Regulation (EU) 2024/1689 applies to any company placing AI systems on the EU market — regardless of where you're headquartered. If your AI product touches EU users or EU-based businesses, this law applies to you.
The EU AI Act (Regulation (EU) 2024/1689) is the world's first comprehensive legal framework for artificial intelligence. Adopted by the European Parliament on June 13, 2024 and entering into force on August 1, 2024, it creates a risk-based tiered system for AI regulation across the 27 EU member states.
Unlike sector-specific AI rules, the EU AI Act covers AI broadly — from consumer chatbots to medical diagnostic tools. It classifies AI systems by their potential for harm and imposes increasingly stringent obligations based on risk tier. Unacceptable-risk AI is prohibited outright. High-risk AI requires extensive documentation, human oversight, and conformity assessment. Limited-risk AI requires transparency disclosures. Minimal-risk AI has no mandatory requirements.
Critically, like GDPR, the EU AI Act has extraterritorial reach. Under Art. 2(1)(c), it applies to providers and deployers of AI systems that are located in third countries (including the US) when the output of their AI is used in the EU. If your SaaS product uses AI and has EU customers, this regulation likely applies to you.
"AI systems should be safe, transparent, traceable, non-discriminatory, and environmentally friendly."
— EU AI Act Recital 1, the foundational principle
The EU AI Act phases in obligations over three years. Mark these dates on your compliance calendar.
Regulation (EU) 2024/1689 Enters into Force
The law is officially in force. The EU AI Office is established. The 36-month countdown to full enforcement begins.
Prohibited AI Practices (Art. 5) + AI Literacy (Art. 4)
All prohibited AI practices under Art. 5 are now illegal and enforceable, and organizations must have AI literacy programs in place for staff. Both obligations are already in effect.
GPAI Model Obligations (Art. 51–56) + Governance Rules
General-Purpose AI providers must comply with documentation, transparency, and copyright policies. Systemic-risk GPAI models face additional adversarial testing and incident reporting obligations.
Full Enforcement: High-Risk AI Systems (Annex III)
The main compliance deadline. All high-risk AI systems under Annex III must comply with Art. 9–15 obligations: risk management systems, data governance, technical documentation, logging, transparency, human oversight, and accuracy/robustness requirements.
High-Risk AI in Annex I Safety Products
AI embedded in products covered by EU sectoral safety legislation (Annex I) — medical devices, machinery, vehicles, toys, etc. — must comply. Extended timeline due to existing sectoral certification requirements.
The EU AI Act uses a four-tier risk pyramid. Your obligations depend entirely on where your AI system falls.
These AI applications are banned outright across the EU. Placing them on the market or into service is illegal from February 2, 2025.
Subject to full Art. 9–15 obligations: risk management, data governance, technical documentation, logging, transparency, human oversight, conformity assessment, and EU database registration. Deadline: August 2, 2026.
Annex III Categories:
Requires transparency obligations only. Users must be notified when interacting with AI — no pretending to be human. Applies to chatbots, deepfakes, AI-generated content, and emotion-recognition tools (where not prohibited).
The vast majority of AI applications — spam filters, AI-powered playlists, inventory optimization, basic recommendation systems — are minimal risk. No mandatory compliance requirements, though voluntary codes of conduct are encouraged.
US SaaS Companies: Where You're Most Likely High-Risk
If your AI product scores credit applications, screens resumes, makes hiring recommendations, assesses insurance risk, determines benefits eligibility, or provides AI-assisted decisions in healthcare or law — you are likely operating a high-risk AI system under Annex III. This applies even if the AI is just one component of a larger product.
The Complete Checklist
These obligations under Art. 9–15 apply to all high-risk AI providers. Deployers have additional obligations under Art. 26.
A continuous, documented risk management process covering the entire AI system lifecycle. Must identify and analyze known and reasonably foreseeable risks, estimate and evaluate risks that may emerge in use, adopt risk mitigation measures, and test to ensure residual risks are acceptable. Risk management must be updated as new risks are identified.
Training, validation, and test data sets must meet documented quality criteria. Practices must address data collection methods, data preparation operations, relevant assumptions, availability and quantity assessment, examination for possible biases, and identification of data gaps. Data used to train high-risk AI must be relevant, sufficiently representative, and free from errors where possible.
Comprehensive technical documentation must be drawn up before the AI system is placed on the market. Annex IV specifies 14 required elements including: general description of the system, detailed description of design and development, information on training/validation/testing data, intended purpose, monitoring and supervision provisions, and a list of harmonized standards applied. Documentation must be kept updated.
High-risk AI systems must record events automatically (logging) so that the system remains traceable throughout its lifetime. Logs must capture events relevant to identifying risks, including the start and end of each period of use, the reference database against which input data was checked, the input data that led to a given output, the identity of the natural persons involved in verifying the results, and any events that caused the system to stop functioning.
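A minimal illustration of the logging elements just listed, added here as an example and not taken from the page or any vendor product: each event of a hypothetical CV-screening session is appended as a SHA-256 hash-chained record, so that later alteration of any entry breaks the chain and is detectable. The session ID, reference database name, reviewer ID, timestamps and event names are constructed; raw input is stored only as a hash so the log itself does not become a second copy of personal data.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # previous-hash value for the first entry


def _digest(entry: dict) -> str:
    # Canonical JSON (sorted keys) so the hash is reproducible anywhere
    return hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()


class AuditLog:
    """Append-only, hash-chained record of one high-risk AI system's use."""

    def __init__(self):
        self.entries = []

    def record(self, event: str, *, session_id: str, input_data: bytes = b"",
               reference_db: str = "", output: str = "", verified_by: str = "",
               at: str = "") -> dict:
        entry = {
            "seq": len(self.entries),
            "prev_hash": self.entries[-1]["hash"] if self.entries else GENESIS,
            "timestamp": at or datetime.now(timezone.utc).isoformat(),
            "event": event,  # session_start, decision, human_review, interrupt, session_end
            "session_id": session_id,
            # Hash of the input, not the input itself: traceability without data duplication
            "input_sha256": hashlib.sha256(input_data).hexdigest() if input_data else "",
            "reference_db": reference_db,  # database the input was checked against
            "output": output,
            "verified_by": verified_by,  # natural person who verified the result
        }
        entry["hash"] = _digest(entry)  # computed before the "hash" key exists
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        """Recompute every hash and link; False if any entry was altered or removed."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["seq"] != i or e["prev_hash"] != prev or _digest(body) != e["hash"]:
                return False
            prev = e["hash"]
        return True


def demo_session() -> AuditLog:
    """Constructed session of a hypothetical CV-screening system (Annex III, employment)."""
    log = AuditLog()
    log.record("session_start", session_id="s-001", at="2026-08-03T09:00:00+00:00")
    log.record("decision", session_id="s-001", input_data=b"cv:applicant-42",
               reference_db="job-profiles-v7", output="shortlist:no",
               at="2026-08-03T09:00:02+00:00")
    log.record("human_review", session_id="s-001", output="overridden:shortlist:yes",
               verified_by="hr-reviewer-17", at="2026-08-03T09:05:00+00:00")
    log.record("session_end", session_id="s-001", at="2026-08-03T09:06:00+00:00")
    return log
```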
High-risk AI systems must be transparent to deployers. Providers must supply instructions for use that include: the identity of the provider, the intended purpose, the level of accuracy and performance, foreseeable inputs or operating conditions, hardware/software requirements, expected lifetime and maintenance needs, and information about residual risks. Designed to enable deployers to make informed use.
High-risk AI systems must be designed and developed to be effectively overseen by natural persons during operation. This includes enabling persons responsible for oversight to understand the capabilities and limitations of the AI, monitor its operation, interpret outputs correctly, and intervene or interrupt the system if necessary. Human oversight requirements must be built into the system design — they cannot be bolted on after deployment.
High-risk AI systems must achieve appropriate levels of accuracy, robustness, and cybersecurity throughout their lifecycle. Systems must be resilient to attempts by unauthorized third parties to alter their use or performance (adversarial attacks). Providers must document intended levels of accuracy using relevant metrics and test against those metrics before deployment. Failsafe fallback plans must be in place.
Before placing a high-risk AI system on the market, providers must complete a conformity assessment (Art. 43). For most Annex III systems, self-assessment is permitted. Providers must then register in the EU AI Act public database (Art. 49) and affix a CE marking. Authorized EU representatives may be required for non-EU providers (Art. 22).
Providers must implement a post-market monitoring plan and actively collect, document, and analyze data from deployed high-risk AI systems. This is an ongoing obligation — not a one-time assessment. Serious incidents (Art. 73) must be reported to national market surveillance authorities. Providers must take corrective action when monitoring identifies compliance risks.
If you train, fine-tune, or provide a General-Purpose AI model (e.g., a foundation model, LLM, or multimodal model), Art. 53 applies from August 2, 2025. All GPAI providers must:
Systemic Risk GPAI (models whose cumulative training compute exceeds 10^25 FLOPs, Art. 51(2)): Additional obligations under Art. 55 include adversarial testing (red-teaming), incident reporting to the EU AI Office, cybersecurity protections, and energy efficiency reporting.
Three penalty tiers apply based on the type of violation. The "higher of" structure means large companies face percentage-based fines; SMEs may face the absolute cap.
Real-World Scale of EU AI Act Fines
For a company with $1 billion in global revenue: a Tier 1 (prohibited AI) violation carries a potential fine of $70 million (7%). A Tier 2 (high-risk AI) violation could mean $30 million (3%). These are maximum amounts — actual fines depend on severity, duration, cooperation, and whether the violation caused harm. SMEs receive a lower cap (the lesser of the percentage or the absolute amount).
From risk tier classification to Art. 9–15 documentation, GPAI technical documentation, and conformity assessment preparation — ComplianceStack guides you through every EU AI Act requirement before August 2026.
AI Risk Classification
Identify whether your AI systems are prohibited, high-risk, limited-risk, or minimal-risk based on Annex III criteria.
Art. 11 Technical Documentation
Generate all 14 required Annex IV documentation elements for high-risk AI system conformity assessment.
Risk Management System
Build and maintain the Art. 9 risk management framework with structured risk identification and mitigation tracking.
GPAI Documentation (Art. 53)
Generate Annex XI technical documentation and training data summaries required for GPAI model providers.
Free to start. No credit card required.
Building an Art. 9–15 risk management system, Annex IV technical documentation, and post-market monitoring plan takes 6–12 months. Start your EU AI Act gap assessment today.
Start Free EU AI Act Assessment. Takes under 5 minutes.
Tailored EU AI Act compliance guidance for your industry.