Checklists | 10 min read | 15 May 2026

EU AI Act Compliance Checklist for SaaS Companies — 2026

Before you start: determine your role

The EU AI Act treats providers and deployers differently. Getting this wrong means checking the wrong boxes.

You are a Provider if:

  • You built your own AI model
  • You fine-tuned a foundation model
  • You created an AI system and offer it to others

You are a Deployer if:

  • You use OpenAI, Anthropic, Google, or similar APIs
  • You integrate a third-party AI system into your product
  • You are not the one who trained the underlying model

Most SaaS companies using the OpenAI or Anthropic API are deployers.

The complete checklist

Step 1: AI inventory

  • [ ] List every AI feature in your product
  • [ ] For each feature, note which API or model it uses
  • [ ] Classify each feature by risk tier (prohibited / high-risk / limited / minimal)
  • [ ] Determine if any features fall under Annex III high-risk categories

Annex III high-risk categories relevant to SaaS:

  • Credit scoring or financial decisions
  • Employment screening or management
  • Educational assessment
  • Access to essential services
  • Law enforcement applications
  • Border control or migration

Step 2: Code requirements

Article 12 — Logging (high-risk only)

  • [ ] Every AI API call has structured logging before and after
  • [ ] Logs include: timestamp, user ID, model, input hash, output hash, duration
  • [ ] Logs written to persistent storage (not just console)
  • [ ] Log retention set to minimum 6 months
  • [ ] Logs cannot be modified or deleted by application code
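A wrapper that implements these five logging checks, added here as an example and not code from the original post or from EU ACT Guard: it writes a structured record before and after each AI call carrying timestamp, user ID, model, input hash, output hash and duration, appends to a JSON Lines file, and hash-chains the records so that `verify_log()` detects any record that was edited, removed or inserted. The log path and the `call` function that talks to the model provider are assumptions; hash chaining makes tampering detectable, so the file still belongs on storage the application cannot rewrite or delete (an append-only log service or WORM bucket).

```python
import hashlib
import json
import time

GENESIS = "0" * 64  # prev_hash of the first record in a fresh log
def sha256(text: str) -> str:
    return hashlib.sha256(text.encode("utf-8")).hexdigest()

class AuditLog:  # append-only JSON Lines log; each record stores its predecessor's hash
    def __init__(self, path: str):
        self.path = path
        self.head = GENESIS
        with open(path, "a+", encoding="utf-8") as f:  # create if missing, then resume chain
            f.seek(0)
            for line in f:
                self.head = json.loads(line)["record_hash"]

    def write(self, record: dict) -> None:
        record["prev_hash"] = self.head
        record["record_hash"] = sha256(json.dumps(record, sort_keys=True))
        with open(self.path, "a", encoding="utf-8") as f:  # append only, never rewrite
            f.write(json.dumps(record, sort_keys=True) + "\n")
        self.head = record["record_hash"]

def logged_ai_call(log: AuditLog, user_id: str, model: str, prompt: str, call):
    """Log before and after one AI API call; `call` is the (assumed) provider function."""
    t0 = time.time()
    base = {"user_id": user_id, "model": model, "input_hash": sha256(prompt)}
    log.write({"event": "ai_request", "ts": t0, **base})
    status, output = "error", None
    try:
        output = call(prompt)
        status = "ok"
        return output
    finally:  # also runs when the call raises, so failed calls are logged too
        log.write({"event": "ai_response", "ts": time.time(), "status": status,
                   "output_hash": sha256(output) if status == "ok" else None,
                   "duration_ms": round((time.time() - t0) * 1000, 3), **base})

def verify_log(path: str) -> bool:  # False if any record was altered, removed or forged
    prev = GENESIS
    with open(path, encoding="utf-8") as f:
        for line in f:
            rec = json.loads(line)
            stored = rec.pop("record_hash", None)
            if rec.get("prev_hash") != prev or sha256(json.dumps(rec, sort_keys=True)) != stored:
                return False
            prev = stored
    return True
```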

Article 14 — Human oversight (high-risk only)

  • [ ] No AI output goes directly to consequential database writes
  • [ ] Review queue exists between AI decision and action
  • [ ] Override mechanism documented
  • [ ] Named person responsible for AI oversight

Article 9 — Risk management

  • [ ] Risk register exists for each AI system
  • [ ] CI/CD pipeline has manual approval gate before AI deployment
  • [ ] No workflow auto-deploys AI changes without review

Article 15 — Accuracy and robustness

  • [ ] AI system has defined performance metrics
  • [ ] Testing suite covers AI-specific failure cases
  • [ ] Error handling exists for all AI API calls

Step 3: Website requirements

Article 50 — AI disclosure

  • [ ] Every chatbot or conversational AI feature discloses it is AI before the first interaction
  • [ ] AI-generated content is labeled where required
  • [ ] Disclosure is visible without scrolling or clicking

What counts as compliant disclosure:

"Hi, I'm an AI assistant. I can help with [topic]. You're chatting with AI, not a person."

What does not count:

  • Mentioning AI only in the privacy policy
  • Disclosing AI after the conversation starts
  • Using vague language like "automated system"

Step 4: Privacy policy requirements

Article 13 — Transparency

  • [ ] Privacy policy mentions AI or automated processing
  • [ ] AI purpose explained in plain language
  • [ ] Legal basis for AI processing stated

Article 26 — Deployer obligations

  • [ ] All AI providers named (OpenAI, Anthropic, Google, etc.)
  • [ ] Data processing agreements signed with each AI provider
  • [ ] Privacy policy lists AI providers as data processors

GDPR Article 22 — Automated decisions

  • [ ] If AI makes decisions with significant effects, users are informed of their right to human review
  • [ ] Mechanism exists for users to request human review

Contact for AI queries

  • [ ] Dedicated contact point for AI-related queries exists
  • [ ] Contact listed in privacy policy

Step 5: Documentation

Article 11 — Technical documentation

  • [ ] Annex IV technical file started (8 sections)
  • [ ] System description complete
  • [ ] Development process documented
  • [ ] Risk management documented

Records

  • [ ] AI system inventory maintained
  • [ ] Change log for AI components
  • [ ] Incident log for AI failures

How to check all of this automatically

Going through this checklist manually takes days. EU ACT Guard automates the technical checks — scanning your GitHub repository for logging violations, checking your website for Article 50 disclosure, and analyzing your privacy policy for the 8 required elements.

Free scan covers:

  • All code checks (Articles 9, 12, 14, 15)
  • Website scan (Article 50)
  • Privacy policy analysis (Articles 13, 26)
  • Annex IV draft generation
