ArticleProof

Readiness · 12 points · effective 2 Aug 2026

EU AI Act readiness checklist for SMB SaaS.

Twelve concrete questions for SaaS teams shipping AI features. Scoped to Article 50 — the transparency obligations — because that’s the part most general-purpose SaaS will hit first. Not legal advice.


  1. 01

    Map every AI-powered surface in your product.

    Chatbots, smart-compose, autocomplete, AI-generated summaries, image or audio synthesis, deepfake or face-swap tools. If it generates content or interacts with users, it sits inside Article 50.

  2. 02

    Decide which obligations apply per surface.

    Chat interfaces → Art. 50(1) disclose AI interaction. Generative endpoints → Art. 50(2) mark synthetic output. Deepfake-capable features → Art. 50(4). Each surface can hit more than one.

    Reference · Art. 50(1)–(4)

  3. 03

    Write your user-facing disclosure copy.

    Plain language, accessible, in the language of the user. The disclosure must be clear no later than the first interaction — not buried in a Terms of Service.

    Reference · Art. 50(5)

  4. 04

    Mark synthetic outputs in a machine-readable way.

    A visible label alone is not sufficient. The marking must be machine-detectable — for example via C2PA content credentials, watermarks, or provenance metadata included with the asset.

    Reference · Art. 50(2)

  5. 05

    Capture a server-side disclosure event log.

    A claim that the banner was shown is not evidence. You need a timestamped record per render, per acknowledgement, per dismissal. Browser-only logging is insufficient for audit.

  6. 06

    Timestamp every event server-side and hash the record set.

    Each event needs a server-side UTC timestamp — browser-reported time is not evidence. Append-only storage (no tenant edit or delete path) plus a SHA-256 hash over the full canonicalised event set gives you a verifiable integrity check: if the underlying records change, the published hash no longer matches.

  7. 07

    Handle deepfake disclosures separately.

    If your product can generate or manipulate images, audio, or video of real people, the deployer must label the output. The narrow artistic-expression carve-out does not cover commercial deployment.

    Reference · Art. 50(4) ¶1

  8. 08

    Treat raw IP addresses as personal data.

    Hash with a rotating salt, store only a coarse-truncated form (/24 for IPv4, /48 for IPv6), and document retention. Storing raw IPs creates a GDPR liability that compounds an Article 50 exposure.

  9. 09

    Decide who counts as a deployer for public-interest text.

    If your platform publishes AI-generated text on matters of public interest — news summaries, market commentary, civic information — the publisher is the deployer and the disclosure obligation lands on them.

    Reference · Art. 50(4) ¶2

  10. 10

    Verify the obviousness exemption with evidence, not assumption.

    Art. 50(1) exempts interactions where AI use is obvious to a reasonably well-informed user. Document why your surface qualifies — UX research, user testing, or product copy — instead of asserting it.

  11. 11

    Plan for the penalty bracket.

    Article 99(4)(g) sets Art. 50 violations at the higher of €15M or 3% of worldwide turnover. National competent authorities have discretion below the ceiling but the exposure is meaningful for any post-Series-A revenue line.

    Reference · Art. 99(4)(g)

  12. 12

    Build an audit-pack export before you need one.

    Have a single click that produces a deterministic PDF containing your rule evaluation, event log, integrity hashes, and configuration snapshot for any period. Doing this on-demand after a regulator asks is too late.


Next step

Stop tracking compliance in a spreadsheet.

ArticleProof handles items 05, 06, 08, and 12 for you out of the box — drop-in widget, server-side event log, salted-and-truncated IP handling, one-click deterministic audit pack. The other items still need a human, but you’ll have fewer of them to track.