DISCLOS / THE LAW
THE EU AI ACT: WHAT IT ACTUALLY SAYS, AND WHAT YOU NEED TO DO.
Regulation (EU) 2024/1689 entered into force on 1 August 2024. Article 50 transparency obligations apply from 2 August 2026. High-risk Annex III obligations apply from 2 December 2027 under the AI Omnibus. This is not a summary. This is the operational reading for SaaS founders who need to act.
Jump to article
TRANSPARENCY OBLIGATIONS FOR CERTAIN AI SYSTEMS
WHO IT APPLIES TO
Every SaaS with a chatbot, AI-generated content, emotion recognition, or biometric inference.
WHAT IT REQUIRES
Users must be clearly informed — at the point of use — that they are interacting with an AI system. This must be stated before or at the beginning of the interaction. Buried terms don't satisfy this.
WHAT TO DO
Add a visible, persistent AI disclosure label to every AI touchpoint. Use plain language. Translate for EU languages. Implement before 2 August 2026.
VERBATIM TEXT
"Providers of AI systems intended to interact directly with natural persons shall ensure that AI systems are designed and developed in such a way that the natural persons concerned are informed that they are interacting with an AI system."
ARTICLE 50, EU AI ACT
PROHIBITED AI PRACTICES
All AI system providers and deployers operating in the EU.
Certain AI applications are outright banned: subliminal manipulation, exploitation of vulnerabilities, social scoring by public authorities, real-time remote biometric identification in public spaces (with limited exceptions), and emotion recognition in workplaces or educational institutions.
Audit your AI features against the prohibited list. If any product feature could be construed as subliminal manipulation or exploiting user vulnerabilities, remove it or consult a lawyer immediately.
"The following AI practices shall be prohibited: the placing on the market, the putting into service or the use of AI systems that deploy subliminal techniques beyond a person's consciousness or purposely manipulative or deceptive techniques."
ARTICLE 5, EU AI ACT
HIGH-RISK AI SYSTEMS — CLASSIFICATION RULES
AI systems used in hiring, credit scoring, education, law enforcement, critical infrastructure, medical devices, biometric identification.
High-risk systems carry the heaviest obligations: conformity assessments, technical documentation, human oversight requirements, logging, post-market monitoring, and registration in an EU database.
Determine whether your AI features touch any Annex III high-risk category. Most general SaaS does not — but HR tech, fintech, edtech, and medtech founders must check carefully. Under the AI Omnibus (May 2026), the Annex III compliance deadline was pushed to 2 December 2027.
"High-risk AI systems referred to in Annex III shall comply with the requirements set out in this Section."
ARTICLE 6, EU AI ACT
GENERAL-PURPOSE AI MODEL OBLIGATIONS
Providers who build applications on top of GPAI models (GPT-4, Claude, Gemini, etc.).
If you deploy a GPAI model in your product, you are a deployer under the Act. GPAI providers (OpenAI, Anthropic, Google) have upstream obligations; you have downstream disclosure obligations. Systemic-risk GPAI models carry additional requirements.
Confirm your model provider's compliance status. Implement your own disclosure layer. Don't assume OpenAI's compliance covers you — it doesn't.
"Providers of general-purpose AI models shall provide to providers of AI systems that intend to integrate the general-purpose AI model into their AI systems the information and documentation necessary to enable them to comply."
ARTICLE 52 / GPAI, EU AI ACT
PENALTIES
Any provider or deployer found in breach.
Art. 99(3) — Prohibited practices (Art. 5 only — social scoring, mass biometric surveillance, manipulative AI): up to €35M or 7% of global turnover. Almost no SaaS lands here. Art. 99(4) — High-risk system and Article 50 transparency violations: up to €15M or 3% of global turnover. This is the realistic SaaS band. Art. 99(5) — Misleading information to supervisory authorities: up to €7.5M or 1.5%. SME and startup provisions allow lower caps.
The realistic SaaS exposure is Article 99(4): €15M or 3% of global turnover, whichever is higher. This covers Article 50 transparency violations (chatbots, AI-generated content) and Annex III high-risk obligations. €997 is 0.007% of the minimum €15M cap. GDPR fines were dismissed as unlikely until they weren't.
"Non-compliance with the prohibition of the AI practices referred to in Article 5 shall be subject to administrative fines of up to 35,000,000 EUR or, if the offender is an undertaking, up to 7% of its total worldwide annual turnover."
ARTICLE 99, EU AI ACT
BY INDUSTRY
EU AI Act obligations explained for your sector.
AgTech / Agriculture SaaS
AgTech SaaS with AI for crop monitoring, yield forecasting, or farm management i…
Analytics / BI / Data SaaS
Analytics and BI SaaS using AI must comply with Article 50 transparency and Arti…
Communication / Collaboration SaaS
Communication and collaboration SaaS with AI summarisation, transcription, or as…
Content Generation / AI Writing SaaS
AI writing, content, and image generation tools must mark AI-generated output un…
Customer Support / Chatbot SaaS
Chatbot and helpdesk SaaS shipping into the EU must comply with Article 50 trans…
Cybersecurity SaaS
Cybersecurity SaaS using AI for threat detection, response, or behavioural analy…
Developer Tools / Code AI SaaS
Code AI, IDE assistants, and developer-tool SaaS face Article 50 and possible Ar…
E-commerce / Shopify-app SaaS
E-commerce SaaS using AI for recommendations, pricing, or content generation fac…
EdTech / Education SaaS
EdTech with grading, proctoring, or admissions sits on Annex III high-risk under…
Fintech / Financial Services SaaS
Fintech with credit scoring or insurance pricing sits on Annex III as high-risk …
GovTech / Public Sector SaaS
GovTech SaaS sells into Annex III-heavy customers (justice, law enforcement, pub…
HealthTech / Digital Health SaaS
HealthTech sits across the EU AI Act and the Medical Devices Regulation. Here is…
HR SaaS
HR SaaS sits on Annex III as a high-risk AI system. The full Chapter III obligat…
Insuretech / Insurance SaaS
Insuretech with life or health pricing sits on Annex III high-risk under the EU …
LegalTech SaaS
LegalTech tools used in court or by law enforcement are Annex III high-risk unde…
Logistics / Supply Chain SaaS
Logistics and supply-chain SaaS using AI for routing, demand forecasting, or dri…
Manufacturing / Industrial SaaS
Manufacturing SaaS with safety-critical AI may fall under Annex I of the EU AI …
MarTech / Advertising SaaS
MarTech using AI for targeting, personalisation, or content generation faces Art…
Media / Publishing SaaS
Media and publishing SaaS using AI for content generation, recommendation, or mo…
Project Management / Task SaaS
Project management SaaS with AI for scheduling, status reporting, or workforce a…
PropTech / Real Estate SaaS
PropTech using AI for tenant screening, rental decisions, or pricing faces Annex…
Recruitment Tech SaaS
Recruitment-tech using AI for sourcing, screening, or assessment sits on Annex I…
Retail Tech / POS SaaS
Retail-tech SaaS with AI for recommendations, biometric checkout, or workforce s…
SalesTech / CRM SaaS
SalesTech and CRM SaaS with AI lead scoring, outreach automation, or call analys…
Travel / Hospitality SaaS
Travel and hospitality SaaS using AI for booking, biometric check-in, or dynamic…
BY COUNTRY
Country-specific enforcement, DPA guidance, and local requirements.
EU AI Act and the UK after Brexit
The EU AI Act applies extraterritorially to UK SaaS with EU users. Here is how s…
EU AI Act in Austria
Austria applies the EU AI Act through DSB. Here is what Austrian enforcement mea…
EU AI Act in Belgium
Belgium hosts the EU institutions and applies the AI Act through APD/GBA and fed…
EU AI Act in Denmark
Denmark applies the EU AI Act through Datatilsynet with a strong digital-governm…
EU AI Act in Finland
Finland applies the EU AI Act through Tietosuojavaltuutettu with a strong AI str…
EU AI Act in France
France enforces the EU AI Act through CNIL and an interministerial AI committee.…
EU AI Act in Germany
Germany enforces the EU AI Act through BSI, BfDI, and 16 state-level data protec…
EU AI Act in Ireland
Ireland's DPC is the lead supervisor for most US-headquartered Big Tech in the E…
EU AI Act in Italy
Italy's Garante took ChatGPT offline temporarily in 2023. Here is how Italian AI…
EU AI Act in Poland
Poland is one of the fastest-growing EU SaaS markets. UODO enforces the AI Act a…
EU AI Act in Portugal
Portugal applies the EU AI Act through CNPD with growing AI sector activity. Her…
EU AI Act in Spain
Spain established AESIA in 2023 - the first EU AI supervisory agency. Here is ho…
EU AI Act in Sweden
Sweden's IMY enforces the EU AI Act with a strong consumer-protection tradition.…
EU AI Act in the Czech Republic
The Czech Republic applies the EU AI Act through UOOU. Here is what Czech enforc…
EU AI Act in the Netherlands
The Netherlands has the most relevant AI court precedent in the EU - the SyRI ru…
BY TOPIC
Deep-dive articles on specific EU AI Act obligations.
Annex III high-risk AI systems
Annex III lists the eight categories of high-risk AI systems under the EU AI Act…
Annex III: when your SaaS feature is actually high-risk under the EU AI Act
Most SaaS teams misclassify their own AI features. Here is the Annex III decisio…
Article 10 data governance for high-risk AI
Article 10 sets EU AI Act data governance requirements for high-risk AI. Here is…
Article 25 GPAI provider inheritance
Article 25 makes downstream deployers Providers when they substantially modify G…
Article 43 conformity assessment
Article 43 sets the conformity assessment routes for high-risk AI under the EU A…
Article 5 prohibited AI practices
Article 5 of the EU AI Act prohibits eight specific AI practices outright. Penal…
Article 50 disclosure code: copy-paste templates that pass the AI Act
Working HTML, Markdown, and metadata templates for Article 50 disclosures. Chatb…
Article 50 transparency obligations
Article 50 of the EU AI Act sets four transparency obligations for AI in the EU.…
Article 50 vs Article 52: which one binds your chatbot
Article 50 governs transparency to natural persons interacting with AI. Article …
Article 50(1) for AI chatbots: the disclosure rule, decoded
What Article 50(1) of the EU AI Act actually requires for SaaS chatbots, voice a…
Article 53 GPAI provider obligations
Article 53 sets EU AI Act obligations for general-purpose AI model providers. He…
Article 73 incident reporting for high-risk AI
Article 73 requires high-risk AI providers to report serious incidents within 15…
Article 99 EU AI Act penalties
Article 99 sets EU AI Act penalty ceilings: up to €35M or 7% global turnover. He…
EU AI Act compliance if you use OpenAI's API
You call OpenAI's API and your users see GPT output. You still have EU AI Act ob…
EU AI Act vs GDPR: where they overlap and where they don't
The EU AI Act and the GDPR cover different things and overlap in three specific …
How Disclos works: the team behind your EU AI Act audit
Disclos is a research practice. Every EU AI Act audit is led by a senior reviewe…
Provider vs deployer under the EU AI Act: which one is your SaaS
The EU AI Act assigns different obligations to providers and deployers. Most Saa…
Self-audit vs hired audit for the EU AI Act: when each makes sense
A practical decision framework for SaaS founders choosing between a DIY EU AI Ac…
Self-audit: thirty questions before you commission the practice
Thirty questions every SaaS founder can answer in an hour to scope their EU AI A…
The EU AI Act deadline calendar: what to ship by 2 August 2026
A working calendar for SaaS founders: every EU AI Act milestone from 2024 throug…
The five-day audit: how the practice moves from intake to handover
How the Disclos research practice runs a five-day EU AI Act audit: who works on …
What changes for SaaS founders on 2 August 2026
What the EU AI Act enforces on 2 August 2026: transparency obligations, GPAI dep…
What happens if you ignore the EU AI Act
What ignoring the EU AI Act actually looks like for a SaaS: the fines, the enfor…
Why the practice ships disclosures in 24 EU languages
Article 50 of the EU AI Act requires plain-language disclosures. The practice sh…
This article guide is for informational purposes. It is not legal advice. For a complete audit of your specific product against each applicable article, reserve an audit slot.
SOURCES + REFERENCES
Disclos is not a law firm. We deliver researched compliance checklists mapping your product against the published EU AI Act. This is not legal advice. Binding legal opinions require a qualified lawyer.