EU AI Act for SaaS

AI Act obligations for SaaS deployers and providers. Transparency obligations from 2 August 2026; the high-risk deadline has been pushed to 2 December 2027 under the Digital Omnibus.

Last updated: 2026-06-23

The EU AI Act (Regulation (EU) 2024/1689) is the world's first comprehensive AI regulation, and it applies to every company that develops, supplies or operates AI systems – even if you only integrate an AI model via an API. The regulation entered into force on 1 August 2024 and has been phasing into application since February 2025. (Source: European Commission: Regulatory Framework for AI)

On 2 August 2026 the core transparency requirements (Art. 50) become fully applicable. The obligations for standalone high-risk AI systems under Annex III (Art. 6(2)) were originally also due to apply from 2 August 2026 – but under the EU's Digital Omnibus (adopted by the European Parliament on 16 June 2026, with formal adoption by the Council and publication in the Official Journal expected in summer 2026) that start date is being deferred to 2 December 2027 (high-risk systems embedded in regulated products under Annex I: 2 August 2028). (Source: Council of the EU: Council and Parliament agree to simplify and streamline AI rules)

For SaaS companies across the DACH region the message is clear: if your platform has AI features – chatbots, recommendation algorithms, content generation – you need to act now.

The risk-classification system

The AI Act sorts AI systems into four risk tiers – and the obligations rise with the risk (Source: EU AI Act: High-Level Summary):

  • Unacceptable risk (banned): social scoring systems, manipulative AI, biometric categorization based on sensitive characteristics – banned since February 2025
  • High risk: AI in credit scoring, recruitment, critical infrastructure, law enforcement – strict compliance obligations from 2 December 2027 (deferred from the original 2 August 2026 under the Digital Omnibus)
  • Limited risk: AI systems with the potential to manipulate or deceive (chatbots, deepfakes) – transparency obligations from 2 August 2026
  • Minimal risk: spam filters, AI-assisted games – no specific obligations
(Source: GDPR Local: AI Risk Classification Guide)

Key figures at a glance:

  • €35M or 7% of turnover – maximum fine for prohibited AI practices
  • €15M or 3% of turnover – maximum fine for transparency violations
  • 2 August 2026 – deadline for transparency obligations (Art. 50)
  • 2 December 2027 – deferred deadline for high-risk obligations (Digital Omnibus)
  • 6 months – minimum retention period for automatically generated logs

Provider vs. deployer: which role does your SaaS business play?

The AI Act draws a distinction between providers and deployers. Your role determines your obligations. (Source: MinnaLearn: Deployer or provider under the AI Act?)

You are a provider if you:

  • Develop an AI system yourself and place it on the market under your own name
  • Substantially modify an existing AI model (fine-tuning, change of purpose, integration into a larger system)
  • Distribute a third-party model under your own branding

You are a deployer if you:

  • Integrate a third party's AI system into your platform (e.g. the OpenAI API, the Claude API)
  • Use a SaaS tool with AI features without modifying the model yourself
  • Run AI-assisted recommendations or automations inside your product
(Source: EyreACT: AI Provider under the EU AI Act)

Deployer obligations for high-risk systems (Art. 26)

The majority of mid-market SaaS companies are deployers. Article 26 defines their obligations precisely (Source: EU AI Act: Article 26 – Deployer Obligations):

  • Use in line with instructions: operate high-risk systems only in accordance with the instructions for use provided by the provider
  • Human oversight: assign natural persons with the necessary competence, training and authority to carry out the oversight – and the oversight has to be real, not merely a formality
  • Relevance of input data: ensure that input data is relevant and sufficiently representative for the intended purpose
  • Monitoring duty: actively monitor the operation of the AI system and, on detecting any risk, immediately inform the provider and the authorities
  • Log retention: retain automatically generated logs for at least 6 months
  • Duty to inform: people affected by decisions made by a high-risk AI system must be informed accordingly

Fundamental rights impact assessment (Art. 27)

Deployers of high-risk AI systems in the public sector – as well as private companies using AI for credit scoring or insurance risk assessment – must carry out a Fundamental Rights Impact Assessment (FRIA) before putting the system into use (Source: EU AI Act: Article 27 – FRIA). The assessment covers:

  • A description of the deployment processes and the intended purpose
  • Identification of the groups of people affected
  • An assessment of specific risks of harm to fundamental rights
  • Documentation of the human-oversight measures
  • An action plan for the event that a risk materializes
  • Reporting duty: the results of the FRIA must be submitted to the competent market surveillance authority
(Source: Nemko: FRIA under the EU AI Act)

Transparency obligations for all AI systems (Art. 50)

Even if your AI is not a high-risk system, the transparency obligations under Article 50 apply from 2 August 2026 to almost every AI system, and they are not affected by the Digital Omnibus deferral (Source: EU AI Act: Article 50 – Transparency Obligations):

  • Chatbots: users must be able to recognize that they are interacting with an AI system – unless this is obvious
  • Synthetic content: AI-generated text, images, audio and video must be marked as AI-generated in a machine-readable form
  • Deepfakes: deployers must disclose that content has been artificially generated or manipulated
  • Emotion recognition / biometric categorization: the people affected must be informed that the technology is in use

In December 2025 the European Commission, acting through the AI Office, published a first draft of the Code of Practice on labeling AI-generated content. (Source: European Commission: Code of Practice – AI-Generated Content)

Provider and deployer obligations compared:

  Criterion                  | Provider obligations                          | Deployer obligations
  ---------------------------|-----------------------------------------------|-------------------------------------------------
  Conformity assessment      | Must be completed before market launch        | Not required
  Technical documentation    | Comprehensive – architecture, data, testing   | Use in line with the provider's documentation
  Quality management system  | Mandatory                                     | Not required
  Human oversight            | The system must enable oversight              | Oversight must be actively carried out
  Log retention              | The system must generate logs                 | Retain logs for at least 6 months
  FRIA                       | Not required                                  | Mandatory for certain sectors
  Transparency (Art. 50)     | The system must enable labeling               | Duty to label content for users

Fines: tiered by severity

The AI Act provides for a three-tier system of fines (Source: EU AI Act: Article 99 – Penalties):

  • Tier 1 (prohibited AI): up to €35M or 7% of global annual turnover
  • Tier 2 (other violations): up to €15M or 3% of global annual turnover
  • Tier 3 (incorrect information): up to €7.5M or 1% of global annual turnover

For SMEs and startups a proportionality rule applies: the fine is capped at whichever of the two amounts is lower (Art. 99(6) AI Act: "whichever thereof is lower"). For illustration: a startup with €500,000 in annual turnover risks no more than €35,000 for a Tier 1 violation (our own calculation: 7% of €500,000) rather than €35M. (Source: EU AI Act Service Desk: Article 99 – Penalties)

Vibe coding and the AI Act: a twofold risk

Vibe-coded platforms face a twofold compliance problem (Source: LegalNodes: EU AI Act 2026 – Compliance Requirements). For a detailed analysis of the risks and the right way to handle AI-generated code, see our article Vibe Coding Done Right. The two parts of the problem:

  1. AI-generated code: the production code itself was written by AI systems – with no documentation of the AI's involvement, no quality assurance and no conformity assessment
  2. AI features in the product: chatbots, recommendation algorithms or content generation wired in through APIs – often with no transparency labeling, log retention or human oversight

When a startup builds its entire platform with AI tools and integrates AI features into the product, the result is a compliance gap that neither automated tests nor overlay solutions can close. The AI Act's documentation obligations call for a traceable architecture – not specifications reconstructed after the fact.

How AnvilStack builds AI compliance into SaaS platforms

We use AI tools for fast prototyping – but every AI integration is assessed, documented and implemented for compliance by engineers:

  • Risk classification: systematic assessment of each AI component against the AI Act's risk-classification system – including a GDPR-compliant data-processor review for every AI API you integrate
  • Transparency by design: chatbot labeling, AI-content marking and user notification as an architectural decision
  • Log infrastructure: automatic log generation and retention for all AI interactions, hosted on Hetzner (DE)
  • Human-oversight architecture: interfaces for human review, correction and escalation – not as a checkbox, but as a workflow
  • Documentation: technical documentation of the AI components, data flows and decision processes – ready for regulatory review. Our security hardening service implements the technical safeguards
  • EU-sovereign infrastructure: all AI logs and user data on Hetzner (Germany) – no US jurisdiction, no CLOUD Act exposure

In a free initial consultation we assess your SaaS platform for AI Act relevance – from risk classification through to transparency labeling. For a fixed price of €36,000 we migrate and harden your platform end to end: in good time for the transparency obligations on 2 August 2026 and well prepared for the high-risk deadline on 2 December 2027.

Frequently asked questions

Does the EU AI Act apply to my SaaS business?
If you develop, supply or operate AI systems – even via a simple API integration (e.g. OpenAI, Claude) – the AI Act applies to you. Chatbots, recommendation algorithms and content generation inside your platform trigger transparency obligations at a minimum.
Am I a provider or a deployer under the AI Act?
You are a deployer if you integrate a third party's AI system without substantially modifying it. You become a provider once you substantially modify a model through fine-tuning, your own training data or a change of purpose (Art. 25 AI Act) – at which point all provider obligations apply to you.
What penalties apply for AI Act violations?
Up to €35M or 7% of turnover for prohibited AI practices, €15M or 3% for other violations, €7.5M or 1% for supplying incorrect information. For SMEs and startups a proportionality rule applies: the fine is capped at whichever of the two amounts is lower.
When do the AI Act obligations take effect?
The bans on unacceptable AI practices and the AI literacy obligation have applied since February 2025. The GPAI rules have applied since August 2025. The transparency obligations under Art. 50 take effect on 2 August 2026. The obligations for standalone high-risk systems under Annex III (originally also 2 August 2026) are being pushed to 2 December 2027 under the EU's Digital Omnibus (high-risk systems embedded in products under Annex I: 2 August 2028).
Do I have to label chatbots on my platform?
Yes. From 2 August 2026, users must be able to recognize that they are interacting with an AI system – the Art. 50 transparency deadline stays on this date and is not affected by the Digital Omnibus deferral. AI-generated text, images and video must also be marked as AI-generated in a machine-readable form.
What does the AI Act mean for vibe-coded platforms?
A twofold compliance problem: the production code was written by AI (with no documentation), and AI features in the product are run without transparency labeling, log retention or human oversight. Both have to be addressed – the transparency obligations from 2 August 2026, the high-risk obligations by the deferred deadline of 2 December 2027.

Ready to start?

Book a free initial consultation. We assess your project and tell you exactly what it needs.