penalties for breaching Article 50?

Up to 15 million euros or 3% of global annual turnover under Article 99. Startups and SMEs pay the lower of the two figures. Supplying incorrect information to authorities is a separate band of up to 7.5 million euros or 1%.

What does Article 50 actually require?

Four things. Tell users when they are interacting with AI, mark AI generated content in a machine readable way, disclose emotion recognition or biometric categorisation to the people subject to it, and label deepfakes as artificially generated.

Sources

Last updated: 2026-06-16