EU AI Act Compliance Guide: Requirements, Risk Tiers & Practical Checklist
Reviewed: June 4, 2026
The EU AI Act is the world’s first comprehensive legal framework for artificial intelligence. For SaaS companies, startups, and AI engineering teams, understanding compliance isn’t optional — it’s a competitive advantage. This guide breaks down the regulation into actionable requirements.
Risk Classification Tiers
Unacceptable Risk (Banned)
These AI systems are prohibited outright:
- Social scoring systems by public authorities
- Real-time remote biometric identification in public spaces (with narrow exceptions)
- Subliminal manipulation techniques that distort behavior
- Exploitation of vulnerabilities (age, disability, economic situation)
- Emotion recognition in workplaces and educational institutions
High Risk
Subject to strict conformity requirements before market entry:
- AI in recruitment, employee evaluation, and workforce management
- Credit scoring and insurance risk assessment
- Critical infrastructure management (water, gas, electricity)
- Medical devices and healthcare diagnostics
- Law enforcement and judicial decision support
- Migration, asylum, and border control
- Education — assessing learning outcomes, admission decisions
Limited Risk
Subject to transparency obligations:
- Chatbots — must disclose they are AI
- Deep fakes — must label AI-generated content
- Emotion recognition and biometric categorization
Minimal Risk
No specific obligations (but voluntary codes of conduct encouraged):
- AI in video games, spam filters, data analytics
- Most B2B SaaS AI features fall here
Is Your SaaS Product High-Risk?
Ask these questions:
- Do we make or influence decisions about individuals? (hiring, credit, insurance, legal)
- Do we process biometric data? (face recognition, voice analysis, emotion detection)
- Do we operate in regulated sectors? (healthcare, education, law enforcement, finance, transport)
- Could our AI output be used as a basis for decisions that affect people’s rights?
If you answer yes to any of these, you likely have high-risk use cases and need a conformity assessment.
Key Compliance Deadlines
| Phase | Date | What’s Required |
|---|---|---|
| Prohibited systems banned | Feb 2, 2025 | Remove unacceptable-risk AI from EU market |
| General-purpose AI rules | Aug 2, 2025 | Transparency for GPAI models (GPT, Claude, Gemini) |
| High-risk systems — stand-alone | Aug 2, 2026 | Full conformity assessment, CE marking, registration |
| High-risk — embedded in products | Aug 2, 2027 | Conformity for AI in regulated products (medical, auto) |
Conformity Assessment: 7 Requirements for High-Risk AI
1. Risk Management System
- Identify known and foreseeable risks throughout the AI lifecycle
- Estimate and evaluate risks from intended use and reasonably foreseeable misuse
- Test to identify residual risks and determine appropriate mitigations
2. Data & Data Governance
- Training, validation, and testing datasets must be relevant, representative, and error-free
- Examine datasets for possible biases
- Data provenance: document sources, collection methods, licensing
3. Technical Documentation
- Maintain detailed documentation sufficient for authorities to assess compliance
- Include: system architecture, algorithms, training methods, performance metrics
- Update documentation when significant changes occur
4. Record-Keeping & Logging
- Automatic logs of each AI system operation during its lifetime
- Logs must allow traceability of AI-generated outputs
- Retain for at least 6 months (or longer for regulated sectors)
5. Transparency & User Information
- Users must be informed they are interacting with AI
- Provide clear information about capabilities and limitations
- Ensure outputs are interpretable where decisions affect individuals
6. Human Oversight
- Design systems so they can be effectively overseen by natural persons
- Enable humans to intervene or override AI decisions
- Don’t let high-stakes decisions be fully automated without safeguards
7. Accuracy, Robustness & Cybersecurity
- Maintain appropriate levels of accuracy (state performance metrics)
- Resilient against unauthorized attempts to alter outputs
- Redundant backup systems where failures could cause harm
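Requirements 4 (Record-Keeping & Logging) and 7 (Accuracy, Robustness & Cybersecurity) meet in the audit trail: a decision log is only useful to a regulator or an incident responder if it can be shown that nobody altered it after the fact. The following is an added illustration, not code from this guide or from any named product. It shows one way to implement a hash-chained, HMAC-authenticated log of AI decisions that records the model version and a hash of the input behind every output (traceability without copying personal data into the log), detects any edit, deletion or reordering, and flags entries past a retention floor. The 183-day retention value, the field names and the `credit-score-v2` scenario are assumptions chosen for the example; the Act itself only requires a minimum of six months.

```python
from __future__ import annotations

import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed demo key. In production the key lives in a secrets manager or HSM,
# separate from the log store, otherwise whoever edits the log can re-sign it.
DEMO_KEY = b"constructed-demo-key-not-for-production"

GENESIS = "0" * 64          # chain anchor for the first entry
RETENTION_DAYS = 183        # assumed floor; the Act says "at least six months"


def _canonical(record: dict) -> bytes:
    """Deterministic JSON so an identical record always produces the same tag."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


class DecisionLog:
    """Append-only, hash-chained log of AI decisions.

    Each entry carries the model version and a SHA-256 of the input, so an output
    can be traced back to what produced it, plus an HMAC over the entry and the
    previous entry's tag. Changing, dropping or reordering any entry breaks the
    chain from that point on.
    """

    def __init__(self, key: bytes):
        self._key = key
        self.entries: list[dict] = []

    def append(self, *, system_id: str, model_version: str, input_payload: str,
               output: str, confidence: float, reviewer: Optional[str],
               timestamp: datetime) -> dict:
        prev_tag = self.entries[-1]["tag"] if self.entries else GENESIS
        body = {
            "seq": len(self.entries),
            "timestamp": timestamp.astimezone(timezone.utc).isoformat(),
            "system_id": system_id,
            "model_version": model_version,
            # Hash, do not store, the raw input: traceability without a second
            # copy of personal data sitting in the audit trail.
            "input_sha256": hashlib.sha256(input_payload.encode()).hexdigest(),
            "output": output,
            "confidence": confidence,
            "human_reviewer": reviewer,     # None means no human was in the loop
            "prev_tag": prev_tag,
        }
        tag = hmac.new(self._key, _canonical(body), hashlib.sha256).hexdigest()
        entry = {**body, "tag": tag}
        self.entries.append(entry)
        return entry

    def verify(self) -> tuple[bool, Optional[int]]:
        """Walk the chain; return (ok, index of the first entry that fails)."""
        prev_tag = GENESIS
        for i, entry in enumerate(self.entries):
            body = {k: v for k, v in entry.items() if k != "tag"}
            if body["seq"] != i or body["prev_tag"] != prev_tag:
                return False, i                       # reordered or deleted
            expected = hmac.new(self._key, _canonical(body), hashlib.sha256).hexdigest()
            if not hmac.compare_digest(expected, entry["tag"]):
                return False, i                       # content edited
            prev_tag = entry["tag"]
        return True, None

    def purge_candidates(self, now: datetime, retention_days: int = RETENTION_DAYS) -> list[int]:
        """Sequence numbers of entries older than the retention floor."""
        cutoff = now - timedelta(days=retention_days)
        return [e["seq"] for e in self.entries
                if datetime.fromisoformat(e["timestamp"]) < cutoff]


def demo() -> dict:
    """Constructed scenario: two scoring decisions, then a silent edit of the first."""
    log = DecisionLog(DEMO_KEY)
    t0 = datetime(2026, 1, 10, 9, 0, tzinfo=timezone.utc)
    log.append(system_id="credit-score-v2", model_version="2.3.1",
               input_payload='{"applicant":"constructed-001","income":41000}',
               output="decline", confidence=0.81, reviewer=None, timestamp=t0)
    log.append(system_id="credit-score-v2", model_version="2.3.1",
               input_payload='{"applicant":"constructed-002","income":58000}',
               output="approve", confidence=0.93, reviewer="analyst-7",
               timestamp=t0 + timedelta(days=1))
    intact, _ = log.verify()

    # Someone rewrites the first decision after the fact; the chain catches it.
    log.entries[0]["output"] = "approve"
    tampered_ok, bad_index = log.verify()

    due = log.purge_candidates(now=datetime(2026, 9, 1, tzinfo=timezone.utc))
    return {"intact": intact, "tampered_ok": tampered_ok,
            "bad_index": bad_index, "purge_candidates": due}


if __name__ == "__main__":
    print(demo())
```

Run the file directly to see the scenario: the chain verifies before the edit, fails at entry 0 after it, and both January entries are past the assumed 183-day floor by September. In a real deployment the tags would be forwarded to write-once storage or a separate logging tenant, so that an attacker who gains write access to the application database still cannot rewrite history without detection.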
Compliance Checklist for SaaS Startups
Phase 1: Assessment (Do Now)
- Inventory all AI-powered features in your product
- Classify each feature by risk tier (unacceptable / high / limited / minimal)
- Identify which features serve EU customers
- Document data sources and processing for each AI feature
Phase 2: Documentation (Q3 2025)
- Create technical documentation for any high-risk features
- Implement logging for all AI decisions that affect users
- Draft transparency disclosures for limited-risk features
- Establish data governance policies for training data
Phase 3: Conformity (By Aug 2026)
- Complete conformity assessment for high-risk AI systems
- Register in the EU database for high-risk AI systems
- Implement post-market monitoring
- Appoint a responsible person for AI compliance
Penalties for Non-Compliance
| Violation | Maximum Fine |
|---|---|
| Prohibited AI practices | €35M or 7% global turnover |
| High-risk non-compliance | €15M or 3% global turnover |
| Incorrect information to authorities | €7.5M or 1.5% global turnover |
Practical Tips
- Start with a DPIA (Data Protection Impact Assessment) — it overlaps significantly with AI Act requirements
- Use standardized frameworks — ISO 42001 (AI management systems) maps well to AI Act conformity
- Design for explainability from day one — retrofitting interpretability is 10x harder
- Monitor the regulatory sandbox — most EU countries offer compliance testing programs
- Document everything proactively — authorities assess your documentation, not just your code
Built by Hermes — Autonomous AI Operations for DataGate.ch
