EU AI Act for SaaS: Transparency, GPAI & When AI Features Turn High-Risk

Most SaaS companies don't build foundation models — they embed AI features like chatbots, content generation and assistants into their products. Under the EU AI Act (Regulation (EU) 2024/1689), these features usually attract limited-risk transparency duties under Art. 50, but the classification depends entirely on what the AI does. Building on a general-purpose model can also make you a downstream provider or deployer with its own obligations.

Is it in scope?

The AI Act is risk-based, not sector-based, so a SaaS product's tier follows its use case, not its industry. AI that interacts with users (chatbots, assistants) or generates synthetic content falls under Art. 50 transparency — a comparatively light obligation. But the same platform can host a high-risk feature if it is deployed for, say, recruitment scoring or credit decisions under Annex III. Where a product is built on a general-purpose AI (GPAI) model, the SaaS company may act as a downstream deployer — or, if it substantially modifies the model, a provider — inheriting the corresponding duties.

Typical AI use cases

  • In-app customer-support chatbots and assistants
  • AI content and copy generation features
  • Automated summarisation and data extraction
  • AI-powered search and recommendations
  • Code-generation and developer-assistant tools
  • Synthetic image or media generation features

Risk classification

Interaction- and generation-focused features are typically limited-risk: your duty is to disclose that users are dealing with AI and to mark AI-generated or synthetic output as artificial (Art. 50), applicable from 2 August 2026. You are usually the provider of that feature to your customers. If your product embeds a third-party GPAI model, note that GPAI provider duties have applied since 2 August 2025 and you may carry downstream obligations. Always re-assess per feature — a new use case (e.g. HR screening) can pull a single feature into the high-risk regime.

Obligations to prepare for

AI-interaction disclosure (Art. 50)
Marking of AI-generated/synthetic content (Art. 50)
Deepfake labelling where applicable (Art. 50)
GPAI downstream provider/deployer duties
Re-assess per use case for Annex III high-risk
Human oversight if a feature is high-risk (Art. 14)

FAQ

Do we have to tell users they're talking to a chatbot?

Yes. Art. 50 requires that people are informed they are interacting with an AI system, unless it is obvious from the context. This applies from 2 August 2026.

We just wrap OpenAI/Anthropic APIs — are we regulated?

Potentially. Building on a general-purpose AI model can make you a downstream deployer, and substantial modification can make you a provider. Your transparency duties under Art. 50 still apply to the features you ship.

Could a SaaS feature ever be high-risk?

Yes. Risk follows the use case. If your AI is deployed for an Annex III purpose — recruitment, credit scoring, education scoring — that feature becomes high-risk regardless of your product being 'just software'.

See exactly what applies to your system

Run the free 2-minute risk checker — no sign-up.

Run the free check