EU AI Act Checklist for US SaaS Selling to Europe (2026)
You don't need an office in Europe for the EU AI Act to reach you. If EU customers use your AI features, you're in scope — and most US founders only discover this when a European enterprise buyer's procurement team asks for a compliance attestation.
Why a US-Only Company Is Still in Scope
The single most expensive misconception among US SaaS founders is that the EU AI Act is "a European problem." It isn't. Article 2 defines the territorial scope, and it deliberately follows the same extraterritorial logic that made GDPR apply to American companies. You are covered if any of these is true:
- You place an AI system on the EU market (sell or make it available to EU customers)
- You put an AI system into service in the EU under your name or brand
- The output produced by your AI system is used by people located in the EU — even if your servers and company are entirely in the US
That third condition is the trap. A US analytics tool whose AI generates a risk score that an EU bank then acts on is in scope. A US writing assistant used by a marketing team in Berlin is in scope. You do not get to opt out by being American — you opt out by geofencing EU users, which most companies won't do because Europe is real revenue.
Step 1: Figure Out If You're a Provider or a Deployer
The Act assigns obligations based on your role. Most US SaaS companies that build their own AI features are providers. The distinction matters because providers carry the heavier compliance load.
- •You build or train the AI feature yourself
- •You ship AI under your own product name
- •You fine-tune a model and rebrand it
- •You substantially modify a third-party AI system
- •You use someone else's AI tool internally
- •You embed a third-party API unchanged
- •You operate AI for your own business use
- •You don't alter the system's intended purpose
A subtle point: if you take a general-purpose model and put your name on the resulting feature, you can become the provider of that AI system for the purposes of the Act — inheriting provider obligations even though you didn't train the underlying model.
Step 2: Classify Your AI by Risk Tier
The EU AI Act is risk-based. Your obligations scale with the tier your feature falls into. Most SaaS AI lands in limited-risk, but check carefully — high-risk classification changes everything.
Prohibited (Unacceptable Risk)
Banned since February 2025. Social scoring, manipulative AI exploiting vulnerabilities, untargeted facial-recognition scraping, and certain emotion recognition in workplaces and schools. If your product does any of this for EU users, stop now — fines reach €35M or 7% of global turnover.
High-Risk
AI used in hiring, credit and lending decisions, education and exam scoring, critical infrastructure, biometric identification, and access to essential services. This tier carries the heaviest obligations and the August 2026 enforcement deadline. If your SaaS makes or materially influences consequential decisions about EU individuals, you're likely here.
Limited-Risk (Transparency)
Chatbots, AI content generation, and AI that interacts with humans. The main obligation is disclosure — users must know they're dealing with AI, and AI-generated content (including deepfakes) must be labeled. Most SaaS AI features live here.
Minimal-Risk
Spam filters, AI in video games, inventory optimization. No specific obligations under the Act, though voluntary codes of conduct are encouraged.
Step 3: The US SaaS Compliance Checklist
Here's what to actually do, sorted by how likely your feature falls into each tier. Start with the transparency column — it applies to nearly everyone — then layer on high-risk items only if your classification demands it.
Every US SaaS with AI (Limited-Risk Minimum)
- ☐Add clear 'you're talking to AI' disclosure on chat features
- ☐Label AI-generated text, images, audio, and video
- ☐Update your terms and privacy policy to disclose AI use
- ☐Map which features use AI and what data they process
- ☐Document the intended purpose of each AI feature
- ☐Maintain a basic record of model versions and changes
If Any Feature Is High-Risk (Add These)
- ☐Appoint an EU-based authorized representative
- ☐Build and maintain technical documentation (Annex IV)
- ☐Conduct a conformity assessment before EU launch
- ☐Register the system in the EU high-risk AI database
- ☐Implement a risk management system across the lifecycle
- ☐Run documented bias and data-quality audits
- ☐Enable human oversight and automatic event logging
- ☐Write deployer instructions for your EU customers
The Authorized Representative Requirement Catches People Off Guard
If you're a provider of a high-risk AI system and you're outside the EU, you cannot place that system on the EU market until you've appointed an authorized representative established in the Union. This is a named legal entity or person in the EU who holds your technical documentation, cooperates with regulators, and can be the point of contact for market surveillance authorities.
It mirrors the GDPR Article 27 representative concept, and the same vendors that offer GDPR representation increasingly offer AI Act representation. Budget for it if any feature is high-risk — it's not optional, and "we're a small US startup" is not an exemption.
What Happens If You Ignore It
Penalties are tiered. Prohibited practices reach €35M or 7% of global annual turnover. High-risk violations reach €15M or 3%. Supplying incorrect or misleading information to authorities reaches €7.5M or 1%. For US companies, the more immediate cost is usually commercial: EU enterprise buyers now ask for AI Act compliance attestations in procurement, and you'll lose deals if you can't produce documentation.
The practical reality for most US SaaS companies is that the transparency obligations are cheap to meet and the high-risk obligations are expensive — so the highest-leverage move is confirming, with documentation, that your features are not high-risk. Getting that classification wrong in either direction is the costly mistake.
Frequently Asked Questions
We block EU traffic entirely. Are we exempt?
If you genuinely prevent EU customers and end users from accessing your AI features — and the output of your AI is never used by people in the EU — the Act does not apply to those uses. But geofencing must be real and enforced, not a checkbox. Partial or leaky restrictions won't hold up, and most companies find geoblocking Europe costs more revenue than compliance costs.
We only use OpenAI/Anthropic APIs. Does the Act still apply to us?
Yes. The underlying model provider has their own obligations as a general-purpose AI provider, but if you ship a feature to EU users under your brand, you have obligations too — typically as a provider of the AI system you've built on top. You can't fully outsource compliance to your model vendor.
Is the EU AI Act the same as GDPR?
No, they're separate laws with overlapping reach. GDPR governs personal data; the AI Act governs AI systems by risk. An AI feature can trigger both. The good news is that the structural concepts (extraterritorial scope, authorized representatives, documentation, DPIAs) rhyme, so a company with mature GDPR practices has a head start.
We're pre-revenue in Europe. Should we wait to comply?
Build transparency disclosures in now — they're nearly free and apply the moment your first EU user shows up. Hold off on the expensive high-risk machinery until you've confirmed your classification. The mistake is launching into EU enterprise sales and only then discovering procurement requires compliance documentation you don't have.
Don't Let Procurement Be Your Wake-Up Call
The EU AI Act reaches US software the same way GDPR did — through your European customers. The companies that get blindsided are the ones who learn about their obligations when an enterprise buyer's legal team sends a compliance questionnaire mid-deal.
Classify your AI features now, add the transparency disclosures that apply to almost everyone, and document why your features are or aren't high-risk. That paper trail is what turns the AI Act from a deal-blocker into a checkbox you've already cleared.