SaaS vertical · 28 April 2026

EU AI Act for SaaS

Most SaaS = provider. Article 4 + Article 50 already biting.

B2B SaaS shipping AI features lands squarely as a PROVIDER under the EU AI Act. Most are NOT Annex III high-risk. But Article 4 (literacy), Article 5 (prohibited practices), Article 50 (watermarking) all bite already. Enterprise customers ask for signed evidence — ship it and you win procurement; don't and you lose deals.

FREE

90-Sec Readiness Scorecard

Determines provider/deployer/GPAI role + which articles bind. Signed cert.

£99

Article 50 Watermark Starter

C2PA manifest + SynthID watermark template + deployer disclosure policy.

£399/mo

Transparency Logs

Decision-trace logging + instructions-for-use generator + audit.

£4,950

Audit-Prep Bundle

14-day delivered: enterprise procurement evidence pack.

SaaS compliance checklist

Document your role(s) — provider for own AI features, deployer for third-party AI you integrate, GPAI provider if you ship a foundation model.
Article 4 literacy programme — already binding. Document staff training.
Article 5 prohibition check — verify no banned practices (manipulation, exploitation of vulnerabilities, social scoring, etc.).
Annex III scoping — check if your AI features fall under Annex III(1)-(8). Most B2B SaaS does not.
Article 50 watermarking — if you ship generative outputs, ship C2PA + watermark by 2 Aug 2026.
GPAI 51-55 — if you ship a foundation model, technical docs + training-data summary + copyright policy.
Customer-facing evidence — your enterprise customers will ask for signed compliance attestation in RFPs. Ship it.

Frequently asked

Am I a provider, deployer, or GPAI under the EU AI Act?

If you SHIP an AI system or feature in your SaaS — you're a PROVIDER (Article 3(3)). If you USE someone else's AI system in your business — you're a DEPLOYER (Article 3(4)). If you train + ship a foundation/general-purpose model — you're a GPAI provider (Articles 51-55). Most B2B SaaS with AI features land squarely in PROVIDER role for their own model + DEPLOYER for any third-party model they integrate. You can be all three at once.

What's binding now for SaaS?

Article 4 (literacy) since 2 February 2025 — your staff need a documented AI training programme. Article 5 (prohibited practices) — fully in force, no manipulative AI / social scoring / etc. GPAI obligations 51-55 — if you ship a foundation model. Article 50 (watermarking) — 2 Aug 2026 if you ship generative outputs. NIS2 (where transposed) — Germany 17 Oct 2026, depends on member state.

Is my SaaS Annex III high-risk?

Probably not — most B2B SaaS with AI features (productivity tools, CRM AI, dev tools, design tools) is NOT Annex III high-risk. Annex III(1)-(8) covers specific use-cases: biometric ID, critical infrastructure, education, employment, essential services, law enforcement, migration/border control, justice. If your SaaS is used by customers IN those domains, you may face deployer-side obligations downstream — your customers will push them back through contract.

What changes with the Digital Omnibus delay?

Annex III high-risk obligations now apply 2 December 2027 (was 2 August 2026). Annex I product-safety AI now 2 August 2028. Article 50 watermarking applies 2 August 2026. Article 4, Article 5, and GPAI 51-55 are already in force. For most SaaS the only thing that changed is that the high-risk classification work has 16 more months — which means you have time to GET classified properly + ship evidence on day one when obligations bite.

What does MEOK ship for SaaS?

Free 90-second readiness scorecard at /scorecard with signed attestation. Article 50 watermark starter kit £99 if you ship generative outputs. /transparency £399/mo for instructions-for-use + decision-trace logging. /audit-prep-bundle £4,950 if you need full evidence pack for enterprise customer due-diligence. All MIT-licensed MCPs on PyPI you can self-host.

Win EU enterprise procurement, don't lose it

EU enterprise buyers now require pre-built EU AI Act evidence in RFPs. Ship signed compliance attestations and you get past the gate; don't and you lose the deal.

Free scorecard →£4,950 audit-prep →

MEOK AI Labs · CSOAI LTD · UK Companies House 16939677

CSOAI

Initializing...

SaaS compliance checklist

Document your role(s) — provider for own AI features, deployer for third-party AI you integrate, GPAI provider if you ship a foundation model.

Article 4 literacy programme — already binding. Document staff training.

Article 5 prohibition check — verify no banned practices (manipulation, exploitation of vulnerabilities, social scoring, etc.).

Annex III scoping — check if your AI features fall under Annex III(1)-(8). Most B2B SaaS does not.

Article 50 watermarking — if you ship generative outputs, ship C2PA + watermark by 2 Aug 2026.

GPAI 51-55 — if you ship a foundation model, technical docs + training-data summary + copyright policy.

Customer-facing evidence — your enterprise customers will ask for signed compliance attestation in RFPs. Ship it.