What does a SaaS startup need to do for EU AI Act compliance?

Start with an AI system inventory, classify each system by risk tier, add transparency disclosures for any AI chatbots or generated content, and check whether any system qualifies as a GPAI model. Most SaaS products fall into the limited or minimal risk tiers and need only transparency notices.

Does a startup with AI features need to comply with the EU AI Act?

Yes, if the startup has EU customers or EU users. Compliance steps depend on risk tier. Most startups with standard AI features (recommendations, chatbots, search) face limited-risk obligations: disclose that the user is interacting with AI.

EU AI Act Compliance Checklist for SaaS and Startups 2026

Scope note: Annex III high-risk obligations (employment decisions, credit scoring, access to essential services, law enforcement uses) are deferred to December 2, 2027 per the Digital Omnibus proposal. The checklist below covers what's binding now: prohibited practices, GPAI, Article 50 transparency, and enforcement readiness. Phase 5 covers the December 2027 scope.

Audit: Build Your AI Inventory and Classify Risk

Week 1-2

Build a complete AI system inventory. Every AI component you build or use: your own models, fine-tuned models, third-party APIs (OpenAI, Anthropic, Mistral, Cohere, Google, etc.), and AI embedded in third-party software you ship. For each: what does it do, who does it affect, does the output reach EU persons? If you use third-party AI APIs, you are a deployer under the Act regardless of whether you wrote the model yourself.

Classify each system against the four risk tiers. Prohibited (Chapter II): stop now. High-risk Annex III (deferred to Dec 2, 2027): begin conformity assessment prep. Limited-risk / Art. 50 transparency: chatbots, voice agents, AI-generated content needing disclosure. Minimal-risk: no mandatory obligations but document the classification decision anyway.

Check for prohibited practices. Subliminal manipulation of persons, social scoring by public authorities, real-time biometric ID in public spaces without authorization, exploitation of vulnerability, untargeted biometric scraping. If any system comes close to any of these, get legal review immediately. Prohibited practices have been binding since February 2, 2025.

Determine if you develop or fine-tune a GPAI model. This includes RAG pipelines that materially extend a base model, fine-tuned models you distribute to third parties, and orchestration layers that create a new general-purpose capability. If yes, Chapter V GPAI obligations applied from August 2, 2025 and are already active. Assess and remediate now.

Transparency: Article 50 Disclosures

Week 2-3

Add Article 50 AI disclosure to every user-facing chatbot, voice agent, and customer-service AI interaction. The disclosure must be clear and distinguishable, and it must appear before the interaction starts. Not in the terms of service. Not after the first AI message. Before. A single line at the opening of the conversation ("You're now chatting with an AI") satisfies the spirit of the requirement.

Add AI-generated content labeling to any output the user might believe is human-created. AI-written summaries, reports, articles, audio, images, video. The regulation uses the term "artificially generated or manipulated" and requires machine-readable marking where technically feasible plus human-readable disclosure where the content reaches end users.

Document your transparency implementation. Screenshots of the disclosure in your product, the code commit that deployed it, and the date it went live. You need this for enforcement. Authorities will ask when the disclosure was implemented and whether it predates the August 2, 2026 enforcement date.

GPAI: If You Develop or Distribute a General-Purpose AI Model

Week 3-4 (if applicable)

Complete technical documentation per Annex XI. For general-purpose AI models you develop: training data description (sources, how selected, cleaning methods), architecture overview, training compute used, evaluation methodology, benchmarks, and known limitations. This documentation must be maintained and updated as the model evolves.

Publish a transparency summary per Annex XII. This is a publicly accessible document covering your GPAI model's general capabilities and limitations, the types of tasks it can perform, and what it should not be used for. "Publicly accessible" means on your website, not behind a login.

Implement a copyright compliance policy documenting how training data was sourced and what opt-outs you honor (Article 53(1)(c)). If you scraped web data, what robots.txt and opt-out signals did you respect? This needs to be a real policy, not a legal disclaimer that says "we comply with applicable law."

Assess whether your GPAI model exceeds the systemic risk threshold. The current threshold is 10^25 FLOPs of training compute, or designation by the European Commission. If you're above this threshold (which applies to only the largest foundation models today), notify the EU AI Office and begin adversarial testing per Article 55.

Governance: Internal AI Compliance Program

Week 4-6

Appoint an internal AI compliance owner. A named individual with authority to make compliance decisions, access to engineering and legal, and accountability for maintaining the AI inventory and documentation. "The legal team" or "the CTO" is not enough: a specific person must own this.

Appoint an EU representative if you're not EU-established but place AI on the EU market. This is a separate legal requirement (Article 22) from having a legal entity. Your EU representative handles regulatory contact and can receive enforcement notices on your behalf. Must be an actual legal entity established in an EU member state.

Build an incident response process. How your company detects, records, and reports serious AI incidents (incidents causing death, serious injury, disruption to critical infrastructure, or violations of fundamental rights) to national authorities. The regulation requires providers to report serious incidents without undue delay. "Without undue delay" means you need a process before the incident, not while it's happening.

Create an internal AI policy. What AI systems and APIs are approved for use, how third-party AI vendors are assessed for compliance (ask for their Article 53 documentation), how new AI features go through a compliance check before launch, and who has authority to approve AI-powered features in customer-facing products.

Archive everything. AI inventory with classification decisions, transparency implementation records, technical documentation, compliance policies, incident logs. Create a compliance folder that an enforcement authority could walk through from day one. Enforcement begins August 2, and auditors can request documentation immediately.

Future-Proof: Annex III High-Risk (December 2, 2027)

Begin now for Dec 2027

Identify any Annex III high-risk systems in your product. Employment decisions (AI that screens, scores, or ranks job applicants or employees), credit scoring or financial services eligibility decisions affecting EU persons, access to essential services, any AI used in education, healthcare triage, or law enforcement contexts. If you have any, start conformity assessment preparation now. The deadline is December 2, 2027, but documentation and assessment takes 3-6 months.

Understand the full Annex III conformity obligation. For high-risk systems: quality management system, technical documentation per Annex IV, data governance documentation, registration in the EU AI Act database, fundamental rights impact assessment (for certain deployers), post-market monitoring plan, and conformity assessment by a notified body (for most Annex III categories). This is a substantial undertaking that takes months, not days.

The common shortcuts that create legal risk

Relying on your AI vendor to handle compliance. If you deploy OpenAI, Anthropic, or any other AI provider's model in a customer-facing product, you are a deployer under the EU AI Act. The provider's compliance with their own GPAI obligations doesn't satisfy your Article 50 transparency obligations or your obligation to classify and document the AI systems you deploy.
Hiding the disclosure in the terms of service. Article 50 transparency must reach the user before the interaction starts. A terms-of-service clause that mentions "AI-powered features" satisfies nothing. It needs to be in the product interface, visible, and timely.
No audit trail for AI incidents. When enforcement authorities investigate, the first thing they'll ask for is your incident log. If you haven't started logging AI incidents (unexpected outputs, harmful results, user complaints about AI behavior), you have nothing to show.
No named compliance owner. "Everyone is responsible" means no one is. The regulation assumes identifiable accountability. If an authority can't identify a person in your company responsible for AI compliance, that's a flag in any investigation.
Assuming your company is too small to matter. The EU AI Act has no SME exemption (unlike some product safety legislation that has lighter obligations for micro-enterprises in specific areas). A startup with EU customers and a user-facing chatbot has Article 50 obligations from August 2, 2026, regardless of headcount or revenue.

EU AI Act Compliance Checklist for SaaS Companies and Startups

The common shortcuts that create legal risk

EU AI Act Resource Hub

Get the free EU AI Act Risk Classifier checklist

Know your EU AI Act risk before August 2