You ship AI features. Your users are in Europe. The EU AI Act doesn't care where your servers are — if EU residents use your product, you're in scope. Answer 9 questions and find out if you're prohibited, high-risk, limited-risk, or minimal-risk before the August 2, 2026 deadline hits.
The EU AI Act catches founders off guard because the classification is based on what the AI is used for, not what your product is called. Here are the five scenarios that most often flip a "minimal-risk" SaaS into high-risk territory.
Employment and HR is one of the eight Annex III high-risk categories. If your SaaS helps customers screen CVs, rank job applicants, set performance goals with AI, or predict employee churn — you may be high-risk. This applies even if you're a B2B tool and a human ultimately makes the decision. The relevant test is whether the AI "materially influences" the employment decision, not whether it makes it autonomously. Founders selling to HR departments, or building ATS platforms or people-management tools, are most exposed here.
Annex III covers AI used to assess creditworthiness or establish credit scores, and AI used to price insurance for individuals. Fintech and insurtech founders building AI underwriting tools, lending APIs, or "financial health" dashboards face a high-risk designation. The same applies to SaaS with benefits eligibility scoring, such as determining who qualifies for a service or support tier. A free-tier chatbot answering financial questions is generally minimal-risk; a scoring model that recommends loan approval or denial to lenders is almost certainly high-risk.
Most AI SaaS products with a chat interface or generative output layer land in the limited-risk bucket under Article 50 — not high-risk, but not obligation-free either. You must inform users they are interacting with AI (for chatbots and voice agents) and mark AI-generated content as such. This is often the one founders miss because they assume "it's just a feature, not a standalone AI system." Article 50 transparency duties apply to components, not just standalone products. If your SaaS wraps GPT, Claude, or Gemini and produces user-visible text, images, or audio, Article 50 applies to you as the deployer.
Educational assessment is explicitly listed in Annex III. If your SaaS evaluates learner performance, determines educational pathway recommendations, scores essays, or monitors students during assessments, you may be in the high-risk tier. Edtech SaaS founders building AI tutoring tools should check whether the AI's role is purely informational (explaining concepts — likely minimal-risk) versus evaluative (scoring, ranking, or gating access to content based on performance — likely high-risk). The line is whether the AI output affects "access to, or continuation in, educational and vocational training."
Enterprise AI SaaS sold to critical infrastructure operators faces high-risk classification if it manages or makes decisions about critical infrastructure components, whatever the AI's specific function. If your anomaly detection SaaS is deployed in a power grid, your predictive maintenance tool runs at a water treatment facility, or your AI monitors financial market infrastructure, you're in Annex III category 2. Many founders don't discover this until an enterprise customer asks for a conformity assessment during procurement — often a €30,000+ surprise.
| Founder Pain Point | What the Risk Assessment Does |
|---|---|
| "I don't know if my product is high-risk or just needs a disclosure label." | The 9-question quiz walks you through the Article 6 + Annex III classification tree in the same order a Notified Body would, giving you a definitive tier with citations. |
| "My investor is asking for an EU AI Act compliance statement before our Series A." | At the end of the assessment, you can copy a formatted compliance report or save a PDF — a shareable artifact you can drop into a data room. |
| "I added an AI feature to my existing SaaS — does that change my classification?" | Run the classifier again for each AI component. The tool handles fine-tuned models, GPAI wrappers, and standalone AI features separately, so you can assess each use case in isolation. |
| "We only have US servers and US employees. Does the EU AI Act even apply?" | Article 2 makes the regulation extraterritorial — identical scope to GDPR. The question "will any EU resident use, see, or be affected by the AI's output?" is one of the 9 questions. If yes, you're in scope. |
| "I need to explain our compliance posture to an enterprise customer in Germany." | The downloadable PNG card and shareable deep-link let you show prospects your classification tier and obligations checklist without a slide deck. |
| "I think I qualify for the Article 6(3) carve-out but I'm not sure." | The assessment has a dedicated question for Annex III carve-outs and explains the four qualifying criteria with plain-language examples. It also reminds you to document and register the carve-out even if you qualify. |
The most common misclassification: a founder assumes their SaaS is "just software" and lands in minimal-risk. Two years later, a European enterprise customer triggers an Article 6 review, discovers the HR scoring feature is Annex III, and the deal collapses — or worse, the national supervisory authority gets involved. Running this classifier now costs zero and takes 60 seconds. Running it after an enforcement letter costs your legal team days and your deal weeks.
Run the Free Risk Assessment →

For founders who need to know their EU AI Act classification, there are several options. Here's how they stack up in cost and speed for the initial classification step alone.
| Option | Cost | Time to First Classification | Notes |
|---|---|---|---|
| TinyTools EU AI Act Risk Assessment | Free | 60 seconds | 9-question interactive classifier, Article citations, downloadable PDF report. Good for initial triage and investor data rooms. |
| Big 4 AI Act compliance audit (KPMG, Deloitte, PwC) | €15,000 – €50,000 | 4–8 weeks | Full conformity assessment, legal opinion, Notified Body liaison. Necessary for high-risk systems; overkill for initial classification. |
| Specialist AI law firm engagement | €5,000 – €15,000 | 2–4 weeks | Legal opinion letter, suitable for fundraising or enterprise procurement. Requires brief preparation and back-and-forth. |
| AI compliance SaaS (OneTrust AI, Credo AI) | $3,000 – $12,000 / year | 1–2 weeks onboarding | Good for ongoing compliance monitoring. Overkill if you just need to know your tier once before adjusting your roadmap. |
| In-house counsel + EU AI Act reading | ~€2,000 – €5,000 in hours | 3–10 days | Works if counsel has AI regulation experience. Most startup in-house counsel don't — the EU AI Act is a specialized niche. |
| Doing nothing and hoping for the best | €0 now, up to €35M later | — | Not recommended. Enforcement authority fines scale with global turnover. Early-stage startups have been fined under GDPR; the AI Act is stricter. |
The practical workflow for AI SaaS founders: use the free classifier to determine your tier first. If you land in high-risk, then budget for legal counsel and a conformity assessment — you'll need them. If you land in limited-risk or minimal-risk, the free tool tells you exactly which Article 50 disclosures to add, and our AI Disclosure Generator generates the correct HTML snippets in 30 seconds.
EU AI Act classification is step one. These sister tools cover what comes next.
The EU AI Act (Regulation (EU) 2024/1689) is the world's first comprehensive AI regulation, and it applies to any AI system placed on the market or put into service in the EU — regardless of where the company building it is based. For AI SaaS founders, this creates a compliance obligation that is often invisible until it becomes a deal-breaker.
Most founders focus on August 2, 2026 — the date high-risk system obligations kick in. But the timeline started earlier. Prohibited practices (Article 5) have been banned since February 2, 2025. GPAI model obligations (Articles 51–55) apply from August 2, 2025. If you're a model provider or a deployer of a foundation model via API, you may already be in scope for GPAI documentation requirements. The August 2026 date covers high-risk system conformity assessments, CE marking, and EU database registration — but limited-risk transparency duties under Article 50 also activate on the same date.
The EU AI Act draws a hard line between AI "providers" (entities that develop and place AI systems on the market) and "deployers" (entities that use AI systems in their own products or workflows). As an AI SaaS founder, you are almost certainly a provider. You're building AI-powered features, not just using someone else's AI internally. This matters because providers carry the heaviest compliance obligations — including conformity assessments for high-risk systems, EU database registration, and post-market monitoring. If you are also wrapping a foundation model like Claude, GPT-4, or Gemini, you may be both a provider of the application layer and subject to GPAI downstream deployer obligations.
Many SaaS features touch Annex III categories without being high-risk in practice. Article 6(3) provides four carve-outs: the AI performs only a narrow procedural task; it improves the result of a previously completed human activity; it detects patterns without replacing human review; or it performs a preparatory task. An AI that surfaces "here are the top 5 candidates sorted by keyword match" may qualify for the carve-out, while one that outputs "this candidate scores 87/100 — recommended for interview" probably doesn't. The carve-out requires documentation and registration even when it applies. Use the free classifier to determine whether your specific feature qualifies.
If your classification comes back high-risk, here is what you are committing to build before August 2, 2026: a continuous risk management system covering the full product lifecycle; data governance covering training, validation, and test data quality; technical documentation per Annex IV; automatic logging of system events for the system's lifetime; transparency documentation covering accuracy, robustness, and cybersecurity metrics; human oversight design so operators can override or intervene; a conformity assessment (self-assessment or third-party depending on category); CE marking; EU database registration; and post-market monitoring with serious incident reporting within 15 days. This is not a checkbox — it's an engineering and documentation workstream that typically takes 3–6 months for a well-staffed founding team.
Yes, if EU residents use your product. The regulation's scope (Article 2) mirrors GDPR's: it applies to any AI system placed on the EU market or "put into service" in the EU, and to providers located outside the EU when the output is used in the EU. "Put into service" includes making an AI system available to users via a web interface, API, or mobile app. Any SaaS product without active geo-blocking of EU users is presumed to be in scope.
No. Under the GPAI rules, foundation model providers (OpenAI, Anthropic, Google) have their own obligations as model providers. But you, as the application-layer provider, have separate obligations as the entity placing an AI system on the EU market. OpenAI publishing compliant GPAI technical documentation does not relieve you of your Article 6 / Annex III classification obligations for what you build on top of their model.
The Annex III classification applies to what the AI is used for downstream, not who your immediate customer is. If your B2B customer uses your SaaS to make decisions about their employees (Annex III category 4) or their end-users' creditworthiness (Annex III category 5), the high-risk designation attaches to your system regardless of the B2B contract layer in between. Deployers of high-risk systems are also subject to their own obligations — your enterprise customers may request evidence of your conformity assessment.
Answer 9 questions and get your classification with a full obligations checklist, Article citations, and a shareable PDF. Takes 60 seconds and costs nothing.
Run the Risk Assessment →