QUESTIONS FOUNDERS ACTUALLY ASK.

20 questions across applicability, transparency obligations, model provider responsibilities, audit scope, and special cases.

Applicability

Does the EU AI Act really apply to my non-EU company?

Yes. The Act has extraterritorial reach identical to GDPR. If a person located in the EU can access your product — regardless of where your company is incorporated — you are in scope. The Act applies to 'providers placing on the market or putting into service AI systems in the Union, irrespective of whether those providers are established within the Union or in a third country' (Art. 2(1)(a)).

I have almost no EU users. Does this still matter?

The threshold is not market share — it's market access. If your sign-up page accepts European email addresses and does not geo-block EU users, you are offering the product in the Union. One user is sufficient to trigger scope.

Does B2B SaaS trigger the Act?

Yes. The Act covers both B2B and B2C deployment. The key question is whether natural persons interact with your AI system. If your B2B product has user-facing AI features, Article 50 disclosure obligations apply to those users — who are natural persons even if their employer is the contract party.

What about EU member state variations? Is the Act uniform?

The Act is a Regulation, not a Directive — it is directly applicable in all 27 EU member states without transposition. There are no member-state variations on the core obligations. National market surveillance authorities will enforce it, but the legal text is identical across the EU.

Did the EU AI Act deadline get delayed?

Partially. The AI Omnibus (May 2026) pushed Annex III high-risk obligations to 2 December 2027 and Annex I embedded systems to 2 August 2028. Article 50 transparency obligations and the penalty regime still apply from 2 August 2026. Most SaaS using AI fall under Article 50, so the 2 August 2026 deadline remains relevant for the majority of founders.

Article 50 — transparency

What exactly does Article 50 require?

Article 50(1) requires that providers of AI systems intended to interact directly with natural persons ensure users are informed they are interacting with an AI system, before or at the beginning of the interaction, unless it is obvious from context. The disclosure must be in plain language, visible, and not buried in terms.

Does a simple 'Powered by AI' badge satisfy Article 50?

Probably not alone. The requirement is that users are 'informed' they are interacting with an AI system. This implies active, clear disclosure at the point of interaction — not a small badge. The wording must make clear the nature of the system. We include reviewed disclosure copy in every audit pack.

What about AI-generated content — emails, reports, summaries?

Article 50(3) requires that AI-generated content be labelled as artificially generated or manipulated, where applicable. This covers AI-written text, images, audio, and video. If your product outputs content the user might believe was human-created, disclosure is required.

Does Article 50 apply in all 24 EU languages?

The Act doesn't mandate 24 languages explicitly — it requires disclosure in language the user understands. In practice, if your product is used by users across the EU in their native languages, your disclosure must be translated accordingly. Our audit pack includes all 24 EU official languages.

OpenAI and model providers

My chatbot is powered by OpenAI. Doesn't OpenAI handle compliance?

No. OpenAI is a GPAI model provider. You are the deployer. Article 3(4) defines 'deployer' as any natural or legal person using an AI system under its authority. The disclosure obligations under Article 50 are assigned to you, not to OpenAI. OpenAI's usage policies confirm this.

What are my obligations when using a GPAI model like GPT-4 or Claude?

You inherit the transparency and disclosure obligations as the deployer. GPAI providers have upstream documentation obligations; you have downstream disclosure obligations to your users. You must implement compliant disclosures and, for any high-risk application, conduct your own conformity assessment.

Do I need training data documentation?

If you are a GPAI model provider, yes. If you are a deployer using a third-party model, you benefit from the model provider's documentation obligations. However, if you fine-tune a model on your own data, you may take on provider-level obligations for that component.

The audit

Who actually delivers the audit?

Gatis Ozols, Lead Auditor · EU AI Act. EU citizen (Latvia). Every audit is reviewed and approved by the lead reviewer personally — not outsourced, not AI-generated. The audit pack includes a personal Loom video walkthrough of your specific findings.

How long does the audit take?

Five working days from receipt of the completed intake brief and payment confirmation. Day 0: intake. Days 1–3: audit and report. Days 4–5: delivery of the full package.

What is NOT included in the audit?

The audit covers EU AI Act compliance specifically. It does not cover GDPR (separately), ISO 27001, SOC 2, CCPA, or general cybersecurity. It is not legal advice — it is a researched compliance report. For binding legal opinions, you need a qualified EU lawyer.

What happens after 2 August 2026?

Enforcement begins. National market surveillance authorities and the EU AI Office can investigate and impose fines. We offer re-audits at 50% for existing clients within 12 months of original delivery.

Special cases

Does deepfake labelling apply to me?

Article 50(4) requires that providers of AI systems generating synthetic audio, image, video, or text label the output as artificially generated. If your product generates realistic synthetic media — including AI-written content presented as human-written — disclosure is required.

My product uses biometric data. What applies?

Biometric categorisation systems and emotion recognition systems are subject to both prohibition rules (Art. 5) and transparency obligations (Art. 50). If your product infers emotion, sentiment, personality, or demographic characteristics from biometric data, this requires careful analysis — covered in your audit.

What about GPAI in contracts — DPA AI addendum?

When you process personal data using a GPAI model, your Data Processing Agreement with the model provider may need an AI-specific addendum confirming their compliance status. Our audit pack includes a DPA AI addendum template.

What is the actual penalty I face as a SaaS founder?

For most SaaS, the relevant band is Article 99(4): up to €15M or 3% of total worldwide annual turnover, whichever is higher. This applies to Article 50 transparency violations (chatbot disclosure, AI-generated content labelling, deepfake marking) and Annex III high-risk obligations. The €35M / 7% ceiling in Article 99(3) applies only to Article 5 prohibited practices — social scoring, mass biometric surveillance, subliminal manipulation — which almost no SaaS product does. If you run a chatbot or surface AI-generated content without a disclosure label, you are in the €15M / 3% band.

Disclos is not a law firm. We deliver researched compliance checklists mapping your product against the published EU AI Act. This is not legal advice. Binding legal opinions require a qualified lawyer.