July 1, 20269 min readBy Infiniti Tech Partners
The EU AI Act for US and UK SaaS: A Practical Compliance Guide

The EU AI Act is the first comprehensive AI law, and like GDPR before it, it reaches well beyond Europe's borders. If your SaaS ships an AI feature and a single EU user can touch it, the Act is potentially your problem — regardless of where your company or servers sit. The good news, and the part the headlines miss, is that the vast majority of SaaS AI features fall into low-obligation tiers. The Act is risk-based: a customer-support chatbot and a system that screens job applicants are governed completely differently. The expensive mistake is assuming either that none of it applies or that all of it does. Here is how to figure out which tier you're actually in and what it costs you.

Does it even apply to you?

The Act has extraterritorial reach, exactly like GDPR. It applies if you put an AI system on the EU market, if your output is used in the EU, or if the people affected are in the EU — even with no EU entity, office, or servers. In practice it becomes real the same way GDPR does: a European customer's procurement team sends a questionnaire, or a deal won't close without an answer about your AI governance. Your role also matters: most SaaS companies are 'providers' (you build and ship the AI feature) and sometimes 'deployers' (you use someone else's AI in your operations). Providers carry the heavier obligations. The first step is simply knowing which AI systems you operate, what they do, and who they affect — an inventory most teams have never written down.

The four risk tiers

  • Unacceptable risk (banned): social scoring, manipulative or exploitative systems, most real-time biometric identification in public. If you're building these, the answer is don't.
  • High risk (heavily regulated): AI used in hiring and HR, credit and lending decisions, education access, essential services, medical devices, critical infrastructure, and biometric categorization. This tier carries the real compliance load — risk management, data governance, documentation, human oversight, accuracy and robustness requirements, and registration.
  • Limited risk (transparency obligations): chatbots, emotion-recognition, and generative AI that produces text, images, audio, or video. The core duty is disclosure — users must know they're interacting with AI, and synthetic media must be labeled. Most SaaS AI features live here.
  • Minimal risk (no specific obligations): spam filters, recommendation engines, AI in games, most productivity features. The bulk of everyday AI falls here and is essentially unregulated by the Act.

Where most SaaS actually lands

If your AI feature summarizes documents, drafts text, answers questions, generates images, powers a chatbot, or recommends content, you are almost certainly in limited or minimal risk — and your obligations are light: tell users they're talking to AI, label AI-generated media, and don't make deceptive claims. The trap is feature creep into high risk. The moment your product influences a hiring decision, a loan approval, an insurance price, access to education, or a medical judgment, you cross into the high-risk tier and the obligations multiply. Teams building HR tech, fintech, insurtech, and healthtech need to take this seriously now; most other SaaS needs a transparency notice and an honest inventory.

Concrete obligations by tier

  • Everyone: maintain an inventory of your AI systems and their risk classification, and ensure 'AI literacy' — that the people building and operating these systems understand them. This is already in force.
  • Limited risk: clear user-facing disclosure that AI is in use; machine-readable marking of AI-generated or manipulated content (the labeling rules for generative output).
  • High risk: a documented risk-management system, data-governance and bias controls, detailed technical documentation, automatic logging, meaningful human oversight, accuracy/robustness/cybersecurity standards, a conformity assessment, and registration in the EU database before going to market.
  • Using a general-purpose model (GPAI): if you build on a frontier model from a major provider, the heaviest GPAI obligations sit with that provider — but you inherit duties around transparency and acceptable use, so read your model provider's terms and documentation.

The timeline that matters

  • The Act entered into force in 2024 and phases in over several years rather than all at once.
  • Already live: the bans on unacceptable-risk systems and the AI-literacy duty.
  • Phased in next: the GPAI/general-purpose model obligations, then the transparency rules for limited-risk systems, and finally — on the longest runway — the full high-risk requirements.
  • Penalties are GDPR-scale: the most serious violations reach into the tens of millions of euros or a percentage of global annual turnover, whichever is higher. This is not a regime to ignore because enforcement feels distant.

What to do this quarter

Start with the inventory: list every AI system you provide or deploy, what it does, and who it affects, then classify each into a tier. For anything limited-risk, ship the disclosure and content-labeling now — it's cheap. For anything that looks high-risk, treat it like a compliance program, not a feature, and budget accordingly. Fold AI governance into the privacy and security posture you already maintain for GDPR rather than standing up a parallel function — the data-governance, documentation, and logging muscles overlap heavily. And build the security and oversight controls the Act expects into the system from the start, because retrofitting human oversight and logging is far more expensive than designing them in.

How Infiniti Tech Partners helps with AI governance

We help US and UK SaaS teams inventory and classify their AI systems, ship the transparency and logging controls the Act expects, and — for genuinely high-risk products — build the documentation, human-oversight, and data-governance scaffolding that a conformity assessment requires. We tell you honestly which tier you're in, so you don't over-build for a chatbot or under-build for a hiring tool. If an EU customer has started asking about your AI governance, that's the signal to start a conversation.

Frequently asked questions

Does the EU AI Act apply to US and UK companies?

Yes. Like GDPR, the EU AI Act has extraterritorial reach: it applies if you put an AI system on the EU market, if your output is used in the EU, or if the people affected are in the EU — even with no EU entity, office, or servers. In practice it becomes real when a European customer's procurement team asks about your AI governance or a deal won't close without an answer. Most SaaS companies are 'providers' who build and ship the AI feature, which carries the heavier obligations.

What are the risk tiers in the EU AI Act?

The Act is risk-based with four tiers. Unacceptable-risk systems (social scoring, manipulative systems, most public biometric ID) are banned; high-risk systems (hiring, credit, education, medical, critical infrastructure) carry heavy obligations like risk management, documentation, human oversight, and registration; limited-risk systems (chatbots and generative AI) mainly owe transparency — disclosing AI use and labeling synthetic media; and minimal-risk systems (spam filters, recommendations, most productivity features) have no specific obligations. Most SaaS AI features land in limited or minimal risk.

What does a typical SaaS company need to do for EU AI Act compliance?

If your AI summarizes, drafts, answers, generates media, or powers a chatbot, you're almost certainly limited or minimal risk, so the obligations are light: tell users they're interacting with AI, label AI-generated content, and keep an inventory of your AI systems with their risk classification. The trap is feature creep into high risk — the moment your product influences hiring, lending, insurance pricing, education access, or medical judgments, the obligations multiply. Start with the inventory, ship transparency notices now, and treat any high-risk feature as a compliance program rather than a feature.

Have a related problem you're working on?

Talk to a senior engineer — usually within one business day.

Start a conversation