The EU Artificial Intelligence Act (Regulation (EU) 2024/1689), published in the Official Journal of the European Union on 12 July 2024 and in force since 1 August 2024, is the world's first comprehensive horizontal regulatory framework for artificial intelligence. It applies not only to companies established in the EU but, through its extraterritorial reach, to any provider placing an AI system on the EU market and to providers and deployers located outside the EU whose system's output is used within the EU. For SaaS companies that have integrated AI capabilities into their products, for developers building foundation models or deploying AI components, and for investors underwriting these businesses, the Act introduces obligations and risks that demand early attention.
Structure of the Regulation: A Risk-Based Tiered Model
The Act classifies AI systems across four risk tiers. At the top are prohibited practices: AI applications whose risks are considered unacceptable regardless of the implementation context. These include social scoring of natural persons (the prohibition covers private actors as well as public authorities), real-time remote biometric identification in publicly accessible spaces for law enforcement purposes (subject to narrowly defined exceptions), manipulation of individuals through subliminal or deliberately deceptive techniques, and exploitation of the vulnerabilities of specific groups, such as children or persons with disabilities. These prohibitions have applied since 2 February 2025, six months after the Act entered into force and well ahead of the bulk of its compliance obligations.
The second tier covers high-risk AI systems, which are the regulation’s primary focus. These are AI systems deployed in contexts where they can significantly affect individuals’ safety or fundamental rights: biometric identification, critical infrastructure, educational admissions, employment decisions, access to credit and insurance, administration of justice, and management of essential public services. Providers of high-risk systems face the most demanding compliance obligations under the Act.
The third tier covers general-purpose AI (GPAI) models, a category introduced relatively late in the legislative process to address large foundation models such as the GPT series or Gemini. GPAI models that pose systemic risk face heightened obligations, including adversarial testing and reporting of serious incidents to the European AI Office. Systemic risk is presumed where the cumulative compute used for training exceeds 10^25 floating point operations, a threshold the Commission may adjust by delegated act; the Commission can also designate a model as posing systemic risk on the basis of other criteria, so the compute figure is a presumption rather than the only test.
The fourth tier covers limited-risk and minimal-risk AI systems, which face only transparency obligations (for instance, chatbots must inform users they are not interacting with a human) or no specific obligations beyond existing law.
High-Risk Classification: SaaS Products in the Crosshairs
For SaaS companies, the high-risk classification is the most operationally significant. The Act defines high-risk systems by reference to Annex III, which lists the sectors and use cases. SaaS companies serving HR technology markets need to assess whether their AI-assisted CV screening, performance evaluation, or workforce monitoring features fall within the employment and workers management category. SaaS products used in financial services need to check the category covering access to essential private and public services: Annex III expressly lists systems that evaluate the creditworthiness of natural persons or establish their credit score, and systems used for risk assessment and pricing of life and health insurance, while systems used solely for detecting financial fraud are explicitly carved out of the creditworthiness entry. EdTech products used for assessments or admissions are similarly covered.
The compliance obligations for providers of high-risk systems are substantial. They include: establishing a risk management system that is maintained throughout the system’s lifecycle; implementing data governance measures covering training, validation, and testing datasets; preparing technical documentation; enabling logging and record-keeping; ensuring transparency toward deployers; ensuring human oversight mechanisms are built into the system; and achieving a level of accuracy, robustness, and cybersecurity appropriate to the intended purpose.
Additionally, providers of high-risk AI systems placed on the EU market must register their systems in the EU database established by the Commission, conduct a conformity assessment, and apply the CE marking. For Annex III systems the conformity assessment is generally a self-assessment based on internal control; the exception is the biometrics category, where a notified body must be involved unless the provider has fully applied harmonised standards. These requirements impose both upfront development costs and ongoing operational costs that SaaS companies must factor into their product roadmaps and financial models.
The Provider vs. Deployer Distinction
One of the most practically important distinctions in the Act is between providers and deployers. A provider is the entity that develops an AI system (or has one developed) and places it on the market or puts it into service under its own name or trademark. A deployer is an entity that uses an AI system under its own authority, other than in the course of a personal, non-professional activity. In the SaaS world this creates layered responsibility: a foundation model developer such as OpenAI or a European equivalent is the provider of a GPAI model; a SaaS company that builds a product on top of that model and sells it to corporate customers is the provider of its own system and, to the extent it uses the underlying model under its own authority, potentially a deployer of that model. The enterprise customers who run the SaaS product within their operations are deployers.
This layering matters because obligations are distributed across the supply chain. Providers must give deployers the technical documentation, instructions for use, and information needed for deployers to meet their own obligations. Deployers of high-risk systems must use the system in accordance with the provider's instructions, keep the logs the system generates, conduct data protection impact assessments where the GDPR requires them, and assign human oversight to natural persons with the necessary competence, training and authority. A SaaS company that customises a GPAI model for a high-risk use case should also watch the provider triggers: a deployer (or any third party) becomes the provider of a high-risk system, with all associated obligations, if it puts its own name or trademark on the system, makes a substantial modification to it, or changes the intended purpose so that the system becomes high-risk.
General-Purpose AI Models: Implications for AI Developers
The GPAI provisions represent one of the most commercially sensitive parts of the Act. Developers of foundation models, whether proprietary or open-weight, must prepare technical documentation (which includes the known or estimated energy consumption of the model), supply information to downstream providers that integrate the model, put in place a policy to comply with EU copyright law including the rights reservations (opt-outs) that rightsholders can assert under the text and data mining exception, and publish a summary of the content used for training. For GPAI models with systemic risk, additional obligations include performing model evaluations, adversarial testing (red-teaming), assessing and mitigating systemic risks, reporting serious incidents to the European AI Office, and ensuring an adequate level of cybersecurity protection for the model and its physical infrastructure.
Open-source model developers benefit from certain carve-outs, but these are narrower than the open-source community had initially hoped for. The exemption does not apply to open-weight models that qualify as systemic risk GPAI models, and providers releasing open-weight models must still comply with the copyright transparency obligations. For European AI startups building and releasing foundation models, this regulatory layer adds compliance costs that may disadvantage them relative to non-EU-headquartered competitors, although the Act applies to any model made available in the EU market regardless of origin.
Compliance Timelines
The Act's compliance obligations are phased from its entry into force on 1 August 2024. The prohibitions on unacceptable risk practices (together with the AI literacy obligation for providers and deployers) have applied since 2 February 2025, six months after entry into force. Obligations relating to GPAI models and the governance provisions apply from 2 August 2025, twelve months after entry into force, although the fines for GPAI providers only become applicable from 2 August 2026. The full obligations for high-risk AI systems under Annex III apply from 2 August 2026, twenty-four months after entry into force. High-risk systems that are safety components of, or are themselves, products covered by the EU harmonisation legislation listed in Annex I have until 2 August 2027.
For SaaS companies and developers, the 2 August 2025 deadline for GPAI provisions is commercially significant because it imposes obligations on the foundation model providers whose APIs many SaaS products depend on, potentially triggering upstream contractual changes. One caveat when reviewing those contracts: GPAI models placed on the market before 2 August 2025 benefit from a transitional period and need only be brought into compliance by 2 August 2027. The 2 August 2026 deadline for Annex III high-risk systems requires companies to have built compliance infrastructure, retrained teams, and updated product architectures well before that date, given the lead time required.
Enforcement and Penalties
The Act establishes a dual enforcement structure. At EU level, the European AI Office within the European Commission has supervisory authority over GPAI model providers and coordinates with national competent authorities. Each member state must designate at least one notifying authority (responsible for the conformity assessment bodies) and at least one market surveillance authority. This creates the possibility of regulatory fragmentation similar to what has occurred under the GDPR, where enforcement intensity varies significantly across member states.
Penalties for violations are structured across three tiers. Violations of the prohibited practices provisions can attract fines of up to EUR 35 million or 7% of total worldwide annual turnover for the preceding financial year, whichever is higher. Violations of most other obligations, including those applicable to providers and deployers of high-risk systems, can attract fines of up to EUR 15 million or 3% of worldwide annual turnover, whichever is higher. Providing incorrect, incomplete, or misleading information to authorities carries fines of up to EUR 7.5 million or 1.5% of worldwide annual turnover, whichever is higher. For SMEs and startups, each fine is instead capped at whichever of the two figures (the fixed amount or the turnover percentage) is lower, but the reputational and operational consequences of enforcement action can be disproportionately damaging regardless of the financial penalty.
Investor Considerations
For investors in AI-enabled SaaS companies or AI infrastructure developers, the Act introduces both risk factors and diligence imperatives. On the risk side, companies that have not mapped their AI systems against the Act’s risk classification framework may be unknowingly building products that require significant redesign or documentation before the applicable compliance deadline. The cost of retrofitting compliance into a product architecture that was not designed with the Act in mind is substantially higher than building compliant by design.
Due diligence for investments in AI companies operating in the EU market should now include a regulatory risk assessment that covers: identification of the company’s AI systems and their risk classification under the Act; assessment of the company’s compliance roadmap and its adequacy given applicable deadlines; review of contractual arrangements with foundational model providers to ensure obligations are appropriately passed down or up the supply chain; and assessment of the company’s data governance practices, particularly for training data that may be subject to the Act’s copyright and data quality requirements.
Conversely, the Act creates opportunities for companies that build compliance tooling, audit and certification services, and conformity assessment capabilities. Even where the conformity assessment for a high-risk system is a self-assessment, providers still need technical testing, accuracy and robustness evaluation, and documentation that survives regulatory scrutiny, and third-party services to supply these do not yet exist at the required scale in Europe.
Interaction with Other EU Regulations
The AI Act does not operate in isolation. High-risk AI systems that process personal data must comply with both the Act and the GDPR, and the Act explicitly states that it does not supersede data protection obligations. For systems subject to sector-specific legislation — such as medical devices, financial services, or aviation — the AI Act obligations apply alongside the existing sectoral framework. The European Commission has begun working on sectoral guidance to address these overlaps, but as of mid-2024 much of that guidance remained in development.
The interaction with the NIS2 Directive on cybersecurity is also relevant, particularly for AI systems deployed in critical infrastructure or essential service contexts, where the cybersecurity requirements of NIS2 and the robustness requirements of the AI Act will need to be addressed simultaneously. Companies operating at the intersection of AI and critical infrastructure should treat these regulatory frameworks as a combined compliance programme rather than separate workstreams.
Conclusion
The EU AI Act is a landmark regulation that will reshape product development, procurement, and investment in AI-enabled technology businesses in Europe and beyond. Its risk-based tiered structure provides a workable framework, but the breadth of the high-risk category, the complexity of the provider-deployer chain, and the interaction with existing regulatory frameworks create genuine compliance challenges. SaaS companies, developers, and their investors should begin classification exercises now, engage counsel familiar with both technology and regulatory law, and build compliance roadmaps that are integrated with product development cycles rather than bolted on as an afterthought.
