Scan Your AI Stack for EU AI Act Obligations
Calling OpenAI, Anthropic, or Google APIs in your SaaS makes you a deployer under Art. 3(4) of the EU AI Act (except for purely personal, non-professional use); this 2-minute scan lists your obligations.
Not sure where to start?
- Does the EU AI Act apply to me? — 5-question decision tree
- EU AI Act deployer obligations — the duty surface for SaaS using third-party AI APIs
- OpenAI, Anthropic, Google deployer guide — provider-by-provider breakdown
- DPIA template for AI — generate a Data Protection Impact Assessment
- AI literacy training (Article 4) — foundation to enforcement
Why a scanner for SaaS using third-party AI
Most EU AI Act guidance is written for the companies training the models. If your SaaS calls OpenAI's, Anthropic's, or Google's API, you're a deployer, and the regulation applies to you from 2 August 2026 regardless of whether you trained anything.
Deployer obligations sit on three load-bearing articles:
- Art. 4 AI literacy: every staff member or contractor handling AI on your behalf must have a sufficient grasp of the system they operate.
- Art. 50 transparency: tell users they're talking to AI; mark AI-generated audio, images, video, and public-interest text.
- Art. 26 high-risk deployer duties: human oversight, monitoring, and 6-month log retention (Art. 26(6)) when your use-case lands in Annex III.
The scanner walks through provider, use-case, and region in three steps and maps to the obligations triggered. For depth, see the EU AI Act deployer obligations guide; for the literacy duty, AI literacy training (Article 4); for the chatbot rules, the Article 50 transparency obligations explainer.
What the scan tells you
- Your role. Most SaaS using third-party AI APIs come back as deployer under Art. 3(4); a small number are providers if they materially modify the model.
- Your risk tier with cited articles. Minimal, limited (Art. 50), or high-risk (Annex III use-cases or Annex I safety-component products under Art. 6). If your use-case lands in Art. 5 prohibited practices — social scoring, real-time biometric ID in public, manipulative AI — the scan flags it as out-of-bounds, not just high-risk.
- Your deadline window. Most deployer obligations apply from 2 August 2026 (Art. 113); the Art. 4 AI literacy duty has been in force since 2 February 2025.
What it is not: the scanner does not replace your DPIA template for AI (Art. 26(9)), it does not audit your vendors, and it is not legal advice. It produces a starting list of obligations to discuss with your DPO or counsel.
How the answers stay current
Compliance moves with regulation, not the calendar. We monitor the European Commission, the AI Office, and CEN-CENELEC JTC 21 weekly, and ship updates when source text changes.
Two recent inputs we tracked: the Commission's proposed Digital Omnibus on AI (COM(2025) 836, 19 November 2025) — currently a proposal, not adopted — and the CEN-CENELEC JTC 21 exceptional-measures package (October 2025) targeting Q4 2026 publication of the harmonised standards under Art. 40.
Last reviewed: 2026-04-26.
Frequently asked questions
We just call OpenAI's API — are we really in scope?
Yes. Art. 3(4) defines a deployer as anyone using an AI system under their own authority; calling OpenAI, Anthropic, or Google's API in your product makes you the deployer. You owe Art. 4 AI literacy and, if user-facing, Art. 50 transparency at minimum.
Does the EU AI Act apply to my SaaS?
Almost certainly, if you serve EU users. The territorial scope (Art. 2) covers anyone whose AI system or its output is used in the Union. Run the scanner above, or work through the "Does the EU AI Act apply to me?" decision tree for the longer walkthrough.
Will the Omnibus push these deadlines back?
As of late April 2026: no. The Commission published the Digital Omnibus on AI (COM(2025) 836) on 19 November 2025 proposing extensions to Annex III and Annex I dates, but the proposal has not been adopted. The 2 August 2026 general application date stands.
We did a GDPR DPIA — do we need a separate AI Act assessment?
Sometimes overlapping, never identical. GDPR governs personal data; the AI Act governs AI systems. Art. 26(9) explicitly says the deployer DPIA can build on the GDPR Art. 35 one. But Article 4 AI literacy and Art. 50 transparency are AI Act-specific obligations a GDPR DPIA does not cover.
What's the penalty if we ignore this?
Art. 99 sets three tiers, each capped at whichever is higher: prohibited-practice violations up to EUR 35M or 7% of worldwide turnover (Art. 99(3)); operator obligations — including Art. 26 deployer duties and Art. 50 transparency — up to EUR 15M or 3% of worldwide turnover (Art. 99(4)); and incorrect-information offences up to EUR 7.5M or 1% of worldwide turnover (Art. 99(5)).
For SMEs, Art. 99(6) inverts the formula: the cap is the lower of the percentage and the absolute amount, not the higher. Worked examples and the SME-cap maths are in the EU AI Act fines guide.
How is this kept current?
Weekly review of the Commission, the AI Office, and CEN-CENELEC JTC 21. JTC 21 is the body drafting the Art. 40 harmonised standards; it adopted an exceptional-measures package in October 2025 to publish key drafts by Q4 2026. The page footer carries the last-reviewed date.
Is this legal advice?
No. The scanner produces a structured starting list of obligations from your stack, the law text, and current Commission output. Take it to your DPO or external counsel before relying on it. See Terms.