EU AI Act Compliance
EU AI Act SaaS Compliance: Are You a Provider, Deployer, or Both?
Most SaaS companies are simultaneously an AI provider and an AI deployer under the EU AI Act — and that dual role doubles your compliance obligations. Here is how to work out exactly where you stand.
The dual-role trap most SaaS companies walk straight into
EU AI Act SaaS compliance is more complicated than it looks for one simple reason: most SaaS companies are not just one thing under the law. You build features on top of foundation models or AI APIs — that makes you a provider. You also run internal operations using AI tools from third-party vendors — that makes you a deployer. The AI Act treats those roles differently, and it assigns separate obligations to each. Miss one side of the equation and you are exposed.
This is not a hypothetical edge case. A CRM platform that adds an AI-powered lead-scoring feature is a provider of that feature to its customers. The same company probably uses an AI-assisted HR tool to screen job applicants. Under Article 3 of the AI Act, that makes them both a provider and a deployer — simultaneously, in the same working week.
What the AI Act actually means by provider and deployer
The definitions matter, so here they are plainly.
A provider is any natural or legal person that develops an AI system or general-purpose AI model and places it on the market or puts it into service. If you build an AI feature and your customers use it, you are a provider — even if the underlying model belongs to OpenAI or Anthropic and you are just wrapping it.
A deployer is any natural or legal person that uses an AI system under its own authority in a professional context. If you buy a SaaS HR tool with an AI screening module and you use it to filter CVs, you are the deployer. The HR tool vendor is the provider.
Article 25 is the article most SaaS teams have not read yet. It deals with the distribution of responsibilities along the value chain. The key principle: when a downstream operator — that is you, as a SaaS company wrapping a third-party model — makes a substantial modification to an AI system, or puts a general-purpose AI system to a specific use the original provider did not foresee, the downstream operator takes on provider obligations for that adapted system.
In plain terms: fine-tuning a model, adding a specific output layer, or building a product workflow around a general-purpose API can shift full provider liability onto you.
The three-layer stack you need to map
Think of your AI exposure in three layers.
Layer 1 — Upstream vendors you rely on. This is your AI stack as a deployer. Foundation model APIs, AI-assisted analytics tools, automated HR platforms, AI customer service widgets you have licensed. For each of these, you are the deployer and the original vendor is the provider. Under Article 26, you have deployer obligations: conduct a fundamental rights impact assessment for high-risk systems, maintain logs where the system allows it, ensure human oversight is in place, and inform affected individuals where required.
Layer 2 — AI features you have built. This is your AI stack as a provider. Anything your engineering or product team has built that qualifies as an AI system under Annex I and ships to your customers. For high-risk applications — recruitment tools, creditworthiness scoring, safety-critical components — you face the full Article 16 provider obligation set: conformity assessments, technical documentation, EU Declaration of Conformity, post-market monitoring.
Layer 3 — The grey zone. This is where most SaaS companies actually live. You take a foundation model API, build a product feature around it, and sell that to business customers. You are not the original model developer. But you have made design decisions about how the model is used, what data it sees, what outputs it produces, and what your customers do with those outputs. The Act does not let you stay neutral here. If you have modified the intended purpose or made material design choices, Article 25 moves provider obligations to your door.
Where the obligations multiply
The practical burden is not that any one obligation is crushing. The burden is that you are managing obligations from two directions at once.
As a provider, your key deadlines run from August 2026, when obligations for high-risk AI systems under Annex III become enforceable. You need technical documentation ready, a quality management system in place, and conformity assessment completed before your product reaches EU customers.
As a deployer, some obligations are already live. The prohibition articles under Article 5 — covering unacceptable-risk AI practices such as social scoring and certain biometric categorisation — applied from 2 February 2025. If any vendor in your stack is doing something that touches those prohibitions, you bear responsibility for continuing to use that system.
AI literacy obligations under Article 4 also apply from 2 February 2025. Your staff who work with AI systems need documented, proportionate training. That applies whether those systems are your own product or a third-party tool.
Penalties under Article 99 reach €35 million or 7% of global annual turnover for violations of Article 5 prohibited practices — whichever is higher. For other provider failures on high-risk systems, the ceiling is €15 million or 3% of turnover. These are not hypothetical numbers. They are already written into law.
Allocating responsibility in your contracts
One of the most practical things a SaaS company can do right now is audit its vendor contracts and its customer terms.
On the vendor side: do your AI API and platform contracts include the information handover obligations required under Article 25? Providers are supposed to give deployers the information they need to comply. If your AI API contract does not mention the AI Act at all, you are flying blind on what risk category the system sits in, what limitations apply, and what logs are available to you.
On the customer side: if you are a provider, your customers need to know they are using an AI system and what risk level it carries. Article 50 requires transparency for certain AI outputs, including a clear disclosure when users interact with AI-generated content or an AI system that could be mistaken for a human. Your terms of service and product documentation need to reflect this.
A short AI Act statement, attached to your product documentation or embedded in your terms, is the minimum. It should state the risk classification of your AI features, the data inputs used, the human oversight mechanism available, and who to contact for complaints.
Building a lean compliance structure that covers both roles
For a SaaS company with 20 to 200 employees, a full compliance programme does not need to be a six-month project. It needs to be a structured inventory.
Start with an AI system register. List every AI system your company builds or uses. For each one, record: is this system a provider or deployer relationship? What risk category does it fall into? What obligations apply? Who internally owns compliance for it?
For your provider-side systems, the next step is a preliminary risk classification against Annex III. Many SaaS AI features will fall into limited-risk or minimal-risk categories, which means lighter disclosure obligations rather than full conformity assessment. Know your classification before August 2026.
For your deployer-side systems, review each vendor contract before Q4 2025. Flag any gaps in AI Act information handover. For any system that touches employment, credit, education, or safety, conduct a proportionate fundamental rights impact assessment now — do not wait.
Document everything. The AI Act is an evidence-based regime. Regulators will ask for records: training logs, risk assessments, oversight procedures, incident reports. The companies that get through audits cleanly are the ones that built the paper trail early.
Knowing whether you are a provider, a deployer, or both is the first question the AI Act asks of every SaaS company. Answer it clearly, map your stack against the right obligation sets, and you have a compliance programme that is proportionate and defensible. Start with your AI system register this week — it takes an afternoon and it gives you the foundation for everything else.
Run a free 2-minute compliance check at comply.khairos.ai to see which obligations apply to your specific stack right now.
# Need help getting compliant?
The free 2-minute compliance check shows you exactly where your gaps are. No email gate to see your score.
Start the free check →