RatedWithAI

RatedWithAI

Accessibility scanner

AI RegulationJune 21, 2026

EU AI Act Compliance for SaaS Companies 2026: What US Startups Need to Know

The EU AI Act is live. August 2026 enforcement of high-risk AI obligations is weeks away. If your SaaS has AI features and serves EU users, you may already be in scope — and possibly already non-compliant. Here's how to understand your exposure and what to do about it.

€35M
Max fine for prohibited AI practices (or 7% global revenue)
Aug 2026
High-risk AI system obligations enforceable
~400M
EU residents potentially in scope of AI Act

Does the EU AI Act Apply to Your US SaaS?

The EU AI Act has a broad extraterritorial scope — intentionally modeled after GDPR. Article 2 of the Act applies it to providers and deployers of AI systems where either:

  • The AI system is placed on the EU market (available to EU users), or
  • The output of the AI system is used in the EU, or
  • The AI system affects people located in the EU

This means: if you have a SaaS product with AI features — a chatbot, an AI writing assistant, an AI-powered recommendation engine, a credit or scoring model — and EU customers or users interact with it, the EU AI Act applies to your product.

Being a US company incorporated in Delaware does not exempt you. EU regulators have already made clear they will enforce against foreign companies, as they have under GDPR. The question is not whether the law applies — it's which tier you're in.

The EU AI Act Risk Tier System

The EU AI Act uses a risk-based approach. Your obligations depend on which tier your AI system falls into.

Unacceptable Risk — Prohibited

BANNED

AI practices that were banned as of February 2025. These include: social scoring systems (assigning scores to people based on behavior), subliminal or manipulative AI techniques that exploit vulnerabilities, real-time remote biometric identification in public spaces (with limited law enforcement exceptions), and AI that infers sensitive characteristics like race, political opinions, or sexual orientation from biometric data.

Action: If your product does any of this: stop immediately. No compliance path — these are prohibited entirely.

High Risk

FULL COMPLIANCE REQUIRED BY AUG 2026

AI used in consequential decisions in regulated sectors: recruitment, employee monitoring, credit scoring, insurance underwriting, educational assessment, healthcare triage, border control, law enforcement, benefits eligibility. High-risk AI requires conformity assessments, risk management systems, data governance documentation, technical documentation (technical file), human oversight mechanisms, logging/audit trails, and EU market registration.

Action: Requires significant compliance work — technical documentation, risk management, registration in EU AI database.

Limited Risk — Transparency Obligations

DISCLOSURE REQUIRED

AI systems that interact with people must disclose they are AI. This includes chatbots, AI customer service agents, deepfake/synthetic media generators, and emotion recognition systems. Users must be informed they are interacting with an AI system.

Action: Relatively straightforward: add clear AI disclosure to all chatbots, AI assistants, and synthetic media tools.

Minimal Risk

VOLUNTARY CODES

Most AI features — AI-powered filters, recommendation engines, spam detection, search ranking. No mandatory obligations beyond existing EU law (GDPR, consumer protection). Voluntary codes of conduct encouraged.

Action: No new mandatory compliance steps. Ensure GDPR compliance covers any personal data used in AI training/operation.

GPAI: What If You Build on Top of Foundation Models?

The EU AI Act adds a separate category for General-Purpose AI (GPAI) models — the underlying foundation models like GPT-4, Claude, Gemini, Llama. If you are building your own GPAI model or fine-tuning one for release, you have provider-level GPAI obligations that became enforceable August 2025.

If you are building a SaaS product on top of someone else's GPAI model (using the OpenAI API, Anthropic API, Google Vertex AI, etc.), you are classified as a "deployer" not a "provider" of GPAI. This means:

  • You are not responsible for the underlying model's EU AI Act compliance — the model provider is.
  • You ARE responsible for how you deploy the model: what risk tier your use case falls into, transparency disclosures, and downstream compliance for high-risk applications.
  • If your use case creates a high-risk AI system, you must comply as a high-risk deployer even if the model itself is compliant.

In practice: using the Claude or GPT-4 API to power a chatbot on your SaaS puts you in the "limited risk / transparency" tier for that chatbot. Using the same model to power an automated hiring screening tool puts you in the high-risk tier.

High-Risk AI Compliance: What's Actually Required

If your SaaS is in the high-risk category, here's what compliance requires. This is not a checkbox exercise — the EU AI Act has real substance requirements:

Risk Management System

A documented, ongoing process to identify, analyze, and mitigate risks throughout the AI system's lifecycle. Must be updated as risks emerge — not a one-time document.

Data Governance

Training, validation, and test data must meet quality criteria. Bias must be examined and addressed. Data provenance documentation required. This includes data used to train or fine-tune models.

Technical Documentation

A 'technical file' covering system design, architecture, training methodology, performance metrics, limitations, and risk management. Must be maintained current and available to EU authorities on request.

Transparency to Users

Users must be given enough information to understand what the AI system does, its capabilities and limitations, and any human oversight. Instructions for use must be provided.

Human Oversight

High-risk AI systems must be designed so that humans can understand, monitor, and override the system's outputs. Effective override mechanisms must be built in — AI cannot make fully autonomous consequential decisions.

Accuracy, Robustness, Cybersecurity

The system must achieve declared accuracy metrics. It must be resilient to errors, faults, and adversarial attempts to manipulate outputs (prompt injection for LLMs is an example). Cybersecurity requirements apply.

Logging and Audit Trails

High-risk AI systems must maintain logs sufficient to enable post-hoc auditing of decisions. Log retention periods depend on the sector. This means you need to log AI outputs and the inputs that generated them.

EU AI Database Registration

High-risk AI systems must be registered in the EU AI Act database before market placement. The database is public (for transparency). Registration includes technical documentation summary and conformity declaration.

The Transparency Tier: What "AI Disclosure" Means in Practice

Even if you're not high-risk, you likely have transparency obligations. The EU AI Act requires disclosure when users interact with AI systems. Practically, this means:

  • Chatbots and AI assistants — must disclose at the start of the interaction that the user is talking to an AI, not a human.
  • AI-generated or AI-manipulated content — synthetic images, audio, and video that could be mistaken for real must be labeled as AI-generated.
  • Emotion recognition — if your AI infers emotional states (sentiment analysis on customer support tickets, emotion detection in HR tools), users must be informed.
  • Biometric categorization — AI that categorizes people by biometric characteristics must disclose this and comply with additional rules.

Note: if the user already obviously knows they're using an AI (e.g., a code generation autocomplete tool), no disclosure is required. The obligation targets cases where users might be deceived about whether they're interacting with a human or AI.

EU AI Act Timeline for SaaS Founders

Aug 1, 2024

EU AI Act entered into force

Law is in force; compliance clock started for all provisions.

Feb 2, 2025

Prohibited AI practices ban — ENFORCEABLE

Social scoring, subliminal manipulation, most real-time biometric ID banned. Fines: up to €35M / 7% global revenue.

Aug 2, 2025

GPAI obligations — ENFORCEABLE

General-purpose AI model providers (OpenAI, Anthropic, Google, Meta) must comply. Systemic-risk GPAI gets additional obligations.

Aug 2, 2026

High-risk AI system obligations — ENFORCEABLE

Full compliance required for high-risk AI systems (hiring, credit, healthcare, etc.). Technical documentation, registration, human oversight all required.

Aug 2, 2027

Certain biometric/critical infrastructure AI — ENFORCEABLE

Extended timeline for specific regulated sectors already covered by existing EU sector law.

EU AI Act Compliance Checklist for SaaS

Work through these in order. Most SaaS companies in minimal/limited risk tiers can complete steps 1–5 quickly.

Map all AI features in your product (list every feature that uses ML, AI, or LLMs)Start here
Classify each feature by risk tier (prohibited / high-risk / limited / minimal)Essential
Verify you are NOT running any prohibited AI practices (social scoring, manipulative AI, biometric surveillance)Essential
Add AI disclosure to all chatbots and AI-generated content experiences for EU usersAug 2025 +
Update privacy policy and terms to disclose AI feature use to EU usersEssential
If high-risk: Appoint an EU representative or establish EU contact pointHigh-risk only
If high-risk: Produce technical documentation (technical file) for each high-risk AI systemHigh-risk only
If high-risk: Implement risk management system and document itHigh-risk only
If high-risk: Implement human override mechanisms in productHigh-risk only
If high-risk: Set up audit logging for AI decisions affecting EU usersHigh-risk only
If high-risk: Register in EU AI Act database before serving EU customersHigh-risk only
Review GPAI provider (OpenAI, Anthropic, etc.) terms — confirm they are compliant GPAI providersAll API users

Monitor your AI-powered product for compliance issues

RatedWithAI helps SaaS teams track accessibility and compliance requirements across their web properties. Start with a free scan to understand what your EU users see.

Scan Your SaaS for Free →

Frequently Asked Questions

Does the EU AI Act apply to US companies?

Yes. The EU AI Act applies to any company that places AI systems on the EU market or whose AI systems affect EU residents — regardless of where the company is headquartered. If you have European users interacting with AI features, you're in scope. The territorial reach mirrors GDPR: serving EU users means EU law applies.

When does the EU AI Act become enforceable for SaaS companies?

Prohibited AI practice bans were enforceable from February 2025. GPAI obligations from August 2025. High-risk AI system obligations — which affect SaaS companies in HR, healthcare, finance, and education sectors — become enforceable August 2026. If you're not high-risk, your main obligation right now is AI transparency disclosures.

Is using ChatGPT/Claude API in my SaaS product 'high-risk' under the EU AI Act?

Using an LLM API makes you a 'deployer' of a GPAI model, not a provider. Whether your application is high-risk depends on what you do with the model — not the model itself. A customer support chatbot powered by GPT-4 is generally limited-risk (transparency obligation only). An AI-powered hiring screening tool built on Claude is high-risk regardless of the underlying model. The use case determines the risk tier.

What are the EU AI Act fines for startups?

Fines are tiered: €35M or 7% of global annual revenue (whichever is higher) for prohibited AI practices; €15M or 3% for high-risk violations; €7.5M or 1.5% for providing false information. The 'whichever is higher' phrasing means large companies pay proportionally more, but the absolute floor is still significant for startups. For SMEs, fines are capped at the lower of the two thresholds.

Do I need to add 'this is an AI' disclosures to my SaaS chatbot?

Yes, if your chatbot could be mistaken for a human and serves EU users. This applies to AI customer service agents, AI sales assistants, and similar features. The disclosure must be given at the start of the interaction. If it's obviously an AI (e.g., a code autocomplete that clearly suggests code), no disclosure is required because there's no risk of deception.

Related Guides