EU AI Act compliance for travel and hospitality SaaS

Travel and hospitality SaaS sits in a mixed AI Act position. Booking chatbots, recommendation engines, and AI-generated travel content fall under Article 50. Biometric check-in and identity verification systems fall under Annex III point 1. Dynamic pricing and yield management raise Article 5 manipulation concerns at the edges. Penalty ceilings range from €15M (Article 50) to €35M (Article 5).

Is your product high-risk under Annex III?

Annex III points that catch travel-tech: point 1(a) biometric identification (airport check-in kiosks, hotel facial recognition, border-control adjacent ID tools). Point 1(b) biometric categorisation if inferring traveler characteristics. Point 5 essential services - relevant only if your travel-tech handles state-subsidised travel allocations or refugee transport. Standard booking engines, OTA platforms, hotel PMS, and revenue management tools are NOT in Annex III.

Article 50 transparency obligations

Article 50(1): travel chatbots, AI concierges, and AI booking assistants must disclose AI nature. Article 50(2): AI-generated travel itineraries, AI-written destination guides, AI-summarised review aggregation must be marked. Article 50(3): if you deploy emotion or sentiment analysis on guest feedback, disclosure to the guest is required. Article 50(4): AI-generated synthetic hotel imagery (renderings of unbuilt properties, AI-enhanced photos beyond standard editing) requires disclosure.

Self-audit checklist before 2 August 2026

Seven checks:

  1. Inventory AI features: chatbot, recommendation, pricing, content generation, image processing, biometric check-in, fraud detection.
  2. Tag biometric features against Annex III point 1.
  3. Add Article 50(1) disclosure to all conversational features.
  4. Mark AI-generated content (itineraries, descriptions, images) with visible label plus metadata.
  5. For dynamic pricing, document the design rationale - exclude vulnerability-targeting patterns that could trigger Article 5(1)(b).
  6. If biometric check-in is used, build the Annex III point 1 conformity assessment file.
  7. Update guest-facing communications and privacy notices with Article 50 language.

Penalties and enforcement

Penalty ceilings: €15M or 3% of global turnover for Article 50, €15M or 3% for Annex III, €35M or 7% for Article 5. Worked example: travel SaaS with €6M ARR faces theoretical maximum of €180,000 to €420,000 per violation. Bigger cost: distribution-channel delisting. Booking.com, Expedia Group, Airbnb partner programmes require Article 50 attestation for AI integration in 2026.

Last updated: 2026-05-28