EU AI Act compliance for SalesTech and CRM founders
SalesTech and CRM SaaS using AI for lead scoring, automated outreach, conversation intelligence, or pipeline forecasting is generally not high-risk under Annex III but faces three obligation clusters: Article 50 transparency for AI-generated outreach and conversational tools, Article 5 manipulation risk for aggressive personalisation, and Article 10 data governance for any models trained on customer or prospect data. Penalty ceiling is €15M or 3% of global turnover.
Is your product high-risk under Annex III?
SalesTech is NOT typically high-risk under Annex III. The exception cases are AI used in employment-adjacent recruitment marketing (Annex III point 4), AI for credit-style B2B underwriting of customer creditworthiness (Annex III point 5(b)), and AI for predictive customer profiling that could affect access to essential services. For standard CRM, sales engagement, conversation intelligence, and forecasting tools, Annex III does not apply.
Article 50 transparency obligations
Article 50 applies to user-facing AI features.
- Article 50(1): AI-powered SDR tools, chatbot-driven prospecting, and conversational AI assistants must disclose their AI nature to the recipient. Sending an AI-generated cold email without AI disclosure is a 50(1) violation if the recipient cannot reasonably infer AI authorship.
- Article 50(2): AI-generated email copy, AI-summarised call notes, and AI-drafted customer correspondence must be marked as AI-generated in machine-readable form.
- Article 50(3): emotion analysis on recorded calls (sentiment scoring for coaching) requires disclosure to the customer.
Self-audit checklist before 2 August 2026
Seven checks before 2 August 2026:
- List every AI feature: lead scoring, email generation, call summarisation, sentiment analysis, forecasting, recommendation, chatbot.
- Audit AI-generated outreach: does every email mention AI involvement? Update templates.
- Add disclosure to chatbot and AI assistant features.
- Mark AI-generated content (email copy, call notes, suggested replies) with a visible label and HTML metadata.
- If sentiment analysis runs on calls, add customer disclosure at call open and in privacy notice.
- Document training data composition for AI models, particularly anything trained on customer-content corpora.
- Set up Article 73 incident reporting for misuse (mass spam from your tool, deceptive AI-generated outreach).
Penalties and enforcement
The penalty ceiling for Article 50 failures is €15M or 3% of global turnover. For Article 5 manipulation it is €35M or 7%. Worked example: a SalesTech SaaS with €5M ARR faces theoretical maximums of €150,000 (Article 50) or €350,000 (Article 5). The bigger cost is distribution platform delisting. Salesforce AppExchange, HubSpot Marketplace, and Microsoft Dynamics now require Article 50 attestation in their app review processes.
Last updated: 2026-05-28