Practical articles for developers and CTOs — no legal jargon, just what you need to unblock enterprise deals.
Free decision tree to determine if your AI system is high-risk. All eight Annex III categories with concrete SaaS examples, the Article 6(3) filter, common false positives, and what changes if you do qualify.
The four sub-paragraphs of Article 6(3) with eleven worked SaaS examples, the profiling trap, Article 6(4) documentation duty, Article 49(2) registration, and a memo template enterprise procurement actually accepts.
The eleven duties Article 26 puts on deployers of high-risk AI, the Article 27 FRIA trigger, the provider/deployer split, the deployer trap most SaaS falls into, and a one-page-per-duty memo template procurement signs.
The deployer document that closes banking, insurance, healthcare and public-sector deals. Six Article 27(1) items, the Article 27(3) notification to market surveillance, the Article 27(4) DPIA articulation, and a copyable one-page template B2B SaaS hands to enterprise procurement.
The obligation procurement asks for first. In force since 2 February 2025 — retroactive duty on every provider and deployer of any AI system. Three-document package: signed policy statement, role-based training matrix across five bands, training log with annual refresh. Six failure modes audited in 2026 and SDK exports.
The post-market obligation that decides whether a high-risk launch survives a real-world incident. Four Article 3(49) outcome categories, 2/10/15-day timing thresholds running from awareness, the deployer-to-provider chain under Article 26(5), the Annex IX-aligned eight-block report template, six failure modes audited in 2026 and SDK exports.
If your SaaS wraps GPT-4, Claude, Gemini or Llama, you are a downstream provider under the AI Act. Article 53 regime, the Article 25(1)(c) substantial-modification trap, the open-source carve-out, and the one-page flowdown enterprise procurement signs.
The only EU AI Act deadline the May 2026 Omnibus did not delay. Chatbot disclosure, C2PA synthetic content marking, emotion recognition, deepfake labelling — the four regimes, who owes what, and a one-page compliance bundle procurement signs.
What changed after the May 2026 Omnibus delay. Every date a CTO needs — GPAI, Annex III (now Dec 2027), Annex I (now Aug 2028), prohibited practices and Article 50 transparency — in one timeline.
14 real questions from 2026 enterprise vendor assessments, the model answers that close deals, and the audit evidence procurement teams ask for next.
Free template and Article 26 deployer checklist. Understand exactly what documentation your enterprise customers will ask for before signing — and how to generate it automatically.
Honest review of GRC platforms vs developer SDKs vs done-for-you audits. Which option fits a 50-person AI startup that just got an enterprise compliance ask?