EU AI Act compliance for EdTech SaaS founders
EdTech SaaS that touches admissions, grading, proctoring, or learning-path personalisation is high-risk under Annex III point 3 of the EU AI Act. Chapter III obligations apply from 2 August 2026. The penalty ceiling is €15M or 3% of global turnover. EU universities and ministries of education now require AI Act attestations in procurement, and most public tenders for the 2026-2027 academic year already include them as a non-negotiable requirement.
Is your product high-risk under Annex III?
Annex III point 3 covers AI used in education and vocational training. The use cases that hit EdTech:
- AI for determining access or admission to educational institutions
- AI for grading student work or examinations
- AI for assessing appropriate level of education for a student
- AI for monitoring or detecting prohibited behaviour during tests (proctoring)
If your product covers any of these and ships to EU institutions, Chapter III applies in full: Article 43 conformity assessment, Article 10 data governance (with extra obligations for training data involving minors), Article 14 human oversight, Article 15 accuracy and robustness, Article 72 post-market monitoring.
Article 50 transparency obligations
Article 50 transparency rules apply:
- Article 50(1): students or applicants interacting with your AI must be told they are interacting with AI. Informing the teacher or admissions officer does not satisfy this requirement; the students themselves must be informed.
- Article 50(3): emotion recognition or biometric categorisation in remote proctoring (eye-tracking for engagement, stress detection) requires explicit disclosure to the student.
- Article 50(4): AI-generated grading rationales, feedback, or coaching messages must be marked as AI-generated.
Additional layer: GDPR Article 8 requires verifiable parental consent for processing data of children under 16 (member states may set the threshold between 13 and 16). AI features that trigger this requirement need parental-consent gating before any inference.
Self-audit checklist before 2 August 2026
Seven checks before 2 August 2026:
- List every AI feature: grading, proctoring, personalisation, admissions, recommendation, plagiarism detection, attendance.
- Map each against Annex III point 3 categories.
- For each high-risk feature, document training data composition, particularly any data involving minors (extra obligations under Article 10).
- Build the Article 43 conformity assessment file.
- Implement human oversight: teachers or administrators must be able to override every AI decision. Document the override workflow.
- Update student-facing and parent-facing disclosures with Article 50 language. Update teacher dashboards to show AI-generated labels.
- Confirm GDPR Article 8 parental-consent gating for under-16 features.
Penalties and enforcement
Penalty ceilings under Article 99: €15M or 3% of global turnover for high-risk failures or Article 50 failures, €7.5M or 1% for misinformation to regulators. Worked example: an EdTech with €3M ARR and 30 staff faces a theoretical maximum of around €90,000 per violation under SME proportionality. The bigger cost is ministry-of-education procurement: every EU public tender now requires the attestation, and missing it disqualifies you from the bid entirely.
Last updated: 2026-05-28