The headline numbers are scary: €35 million or 7% of global annual turnover. But the reality is more nuanced — and in some ways more concerning for SaaS founders.
| Violation | Max fine | Compared to GDPR |
|---|---|---|
| Prohibited AI practices (Art. 5) | €35M or 7% turnover | Same as GDPR top tier |
| Non-compliance with high-risk obligations | €15M or 3% turnover | GDPR mid tier |
| Providing incorrect info to authorities | €7.5M or 1% turnover | GDPR low tier |
| Date | Milestone |
|---|---|
| Feb 2025 | AI Act entered into force |
| Aug 2025 | Prohibited practices ban生效 |
| Aug 2026 | AI Act rules apply (most obligations) |
| Aug 2027 | Annex III high-risk system obligations apply in full |
Key: For most AI SaaS founders, the clock started ticking in August 2025. Full enforcement for high-risk systems kicks in August 2027, but transparency obligations (Article 50) are already in effect.
National regulators (each EU member state designates one) will prioritize:
If you're a B2B AI SaaS without AI disclosure on your website, you're in category 3 — and that's the easiest fix.
The fine itself is usually not the biggest risk. What hurts more:
The EU AI Act is enforced by each member state's market surveillance authority. In practice:
| Your situation | Estimated risk | What to do |
|---|---|---|
| No AI disclosure | High | Add it this week |
| High-risk system, no docs | Very high | Run scan + legal review |
| Limited risk, basic docs | Low | Maintain and update |
| Minimal risk, some docs | Very low | No immediate action |
The EU AI Act is enforced. Fines are real. But most SaaS founders have 12–24 months to get their documentation in order — if they start now.
The worst position is not knowing where you stand.
Run a free AI Act readiness scan. Get your risk score in 2 minutes.
→ Get your free risk score