Talk to enough SaaS founders and you get the same shrug. EU AI Act? That's OpenAI's headache. You call an API, the model is theirs, so the rules are theirs too.
Nice story. It falls apart on 2 August 2026, and it lands on your bill.
That date is 47 days out as I write this, so call it seven weeks. The bit that catches almost everyone is Article 50, the transparency rules.
Article 50 does not care whether you trained a model or just plugged one in. It lands on whoever puts the AI in front of EU users. That's you.
What your model provider already sorted
Back on 2 August 2025, the rules for general-purpose AI models kicked in: Articles 51 to 55 of Regulation 2024/1689. They hit the people who actually build the models, so OpenAI, Anthropic, Google, Meta, Mistral.
Documentation, training data summaries, copyright policy, a heap of extra work for the biggest models. Done. A year ago.
All of that covers the model. None of it covers your product. The moment you wrap a model in a feature and ship it, a fresh pile of obligations lands, and your name is on this one.
What actually hits you on 2 August 2026
2 August 2026 is Article 50 day. The transparency rules switch on, the penalties go live under Article 99, and the AI Office finally gets teeth.
The high-risk regime is a different track on a later clock. The AI Omnibus pushed it to 2 December 2027, so if you were bracing for Annex III this August, you can stand down. Article 50 is the one with no exit, and it's the one landing in seven weeks.
If your product talks to users, spits out content, or runs on AI somewhere users can't see it, Article 50 has your name on it whether you're high risk or not.
Provider, deployer, or both at once
The Act sorts you into roles. A provider puts an AI system on the market under its own name. A deployer just uses one.
Founders assume that because they didn't build the model, they must be a deployer, and deployers get the soft version. Read it again. Wrap a model, stick your brand on it, sell it, and congratulations, you're the provider of that system and the deployer of the model underneath at the same time.
Most SaaS live in that overlap. "We just use OpenAI" describes half your situation and quietly skips the half with the paperwork.
There's a nastier edge. Fine-tune or seriously modify a model and Article 25 can drop full provider duties on you, and nobody has nailed down what counts as serious yet. So if you're doing anything past prompt engineering, get someone to look before August, not in September.
What Article 50 actually asks of you
Four parts. None of them is rocket science.
- 50(1): if your AI talks to users, tell them it's AI, unless that's already painfully obvious.
- 50(2): if you generate text, images, audio or video, mark it as AI generated in a machine-readable way. The expected standard is C2PA. Europe hasn't finalised the fine print, which is not your excuse to do nothing.
- 50(3): if you run emotion recognition or biometric categorisation, tell the people on the receiving end.
- 50(4): if you make deepfakes, say so.
For a normal SaaS with a chatbot and a bit of generated content, the actual work is small and boring. One clear notice the first time someone hits your AI. An "AI generated" label or metadata flag on whatever your tool spits out.
Plus a privacy notice paragraph that says, in plain words, what the model does with inputs, where the training data comes from, and how long you keep things.
The engineering is an afternoon. It doesn't get done because nobody on the team knows what to write, and writing is exactly the part the regulation is fussy about.
And notice what you can't push upstream. OpenAI can't drop a disclosure inside your chatbot. Anthropic can't label the output sitting on your customer's screen. This stuff lives at your product surface, which is the whole reason your vendor hitting its deadline does nothing for yours.
"Yeah but we barely have EU users"
Check that before you bet on it. Article 2 catches output that gets used in the EU, even if you and your servers are parked somewhere else. Someone in Berlin reads text your tool wrote, and that output just got used in the EU.
"No EU users" is a lot rarer than your dashboard makes it look.
What it costs to get this wrong
Article 99 sets the ceilings. Banned practices, up to €35M or 7% of global annual turnover. High-risk and Article 50 slip-ups, up to €15M or 3%. Feeding regulators wrong or misleading info, up to €7.5M or 1%.
If you're a startup the numbers scale down and you pay the lower of the two. Small comfort. A missed disclosure can still burn real runway, and the thing that usually shows up first isn't a regulator, it's an enterprise prospect asking for an AI Act attestation you can't hand over.
The 47-day version
You don't need a consultant to get moving. You need an afternoon and a spreadsheet.
- List every AI feature you ship. Chatbot, search, recommendations, autocomplete, summaries, voice, and yes the internal tools too.
- Label each one provider, deployer, or both.
- Run each through Article 50. Note which part applies and the disclosure you owe.
- Check if you fine-tune anything. If you do, flag it for an Article 25 look.
- Write the documents. A public AI disclosure on your site, an internal AI policy, and that privacy notice paragraph.
A SaaS that isn't high risk can knock this out in two to three weeks of deeply unglamorous work. If you're doing CV screening, credit scoring, automated grading or exam proctoring, you're in the high-risk regime as well. That's a heavier job, but the Omnibus moved its deadline to 2 December 2027, so Article 50 this August is still the thing to deal with first.
Where Disclos comes in
Want a second pair of eyes, that's the job. Disclos runs a fixed scope EU AI Act audit for SaaS. €997 one time, five business days, a written report against every article of Regulation 2024/1689 that actually touches your product. Refund if your SaaS isn't compliant by 2 August 2026 after following the report.
Rather do it solo, fair enough. The open source checklist is on GitHub and the free scope tool sits at disclos.eu/check. Either way, run the spreadsheet this week.
Seven weeks feels like loads of room, right up until you're staring at disclosures you've never written before.
Top comments (1)
That compliance gap is real. Vendor compliance does not automatically become product compliance, because the risk usually appears in how the feature stores, routes, logs, and exposes the AI output. The integration layer is where the audit trail lives.