AI Regulation Watch

AI Act in Practice — Compliance Checklist for SaaS Companies in 2026

Regulation (EU) 2024/1689 — known as the EU AI Act — entered into force on 1 August 2024 and introduces graded regulation of AI systems depending on the level of risk. For SaaS companies that integrate or develop AI functionalities, the question is not whether obligations will arise, but which ones specifically and when. This text is informational in nature and does not replace individual legal advice.

Risk Classification: Four Levels

The AI Act divides AI systems into four categories:

Unacceptable risk — prohibited systems (prohibitions apply from 2 February 2025):
– Cognitive manipulation of users that bypasses free will
– Mass biometric surveillance in public spaces (with narrow exceptions for security authorities)
– Social scoring by public authorities
– AI that exploits vulnerabilities (age, disability)

High risk — strict requirements (application from August 2026 for new systems):
– Systems in the field of employment (CV screening, performance assessment)
– Critical infrastructure (energy, water supply)
– Education and vocational training
– Access to public services and benefits
– Migration, asylum, and border control
– Law enforcement

Limited risk — transparency obligations:
– Chatbots must inform users they are communicating with AI
– Deep-fake content must be labelled
– AI-generated text distributed at large scale must be labelled

Minimal risk — no specific obligations under the AI Act (spam filters, recommendation systems that are not high-risk).

What the AI Act Requires of High-Risk Providers

If your SaaS system falls under “high risk”, the obligations are substantial:

1. Risk Management System (Article 9) — A continuous process of identifying, assessing, and mitigating risks throughout the entire lifecycle of the system.

2. Data Governance (Article 10) — Training and test datasets must be relevant, representative, and free of errors that could lead to discrimination.

3. Technical Documentation (Article 11 + Annex IV) — A detailed description of the system: purpose, architecture, data flows, performance metrics, limitations.

4. Automatic Logging (Article 12) — High-risk systems must automatically record activities to the extent that allows subsequent reconstruction of decisions (post-market monitoring).

5. Transparency towards Users (Article 13) — Clear instructions for use, limitations, and human oversight.

6. Human Oversight (Article 14) — Measures enabling operators to take control, pause, or shut down the system.

7. Accuracy, Robustness, and Cybersecurity (Article 15) — Appropriate levels of accuracy, robustness, and cybersecurity, maintained consistently throughout the lifecycle, including resilience against attempts by third parties to alter the system's use or performance by exploiting its vulnerabilities.

8. Conformity Assessment (Article 43) — Self-assessment (for most high-risk systems) or independent third-party assessment (for certain categories). Affixing the CE marking. Registration in the EU database.

GPAI Models — Special Regime

The Regulation introduces specific rules for general-purpose AI (GPAI) models, such as large language models. Providers of GPAI models must:

  • Publish technical documentation
  • Publish a summary of data used for training
  • Implement a copyright compliance policy

High-risk systems built on GPAI models inherit the high-risk obligations described above.

Compliance Checklist for SaaS Companies (2025–2026)

Immediately (prohibitions active from 2 February 2025):
– [ ] Verify that no AI functionality falls within the category of prohibited systems
– [ ] Document the analysis for internal use

By August 2026 (high risk — new systems):
– [ ] Classify each AI system you develop or use
– [ ] For high risk: establish a risk management system
– [ ] Prepare technical documentation pursuant to Annex IV
– [ ] Implement automatic activity logging
– [ ] Ensure a human-in-the-loop mechanism
– [ ] Conduct a conformity assessment and register in the EU database

Transparency (immediately for chatbots and deep-fakes):
– [ ] Notify users that they are communicating with AI
– [ ] Label AI-generated content where applicable

Serbia and the EU AI Act

The AI Act applies to providers of AI systems that place systems on the EU market or use them in the EU — regardless of the company’s registered seat. A Serbian SaaS company selling to EU clients is subject to the AI Act. Serbia, as a candidate country, has no obligation of direct application, but harmonisation of laws is likely in the near future.

Frequently Asked Questions (Q&A)

Does the AI Act apply to a Serbian company selling SaaS in the EU? Yes. The AI Act has extraterritorial application — it applies to providers regardless of their registered seat, if they place AI systems on the EU market or if their systems are used in the EU.

Which SaaS systems are “high-risk”? High risk includes systems for employee screening (CV screening), credit risk assessment, and systems in education and public services. E-commerce recommendation systems are typically not high-risk.

What is a conformity assessment and do I need to engage a third party? For most high-risk systems, self-assessment with documentation is sufficient. An independent third party is mandatory for biometric systems and systems in critical infrastructure.

What are the penalties for breaching the AI Act? Up to EUR 35 million or 7% of total worldwide annual turnover for prohibited systems; up to EUR 15 million or 3% for other high-risk violations; up to EUR 7.5 million or 1% for providing incorrect information to the regulator.

Conclusion

The EU AI Act is operational. The question is not whether your SaaS will come under scrutiny — the question is when. System classification, documentation, and preparation for conformity assessment are manageable processes if started in time. If you wait for the regulator to contact you, the room for manoeuvre narrows drastically.

Sources:
– Regulation (EU) 2024/1689 (EU AI Act), OJ L, 12.7.2024
– EU AI Office: https://digital-strategy.ec.europa.eu/en/policies/european-approach-artificial-intelligence
– AI Office — guidelines and opinions
