← Back to blog
AI GovernanceJuly 2026·7 min read

The EU AI Act — what founders shipping AI need to know in 2026

The EU AI Act is the first comprehensive AI law in force. If you sell AI or ship AI features to customers who operate in the EU, it applies to you — regardless of where your company is registered. This post is a founder-focused guide: the four risk tiers, the deadlines that matter, and the smallest amount of paperwork you can get away with.

The four risk tiers

Every AI system falls into one of four buckets, and your obligations depend entirely on which bucket you are in.

Unacceptable risk — banned outright

Social scoring by governments, real-time public biometric surveillance, manipulative subliminal techniques, and a few other categories are simply not allowed. If your product does any of this, the AI Act is the least of your problems. Almost no legitimate SaaS falls here.

High risk — heavy obligations

AI used for hiring, credit scoring, education access, critical infrastructure, medical devices, law enforcement, and border control. If you are here, you need a conformity assessment, a technical file, quality management, human oversight, logging, and CE marking. This is where the AI Act has real teeth.

Limited risk — transparency only

This is where the majority of SaaS AI features actually sit. Chatbots, content generation, AI features that interact with users. Your obligation is straightforward: tell people they are interacting with AI and label AI-generated content. That is essentially it.

Minimal risk — no obligations

Spam filters, AI in video games, and other low-impact uses. You can do what you like, though following voluntary codes of practice is encouraged.

Which tier does your SaaS AI feature fall into?

Nine times out of ten: limited risk. If you are adding a chatbot, an AI summarizer, an AI writing assistant, or an AI search feature to your product, your only obligation is transparency. Users need to know they are talking to AI, and generated content should be labelled as such.

You cross into high risk only if the AI decision meaningfully affects access to employment, credit, education, healthcare, or public services. If your AI screens CVs or decides loan approvals, you are high risk. If your AI writes marketing copy, you are not.

The deadlines that actually apply

The AI Act phases in over several years. Two dates matter most for founders shipping today.

  • February 2025 — bans on unacceptable-risk systems took effect, and AI literacy obligations kicked in for anyone deploying AI
  • August 2026 — general-purpose AI model obligations and most transparency requirements apply, and enforcement mechanisms are active
  • August 2027 — high-risk system obligations for AI embedded in regulated products (medical devices, machinery, toys) fully apply

If you are shipping an AI feature today, the August 2026 deadline is the one to plan around.

"Provider" vs "deployer" — which are you?

A provider is the company that builds and puts the AI system on the market under its own name. A deployer is a company that uses an AI system provided by someone else in its own operations. If you fine-tune a foundation model and ship it as part of your product, you are a provider. If you drop a third-party AI SDK into your app without modifying the model, you are usually a deployer of that model but a provider of your own composite system.

Providers have more obligations than deployers. Most founders shipping AI features end up being providers of their own system, even if they built on top of someone else's foundation model.

The minimum paperwork checklist

  • Written classification of each AI feature into a risk tier — one paragraph per feature is enough
  • Transparency notices in the UI wherever users interact with AI
  • Labelling of AI-generated outputs (text, image, audio, video)
  • A short technical file describing what the AI does, what data it was trained on, and its limitations
  • A record of your provider vs deployer status for each AI system you use or ship
  • AI literacy training records — evidence your team understands the basics

For limited-risk features, that is genuinely the full list. Do not let a consultant convince you that you need a 200-page conformity assessment for a chatbot.

How Zilonex Govern helps

Zilonex Govern includes an AI Act classification wizard, transparency-notice templates, a technical-file generator, and evidence collection for AI literacy training. You go from "I have no idea if I comply" to "here is a signed artefact" in an afternoon rather than a quarter.

Ready to get started?

Start with Zilonex Govern →