1. What Is the EU AI Act and Does It Apply to Your SaaS?

The EU AI Act (Regulation (EU) 2024/1689) was adopted on 21 May 2024 and entered into force on 1 August 2024. It is the first comprehensive legal framework for artificial intelligence anywhere in the world.

Like the GDPR, the AI Act has extraterritorial reach. It applies to any company that places an AI system on the EU market or whose AI system's output is used within the EU, regardless of where that company is established. As the European Commission states, the Act covers providers (developers), deployers (users in a professional capacity), importers, and distributors of AI systems.

Your SaaS is in scope if it does any of the following:

•        Integrates AI features (chatbots, recommendation engines, automated decisions, content generation) used by EU customers

•        Deploys or embeds a general-purpose AI model (such as an LLM) in a product accessible to EU users

•        Uses AI internally to make decisions about EU-based individuals (hiring, credit, insurance, moderation)

•        Provides AI-powered SaaS tools (analytics, scoring, classification) to EU-based businesses

2. The Risk-Based Framework: Four Tiers

The AI Act follows a risk-based approach. AI systems are classified into four tiers, each with different obligations. The classification determines what you must do. The official high-level summary from the AI Act website provides a useful overview.

Where most SaaS AI features land: The majority of AI-powered SaaS features (chatbots, content generation, recommendation engines, summarization tools) fall into the limited-risk or minimal-risk tiers. However, if your product makes or supports decisions about people in employment, creditworthiness, insurance, education, or similar domains, you are likely operating a high-risk AI system.

3. What Is Already Enforceable (As of March 2026)

The AI Act uses a phased timeline. Some obligations are already in effect. The European Commission's overview and DLA Piper's analysis confirm the following milestones:

Important: The European Commission proposed in November 2025 (the "Digital Omnibus" package) to potentially extend the high-risk deadline to December 2027. As of March 2026, this proposal is still being negotiated by EU lawmakers and is not yet adopted.

4. Prohibited AI Practices: What You Must Not Do

Article 5 lists eight AI practices that are completely banned. These have been enforceable since 2 February 2025, with penalties applicable since 2 August 2025. The European Commission published guidelines on 4 February 2025 explaining each prohibition in detail.

As Orrick's analysis explains, only practices explicitly listed in Article 5(1) are prohibited. The Commission interprets these prohibitions broadly, and organizations should not attempt to structure around them.

Penalty: Up to EUR 35 million or 7% of global annual turnover, whichever is higher. Italy has also introduced criminal penalties, including imprisonment for certain AI offences under its national implementing law (Law No. 132/2025).

5. AI Literacy: Already Mandatory

Article 4 requires all providers and deployers to ensure that their staff and contractors have a sufficient level of AI literacy. This obligation has been in effect since 2 February 2025.

AI literacy means ensuring that people who operate, oversee, or make decisions about AI systems understand how those systems work, their limitations, and the potential risks they pose. As Latham & Watkins explains, there are no direct fines for violating Article 4 itself. However, regulators will likely scrutinize AI literacy compliance during investigations, and inadequate training could increase liability if an AI system causes harm.

What this means in practice for SaaS companies:

•        Train product, engineering, support, and sales teams on how your AI features work and their limitations

•        Document your training program (dates, content, attendees) as evidence of compliance

•        Include AI literacy in onboarding for new hires and contractors

•        Tailor training to roles: engineers need technical depth; sales needs to understand disclosure obligations

6. High-Risk AI Systems: Does Your SaaS Qualify?

An AI system is classified as high-risk under Article 6 if it falls into one of two categories: (1) it is a safety component of a product covered by EU harmonization legislation in Annex I, or (2) it is listed in one of the use-case domains in Annex III. High-risk rules apply from 2 August 2026.

Critical note: An AI system listed in Annex III is always high-risk if it profiles individuals. There is a narrow exception under Article 6(3) for systems that do not materially influence decision outcomes, but you must document your non-high-risk assessment and register it before placing the system on the market.

7. Obligations for High-Risk AI Systems (Articles 9-15)

If your AI system qualifies as high-risk, you face the most substantial compliance burden under the Act. As Dataiku's analysis summarizes, providers must meet requirements under Articles 9 through 15, and deployers have their own set of obligations.

In addition, providers of high-risk systems must: complete a conformity assessment (self-assessment in most cases, third-party for biometric systems), affix the CE marking, register the system in the EU database (Article 49), and implement a post-market monitoring system (Article 72).

8. Transparency Obligations (Article 50): Applicable from August 2026

Article 50 applies to all generative AI systems, not just high-risk ones. As Bird & Bird notes, Article 50 will likely affect the greatest number of organizations because its scope is far broader than the high-risk rules.

The European Commission published the first draft of a Code of Practice on Transparency of AI-Generated Content on 17 December 2025, with finalization expected by June 2026. As Jones Day explains, although voluntary, this Code is likely to become the benchmark for what regulators consider adequate compliance with Article 50.

9. General-Purpose AI (GPAI) Model Rules

If your SaaS builds on or integrates a general-purpose AI model (such as an LLM from OpenAI, Anthropic, Google, Mistral, or others), the GPAI rules under Chapter V of the AI Act apply to the model provider, not typically to you as a downstream deployer. However, you should understand how these rules affect your supply chain.

GPAI providers (the model developers) must:

•        Maintain technical documentation covering training, evaluation, and capabilities

•        Provide downstream providers (you) with information to integrate the model compliantly

•        Implement copyright compliance measures and publish a training data summary

•        For systemic-risk models: conduct adversarial testing, track and report serious incidents, and ensure cybersecurity

What this means for SaaS companies using third-party models: You are a "deployer" or "downstream provider" in the AI Act's terminology. You are responsible for complying with your own obligations (transparency, high-risk requirements if applicable), but you should also verify that your GPAI model provider is meeting their Chapter V obligations. Request their technical documentation and information disclosures as part of vendor due diligence.

10. How the AI Act Interacts with the GDPR

The AI Act does not replace the GDPR. They operate in parallel. A single AI system can be subject to both regulations simultaneously. Key overlaps include:

As Wilson Sonsini's 2026 preview notes, the European Commission is expected to publish guidance in 2026 clarifying the AI Act's interplay with EU data protection law. Until then, treat both sets of obligations as cumulative.

11. Fines and Enforcement

The AI Act's penalty regime has been in effect since 2 August 2025. As DLA Piper reports, competent authorities may now impose administrative fines for non-compliance:

For SMEs and startups, the Act specifies that the lower of the fixed amount or percentage applies. Member states may also impose additional national penalties. Italy, for example, has introduced criminal penalties including imprisonment for certain offences.

As of March 2026, no public enforcement actions for AI Act violations have been announced. However, the Greenberg Traurig analysis notes that the Commission and national supervisory authorities have stated they will closely monitor implementation. Enforcement is expected to accelerate after August 2026 when the full set of obligations takes effect.

12. Step-by-Step Compliance Action Plan

Drawing from guidance by Orrick, Legal Nodes, and Greenberg Traurig, here is a practical action plan:

13. Common Mistakes SaaS Companies Should Avoid

Assuming the AI Act only applies if you build foundation models. Wrong. The Act applies to anyone who places an AI system on the EU market or deploys one. If your SaaS uses a third-party model to power features, you are a deployer (and potentially a downstream provider) with your own obligations.

Waiting until August 2026 to start. Prohibited practices and AI literacy have been enforceable since early 2025. Penalties have been in effect since August 2025. Starting compliance work in 2026 leaves no margin for error.

Treating AI compliance as separate from GDPR compliance. A single AI feature can trigger obligations under both the AI Act and the GDPR. Your data protection team and AI compliance team should coordinate, not work in parallel silos.

Ignoring the transparency obligations because your AI is "low risk." Article 50 applies to all generative AI systems regardless of risk level. If your SaaS has a chatbot, generates content, or produces synthetic media, you have transparency obligations.

Overlooking national implementing laws. Member states are passing their own laws (Italy's Law 132/2025, Germany's designation of the Federal Network Agency). These may include additional requirements or stricter penalties.

Failing to document your risk classification. If your AI system falls under Annex III but you believe it is not high-risk, Article 6(4) requires you to document that assessment before placing the system on the market. The burden of proof is on you.

References

1.     European Commission - AI Act Regulatory Framework - https://digital-strategy.ec.europa.eu/en/policies/regulatory-framework-ai

2.     EU AI Act Full Text and Explorer - https://artificialintelligenceact.eu/

3.     EU AI Act High-Level Summary - https://artificialintelligenceact.eu/high-level-summary/

4.     Article 5 - Prohibited AI Practices - https://artificialintelligenceact.eu/article/5/

5.     Article 6 - Classification Rules for High-Risk AI Systems - https://artificialintelligenceact.eu/article/6/

6.     Annex III - High-Risk AI Systems List - https://artificialintelligenceact.eu/annex/3/

7.     Article 50 - Transparency Obligations - https://artificialintelligenceact.eu/article/50/

8.     EC Guidelines on Prohibited AI Practices (Feb 2025) - https://digital-strategy.ec.europa.eu/en/library/commission-publishes-guidelines-prohibited-artificial-intelligence-ai-practices-defined-ai-act

9.     EC Code of Practice on AI-Generated Content Transparency - https://digital-strategy.ec.europa.eu/en/policies/code-practice-ai-generated-content

10.  DLA Piper - Latest Wave of EU AI Act Obligations (Aug 2025) - https://www.dlapiper.com/en-us/insights/publications/2025/08/latest-wave-of-obligations-under-the-eu-ai-act-take-effect

11.  Wilson Sonsini - 2026 AI Regulatory Developments Preview - https://www.wsgr.com/en/insights/2026-year-in-preview-ai-regulatory-developments-for-companies-to-watch-out-for.html

12.  Orrick - 6 Steps Before 2 August 2026 - https://www.orrick.com/en/Insights/2025/11/The-EU-AI-Act-6-Steps-to-Take-Before-2-August-2026

13.  Orrick - EC Guidelines on Prohibited Practices Analysis - https://www.orrick.com/en/insights/2025/04/eu-commission-publishes-guidelines-on-the-prohibited-ai-practices-under-the-ai-act

14.  Greenberg Traurig - Key Compliance Considerations (Jul 2025) - https://www.gtlaw.com/en/insights/2025/7/eu-ai-act-key-compliance-considerations-ahead-of-august-2025

15.  Legal Nodes - EU AI Act 2026 Compliance Requirements - https://www.legalnodes.com/article/eu-ai-act-2026-updates-compliance-requirements-and-business-risks

16.  SIG - Comprehensive EU AI Act Summary (Jan 2026) - https://www.softwareimprovementgroup.com/blog/eu-ai-act-summary/

17.  Latham & Watkins - AI Literacy and Prohibited Practices - https://www.lw.com/en/insights/upcoming-eu-ai-act-obligations-mandatory-training-and-prohibited-practices

18.  Bird & Bird - Draft Transparency Code of Practice Analysis - https://www.twobirds.com/en/insights/2026/taking-the-eu-ai-act-to-practice-understanding-the-draft-transparency-code-of-practice

19.  Jones Day - Draft Code of Practice on AI Labelling - https://www.jonesday.com/en/insights/2026/01/european-commission-publishes-draft-code-of-practice-on-ai-labelling-and-transparency

20.  Dataiku - High-Risk AI System Requirements Guide - https://www.dataiku.com/stories/blog/eu-ai-act-high-risk-requirements

21.  Future of Life Institute - AI Act Prohibited Practices (Art. 5) - https://fpf.org/blog/red-lines-under-the-eu-ai-act-understanding-prohibited-ai-practices-and-their-interplay-with-the-gdpr-dsa/

22.  WilmerHale - Article 50 Transparency Deep Dive - https://www.wilmerhale.com/en/insights/blogs/wilmerhale-privacy-and-cybersecurity-law/20240528-limited-risk-ai-a-deep-dive-into-article-50-of-the-european-unions-ai-act

23.  DataGuard - EU AI Act Timeline - https://www.dataguard.com/eu-ai-act/timeline