← Back to blogAI Act Impact Assessment for SaaS: What to Check Before Launch
2026-07-14·7 min read·Compliance, Impact Assessment, Checklist
Why SaaS teams need an impact assessment
Before you launch — or before your next EU customer signs — you need to know how the EU AI Act applies to your product. An impact assessment is not a legal opinion. It is a structured way to answer: What does our AI do, who does it affect, and what obligations follow?
Most founders skip this and discover gaps during legal review, investor diligence, or an enterprise security questionnaire.
The SaaS impact analysis checklist
1. Define the AI system boundary
- What features use AI (ranking, generation, classification, recommendations)?
- Which models or APIs power them (OpenAI, Anthropic, in-house)?
- Is AI always-on, or optional per customer?
If you cannot draw this boundary, you cannot assess impact.
2. Identify affected users and decisions
- Does the AI influence access to jobs, credit, education, healthcare, or essential services?
- Are decisions fully automated, or reviewed by a human?
- Do outputs affect individuals in the EU?
High-impact use cases (HR screening, credit, education assessment) trigger stricter obligations than internal analytics or generic chatbots.
3. Classify risk under the AI Act
| Category | Examples for SaaS | Typical obligations |
| Unacceptable | Social scoring, manipulative AI | Banned |
| High-risk | HR AI, EdTech assessment, credit scoring | Documentation, logging, human oversight |
| Limited risk | Customer support bots, content generation | Transparency disclosure |
| Minimal risk | Spam filters, internal tools | Minimal |
4. Map documentation you already have vs. what is missing
Common gaps we see in SaaS impact assessments:
- No model inventory (provider, version, purpose)
- No AI disclosure on product or marketing site
- No description of training/fine-tuning data
- No logging for AI-assisted decisions
- No human override workflow documented
5. Assess cross-border and deployer obligations
- Are you a provider (you build/customize the AI) or deployer (you use a third-party API)?
- Do you need an EU authorized representative?
- Does your customer contract pass obligations correctly to enterprise buyers?
6. Prioritize fixes by enforcement risk
Not every gap is urgent. Prioritize:
- Transparency (AI disclosure) — applies to almost everyone
- High-risk classification — if you are in Annex III territory
- Logging and human oversight — for decisions affecting individuals
- Conformity documentation — before scaling in regulated verticals
What to do this week
- Run a structured impact assessment on your product (free scanner)
- Work through the full 10-step EU AI Act checklist
- Add an AI disclosure notice to your site and product
- Document your model inventory and data flows
- Book legal review with a clear list of open questions
This is a preliminary technical guide. Always consult qualified legal counsel for compliance decisions specific to your product.