Back to blog
EU AI Act

The EU AI Act Compliance Checklist for B2B SaaS Companies (2026)

Govarna Editorial Team Published June 1, 2026 Updated July 13, 2026 16 min read
Ten-step EU AI Act compliance checklist for B2B SaaS teams
Legal Disclaimer: This guide and checklist are for informational purposes only and do not constitute legal advice. Compliance requirements under the EU AI Act vary significantly based on your specific architecture, data processing roles, and industry. Please consult with qualified legal counsel before making regulatory, operational, or legal decisions regarding AI compliance.
Immediate deadline: Article 50 applies August 2, 2026. Under the May 7, 2026 political agreement on the AI Omnibus, rules for systems in certain high-risk areas are scheduled for December 2, 2027, and product-integrated high-risk rules for August 2, 2028. The revised high-risk dates remain subject to completion of the legal adoption process. (Source: European Commission AI Act overview)

TL;DR — Key Takeaways

  • Extra-territorial scope: If your AI system or its output is used in the EU, the Act applies regardless of where your company, servers, or engineers are based (Article 2).
  • Provider vs. deployer determines your workload: Most B2B SaaS companies building on third-party APIs (OpenAI, Anthropic) are deployers with Article 26 obligations. Build, brand, or substantially modify a high-risk system and you become a provider with the full Chapter III, Section 2 burden.
  • The timelines now diverge: Article 50 applies August 2, 2026. Under the May 2026 political agreement, rules for systems in certain high-risk areas are scheduled for December 2, 2027, and product-integrated high-risk rules for August 2, 2028; the revised dates are not yet in the original Regulation text.
  • Fines are tiered: up to EUR 35 million or 7% of global turnover for prohibited practices (Article 99(3)); up to EUR 15 million or 3% for violations of high-risk obligations (Article 99(4)).
  • Next step: Work through the 10-step checklist below, starting with an AI system inventory, or take our free 2-minute deployer assessment to classify your systems.

What is the EU AI Act?

The EU AI Act (Regulation (EU) 2024/1689) is the world's first comprehensive, horizontal law regulating artificial intelligence. It entered into force on August 1, 2024 and applies a risk-based approach: the greater the risk an AI system poses to health, safety, or fundamental rights, the heavier the legal obligations on the companies that build and use it.

Unlike sector-specific rules or voluntary frameworks such as the NIST AI RMF, the AI Act is directly binding law across all 27 EU member states, enforced by national market surveillance authorities and the European AI Office, with fines that scale to a percentage of global annual turnover. It sorts AI systems into four risk tiers: (Source: Regulation (EU) 2024/1689, EUR-Lex)

Risk TierExamplesCompliance ObligationApplies From
Prohibited (Article 5)Social scoring, cognitive-behavioral manipulation, exploiting vulnerabilities, untargeted facial-image scraping, emotion recognition in workplaces/schools (with narrow exceptions).Banned outright. Cannot be placed on the EU market or used.February 2, 2025
High-Risk — Annex III (Article 6(2))Recruitment ranking, credit scoring, insurance risk pricing (life/health), education assessment, essential services eligibility, critical infrastructure safety components.Conformity assessment, risk management, data governance, technical documentation, logging, human oversight, registration.December 2, 2027 scheduled for certain areas under the May 2026 political agreement
High-Risk — Product Safety (Article 6(1))AI safety components in products under EU harmonization legislation: medical devices, machinery, toys, aviation.Same high-risk obligations, integrated with existing product conformity procedures.August 2, 2028 scheduled under the May 2026 political agreement
Limited / Transparency Risk (Article 50)Customer chatbots, generative AI outputs, synthetic audio/video (deepfakes), emotion recognition and biometric categorization systems.Disclosure obligations: tell users they are interacting with AI; mark synthetic content.August 2, 2026
Minimal / No RiskSpam filters, AI in video games, basic search ranking, autocomplete.No formal obligations; voluntary codes of conduct encouraged (Article 95).

Most B2B SaaS products land in the limited-risk or minimal-risk tiers — but a single feature (a resume-ranking module, a credit-decisioning endpoint, an exam-proctoring add-on) can pull one system into the high-risk tier and trigger the full compliance program. That is why classification, not paperwork, is the first job. See our complete Annex III guide for a category-by-category breakdown with real SaaS examples.

Does the EU AI Act Apply to My SaaS Company?

Yes, if your AI system or its output reaches the European Union — regardless of where your company is incorporated. Article 2 gives the regulation extra-territorial effect: it covers providers placing AI systems on the EU market, deployers established in the EU, and non-EU providers and deployers whose system output is used inside the EU.

In practice, a US- or UK-headquartered SaaS company is in scope if any of the following is true:

  • You sell to EU customers. Offering an AI-enabled product to organizations or consumers in the EU means placing an AI system on the EU market.
  • Your EU customers use your AI output. Even if the contract is signed in Delaware and the model runs in Virginia, output used in the EU brings the system into scope.
  • You have EU-based employees using AI tools. An EU subsidiary using AI for hiring or performance management makes you a deployer established in the EU for those systems.

This mirrors the extraterritorial logic of the GDPR — and just as with GDPR, "we're not an EU company" is not a defense. The relevant question is where the system and its output are used, not where your servers sit.

Am I a Provider or a Deployer Under the EU AI Act?

A provider develops an AI system (or has one developed) and places it on the market or puts it into service under its own name or trademark. A deployer uses an AI system under its own authority in a professional context. Most B2B SaaS companies building features on third-party APIs such as OpenAI or Anthropic are deployers — with meaningfully lighter obligations.

The distinction matters because the compliance workload differs by an order of magnitude. Providers of high-risk systems carry the full Chapter III, Section 2 burden (risk management, data governance, technical documentation, conformity assessment, CE marking, EU database registration). Deployers of high-risk systems have the narrower — but still enforceable — duties of Article 26.

Warning — role escalation under Article 25: a deployer, importer, or distributor is treated as the provider of a high-risk system if it (a) puts its own name or trademark on the system, (b) substantially modifies a high-risk system already on the market, or (c) modifies the intended purpose of a system so that it becomes high-risk. White-labeling a third-party model inside your product under your own brand can silently move you into the provider role.

Obligation AreaProvider of High-Risk AI (Articles 9–22, 43, 48–49)Deployer of High-Risk AI (Article 26)
Risk managementEstablish and maintain a continuous risk management system (Article 9).No standalone duty; operate within the provider's documented risk controls.
Instructions for useSupply clear instructions covering capabilities, limitations, accuracy, and oversight measures (Article 13).Use the system in accordance with the provider's instructions for use (Article 26(1)).
Human oversightDesign the system so it can be effectively overseen, overridden, and stopped (Article 14).Assign oversight to natural persons with the necessary competence, training, authority, and support (Article 26(2)).
Data and input governanceEnsure training, validation, and testing data meet quality criteria (Article 10).Ensure input data under your control is relevant and sufficiently representative for the intended purpose (Article 26(4)).
Technical documentationCompile and maintain Annex IV technical documentation (Article 11); keep it 10 years.No Annex IV duty; retain the provider's instructions and your own usage records.
LoggingDesign automatic event logging (Article 12); retain logs under your control (Article 19).Keep automatically generated logs under your control for at least 6 months (Article 26(6)).
Monitoring & incidentsPost-market monitoring (Article 72); report serious incidents to authorities (Article 73).Monitor operation per instructions; inform the provider/distributor and the market surveillance authority of risks and serious incidents, and suspend use where needed (Article 26(5)).
Conformity & registrationConformity assessment (Article 43), CE marking (Article 48), EU database registration (Article 49).Verify the provider has completed these; public-authority deployers must also register their use (Article 49(3)).
Workforce notificationInform workers and their representatives before using high-risk AI in the workplace (Article 26(7)).
Fundamental rights impact assessmentRequired only for specific deployer categories under Article 27 (see the checklist below).

Not sure which role you hold for each system? Our free deployer assessment walks you through the role and risk-tier questions in about 2 minutes.

When Do EU AI Act Obligations Take Effect?

Prohibited practices and Article 4 AI literacy obligations have applied since February 2, 2025; general-purpose AI model obligations since August 2, 2025; and Article 50 transparency duties apply from August 2, 2026. Under the May 7, 2026 political agreement on the AI Omnibus, rules for systems in certain high-risk areas are scheduled for December 2, 2027 and product-integrated high-risk rules for August 2, 2028. The revised high-risk dates are agreed changes, not dates already contained in the original Regulation text, and remaining legal adoption steps are not yet complete. (Source: European Commission AI Act overview)

  • August 1, 2024: Regulation (EU) 2024/1689 entered into force.
  • February 2, 2025: Prohibited practices (Article 5) and AI literacy obligations (Article 4) apply.
  • August 2, 2025: Obligations for general-purpose AI model providers, governance structures (European AI Office, AI Board), and the penalties framework apply.
  • August 2, 2026: General application, including Article 50 transparency obligations. (Source: European Commission Article 50 FAQ)
  • December 2, 2027: Under the May 2026 political agreement, rules for systems used in certain high-risk areas are scheduled to apply.
  • August 2, 2028: Under the same political agreement, product-integrated high-risk rules are scheduled to apply.

One transitional nuance: the original Regulation's Article 111(2) addresses certain high-risk systems already placed on the market, while the political agreement changes the implementation schedule. Check the final amending text and system-specific transition rules before relying on grandfathering; routine model updates can affect the analysis. (Source: Article 111, Regulation (EU) 2024/1689)

What Are the Penalties for Non-Compliance?

Fines under Article 99 are tiered by severity. Prohibited practices attract fines of up to EUR 35 million or 7% of global annual turnover, whichever is higher (Article 99(3)). Non-compliance with high-risk obligations — including provider and deployer duties — attracts up to EUR 15 million or 3% (Article 99(4)).

The full penalty structure:

  • Article 99(3) — up to EUR 35 million or 7% of global annual turnover: engaging in prohibited AI practices under Article 5 (social scoring, manipulation, exploitation of vulnerabilities, untargeted biometric scraping).
  • Article 99(4) — up to EUR 15 million or 3% of global annual turnover: non-compliance with obligations applying to providers (Article 16), authorized representatives, importers, distributors, deployers (Article 26), notified bodies, and the Article 50 transparency obligations.
  • Article 99(5) — up to EUR 7.5 million or 1% of global annual turnover: supplying incorrect, incomplete, or misleading information to notified bodies or national competent authorities.

For SMEs and startups, each cap is the lower of the fixed amount and the turnover percentage (Article 99(6)) — a meaningful mitigation, but still existential for most companies. Note the common error worth correcting: the EUR 35 million / 7% tier applies to prohibited practices only. Violations of high-risk obligations sit in the EUR 15 million / 3% tier. (Source: Article 99, Regulation (EU) 2024/1689)

What Is the Article 6(3) Derogation (and Should You Claim It)?

Article 6(3) is a narrow escape hatch: an AI system in an Annex III area is not classified high-risk if it does not pose a significant risk to health, safety, or fundamental rights — including by not materially influencing decision outcomes. Any one of four alternative conditions suffices, but profiling of natural persons always stays high-risk.

The four alternative conditions (satisfying any one is enough):

  1. The system performs a narrow procedural task (e.g., converting unstructured documents into structured records, detecting duplicate applications).
  2. The system improves the result of a previously completed human activity (e.g., polishing the language of a human-written assessment).
  3. The system detects decision-making patterns or deviations from prior patterns without replacing or influencing the completed human assessment absent proper review.
  4. The system performs a preparatory task to an assessment relevant to an Annex III use case (e.g., file indexing before human evaluation).

Two hard limits apply. First, a system that performs profiling of natural persons — evaluating personal aspects such as work performance, economic situation, reliability, or behavior — is always high-risk, no matter which condition it might otherwise satisfy. Second, the derogation is not self-executing: under Article 6(4) you must document your assessment before placing the system on the market and register it under Article 49(2), and produce the documentation to national competent authorities on request. An undocumented derogation claim is, from a regulator's perspective, no claim at all.

Not sure where your systems land?

Use our free EU AI Act Deployer Assessment to classify each AI system against the risk tiers, the Annex III categories, and the Article 6(3) conditions — in under 2 minutes, with a classification report you can file as evidence.

Start Free Assessment

The 10-Step EU AI Act Compliance Checklist for B2B SaaS

This is the execution plan we recommend for a mid-market SaaS team preparing for Article 50 on August 2, 2026 and the high-risk schedule agreed in May 2026 without six-figure consulting engagements. Steps 1–4 establish the facts; steps 5–10 build the controls and evidence.

Step 1: Build a Complete AI System Inventory

You cannot classify — let alone govern — what you have not inventoried. Log every AI model, vendor, and AI-enabled feature in your product and in your internal operations (shadow AI included). For each entry, record:

  • Vendor and model (e.g., Anthropic Claude via API, fine-tuned open-weights model, internal classifier)
  • Data types processed (personal data, special-category data, customer confidential data)
  • Business purpose and intended use (the AI Act classifies by intended purpose, so write it down precisely)
  • Whether outputs are customer-facing or internal-only, and whether they touch EU users
  • A named owner accountable for the system

The same inventory feeds NIST AI RMF alignment and ISO 42001 scoping — build it once, reuse it three times.

Step 2: Classify Every System by Risk Tier

Assess each inventoried system against the four tiers: prohibited, high-risk, limited-risk, minimal-risk. Pay particular attention if any feature touches HR tech, lending, insurance, education, or essential services — these are Annex III areas where high-risk classification is presumed. Work through the 8 categories in our Annex III deep dive, and record the reasoning for every classification, not just the conclusion. Buyers and regulators will ask "why is this limited-risk?" — the documented answer is the deliverable.

Step 3: Determine Your Role for Each System

For each system, decide: provider or deployer? The answer can differ per system — you might be a deployer of an HR screening tool you bought and a provider of the AI feature you sell. Check the Article 25 escalation traps: your own branding on a high-risk system, substantial modification, or repurposing a system into a high-risk use all convert you into the provider. Document the role determination alongside the classification.

Step 4: Document Any Article 6(3) Derogation Claims

If any Annex III-adjacent system arguably does not materially influence decisions, run the four-condition analysis above, confirm no profiling of natural persons is involved, and write the assessment down before the system is on the market. Then register under Article 49(2). Undocumented derogations are the single most common self-inflicted gap we see in SaaS compliance reviews.

Step 5: Implement Deployer Controls Under Article 26

For every high-risk system you deploy, operationalize the Article 26 duties:

  • 26(1): obtain and follow the provider's instructions for use; make them accessible to the operating team.
  • 26(2): assign human oversight to named individuals with documented competence, training, and the authority to intervene or stop the system.
  • 26(4): where you control input data, verify it is relevant and sufficiently representative for the intended purpose.
  • 26(5): monitor operation, and have an escalation path to inform the provider and market surveillance authority of risks and serious incidents — including suspending use.
  • 26(6): retain automatically generated logs under your control for at least six months.
  • 26(7): if the system is used on workers, inform them and their representatives before deployment.

Step 6: Check Whether Article 27 (FRIA) Applies to You

The fundamental rights impact assessment is not a universal deployer duty. It applies only to bodies governed by public law, private entities providing public services, and deployers of high-risk systems for creditworthiness evaluation/credit scoring or life and health insurance risk assessment and pricing (Annex III points 5(b) and 5(c)). If you fall into one of those categories, complete the FRIA before first use and notify the market surveillance authority. If you don't, note that determination in your compliance file — showing you checked is itself evidence of diligence.

Step 7: Implement Article 50 Transparency Declarations

From August 2, 2026, systems interacting directly with people must disclose the AI (unless obvious from context), and in-scope synthetic audio, image, video, and text content must be marked or disclosed as Article 50 requires. Our complete Article 50 transparency guide separates the four duties, exceptions, adaptable notices, and current Code of Practice status. For SaaS teams this typically means an "AI assistant" label on chatbots, generation disclosures in the UI, and provenance metadata on generated media. (Source: European Commission Article 50 FAQ)

Step 8: Adopt AI Governance and Acceptable Use Policies

Write and approve two documents: an Employee AI Acceptable Use Policy (what data may be pasted into which tools, which tools are approved) and an AI Governance Policy (how new AI systems are vetted, classified, approved, and monitored). These also satisfy the Article 4 AI literacy expectation that staff operating AI systems are appropriately trained. Start from our free AI Acceptable Use Policy template.

Step 9: Run Vendor Due Diligence on AI Subprocessors

For each third-party AI vendor, collect: their AI Act role and risk classification of the service, conformity documentation and CE marking for high-risk systems, instructions for use, data processing terms, and incident notification commitments. If a vendor cannot tell you whether their system is high-risk, that answer is your risk finding.

Step 10: Compile an Audit-Ready Compliance Package

Assemble the outputs of steps 1–9 — inventory, classifications with reasoning, role determinations, derogation assessments, Article 26 control evidence, policies, vendor files — into a single exportable package with an immutable audit trail of review dates and approvals. This is what you hand to a regulator, an enterprise buyer's security team, or an ISO 42001 auditor. Govarna automates exactly this workflow.

Common Mistakes to Avoid

  1. Assuming GDPR compliance is enough: the AI Act regulates system behavior — bias, robustness, human oversight, transparency of automated decisions — that GDPR data-protection policies do not address. The two regimes overlap on data but diverge on almost everything else.
  2. Misquoting the fine tiers: the EUR 35 million / 7% ceiling applies to prohibited practices under Article 99(3). High-risk obligation violations sit at EUR 15 million / 3% under Article 99(4). Getting this wrong in a board memo undermines the credibility of the whole program.
  3. Treating the deployer role as "no obligations": Article 26 duties — instructions for use, human oversight, monitoring, incident reporting, 6-month log retention — are enforceable and fined under Article 99(4).
  4. Claiming the Article 6(3) derogation without documentation: the assessment must exist before market placement and be registered under Article 49(2). A verbal "we think it's just preparatory" does not survive an authority request.
  5. Ignoring shadow AI: engineers pasting customer code into unapproved tools, or recruiters running candidates through free AI screeners, create uninventoried systems — and uninventoried systems are unclassified, ungoverned risk.
  6. Over-claiming compliance in marketing:"100% EU AI Act certified" is not a thing. Use precise, evidence-grounded statements — buyers' legal teams notice, and so do regulators.

Frequently Asked Questions

Do internal-only AI tools fall under the EU AI Act?

Yes. The Act covers AI systems "put into service" for professional use, whether customer-facing or internal. An internal resume-screening tool used only by your recruiters is high-risk under Annex III §4 (employment) — and if it touches EU-based candidates or employees, it is in scope regardless of where your company sits.

My AI vendor says their model is compliant — am I covered?

No. The provider's compliance covers the provider's obligations. As a deployer of a high-risk system you retain your own Article 26 duties: using the system per instructions, assigning human oversight, monitoring, incident reporting, and log retention. Vendor documentation is a necessary input to your compliance file, not a substitute for it.

We only use ChatGPT and Claude via API — does any of this really apply?

Probably, but lightly. Generic productivity use typically lands in the minimal- or limited-risk tiers: your obligations are AI literacy (Article 4), Article 50 transparency where users interact with the AI, and internal policy hygiene. The analysis changes the moment those APIs power an Annex III use case — screening candidates, scoring credit, grading students — at which point the high-risk regime attaches to that system.

Is there a certification that proves EU AI Act compliance?

Not as such. High-risk systems undergo conformity assessment (Article 43) and carry CE marking, but there is no general "AI Act certificate" for a company. ISO 42001 is the closest certifiable standard: it covers much of the underlying process work but is voluntary and does not by itself establish legal compliance.

Next Steps

With Article 50 applying August 2, 2026 and the high-risk rules scheduled later under the May 2026 political agreement, the practical order of operations is:

  1. This week: stand up the AI inventory (Step 1) and run each system through our free deployer assessment (Step 2).
  2. This month: settle role determinations and derogation documentation (Steps 3–4), and adopt your acceptable use and governance policies (Step 8).
  3. This quarter: operationalize Article 26 controls and Article 50 disclosures (Steps 5–7), complete vendor due diligence (Step 9), and assemble the evidence package for review (Step 10).

Get EU AI Act ready in weeks, not months

Govarna provides self-serve AI inventory tools, deterministic risk classification, editable policy templates, and append-only audit records — organized into one preparation package for review.

Get Started Free