EU AI Act for SaaS: Transparency, GPAI & When AI Features Turn High-Risk
Most SaaS companies don't build foundation models — they embed AI features like chatbots, content generation and assistants into their products. Under the EU AI Act (Regulation (EU) 2024/1689), these features usually attract limited-risk transparency duties under Art. 50, but the classification depends entirely on what the AI does. Building on a general-purpose model can also make you a downstream provider or deployer with its own obligations.
Is it in scope?
The AI Act is risk-based, not sector-based, so a SaaS product's tier follows its use case, not its industry. AI that interacts with users (chatbots, assistants) or generates synthetic content falls under Art. 50 transparency — a comparatively light obligation. But the same platform can host a high-risk feature if it is deployed for, say, recruitment scoring or credit decisions under Annex III. Where a product is built on a general-purpose AI (GPAI) model, the SaaS company may act as a downstream deployer — or, if it substantially modifies the model, a provider — inheriting the corresponding duties.
Typical AI use cases
- In-app customer-support chatbots and assistants
- AI content and copy generation features
- Automated summarisation and data extraction
- AI-powered search and recommendations
- Code-generation and developer-assistant tools
- Synthetic image or media generation features
Risk classification
Interaction- and generation-focused features are typically limited-risk: your duty is to disclose that users are dealing with AI and to mark AI-generated or synthetic output as artificial (Art. 50), applicable from 2 August 2026. You are usually the provider of that feature to your customers. If your product embeds a third-party GPAI model, note that GPAI provider duties have applied since 2 August 2025 and you may carry downstream obligations. Always re-assess per feature — a new use case (e.g. HR screening) can pull a single feature into the high-risk regime.
Obligations to prepare for
FAQ
Do we have to tell users they're talking to a chatbot?
Yes. Art. 50 requires that people are informed they are interacting with an AI system, unless it is obvious from the context. This applies from 2 August 2026.
We just wrap OpenAI/Anthropic APIs — are we regulated?
Potentially. Building on a general-purpose AI model can make you a downstream deployer, and substantial modification can make you a provider. Your transparency duties under Art. 50 still apply to the features you ship.
Could a SaaS feature ever be high-risk?
Yes. Risk follows the use case. If your AI is deployed for an Annex III purpose — recruitment, credit scoring, education scoring — that feature becomes high-risk regardless of your product being 'just software'.
Run the free 2-minute risk checker — no sign-up.