You built a ChatGPT wrapper. It's doing $5K MRR. A founder on r/SaaS just posted: "Article 12 requires logging for every AI system decision — does my ChatGPT wrapper need this? I have 10,000 API calls/day, I can't log every single one with a timestamp and reasoning." The thread has 100+ upvotes and the comments are a panic spiral.
Take a breath. The real answer is simpler — and less terrifying — than the Reddit thread makes it sound.
This article explains exactly what the EU AI Act requires from AI wrapper products, which provisions actually apply to you, and how to check your compliance in under ten minutes. No law degree needed.
The Fear vs. The Reality
The fear: every ChatGPT API call counts as an "AI system decision," so you need to log 10,000 timestamped rationales per day or face fines.
The reality: Article 12 covers high-risk AI systems — and most AI wrappers aren't high-risk. The Act defines high-risk through two gates: Article 6(1) (safety component of a regulated product) and Annex III (use in specific sectors like biometrics, critical infrastructure, education, employment, law enforcement). A customer support chatbot or a blog post generator doesn't clear either gate.
Here's what the law actually requires, broken down by risk tier.
What the EU AI Act Actually Requires From Your AI Wrapper
The Act creates four tiers of obligation. Your wrapper falls into exactly one of them. Everything depends on what your AI does and where it's deployed.
Tier 1: Prohibited (Article 5) — Your Product Is Illegal
Your system is prohibited if it does any of the following:
- Uses subliminal techniques to manipulate behavior and cause harm
- Exploits vulnerabilities of children or persons with disabilities
- Performs social scoring by public authorities
- Uses real-time remote biometric identification in public spaces (with narrow exceptions)
If your wrapper does none of these — and most don't — you can move on. Fewer than 1% of SaaS AI products trigger Article 5.
Tier 2: High-Risk (Article 6(1) + Annex III) — Full Compliance Required
Your system is high-risk if it satisfies either of these two gates:
Gate A — Safety component. Your AI is a safety component of a product covered by EU harmonization legislation (machinery, medical devices, toys, lifts, radio equipment, etc.), OR your AI is itself a regulated product. Example: an AI diagnostic module embedded in a medical device.
Gate B — Annex III use case. Your AI operates in one of eight regulated sectors and is deployed in the EU:
- Biometrics (emotion recognition, categorization)
- Critical infrastructure management
- Education and vocational training (admissions, assessment)
- Employment and worker management (hiring, promotion, monitoring)
- Access to essential services (credit scoring, insurance pricing)
- Law enforcement
- Migration and border control
- Administration of justice and democratic processes
If neither gate applies, your system is not high-risk. Full stop. A ChatGPT wrapper for generating marketing copy, answering customer FAQs, or summarizing meeting notes doesn't fall into any of these categories.
If your system IS high-risk, Article 12 requires you to keep logs that enable traceability of the AI system's functioning — including recording the date and time of each use, the reference database used (if any), the input data, and identification of the natural persons involved. This is the requirement the r/SaaS founder was worried about. It applies only to high-risk systems.
Tier 3: Limited Risk (Article 52) — Transparency Obligations
Your system falls here if it:
- Interacts directly with natural persons (a chatbot, for example)
- Is deployed in the EU
- Is NOT high-risk under Annex III
The obligations are modest: you must inform users they're interacting with an AI system, unless it's obvious from context. No logging of individual decisions. No timestamped rationale. Just disclosure.
For most AI wrapper founders, this is your tier. Add a small disclosure line and you're compliant.
Tier 4: Minimal Risk — No Obligations
Your system involves no direct human interaction, no safety component, no Annex III use case, and no EU deployment. You have no obligations under the Act. Most internal tools and back-end automation fall here.
"But I Have 10,000 API Calls a Day"
Let's return to the Reddit founder's specific concern. He runs a ChatGPT wrapper processing 10,000 calls a day. He's worried about logging every one.
Here's the question sequence that determines his obligations:
- Is the wrapper a safety component of a regulated product? Almost certainly no — it's a general-purpose text generator.
- Does it operate in an Annex III sector? If it's a marketing tool, a writing assistant, or a general chatbot — no.
- Does it interact directly with end users? If yes, Article 52 applies — add a disclosure.
- Is it deployed in the EU? If no, the Act doesn't apply at all.
For the vast majority of AI wrappers, the answer is "limited risk — add disclosure and move on." You do not need to log 10,000 API calls. You do not need timestamps. You do not need rationales per decision.
The panic comes from reading Article 12 in isolation without understanding the Article 6(1) and Annex III gates that determine whether Article 12 even applies to you.
The Wrapper Panic Is Real — and It's an Opportunity
The r/SaaS thread isn't wrong to be anxious. The EU AI Act is genuinely complex — 400 pages of dense legislation with nested cross-references and delayed implementation dates. Founders reading the text directly get lost in cross-references between Articles 5, 6, 12, 13, 50, and Annexes I through IX.
But the anxiety is disproportionate to the actual legal exposure. Most AI wrappers face minimal obligations. The founders who are most scared are the ones who haven't been walked through a structured classification.
This is where a free classification tool changes the game. In the time it took to write that Reddit post, a founder could have answered twelve yes/no questions and received a definitive risk tier with the exact obligations that apply.
Three Things You Should Do Right Now
1. Know Your Risk Tier
Don't guess. Walk through the actual gates: Article 5 prohibited practices, Article 6(1) safety components, Annex III use cases, Article 52 transparency. Write down the answers.
A ChatGPT wrapper for customer support in the EU: limited risk. An AI resume screener for hiring in Germany: high-risk. An AI that generates synthetic medical images for diagnostic training: high-risk, possibly prohibited. The distinction matters enormously — the compliance burden differs by an order of magnitude.
2. If You're High-Risk, Log from Day One
If your system genuinely clears the Annex III gate (you're in hiring, education, credit, or biometrics), you need Article 12 logging. This means:
- Recording each use event with timestamp and operator identification
- Keeping logs for at least six months
- Ensuring logs are available to national authorities on request
- Implementing log-level security appropriate to the sensitivity of the data
This is non-trivial infrastructure, but it only applies if you're high-risk. Before you build it, verify that Gate B actually applies to you.
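One way to build the use-event record from the list above, as an added example that is not from the original article: an append-only log in which each record carries the timestamp, operator, person and input, and is chained to the previous record by hash so later edits are detectable. The field names, the 183-day stand-in for "six months", and hash chaining as the log security measure are assumptions of this example, not wording from the Act.

```python
import hashlib
import json
from datetime import datetime, timedelta, timezone

RETENTION = timedelta(days=183)  # assumption: "at least six months" taken as 183 days
GENESIS = "0" * 64               # anchor hash for the very first record

def _digest(body):
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def append_event(log, *, when, operator_id, subject_id, input_text, reference_db=None):
    """Append one use event; each record commits to the previous record's hash."""
    body = {
        "ts": when.astimezone(timezone.utc).isoformat(),
        "operator_id": operator_id,    # who ran the system
        "subject_id": subject_id,      # natural person the use concerns
        "reference_db": reference_db,  # reference database used, if any
        "input": input_text,
        "prev": log[-1]["hash"] if log else GENESIS,
    }
    log.append(dict(body, hash=_digest(body)))
    return log[-1]

def verify_chain(log, anchor=GENESIS):
    """Return the index of the first altered or out-of-order record, or -1 if intact."""
    prev = anchor
    for i, rec in enumerate(log):
        body = {k: v for k, v in rec.items() if k != "hash"}
        if rec["prev"] != prev or _digest(body) != rec["hash"]:
            return i
        prev = rec["hash"]
    return -1

def purgeable(log, now):
    """Records already past the minimum retention window (deletion candidates)."""
    cutoff = now.astimezone(timezone.utc) - RETENTION
    return [r for r in log if datetime.fromisoformat(r["ts"]) < cutoff]

if __name__ == "__main__":
    # Constructed sample events for a hypothetical resume screener.
    t0 = datetime(2025, 1, 1, 12, 0, tzinfo=timezone.utc)
    log = []
    append_event(log, when=t0, operator_id="op-1", subject_id="cand-17", input_text="cv A")
    append_event(log, when=t0 + timedelta(days=1), operator_id="op-1", subject_id="cand-18", input_text="cv B")
    print(verify_chain(log))    # chain as written
    log[0]["input"] = "edited"  # simulate a later modification
    print(verify_chain(log))    # index of the altered record
```

When old records are deleted after retention, keep the hash of the last deleted record and pass it as `anchor` so the remaining log still verifies.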
3. If You're Limited Risk, Ship the Disclosure and Move On
Add a clear notice that users are interacting with an AI. Make it visible before the first interaction. That's it. You're compliant under Article 52. Spend your engineering cycles on your product, not on phantom compliance requirements.
The Deadline Confusion: What's Actually Due When
Another source of panic: founders have heard conflicting dates. Here's a quick decode:
- August 2, 2026: Primary enforcement date for high-risk AI systems. Prohibited practices provisions are already in effect. If your system is high-risk, this is your deadline.
- December 2026: Article 50(2) watermarking requirements for AI-generated content take effect.
- December 2027 (proposed): The Omnibus regulation may delay Annex III high-risk classification requirements by 18 months, but this is not yet final.
The takeaway: if you're not high-risk, your nearest hard deadline is December 2026 for watermarking disclosure — and that's straightforward. If you are high-risk, plan for August 2, 2026 with the understanding that Annex III enforcement timing may shift.
What the Law Actually Wants
Reading between the lines of the legislative text, the EU's goal is sensible: they want to know that AI systems making consequential decisions about people's lives are documented, explainable, and auditable. A chatbot that says "your order will arrive Tuesday" is not a consequential decision. An AI that says "you're denied a mortgage" is.
The burden is designed to land on the consequential cases. The problem is that the text is written broadly enough to scare the inconsequential ones too.
Don't let the scare keep you from shipping. Classify your system, understand your tier, and build only what the law actually requires.
Next Step
You can figure out your risk tier right now. It takes ten minutes and twelve questions — no legal training required.
No credit card. No consulting call. Just the exact obligations that apply to your specific AI system, mapped to the provisions of the Act.