What the EU AI Act Means for SaaS Products Operating in Europe
The EU AI Act entered into force on 1 August 2024. Since 2 February 2025, the prohibited AI practices have been banned. From 2 August 2026, the obligations for Annex III high-risk systems, including conformity assessment, become mandatory. This is not a distant regulation. Enforcement is already running.
EU AI Act — Enforcement Timeline
The Risk Classification Framework
The EU AI Act does not apply uniformly to all AI systems. It establishes a tiered risk framework across four categories: unacceptable risk, high risk, limited risk, and minimal risk. The majority of general-purpose SaaS AI features — recommendation engines, content generation, summarisation — fall into the limited or minimal risk tiers. The compliance burden scales from transparency obligations at the lower end to full conformity assessments at the high-risk tier.
High-risk systems are defined in Annex III of the Act. The list is specific: AI systems used in recruitment and CV screening, credit scoring of natural persons, biometric identification, access to education, critical infrastructure management, and administration of justice. If your SaaS product touches any of these domains, even as a supporting tool, you are likely operating a high-risk system. The one escape hatch is Article 6(3): a system in an Annex III area that only performs a narrow procedural task, improves the result of a previously completed human activity, or does preparatory work without materially influencing the decision may be exempt, but the provider must document that assessment and still register the system.
The distinction matters because high-risk classification triggers mandatory requirements: technical documentation, conformity assessments, EU database registration, post-market monitoring, and designated human oversight mechanisms. These are not post-launch obligations. They must be satisfied before the system is placed on the EU market.
Prohibited AI Practices: What Is Already Banned
Since 2 February 2025, a set of AI applications is outright prohibited under Article 5. The prohibitions target practices that present unacceptable risks to fundamental rights:
- Subliminal, manipulative or deceptive techniques that materially distort a person's behaviour
- Exploitation of vulnerabilities related to age, disability, or a specific social or economic situation
- Social scoring of individuals or groups based on social behaviour or personal characteristics, where it leads to detrimental or disproportionate treatment (the final text applies to private as well as public actors)
- Predicting the risk of a person committing a criminal offence based solely on profiling or personality traits
- Untargeted scraping of facial images from the internet or CCTV to build facial recognition databases
- Real-time remote biometric identification in publicly accessible spaces for law enforcement purposes (with narrow exceptions)
- Emotion recognition in workplaces and educational institutions (except for medical or safety reasons)
- Biometric categorisation to infer race, political opinions, trade union membership, religious or philosophical beliefs, sex life or sexual orientation
The enforcement risk here is immediate. SaaS products that incorporated emotion inference, behavioural manipulation, or biometric inference features — even as experimental capabilities — are in scope. The regulation applies to systems placed on the EU market or used in the EU, regardless of where the provider is established.
General-Purpose AI Models (GPAI)
The 2 August 2025 milestone introduced obligations for providers of general-purpose AI models, the foundation models and large language models that underpin much of the SaaS ecosystem. Under Article 53, GPAI providers must maintain technical documentation, publish a sufficiently detailed summary of the content used for training, implement a copyright compliance policy, and supply downstream providers with the documentation they need to integrate the model and understand its capabilities and limitations.
If your SaaS product is built on a third-party GPAI model, the obligation chain matters. The GPAI provider carries the model-level obligations, but you, as the "downstream provider" in the Act's terminology (the company that integrates the model into its own AI system), carry the obligations that attach to that system and its intended use; your customers, who use the product under their own authority, are the "deployers" with obligations of their own. Regulatory accountability does not end at the API boundary.
GPAI models with systemic risk (defined as models trained with more than 10^25 FLOPs of compute) face additional obligations including adversarial testing, incident reporting to the European AI Office, and cybersecurity protections. This tier currently applies to the largest frontier models but the threshold may be revised as compute efficiency improves.
What Conformity Assessments Actually Require
High-risk AI systems must undergo a conformity assessment before deployment. For most Annex III systems not covered by existing sectoral product legislation, this is the internal-control procedure of Annex VI, a self-assessment, but a structured, documented one that must produce technical documentation, an EU declaration of conformity, and CE marking. Biometric systems are the main exception: where the provider has not applied harmonised standards, Article 43 requires a notified body to carry out the assessment.
The technical file must cover: the purpose and intended use of the system, the training data management process, performance metrics and accuracy benchmarks, the human oversight design, risk management documentation, the logging and audit trail architecture, and post-market monitoring procedures.
This is not a one-time exercise. The Act requires continuous monitoring and re-assessment when the system undergoes substantial modifications. A major model update, a change in intended use, or a significant shift in the user population can trigger a re-assessment obligation.
Figure: Maximum Fines under EU AI Act Article 99 (each fine is the higher of the fixed amount and the percentage of global annual turnover).
Fine Structure: How Enforcement Scales
Article 99 establishes the fine structure. Violations related to prohibited AI practices carry the highest maximum: €35 million or 7% of global annual turnover, whichever is higher. Non-compliance with other obligations for high-risk systems carries up to €15 million or 3% of global turnover. Supplying incorrect information to authorities carries up to €7.5 million or 1%.
The "higher of" formulation is intentional. For large tech companies, a 7% global turnover figure is materially larger than any fixed cap. The structure is designed to scale enforcement pressure to company size, making the regulation non-trivial even for market incumbents. For SMEs and start-ups (as defined in Commission Recommendation 2003/361/EC, broadly fewer than 250 employees and annual turnover not exceeding €50 million), Article 99(6) reverses the rule: each fine is capped at the lower of the fixed amount and the turnover percentage.
Practical Priorities for SaaS Teams in 2026
The question for SaaS teams is not whether the EU AI Act applies — it almost certainly does in some form. The question is which tier and which obligations. A structured gap analysis should start with use-case mapping against Annex III, then assess transparency obligations under Article 50, then evaluate GPAI obligations if any foundation models are in the stack.
Human oversight is the most frequently underestimated requirement. Article 14 requires that high-risk systems be designed to allow natural persons to effectively oversee the system's operation. This is an architecture requirement, not a policy requirement. The oversight mechanism must be built into the system — documented, auditable, and functional.
Data governance (Article 10) is the second most common gap. Training, validation and testing data must be documented with possible biases examined, the collection methods described, and the relevance and representativeness of the data for the intended purpose justified. For SaaS teams that rely on third-party training data or continuously fine-tune on user-generated content, this documentation chain can be complex to reconstruct retroactively.
The safest position for any SaaS team serving EU users, wherever it is established, is to integrate compliance obligations into the development lifecycle from the design phase, not as a pre-launch audit. The regulation is written with that architecture in mind, and the conformity assessment process will expose the difference.
Sources: Official Journal of the European Union — Regulation (EU) 2024/1689 (EU AI Act) · European AI Office · EUR-Lex · CNIL guidance on high-risk AI systems.