EU AI Act compliance for GovTech and public-sector SaaS
GovTech SaaS sells to public authorities, and a large share of what those authorities do with AI falls under Annex III, so they carry deployer obligations (Article 26) on most deployments. As the provider of a high-risk system you carry the Article 16 provider obligations: Article 13 instructions for use, Article 12 logging, documentation keeping under Article 18, retention of automatically generated logs under Article 19, and Article 73 serious-incident reporting. Customer-side procurement requirements are stricter here than in most verticals: public-sector tenders increasingly ask for AI Act compliance attestations, and some ask for the conformity assessment documentation itself, so the file has to exist before the first bid goes in.
Is your product high-risk under Annex III?
Annex III points that catch GovTech through customer use cases: point 5(a), evaluation by or on behalf of public authorities of eligibility for essential public assistance benefits and services (welfare, disability, social assistance, including healthcare services), including granting, reducing, revoking or reclaiming them; point 6, law enforcement (individual risk assessment, assessment of evidence reliability, profiling); point 7, migration, asylum and border control; point 8(a), administration of justice (assisting a judicial authority in researching and interpreting facts and law and applying the law to facts). Two caveats before you conclude either way. First, point 8 does not extend to purely ancillary administrative activities such as anonymisation, resource allocation or generic case management that does not affect the administration of justice in individual cases (Recital 61), so "case management with AI elements" is not automatically high-risk; the feature has to touch the judicial decision. Second, Article 6(3) takes a system out of the high-risk category where it only performs a narrow procedural task, improves the result of a previously completed human activity, detects decision patterns without replacing human assessment, or does preparatory work, but never where it profiles natural persons, and Article 6(4) requires you to document that assessment before the system is placed on the market. Outside those cases, if your product is sold into any of these functions the high-risk regime applies in full to the product as deployed.
Article 50 transparency obligations
Article 50 applies to citizen-facing surfaces, and which party holds each obligation matters because the provider and the deployer are different organisations here. Article 50(1) (provider): citizen chatbots, AI advisers in public-portal interfaces and AI service navigation must be designed so the citizen is told they are interacting with an AI system, unless that is obvious from context. Article 50(2) (provider): text, audio, image or video the system generates, including AI-drafted correspondence to citizens, AI-summarised case notes and AI-drafted public-service communications, must be marked as artificially generated in a machine-readable way, with a carve-out for assistive or standard editing functions that do not substantially alter the input. Article 50(3) (deployer): emotion recognition or biometric categorisation in citizen interactions requires that the exposed persons are informed. Article 50(4) (deployer) adds disclosure for deep fakes and for AI-generated text published to inform the public on matters of public interest, unless a human has reviewed it and a person holds editorial responsibility. On top of this sits GDPR Article 22: a citizen has the right not to be subject to a decision based solely on automated processing that produces legal or similarly significant effects, and where such a decision is permitted, the right to obtain human intervention, to express their view and to contest it. The human-review path is therefore a product requirement, not a policy statement.
Self-audit checklist before 2 August 2026
Seven checks:
- Map every AI feature against Annex III points 5(a), 6, 7 and 8, and record the Article 6(3) exemption analysis (required by Article 6(4)) for every feature you conclude is not high-risk.
- Run the Article 43 conformity assessment for each high-risk feature (for Annex III points 5 to 8 this is the internal-control procedure of Annex VI), assemble the Annex IV technical documentation (Article 11), issue the EU declaration of conformity (Article 47) and affix the CE marking (Article 48).
- Implement civil-servant oversight and override controls per Article 14 (the deployer's staff must be able to understand, monitor, disregard, override or reverse the output, and to interrupt the system) with automatic event logging per Article 12, retained per Article 19.
- Document training, validation and test data per Article 10: provenance, collection, labelling, and the examination for biases likely to affect fundamental rights or lead to discrimination (Article 10(2)(f)), with particular attention to demographic representativeness for decisions that affect access to benefits.
- Write Article 13 instructions for use that a public-authority customer can drop into its own deployer documentation: intended purpose, known limitations, accuracy and robustness figures, performance for specific groups, the human-oversight measures, and how to collect and retain the logs.
- Add Article 50 disclosures to every citizen-facing AI feature, and expose a GDPR Article 22 human-review route in any automated decision that affects access to public services.
- Register each high-risk system in the EU database (Article 49(1)) before placing it on the market; public-authority deployers register their use separately (Article 49(3)), and law enforcement, migration and border systems go into the restricted non-public section (Article 49(4)).
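The override-with-logging item and the Article 22 human-review item above are the two checklist points that turn into product code rather than paperwork. The following is an added illustration, written for this page and not taken from any regulator, standard or vendor: a hash-chained, append-only decision log in which every model recommendation and every civil-servant decision is recorded, an override is only accepted with a rationale, and a citizen-affecting outcome cannot be issued without a human decision bound to the recommendation it reviewed. Class and field names, the `affects_citizen` flag and the policy rules are assumptions chosen to show the shape of the control, not prescribed by the Act.

```python
"""Illustrative Article 12 / Article 14 decision log for a public-sector AI feature.

Added example, not from the original page. Field names, the affects_citizen
flag and the policy rules below are assumptions for illustration.
"""
import hashlib
import json
import time
from dataclasses import asdict, dataclass
from typing import Callable, List, Optional

GENESIS_HASH = "0" * 64


@dataclass
class LogEntry:
    seq: int
    ts: float
    kind: str          # "recommendation" (model output) or "human_decision"
    case_id: str
    actor: str         # model version, or the civil servant's user id
    payload: dict
    prev_hash: str
    hash: str = ""

    def compute_hash(self) -> str:
        # Canonical JSON over every field except the hash itself.
        body = asdict(self)
        body.pop("hash")
        canon = json.dumps(body, sort_keys=True, separators=(",", ":"))
        return hashlib.sha256(canon.encode("utf-8")).hexdigest()


class DecisionLog:
    """Append-only log; each entry commits to the previous entry's hash, so
    editing, removing or reordering an earlier record is caught by verify()."""

    def __init__(self, clock: Callable[[], float] = time.time):
        self._entries: List[LogEntry] = []
        self._clock = clock

    def _append(self, kind: str, case_id: str, actor: str, payload: dict) -> LogEntry:
        prev = self._entries[-1].hash if self._entries else GENESIS_HASH
        entry = LogEntry(len(self._entries), self._clock(), kind, case_id, actor, payload, prev)
        entry.hash = entry.compute_hash()
        self._entries.append(entry)
        return entry

    def record_recommendation(self, case_id, model_version, inputs_ref, output, affects_citizen):
        """Log the model output with a reference to what it was computed from (traceability)."""
        return self._append("recommendation", case_id, model_version,
                            {"inputs_ref": inputs_ref, "output": output,
                             "affects_citizen": affects_citizen})

    def latest_recommendation(self, case_id) -> Optional[LogEntry]:
        for e in reversed(self._entries):
            if e.case_id == case_id and e.kind == "recommendation":
                return e
        return None

    def record_human_decision(self, case_id, user_id, decision, rationale=""):
        """Override path: the civil servant confirms or overrules the model;
        an overrule is only accepted together with a written rationale."""
        rec = self.latest_recommendation(case_id)
        if rec is None:
            raise ValueError("no recommendation on record for this case")
        overrides = decision != rec.payload["output"]
        if overrides and not rationale.strip():
            raise ValueError("overriding the AI output requires a rationale")
        return self._append("human_decision", case_id, user_id,
                            {"decision": decision, "overrides_ai": overrides,
                             "rationale": rationale, "recommendation_hash": rec.hash})

    def finalise(self, case_id) -> dict:
        """Issue the outcome. A citizen-affecting case must carry a human decision
        bound to the latest recommendation (the Article 22 guard); a case flagged
        as not citizen-affecting may be issued on the model output alone."""
        rec = self.latest_recommendation(case_id)
        if rec is None:
            raise ValueError("no recommendation on record for this case")
        human = next((e for e in reversed(self._entries)
                      if e.case_id == case_id and e.kind == "human_decision"
                      and e.payload["recommendation_hash"] == rec.hash), None)
        if rec.payload["affects_citizen"] and human is None:
            raise PermissionError("citizen-affecting decision requires human review before issue")
        return {
            "case_id": case_id,
            "outcome": human.payload["decision"] if human else rec.payload["output"],
            "human_reviewed": human is not None,
            "overrides_ai": bool(human and human.payload["overrides_ai"]),
        }

    def verify(self) -> bool:
        """Recompute the chain; False if any entry was altered, removed or reordered."""
        prev = GENESIS_HASH
        for i, e in enumerate(self._entries):
            if e.seq != i or e.prev_hash != prev or e.compute_hash() != e.hash:
                return False
            prev = e.hash
        return True

    def entries(self) -> List[LogEntry]:
        return list(self._entries)
```

In a real deployment the log would be written to storage the application cannot rewrite (a WORM bucket or a database with append-only grants) and the chain head would be anchored externally; the point of the chain here is that an override can neither be silently inserted after the fact nor quietly removed, which is what an auditor or a court reading Article 12 logs will ask about.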
Penalties and enforcement
Penalty ceilings (Article 99(4)): up to €15M or 3% of total worldwide annual turnover for the preceding financial year, whichever is higher, for breaches of the high-risk obligations on providers and deployers and for Article 50 transparency failures. For SMEs and start-ups Article 99(6) flips that to whichever is lower, and the basis is turnover, not ARR. Worked example: a GovTech SME with €4M turnover faces a €120,000 statutory ceiling (3% of €4M); a larger undertaking with the same turnover faces the full €15M ceiling. Public-sector contracts add their own penalty clauses, typically in the range of €50,000 to €500,000 per breach. The bigger cost is the contract itself: EU public-sector buyers can terminate for material AI Act non-compliance and pursue cost recovery.
Last updated: 2026-05-28