This article is currently available only in English.
What AI Regulations Apply to My SaaS Product? A Founder's Compliance Map
You've built a SaaS product with AI features. Now you want to sell it in the EU, to enterprise clients, or to regulated industries. What regulations apply, when do they kick in, and what do you actually need to do about them?
Key Takeaways
The regulations that apply to your SaaS AI depend on three things: where your users are, what decisions your AI influences, and what industries you sell into. Most founders know the first and ignore the second and third.
EU AI Act: if you sell to EU customers and your AI is used in hiring, credit, education, healthcare, or critical infrastructure decisions, you are a provider of high-risk AI with specific obligations regardless of where you are incorporated.
GDPR / Privacy Act: if you process personal data of EU residents or Australians, data protection law applies — including obligations about AI processing, automated decisions, and data subject rights.
Sector-specific regulation cascades to you as a vendor: if your customer is a bank, insurer, or healthcare provider, their regulatory obligations create contractual and practical requirements on you as their AI vendor.
The founder's practical checklist: (1) map your AI features to EU AI Act risk categories, (2) review GDPR/Privacy Act obligations for each market, (3) understand what your customers' regulators will ask them about your product.
"For informational purposes only. This article does not constitute legal, regulatory, financial or professional advice. Consult a qualified specialist for specific guidance."
The first question: what is your role in the AI supply chain?
The EU AI Act — the most consequential AI regulation affecting SaaS companies globally — assigns obligations by role, not by company type or location. Understanding your role determines everything: what you must do, by when, and what the penalties are for getting it wrong.
There are two primary roles. A provider is the entity that places an AI system on the market under its own name or brand. A deployer is the entity that uses an AI system in a professional context. Most SaaS companies are both simultaneously: a SaaS company that wraps OpenAI, Anthropic, Claude, or another third-party model into its product and sells it to customers is the provider of that combined system, even though it did not build the underlying model. The same company using AI internally for customer support, marketing, or HR is a deployer of those systems.
The practical consequence: if your SaaS product embeds AI capabilities and sells them to customers, you carry provider obligations for that product. If a customer uses your AI product in a high-risk context — for example, a hospital using your general-purpose AI tool for clinical documentation — the high-risk obligations follow that use case, even if you designed the product for general use. Your documentation and terms of use must account for this downstream risk.
Does the EU AI Act apply to your SaaS company even if you are not in the EU?
Yes — with the same extraterritorial logic as GDPR. Under Article 2 of the EU AI Act, the regulation applies to: providers placing AI systems on the EU market regardless of where they are established; providers or deployers whose AI system outputs are used in the EU; and deployers located in the EU. A US, Australian, or UK-based SaaS company with EU customers whose products use or deliver AI capabilities is in scope for the EU AI Act. You do not need a European entity, European employees, or a European data centre. If an EU user or customer interacts with your AI system or its outputs reach EU users, you are in scope.
Non-EU providers of high-risk AI systems must appoint an authorised representative in the EU by written mandate before placing the system on the market. The representative must be able to verify compliance documentation, retain records for ten years, and cooperate with market surveillance authorities. For SaaS companies serving EU enterprise customers, this requirement is increasingly appearing in procurement due diligence.
The August 2026 deadline — what applies to most SaaS companies
The EU AI Act phases in over time. The most important dates for SaaS companies are:
Already in force (2 February 2025): Article 4 AI literacy obligation — anyone who operates or oversees AI systems must have sufficient understanding of how they work, their limitations, and risks. For SaaS companies, this means internal training for engineers, product managers, customer success teams, and anyone who configures or monitors AI systems. It also means your documentation must help customers achieve sufficient literacy for the AI features your product delivers. This is in force now.
In force from 2 August 2025: Obligations for providers of general-purpose AI (GPAI) models. If your SaaS product includes a GPAI model (a model capable of performing a wide range of tasks, such as an LLM), you have ongoing transparency and documentation obligations. All GPAI providers must supply technical documentation, instructions for use, comply with the EU Copyright Directive, and publish a summary of training content. If your model presents systemic risk (trained on over 10^25 FLOP), additional obligations apply.
From 2 August 2026: Full obligations for high-risk AI systems (Annex III categories: employment, credit, biometrics, education, essential services, law enforcement, critical infrastructure, and others); transparency obligations under Article 50 (chatbots must disclose they are AI; AI-generated content must be labelled; deepfakes must be disclosed). Under the Omnibus agreement of 7 May 2026, high-risk systems embedded in regulated products under Annex I have until 2 August 2028.
Is your SaaS AI product high-risk?
Most SaaS AI products are not high-risk. The EU AI Act's risk classification is specific: Annex III lists eight domains — biometrics, critical infrastructure, education, employment and HR, access to essential services (credit, insurance), law enforcement, migration, and administration of justice. A general-purpose productivity tool, a code assistant, a marketing automation platform, or a content generation tool is not high-risk unless it is specifically used for one of these purposes in a way that significantly affects individuals.
The risk comes from use, not design. A general-purpose AI platform deployed by an HR department to screen CVs is a high-risk AI system in that deployment context. Your terms of use, your contractual onboarding with customers, and your technical documentation all need to address this. SaaS companies serving enterprise customers in HR, financial services, healthcare, or education should audit their customer base to identify whether any customers' use cases create high-risk deployments, and whether they have the contractual and governance framework to manage this.
What to do now — a practical checklist
Regardless of whether your AI is high-risk, every SaaS company serving EU customers should have:
Documented AI literacy training for all staff who operate, configure, or oversee AI systems (Article 4, already in force).
Article 50 disclosure mechanisms ready for August 2026: chatbot disclosure and AI-generated content labelling.
A risk classification review of all AI features and use cases against the Annex III categories.
An EU authorised representative if you have high-risk AI systems and are not EU-based.
Contracts with your AI model providers that clearly allocate responsibilities and include the commitments you need for your own customer-facing documentation.
An AI section in your security and procurement questionnaire responses, because EU enterprise customers are already asking how you comply with the EU AI Act, often before they ask about GDPR.
The competitive angle: ISO 42001 (the international AI management system standard) is increasingly requested alongside SOC 2 and ISO 27001 in enterprise procurement. SaaS companies that complete ISO 42001 certification demonstrate AI governance maturity to enterprise buyers and are well-positioned to address EU AI Act compliance questions credibly.