What changes for SaaS founders on 2 August 2026: the practice's enforcement readout
2 August 2026 is the date Article 50 transparency obligations, the GPAI provider regime under Chapter V, and the governance framework under Chapter VII begin to apply across the EU. It is not, post-AI-Omnibus, the date the high-risk regime under Annex III applies (the AI Omnibus moved that to 2 December 2027) or the date embedded-product obligations under Annex I apply (2 August 2028). This piece is the practice's enforcement readout for 2 August 2026 specifically: what triggers on that day, what does not, the penalty exposure, and what our reviewers see SaaS founders slip in the run-up.
What actually starts to apply on 2 August 2026
Three blocks of obligation begin to apply on 2 August 2026.
Article 50 transparency. Every SaaS surface where a natural person interacts with an AI system must disclose that fact. Every piece of AI-generated content (text, image, audio, video) must carry a machine-readable provenance mark and, where deployed in public-interest contexts, a visible label. Every emotion-recognition or biometric-categorisation feature must inform the user. Every deepfake must be labelled. Article 50 binds providers and deployers in different paragraphs; most SaaS sit in both roles depending on the feature. Penalty band: €15 million or 3% of worldwide annual turnover under Article 99(4).
GPAI provider obligations under Chapter V. Providers of general-purpose AI models that placed a model on the EU market after 2 August 2025 must comply with Article 53 transparency duties (training-data summary, copyright policy, technical documentation). Providers of GPAI models with systemic risk (training compute above 10²⁵ FLOP) must additionally comply with Article 55. These bind OpenAI, Anthropic, Google, Mistral, Meta. They do not bind a SaaS that uses those models through an API. A SaaS that fine-tunes a GPAI to the point of substantial modification under Article 25 can become a provider in its own right.
Governance framework under Chapter VII. The AI Board, the AI Office, national competent authorities, and the scientific panel become operative. National market-surveillance authorities, designated by Member States before 2 August 2025, take on enforcement responsibility. The Commission can begin issuing guidance, delegated acts, and harmonised-standards work programmes. From an enforcement standpoint, 2 August 2026 is the day the institutional machinery starts running.
What does NOT start to apply on 2 August 2026
Three blocks people commonly conflate with this date do not, in fact, trigger on it.
Annex III high-risk obligations. The eight Annex III categories (biometrics, critical infrastructure, education, employment, essential services, law enforcement, migration, justice) were originally scheduled for 2 August 2026 under the original Article 113. The AI Omnibus moved them to 2 December 2027. Articles 9 through 15 still apply. Conformity assessment under Article 43 still applies. EU database registration under Article 49 still applies. Only the date moved.
Annex I embedded-product obligations. AI used as a safety component in products covered by Union harmonisation legislation listed in Annex I (Machinery Regulation, MDR, IVDR, toys, lifts, RED, marine, civil aviation, motor vehicles, agricultural and forestry vehicles) was originally scheduled for 2 August 2027. The AI Omnibus moved it to 2 August 2028 to align with notified-body capacity and harmonised-standards publication. Article 6(1) is the operative classification path.
Article 5 prohibited practices. These entered into force on 2 February 2025, eighteen months earlier. If your product does social scoring, untargeted face scraping, manipulative AI exploiting vulnerabilities, real-time remote biometric ID in public spaces by law enforcement, predictive policing, biometric categorisation by sensitive characteristics, emotion recognition in workplaces or education, or any of the other Article 5 prohibitions, you are already non-compliant. The AI Omnibus did not change Article 5 dates; it added one new prohibition (non-consensual sexually explicit AI content).
GPAI provider obligations under Article 53 entered into force on 2 August 2025 for the upstream model providers. As a SaaS deployer using their APIs, you are not directly bound by those obligations. You are bound by your downstream Article 50 duties.
Four findings our reviewers see slip the deadline most
Across the audits the practice has run, four patterns surface again and again in the run-up to 2 August 2026.
1. Chatbot disclosure missing or hidden. The single most common Article 50(1) failure: a chat surface that is plainly an AI but does not announce it at the start of every conversation. Our reviewers fix this with a drop-in chat banner snippet (React, vanilla HTML, Vue 3) carrying the wording in all 24 EU languages. Five minutes of paste, compliant.
2. AI-generated content unmarked. Article 50(2) requires a machine-readable provenance mark, not just a visible badge. Our technical reviewers integrate C2PA Content Credentials at generation time. It is the only currently-available implementation that meets the 'effective, interoperable, robust and reliable' standard the Act sets.
3. Deepfake or voice-clone left ambiguous. Article 50(4) is explicit: synthetic media depicting real persons must be labelled as artificially generated or manipulated. Our reviewers ship overlay components that wrap the customer's existing media renderer without changing the player.
4. Public AI-use policy missing. Not a strict Article 50 obligation by itself, but the single most useful trust signal a SaaS can publish. Our practice writes the policy as part of the audit, branded to the customer, ready to publish at /ai-use.
Penalty exposure on the same date
Article 99 penalties enter into force in step with the obligations they enforce. There are three tiers for SaaS to track.
€35 million or 7% of worldwide annual turnover for Article 5 prohibited practice violations under Article 99(3). Already enforceable since 2 February 2025. SMEs benefit from proportionality under Article 99(6) but the ceiling is unchanged.
€15 million or 3% of worldwide annual turnover for non-compliance with the high-risk obligations under Articles 6 through 49, and for Article 50 violations, under Article 99(4). Triggers on 2 August 2026 for Article 50. Triggers on 2 December 2027 for Annex III. Triggers on 2 August 2028 for Annex I embedded products.
€7.5 million or 1% of worldwide annual turnover for supplying incorrect or misleading information to authorities under Article 99(5). Triggers in step with the substantive obligation breached.
Our penalty calculator at /tools/penalty-calculator returns an SME-adjusted estimate based on the customer's revenue band. We do not believe small SaaS will see top-tier fines on day one of enforcement. We do believe market-surveillance authorities will move on visible violations to set precedent: chatbots that hide their AI nature, and deepfake services that ship unlabelled output.
What the practice recommends doing now
Three concrete steps, in order, for the Article 50 wave specifically.
Step 1: triage. Run the Article 50 audit at /tools/article-50-audit. Feature by feature: which paragraphs of Article 50 apply (chatbot disclosure, synthetic-content marking, emotion or biometric notice, deepfake labelling). Two minutes, decision tree.
Step 2: commission the audit. If you are in Article 50 territory (the vast majority of SaaS), commission a Disclos audit. €997, five business days, deliverable signed by our lead reviewer. The audit covers Article 50 implementation across every in-scope feature plus the disclosure logging trail.
Step 3: implement before 30 July 2026. Three days of buffer before the deadline. Our reviewers' check-in falls thirty days after delivery, which lands you with weeks to ship every fix before the date.
If you commission an audit in late July 2026, the deliverable will land in your inbox after 2 August 2026. By then the enforcement risk is real. The Annex III wave at 2 December 2027 is a separate eighteen-month programme; see our Annex III pillar for the roadmap.
Frequently asked questions
Will the EU AI Office actively prosecute SaaS founders on 2 August 2026?
Active prosecution requires market-surveillance authorities in each member state to be staffed and resourced. Our policy reviewers track readiness state by state. France (CNIL), Italy (Garante), Spain (AESIA), Germany (BSI + Bundesländer) are the four most likely first-movers. Day-one enforcement will probably be triggered by complaints from natural persons rather than active sweep audits. Visible violations (chatbots hiding their AI nature, unmarked deepfakes) are the most likely targets.
Does my US-incorporated SaaS need to do anything?
If a person located in the European Union can use your product, yes. Article 2(1)(a) makes the Act extraterritorial irrespective of where the provider is established. Our country-by-country pages walk through what enforcement looks like in each member state.
What if I am not sure my features are AI?
Article 3(1) defines AI system broadly: any machine-based system that generates outputs (predictions, recommendations, decisions, content) for a set of objectives. Calling an inference endpoint and surfacing the result to a user is AI deployment under the Act, even if you never trained a model yourself. Our reviewers' standard intake includes a feature-by-feature classification. If you are uncertain, the audit removes the uncertainty.
Can I rely on OpenAI / Anthropic / Mistral to be compliant for me?
No. Their Article 53 obligations are GPAI-provider obligations, not your Article 50 deployer obligations. The Act is explicit on this point. Their compliance does not transfer to you. Reference their Article 53 disclosures in your model card, but ship your own Article 50 disclosures on your product.
How late is too late to commission an audit?
The practice runs a maximum of five audits per week. In June 2026, intake will fill to capacity. By mid-July 2026 we expect to close the form for the week within hours of opening. Commission before the end of June for delivery before the deadline with three weeks of implementation buffer.
Last updated: 2026-06-09