What the EU AI Act actually requires from SaaS startups before 2 August 2026
On 2 August 2026, the main body of the EU AI Act (Regulation 2024/1689) starts applying to companies that ship AI features into the EU. Most SaaS founders we talk to read the date as somebody else's problem. It is not. If your product talks to users in the EU, generates synthetic content, or does anything in HR, education, finance, or biometrics, the obligations land on you. The GPAI model providers you build on have carried theirs since 2 August 2025.
The penalty framework (Chapter XII) has applied since 2 August 2025; from 2 August 2026 it attaches to the Article 50 and high-risk obligations as well. Up to €35M or 7% of global annual turnover for prohibited practices. €15M or 3% for most other obligations, Article 50 and the high-risk regime included. €7.5M or 1% for supplying incorrect, incomplete or misleading information to authorities. For everyone else the higher of the two figures applies; for SMEs and startups the ceiling is the lower one, but a missed Article 50 disclosure on a Series A company is still runway-level money.
What enforces on 2 August 2026
The Act applies in waves. Four dates matter:
- 2 February 2025: Article 5 prohibited practices started applying. Social scoring, real-time remote biometric identification in publicly accessible spaces for law enforcement (subject to narrow exceptions), manipulative or exploitative AI, untargeted scraping of facial images, biometric categorisation that infers protected attributes, emotion recognition in workplaces and schools. If your product does any of these you are already non-compliant.
- 2 August 2025: GPAI model providers (OpenAI, Anthropic, Google, Meta, Mistral) started carrying Chapter V (Articles 51 to 56). The general penalty provisions in Chapter XII applied from the same date. This wave is upstream from your SaaS.
- 2 August 2026: Most of the rest of the Act applies. Article 50 transparency rules. The Annex III high-risk regime in Chapter III. Article 101 fines for GPAI model providers and national market surveillance under Chapter IX. This is the wave that hits SaaS deployers.
- 2 August 2027: High-risk systems that are safety components of products already covered by EU product law (Annex I: machinery, medical devices, vehicles and the like) follow under Article 6(1).
If you ship an LLM feature today and you have EU users on 2 August 2026, the third date is the one you have to plan against.
The four-question triage
Before you spend a single hour on conformance work, sit through this triage. The answers determine which articles touch your product and how much work you owe.
1. Are you a Provider, a Deployer, or both?
A Provider develops an AI system, or has it developed, and places it on the market or puts it into service under its own name or trademark. A Deployer uses an AI system under its own authority, outside purely personal use. If you wrap GPT-4 in your SaaS and sell it under your brand, you are the Provider of the resulting AI system and a downstream provider of the underlying GPAI model (the Act's term, Article 3(68); the model's own Chapter V obligations stay with OpenAI). Most SaaS sit in the overlap: Provider for the features they sell, Deployer for the AI tools their own staff use.
2. Does Annex III touch your product?
Annex III lists the high-risk use cases. The categories that hit SaaS most often:
- Biometric identification or categorization
- Critical infrastructure (energy, water, transport)
- Education and vocational training (admissions scoring, plagiarism detection, exam proctoring)
- Employment and HR (CV screening, performance evaluation, monitoring)
- Access to essential services (credit scoring, insurance pricing, emergency dispatch)
- Law enforcement use cases
- Migration, asylum, border control
- Administration of justice and democratic processes
If your SaaS does CV screening, credit scoring, automated grading, or exam proctoring, assume you are high-risk. Chapter III applies to you, and the documentation lift runs to several hundred engineering and compliance hours per system. Plan for it now. The one escape hatch is Article 6(3): a system in an Annex III area is not high-risk if it only performs a narrow procedural task, improves the result of a previously completed human activity, detects decision patterns without replacing the human assessment, or does preparatory work for such an assessment. The exemption never applies where the system profiles natural persons, and a provider relying on it must document the assessment before placing the system on the market (Article 6(4)) and register it in the EU database (Article 49(2)). Do not claim it without a written analysis.
If your SaaS does none of the eight areas, you are not high-risk. Your main exposure is Article 50.
3. Do you fine-tune or substantially modify a foundation model?
If yes, two separate regimes can turn you from user into provider. Under Article 25, a deployer or other third party becomes the provider of a high-risk system if it puts its own name on it, substantially modifies it, or changes its intended purpose so that it becomes high-risk; the original provider then owes you the information and technical access needed to do your part (Article 25(2)). Under Chapter V, a fine-tune large enough to count as a new general-purpose AI model makes you a GPAI provider with Article 53 obligations of your own. Where "substantial modification" and "new model" begin is not settled in the text of the Act. The GPAI Code of Practice consultation closed in March 2026 without a clean answer. If you fine-tune anything beyond prompt engineering, budget for a written legal opinion before 2 August.
4. Do any of your AI features touch Article 5 prohibited practices?
Run through the Article 5 list once. Most SaaS will not trigger any of them. Workplace emotion recognition (Article 5(1)(f)) is the rule that catches teams out. Note how the Act defines it: inferring emotions or intentions of natural persons on the basis of their biometric data (Article 3(39)). Inferring an employee's emotional state from voice on call recordings or from video is squarely in scope. Text-only sentiment scoring of emails is a closer call, because text is not biometric data, but it is close enough that you want the analysis written down before you ship it.
Article 50, which is the part that hits everyone
Article 50 is the obligation every SaaS shipping AI to EU users carries on 2 August 2026, regardless of high-risk status. Four sub-rules; the first two fall on the Provider, the last two on the Deployer, and as a SaaS you are usually both:
- 50(1): If your AI system interacts directly with people, you must design it so they are told they are dealing with AI, unless that is obvious from the context.
- 50(2): If your system generates synthetic text, image, audio or video, the output must be marked in a machine-readable format and be detectable as artificially generated. The Act does not name a standard; C2PA content credentials are the expected one. European standardisation bodies have not finalised the implementation detail.
- 50(3): If you deploy emotion recognition or biometric categorisation, you must inform the people exposed to it that it is running.
- 50(4): If you deploy a system that produces deepfakes, you must disclose that the content is artificially generated or manipulated. The same paragraph covers AI-generated text published to inform the public on matters of public interest, unless a human has reviewed it and someone holds editorial responsibility for it.
Practical translation for a typical SaaS:
- One visible disclosure on first chatbot interaction
- An "AI-generated" badge for humans plus a machine-readable mark (metadata or watermark) on every output your tool produces
- A privacy notice paragraph covering inference, training data sources, and retention. That one is a GDPR item rather than an Article 50 one, but enterprise procurement reads the two together.
Engineering effort is small for the disclosures. The machine-readable marking in 50(2) is the part with real design choices: a mark that lives only in file metadata disappears the moment a CDN or thumbnailer re-encodes the file, so decide up front whether you need something that survives that. The other bottleneck is knowing what to write.
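What a machine-readable mark can look like in practice, as an added example that is not from this page, from Disclos, or from any standards body. The Act does not fix a format, so this uses a common pre-C2PA choice: an XMP packet stored in a PNG iTXt chunk, carrying the IPTC DigitalSourceType value for AI-generated media, with no signature. The PNG is a constructed solid-colour image, the creator-tool name is hypothetical, and the stripping function stands in for whatever re-encodes images on the way to your customers. It runs on the standard library alone.

```python
"""Added example (not from the page): mark a PNG as AI-generated with an XMP/IPTC
DigitalSourceType tag in an iTXt chunk, then detect the mark, or lose it. Stdlib only."""
import struct
import xml.etree.ElementTree as ET
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
XMP_KEYWORD = b"XML:com.adobe.xmp"  # keyword the XMP spec reserves for PNG iTXt chunks
IPTC_NS = "http://iptc.org/std/Iptc4xmpExt/2008-02-29/"
AI_SOURCE_TYPE = "http://cv.iptc.org/newscodes/digitalsourcetype/trainedAlgorithmicMedia"

def _chunk(ctype: bytes, data: bytes) -> bytes:
    """Serialise one PNG chunk: length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)

def iter_chunks(png: bytes):
    """Yield (type, data) for every chunk, refusing files with a bad CRC."""
    if not png.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos = len(PNG_SIG)
    while pos < len(png):
        (length,) = struct.unpack(">I", png[pos:pos + 4])
        ctype = png[pos + 4:pos + 8]
        data = png[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", png[pos + 8 + length:pos + 12 + length])
        if zlib.crc32(ctype + data) & 0xFFFFFFFF != crc:
            raise ValueError(f"bad CRC on chunk {ctype!r}")
        yield ctype, data
        pos += 12 + length

def make_png(width: int, height: int, rgb=(200, 30, 30)) -> bytes:
    """Constructed sample input: an 8-bit RGB PNG filled with one colour."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    scanline = b"\x00" + bytes(rgb) * width  # filter type 0, then raw pixels
    idat = zlib.compress(scanline * height)
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")

def xmp_packet(source_type: str, creator_tool: str) -> bytes:
    """Minimal XMP/RDF packet carrying IPTC DigitalSourceType and the generator name."""
    return (
        '<?xpacket begin="" id="W5M0MpCehiHzreSzNTczkc9d"?>'
        '<x:xmpmeta xmlns:x="adobe:ns:meta/">'
        '<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#">'
        f'<rdf:Description rdf:about="" xmlns:Iptc4xmpExt="{IPTC_NS}"'
        ' xmlns:xmp="http://ns.adobe.com/xap/1.0/">'
        f"<Iptc4xmpExt:DigitalSourceType>{source_type}</Iptc4xmpExt:DigitalSourceType>"
        f"<xmp:CreatorTool>{creator_tool}</xmp:CreatorTool>"
        "</rdf:Description></rdf:RDF></x:xmpmeta>"
        '<?xpacket end="w"?>'
    ).encode("utf-8")

def mark_ai_generated(png: bytes, creator_tool: str = "hypothetical-image-model") -> bytes:
    """Insert an uncompressed iTXt chunk holding the XMP packet just before IEND."""
    # iTXt body: keyword NUL, compression flag, compression method, language tag NUL,
    # translated keyword NUL, UTF-8 text. Empty language and translated keyword here.
    itxt = XMP_KEYWORD + b"\x00\x00\x00\x00\x00" + xmp_packet(AI_SOURCE_TYPE, creator_tool)
    out = bytearray(PNG_SIG)
    for ctype, data in iter_chunks(png):
        if ctype == b"IEND":
            out += _chunk(b"iTXt", itxt)
        out += _chunk(ctype, data)
    return bytes(out)

def digital_source_type(png: bytes):
    """Return the IPTC DigitalSourceType URI from embedded XMP, or None if there is none."""
    for ctype, data in iter_chunks(png):
        if ctype != b"iTXt":
            continue
        keyword, _, rest = data.partition(b"\x00")
        if keyword != XMP_KEYWORD:
            continue
        compressed, rest = rest[0], rest[2:]  # compression flag, then skip method byte
        _, _, rest = rest.partition(b"\x00")  # language tag
        _, _, text = rest.partition(b"\x00")  # translated keyword
        if compressed:
            text = zlib.decompress(text)
        element = ET.fromstring(text.decode("utf-8")).find(f".//{{{IPTC_NS}}}DigitalSourceType")
        return element.text.strip() if element is not None and element.text else None
    return None

def is_ai_generated(png: bytes) -> bool:
    return digital_source_type(png) == AI_SOURCE_TYPE

def strip_text_chunks(png: bytes) -> bytes:
    """What a thumbnailer or CDN re-encode usually does: drop every text chunk."""
    out = bytearray(PNG_SIG)
    for ctype, data in iter_chunks(png):
        if ctype not in (b"tEXt", b"zTXt", b"iTXt"):
            out += _chunk(ctype, data)
    return bytes(out)

if __name__ == "__main__":
    original = make_png(4, 3)
    marked = mark_ai_generated(original)
    print(is_ai_generated(original), is_ai_generated(marked), is_ai_generated(strip_text_chunks(marked)))
```

Two things to take from it. The detector returns None on the stripped copy, and None has to be read as "unknown", never as "human-made"; a checker that treats a missing mark as a negative result will pass exactly the files that went through a lossy pipeline. And nothing here is tamper-evident: anyone can add, edit or remove the chunk, which is the gap a signed C2PA manifest is meant to close, so treat plain metadata as the floor rather than the finished 50(2) answer.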
The 7-step self-audit you can run this week
- Inventory every AI feature in your product. Chatbot. Embedding search. Recommendations. Autocomplete. Summarisation. Voice. Include every internal tool too. You cannot audit what you have not listed.
- Tag each feature with a role. Provider, Deployer, or both. Write it down per feature.
- Run each feature through Annex III. Yes or no per category. Any "yes" flags the feature for the high-risk regime.
- Run each feature through Article 5. Yes or no per prohibition. Rare hits, but check.
- Map each remaining feature to Article 50. Which sub-rule applies. Note the disclosure you owe.
- Document the model supply chain. Who provides each foundation model. Whether you fine-tune, and how much. Whether you log inputs and outputs, and for how long. Provider status under Article 25 and Chapter V rests on this trail.
- Write or update three documents. A public AI-use disclosure on your site. An internal AI policy for your team. An incident-response stub for Article 73 serious-incident reporting if you are high-risk: providers report to the market surveillance authority, no later than 15 days after becoming aware of the incident and within as little as two days for the most serious cases, so the stub needs an owner and a clock.
A non-high-risk SaaS can complete steps 1 through 7 in two to three weeks of focused work. Annex III teams need a longer engagement and outside review.
When to bring in outside help
Three triggers:
- You sit on Annex III and you have not built compliance documentation before.
- Procurement at one of your enterprise customers has asked for an AI Act attestation in writing.
- You fine-tune a foundation model and you need an Article 25 opinion.
Outside those three cases, the work is doable in-house. The Act is long, but the obligations for a non-high-risk SaaS are bounded.
Where Disclos fits in
We run a fixed-scope audit for SaaS: €997 one-time, 5 business days, a written report against every relevant article of Regulation 2024/1689. Refund if your SaaS is not compliant by 2 August 2026 after following the report. Details on the audit are at /audit and pricing is at /pricing.
If you only want this checklist as a one-page PDF, email gatis@disclos.eu and we will send it back the same day.
AI-assisted draft. Reviewed and signed off by the lead reviewer before publication.
Last updated: 2026-06-13