EU AI Act for SaaS
Most SaaS = provider. Article 4 + Article 50 already biting.
B2B SaaS shipping AI features lands squarely as a PROVIDER under the EU AI Act. Most are NOT Annex III high-risk. But Article 4 (literacy), Article 5 (prohibited practices), Article 50 (watermarking) all bite already. Enterprise customers ask for signed evidence — ship it and you win procurement; don't and you lose deals.
SaaS compliance checklist
- Document your role(s) — provider for own AI features, deployer for third-party AI you integrate, GPAI provider if you ship a foundation model.
- Article 4 literacy programme — already binding. Document staff training.
- Article 5 prohibition check — verify no banned practices (manipulation, exploitation of vulnerabilities, social scoring, etc.).
- Annex III scoping — check if your AI features fall under Annex III(1)-(8). Most B2B SaaS does not.
- Article 50 watermarking — if you ship generative outputs, ship C2PA + watermark by 2 Aug 2026.
- GPAI (Articles 51-55) — if you ship a foundation model, prepare technical docs, a training-data summary and a copyright policy.
- Customer-facing evidence — your enterprise customers will ask for signed compliance attestation in RFPs. Ship it.
Frequently asked
Am I a provider, deployer, or GPAI under the EU AI Act?
If you SHIP an AI system or feature in your SaaS — you're a PROVIDER (Article 3(3)). If you USE someone else's AI system in your business — you're a DEPLOYER (Article 3(4)). If you train + ship a foundation/general-purpose model — you're a GPAI provider (Articles 51-55). Most B2B SaaS products with AI features land squarely in the PROVIDER role for their own model and the DEPLOYER role for any third-party model they integrate. You can be all three at once.
What's binding now for SaaS?
Article 4 (literacy) since 2 February 2025 — your staff need a documented AI training programme. Article 5 (prohibited practices) — fully in force, no manipulative AI, social scoring, etc. GPAI obligations (Articles 51-55) — if you ship a foundation model. Article 50 (watermarking) — 2 Aug 2026 if you ship generative outputs. NIS2 (where transposed) — Germany 17 Oct 2026, depends on member state.
Is my SaaS Annex III high-risk?
Probably not — most B2B SaaS with AI features (productivity tools, CRM AI, dev tools, design tools) is NOT Annex III high-risk. Annex III(1)-(8) covers specific use-cases: biometric ID, critical infrastructure, education, employment, essential services, law enforcement, migration/border control, justice. If your SaaS is used by customers IN those domains, you may face deployer-side obligations downstream — your customers will push them back through contract.
What changes with the Digital Omnibus delay?
Annex III high-risk obligations now apply 2 December 2027 (was 2 Aug 2026). Annex I product-safety AI now 2 August 2028. But Article 4, Article 5, GPAI Articles 51-55, and Article 50 watermarking did NOT get delayed. For most SaaS the only thing that changed is that the high-risk classification work has 16 more months, which means you have time to GET classified properly + ship evidence on day one when obligations bite.
What does MEOK ship for SaaS?
Free 90-second readiness scorecard at /scorecard with signed attestation. Article 50 watermark starter kit £99 if you ship generative outputs. /transparency £399/mo for instructions-for-use + decision-trace logging. /audit-prep-bundle £4,950 if you need full evidence pack for enterprise customer due-diligence. All MIT-licensed MCPs on PyPI you can self-host.
Win EU enterprise procurement, don't lose it
EU enterprise buyers now require pre-built EU AI Act evidence in RFPs. Ship signed compliance attestations and you get past the gate; don't and you lose the deal.
MEOK AI Labs · CSOAI LTD · UK Companies House 16939677