Readiness · 12 points · effective 2 Aug 2026
EU AI Act readiness checklist for SMB SaaS.
Twelve concrete questions for SaaS teams shipping AI features. Scoped to Article 50 — the transparency obligations — because that’s the part most general-purpose SaaS will hit first. Not legal advice.
- 01
Map every AI-powered surface in your product.
Chatbots, smart-compose, autocomplete, AI-generated summaries, image or audio synthesis, deepfake or face-swap tools. If it generates content or interacts with users, it sits inside Article 50.
- 02
Decide which obligations apply per surface.
Chat interfaces → Art. 50(1) disclose AI interaction. Generative endpoints → Art. 50(2) mark synthetic output. Deepfake-capable features → Art. 50(4). Each surface can hit more than one.
Reference · Art. 50(1)–(4)
- 03
Write your user-facing disclosure copy.
Plain language, accessible, in the language of the user. The disclosure must be clear no later than the first interaction — not buried in a Terms of Service.
Reference · Art. 50(5)
- 04
Mark synthetic outputs in a machine-readable way.
A visible label alone is not sufficient. The marking must be machine-detectable — for example via C2PA content credentials, watermarks, or provenance metadata included with the asset.
Reference · Art. 50(2)
- 05
Capture a server-side disclosure event log.
A claim that the banner was shown is not evidence. You need a timestamped record per render, per acknowledgement, per dismissal. Browser-only logging is insufficient for audit.
- 06
Timestamp every event server-side and hash the record set.
Each event needs a server-side UTC timestamp — browser-reported time is not evidence. Append-only storage (no tenant edit or delete path) plus a SHA-256 hash over the full canonicalised event set gives you a verifiable integrity check: if the underlying records change, the published hash no longer matches.
- 07
Handle deepfake disclosures separately.
If your product can generate or manipulate images, audio, or video of real people, the deployer must label the output. The narrow artistic-expression carve-out does not cover commercial deployment.
Reference · Art. 50(4) ¶1
- 08
Treat raw IP addresses as personal data.
Hash with a rotating salt, store only a coarse-truncated form (/24 for IPv4, /48 for IPv6), and document retention. Storing raw IPs creates a GDPR liability that compounds an Article 50 exposure.
- 09
Decide who counts as a deployer for public-interest text.
If your platform publishes AI-generated text on matters of public interest — news summaries, market commentary, civic information — the publisher is the deployer and the disclosure obligation lands on them.
Reference · Art. 50(4) ¶2
- 10
Verify the obviousness exemption with evidence, not assumption.
Art. 50(1) exempts interactions where AI use is obvious to a reasonably well-informed user. Document why your surface qualifies — UX research, user testing, or product copy — instead of asserting it.
- 11
Plan for the penalty bracket.
Article 99(4)(g) sets Art. 50 violations at the higher of €15M or 3% of worldwide turnover. National competent authorities have discretion below the ceiling but the exposure is meaningful for any post-Series-A revenue line.
Reference · Art. 99(4)(g)
- 12
Build an audit-pack export before you need one.
Have a single click that produces a deterministic PDF containing your rule evaluation, event log, integrity hashes, and configuration snapshot for any period. Doing this on-demand after a regulator asks is too late.
Next step
Stop tracking compliance in a spreadsheet.
ArticleProof handles items 05, 06, 08, and 12 for you out of the box — drop-in widget, server-side event log, salted-and-truncated IP handling, one-click deterministic audit pack. The other items still need a human, but you’ll have fewer of them to track.