EU AI Act compliance if you use OpenAI's API

# EU AI Act compliance if you use OpenAI's API

You call OpenAI's API. GPT generates text in your product. Your users see the output. You did not train a model. You did not build an AI system from scratch. You just make API calls.

You still have EU AI Act obligations. Here is what they are and how to handle them.

Your role under the Act

You are a deployer. OpenAI is the provider of the general purpose AI model. You deploy it inside your product under your brand and your authority. The EU AI Act assigns obligations to both providers and deployers, and yours do not disappear because the model belongs to someone else.

This applies equally if you use Anthropic's Claude, Google's Gemini, Mistral, Cohere, or any other third party AI model through an API.

What applies to you

Article 50 transparency (mandatory for almost every SaaS using AI)

If your product does any of these, you must disclose it to users:

Chatbot or conversational AI (Article 50(1)): Users must know they are interacting with AI before the conversation starts. A visible notice in or above the chat interface. Not in your Terms of Service. Not in a help article. In the UI, at the point of interaction.

AI generated text, images, audio, or video (Article 50(2)): Output must be marked as AI generated in a machine readable format. Add data-ai-generated="true" to the containing element. If your product generates images or video, C2PA metadata is the emerging standard.

Deepfakes (Article 50(4)): If your product creates or modifies images or video depicting real people, the content must carry a visible and machine readable disclosure.

Emotion recognition or biometric categorization (Article 50(3)): If your product analyzes facial expressions, voice tone, or categorizes users by biometric data, you must inform users before processing begins and get their acknowledgment.

Most SaaS products using OpenAI's API fall into category 1 (chatbot) or category 2 (generated content) or both. Implementing these disclosures takes hours, not weeks.

Annex III high risk check (depends on your use case)

The API call itself is not high risk. What matters is what your product does with the output. If your SaaS uses GPT to:

• Screen job applicants or rank resumes (Annex III, 4(a)): high risk
• Assess creditworthiness or set insurance premiums (Annex III, 5(b)): high risk
• Triage patients or assist in medical diagnosis (Annex III, 1(a)): high risk
• Make decisions about access to education (Annex III, 3(a)): high risk
• Assist law enforcement in profiling (Annex III, 6): high risk

If your use case is on this list, you have deployer obligations for a high risk AI system. That means human oversight, logging, monitoring, incident reporting, and potentially a fundamental rights impact assessment.

If your product uses GPT for content generation, summarization, translation, or customer support where the output does not drive autonomous decisions about people's rights, you are likely not in high risk territory. Article 50 transparency is your primary obligation.

Record keeping

Article 26(6) requires deployers of high risk AI systems to keep logs generated by the system for at least 6 months. Even if you are not high risk, keeping records of your AI interactions is good practice. When a regulator or enterprise customer asks how your AI features work, you need documentation ready.

What OpenAI handles vs what you handle

OpenAI as the model provider handles:

• General purpose AI model obligations (Articles 51 through 56)
• Systemic risk assessment if the model qualifies (Article 55)
• Technical documentation of the model itself
• Reporting serious incidents related to the model

You as the deployer handle:

• Transparency disclosures in your product UI
• Annex III classification of your specific use case
• Human oversight and monitoring
• Logging and record keeping
• Incident reporting for issues in your deployment
• Fundamental rights impact assessment if applicable
• Responding to customer and regulator inquiries about your compliance

OpenAI publishing their model cards and system documentation does not satisfy your deployer obligations. You need your own compliance documentation specific to how you use the model in your product.

Implementation checklist

1. Audit your AI features. List every place your product calls OpenAI's API. Note what the input is, what the output is, and how users see it.
2. Add Article 50 disclosures. For each AI feature, add the appropriate transparency notice to your UI. Chatbot notice for conversational features. AI generated labels for content output. This is copy paste work.
3. Run the Annex III check. For each AI feature, check if the use case appears in Annex III. If it does, you have additional deployer obligations. If it does not, you are done after transparency.
4. Document everything. Write a one page summary of your AI features, your classification rationale, and the disclosures you implemented. This is what you hand to enterprise customers and regulators.
5. Set up monitoring. Decide how you will detect and respond to AI incidents. For most SaaS, this means logging AI interactions and having a process to report serious issues.

The deadline

August 2, 2026. Article 50 transparency obligations and high risk system deployer obligations become enforceable on this date. You have 60 days.

The implementation work for a typical SaaS using OpenAI's API is small. The transparency disclosures take a day. The classification takes an hour. The documentation takes an afternoon. Doing it now costs almost nothing. Doing it after enforcement starts costs your sales pipeline every week you delay.

Resources

Open source compliance checklist with Article 50 disclosure code and Annex III classifier: github.com/GatisOzols/eu-ai-act-checklist

Fixed scope EU AI Act audit for SaaS, 997 EUR, 5 business days: disclos.eu/audit

Last updated: 2026-06-04