Is My SaaS Product High-Risk Under the EU AI Act?


One AI feature can change your risk classification. Here’s how to classify correctly before the August 2, 2026 deadline.
17 May 2026 · ~8 min read
Section 1

The Four Risk Tiers Under EU AI Act

Your EU procurement team has asked for your EU AI Act compliance status. Your sales engineer is waiting. You do not know the answer because no one in the company has ever run the classification exercise. This is the situation hundreds of B2B SaaS companies are in right now — with the August 2, 2026 deadline approaching. Our AI Governance & Risk practice helps SaaS companies classify and comply before the deadline. See also our full guide on EU AI Act classification.
Prohibited Practices
Article 5 — immediate ban, no transition
Banned outright since February 2, 2025 — no grace period, no transition.
Social scoring systems that rank individuals based on behaviour or personal characteristics. Untargeted scraping of facial images for biometric databases. Real-time remote biometric identification in public spaces (with narrow law-enforcement exceptions). AI that exploits vulnerabilities of specific groups. Emotion recognition in workplace or educational settings.
Penalty: Up to €35 million or 7% of global annual turnover, whichever is higher.
High-Risk AI Systems
Annex III — 8 categories, full compliance stack; deadline August 2, 2026
Full compliance obligations apply. Eight Annex III categories: employment and workforce management (HR, recruiting), access to essential services (credit, insurance), healthcare and medical devices, education and vocational training, biometric identification, critical infrastructure, law enforcement, migration and border control.
What is required: risk management system, technical documentation, human oversight mechanisms, conformity assessment, EU database registration, ongoing monitoring. Penalty: up to €15 million or 3% of global turnover.
Limited Risk
Article 50 — transparency obligations only
Transparency obligations only — no conformity assessment or registration required.
Chatbots and conversational AI must disclose that users are interacting with an AI. Deepfakes and AI-generated content must be labelled as such. Emotion recognition systems must inform individuals. These obligations are ongoing — not a one-time disclosure at onboarding.
Most SaaS products with AI features fall here if they are not in Annex III. Review Article 50 carefully before assuming minimal risk.
Minimal Risk
No Annex III use case — no compliance stack
No EU AI Act obligations — but the classification must be documented to demonstrate the determination.
Most productivity tools, spam filters, AI writing assistants, recommendation engines, internal analytics tools. The key test: no Annex III use case, no individual profiling with decision impact, no regulated product integration.
Do not assume minimal risk without running the classification test. One AI feature added to an otherwise minimal-risk product can change the classification of the entire system if it touches an Annex III category.
Critical point on SaaS
Your product can be minimal-risk in one deployment context and high-risk in another. Classification follows intended use — not architecture. A cloud-delivered writing tool is minimal risk. The same tool with a CV screening feature sold to HR teams is high-risk. The SaaS delivery model does not create an exemption.
Section 2

Decision Tree — Classify Your SaaS Product

Answer 5 questions to find your preliminary classification. This is a first-pass indicator — a definitive classification requires full legal analysis of your system’s intended use and deployment context.
5-question EU AI Act classification guide, based on Annex III categories and Article 6(3) exceptions.
Question 1 of 5: Does your product include AI that affects individuals in any of these areas: employment decisions, credit or insurance, healthcare, education, law enforcement, migration, or biometric identification? (Yes / No)
Question 2 of 5: Does the AI make or meaningfully influence the decision — for example by ranking, scoring, filtering, or recommending individuals? (Yes, it influences outcomes / No, a human decides independently)
Question 3 of 5: Does the AI profile individuals — assess personal traits, behaviour, creditworthiness, health risk, performance, or similar characteristics? (Yes / No)
Question 4 of 5: Is your product a general AI assistant, writing tool, or internal productivity tool with no impact on individual decisions in Annex III domains? (Yes / No, it has decision impact)
Question 5 of 5: Do you deploy AI as a safety component or within an EU-regulated product — such as a medical device, machinery, vehicle, or critical infrastructure system? (Yes / No)
Section 3

Classification by SaaS Vertical

Six common SaaS verticals. For each: the specific AI feature that triggers classification, the resulting risk tier, and the legal basis. Architecture does not determine classification — intended use does.
HR & Recruiting
AI feature example: AI CV screening, candidate ranking, automated interview assessment
Classification: HIGH RISK
Why & legal basis: Annex III, Category 4(a): AI used for recruitment, selection, promotion, task allocation or performance monitoring. Applies even when humans make the final hire/reject decision.
Reference: Annex III, Art. 4(a) · Art. 6(3) exceptions narrow

Fintech & Credit
AI feature example: AI credit scoring, loan eligibility, insurance risk assessment
Classification: HIGH RISK
Why & legal basis: Annex III, Category 5(b): AI used to evaluate creditworthiness or establish credit scores. Also Category 5(c) for risk assessment in life and health insurance. Includes B2B lending tools that assess individual guarantors.
Reference: Annex III, Art. 5(b), 5(c)

Healthcare SaaS
AI feature example: AI clinical decision support, diagnosis assistance, patient triage
Classification: HIGH RISK
Why & legal basis: Annex III, Category 2(a): AI intended to be used as a safety component of medical devices, or itself classified as a medical device under EU MDR/IVDR. Clinical decision support that influences treatment is almost always in scope.
Reference: Annex III, Art. 2(a) · EU MDR interface

EdTech
AI feature example: AI student assessment, automated grading, adaptive learning profiling
Classification: HIGH RISK
Why & legal basis: Annex III, Category 3(a): AI used to determine access to educational institutions or evaluate learners. Automated grading and profiling of students in formal education settings is in scope. Tutoring tools with no assessment function may qualify for the Art. 6(3) exception with documentation.
Reference: Annex III, Art. 3(a) · Art. 6(3)

Legal SaaS
AI feature example: AI contract review assistant, legal research tool, clause drafting
Classification: MINIMAL RISK
Why & legal basis: No Annex III use case. AI contract review assists lawyers but does not profile individuals, make access decisions, or operate in a listed domain. Article 50 transparency obligations apply if the tool is conversational. Law enforcement and judicial AI is separately in scope — this does not cover general legal productivity tools.
Reference: No Annex III match · Art. 50 applies

Productivity & Writing
AI feature example: AI writing assistant, document summarisation, code generation
Classification: MINIMAL RISK
Why & legal basis: No Annex III use case. General-purpose productivity and writing tools with no decision impact on individuals are outside high-risk scope. Article 50 transparency obligations apply to conversational interfaces. Classification must still be documented. Adding any HR, credit, or health feature to the same product reopens classification.
Reference: No Annex III match · Document classification
Article 6(3) — do not self-declare without documentation
Your AI is not automatically non-high-risk just because a human makes the final call. Article 6(3) exception applies only when the AI performs a purely preparatory task, does not profile individuals, and does not meaningfully influence the outcome. If the AI ranks, scores, or filters candidates or applicants — even as one step in a human workflow — the exception is unlikely to apply. Claiming it without documented legal analysis exposes you to enforcement risk from national market surveillance authorities.
Not sure whether your product is high-risk under EU AI Act? A classification review before August 2, 2026 identifies your obligations and any Article 6(3) exceptions you can genuinely claim.
Section 4

If You Are High-Risk — What You Need by August 2, 2026

Nine compliance obligations for high-risk AI system providers. All must be in place before you place the system on the EU market or put it into service. For implementation support, see our AI Governance & Risk services.
High-risk AI provider compliance checklist: 9 obligations, mandatory before August 2, 2026
AI system inventory and classification documentation
List every AI component in your product. For each: intended use, Annex III category assessment, and any Article 6(3) exception analysis. Classification must be documented — a self-declaration without analysis is not sufficient for enforcement purposes.
Risk management system (Article 9)
A continuous process covering identification and analysis of reasonably foreseeable risks, risk estimation and evaluation, risk mitigation measures, and residual risk evaluation. Must be kept up to date throughout the system’s lifecycle. Not a one-time document — a live operational process.
Art. 9 · Ongoing lifecycle obligation
Technical documentation (Annex IV)
Comprehensive technical documentation covering system description, development process, training data, validation and testing, performance metrics, and changes made post-market. Must be maintained and made available to national authorities on request. Annex IV specifies the required content in detail.
Annex IV · Must be available to authorities
Data governance procedures (Article 10)
Training, validation and testing data must be subject to data governance practices covering: relevance and representativeness, collection and procurement processes, data preparation, examination for biases, and identification of data gaps. Documented procedures — not informal practices.
Art. 10 · Intersects with GDPR Article 22
Human oversight mechanisms (Article 14)
High-risk AI systems must be designed to allow effective oversight by natural persons. This includes the ability to understand capabilities and limitations, detect and address failures, override or interrupt the system, and not rely solely on AI output without independent verification. Must be built into the product — not just stated in documentation.
Accuracy, robustness, and cybersecurity (Article 15)
High-risk systems must achieve appropriate levels of accuracy, robustness, and cybersecurity throughout their lifecycle. Performance metrics must be declared. Testing must cover reasonably foreseeable conditions including adversarial conditions. Accuracy thresholds must be documented.
Art. 15 · Performance metrics must be declared
Conformity assessment (Article 43)
Most Annex III categories allow self-assessment (internal control procedure under Annex VI). Biometric identification and certain other categories require third-party assessment by a notified body. Conformity assessment results must be documented before EU market placement.
Art. 43 · Most SaaS: self-assessment permitted
EU database registration (Article 71)
High-risk AI systems must be registered in the EU database before market placement. The database is operated by the European Commission. Registration requires system identification information, provider information, intended purpose, and conformity assessment reference. Non-EU providers must appoint an EU representative for registration.
Art. 71 · eu-ai-act-database.ec.europa.eu
EU representative appointment (non-EU providers)
If your company is based outside the EU but your high-risk AI system is placed on the EU market or put into service for EU users, you must appoint an EU-based authorised representative before the deadline. The representative is responsible for regulatory compliance and is the contact point for national authorities. See also our AI governance frameworks practice.
Need to classify your product and build your compliance stack before August 2?
WCR Legal runs EU AI Act classification exercises for SaaS companies — identifying your risk tier, any Article 6(3) exceptions you can claim, and the full compliance obligations that apply. We work to your deadline.
Section 6

Common Questions from SaaS Founders

Frequently asked questions: SaaS exemptions, penalties, non-EU providers

1. Does SaaS architecture exempt my product from EU AI Act high-risk obligations?
No. The EU AI Act does not distinguish between SaaS and on-premise deployment. Cloud-based products accessible from the EU are fully in scope. The Act regulates AI systems based on their intended use and the risk they pose to individuals — not on their delivery mechanism. If your system’s intended use falls under Annex III, the high-risk obligations apply regardless of whether it is SaaS, API-delivered, on-premise, or embedded in a mobile application.
2. My AI only assists humans — humans make the final decision. Am I still high-risk?
Possibly — and this is the most common misunderstanding in SaaS classification. The Article 6(3) exception applies only in narrow circumstances: the AI must perform a purely preparatory or assistive task, must not profile individuals, and must not meaningfully influence the outcome. If your AI ranks candidates, scores applicants, filters a pool, or provides a recommendation that shapes what options a human sees — the exception is unlikely to apply, even if a human formally presses the button. Claiming Article 6(3) without documented legal analysis is an enforcement risk. The exception must be justified, not assumed.
3. What is the penalty for non-compliance with high-risk obligations?
Up to €15 million or 3% of global annual turnover, whichever is higher, for violation of provider or deployer obligations under Articles 8–15 and 25–29. For prohibited AI practices under Article 5: up to €35 million or 7% of global turnover. National market surveillance authorities have powers including product withdrawal, suspension of market access, and financial penalties. The penalties apply to global turnover — not just EU revenue. See our AI risk and liability practice for enforcement risk assessment.
4. My company is based in the US. Does the EU AI Act apply to us?
Yes, if your product is used by EU users or your AI system’s outputs affect EU residents. The extraterritorial reach of the EU AI Act mirrors GDPR — it applies wherever the effect is felt in the EU, not where the company is incorporated. A US-headquartered SaaS company with EU customers selling an HR tool that screens EU job applicants is fully in scope for high-risk obligations. You will also need to appoint an EU-based authorised representative before placing the system on the EU market. See our full article on the EU AI Act for non-EU providers.
5. What is the first step I should take right now?
Build an AI system inventory. List every AI component in your product: its intended use, the data it processes, who it affects, and what decisions or recommendations it influences. Then map each component against the eight Annex III categories. For any component that touches an Annex III category, assess whether Article 6(3) genuinely applies — and document the analysis. This inventory is the foundation of every subsequent compliance obligation. Our AI Governance & Risk practice runs this classification exercise with SaaS companies and delivers a documented risk tier determination with supporting legal analysis. The August 2, 2026 deadline is the operative date for most high-risk obligations.

Oleg Prosin is the Managing Partner at WCR Legal, focusing on international business structuring, regulatory frameworks for FinTech companies, digital assets, and licensing regimes across various jurisdictions. He works with founders and investment firms on compliance, operating models, and cross-border expansion strategies.