EU AI Act Compliance for API-Based AI Products
# EU AI Act Compliance for API-Based AI Products
This page explains how EU AI Act obligations are split between foundation model providers and the SaaS teams or developers who build products on top of their APIs, and what that means for your compliance posture right now.
---
## What the EU AI Act Actually Says
The EU AI Act (Regulation (EU) 2024/1689) distinguishes between **providers** (those who develop or place AI systems on the market) and **deployers** (those who put an AI system into use). When you build a product on top of a third-party LLM API, you are almost certainly acting as a provider in the eyes of the regulation, not just a deployer. The fact that you did not train the underlying model does not remove your obligations.
Several provisions are directly relevant to API-based products:
**Article 53 -- Obligations for providers of general-purpose AI models**
Article 53(1)(b) requires providers of general-purpose AI (GPAI) models to maintain technical documentation and provide it to downstream providers who integrate their models. This creates a documentation chain. If you are building a product on top of a GPAI model, you are entitled to receive that documentation from the upstream provider. More importantly, you are expected to use it to assess and document your own system's compliance. Receiving that documentation and doing nothing with it is not a defensible position.
**Article 50 -- Transparency obligations**
Article 50 imposes transparency requirements at the point of human interaction. If your product involves an AI system that interacts with natural persons, you must inform users that they are interacting with an AI, unless this is obvious from context. For products using synthetic audio, video, image, or text output, additional labelling obligations apply. These obligations land on the product layer, not the model provider. Your API vendor does not satisfy Article 50 for your users. You do.
**Article 6 and Annex III -- High-risk AI systems**
If your product falls into one of the categories listed in Annex III (which covers systems used in employment, education, credit scoring, biometric categorisation, critical infrastructure, and more), it is classified as a high-risk AI system regardless of whether it calls an external API or runs its own model. High-risk classification triggers a full set of obligations under Chapter III: conformity assessments, technical documentation, human oversight measures, logging, and registration in the EU AI database.
**Article 5 -- Prohibited practices**
Article 5 bans specific AI practices outright, including subliminal manipulation, exploitation of vulnerabilities, and most social scoring systems. These prohibitions apply to the product, not to the model. If your product is built on a general-purpose API but the product itself engages in a prohibited practice, the ban applies to you.
---
## Who This Applies To
The EU AI Act applies to providers placing AI systems on the EU market or putting them into service within the EU, regardless of where the provider is established. A US-based SaaS startup with EU customers is in scope. There is no small-company exemption that eliminates all obligations. Microenterprises are exempt from some conformity assessment requirements for high-risk systems under specific conditions, but not from Article 50 transparency obligations or Article 5 prohibitions.
The provider vs deployer distinction matters but is not a shield. If you customise a model, integrate it into a system, and put that system on the market under your brand, you are a provider. If you take an off-the-shelf AI tool and use it internally without modification, you may be acting as a deployer, with a narrower set of obligations.
---
## What the Obligation Actually Requires
**For products using GPAI APIs (Article 53):**
Request the technical documentation and model card from your upstream provider. Review it to understand the model's intended uses, known limitations, and risk areas. Document how your product uses the model and where your use case falls relative to those limits. If you are fine-tuning or significantly adapting a GPAI model, you may take on the obligations of a GPAI provider yourself.
**For products interacting with users (Article 50):**
Implement a clear disclosure that the system is AI-powered at the point of first interaction. Do not rely on a footer note or a terms-of-service clause. The obligation is to inform, not to bury. If your product generates synthetic content (images, audio, video), implement a technical mechanism to label it as AI-generated.
**For products that may be high-risk (Annex III):**
Map your use case against the Annex III categories. If there is a genuine overlap, engage legal counsel early. High-risk compliance is not a checkbox exercise. It requires documented risk management processes, data governance controls, human oversight mechanisms, and registration before market placement.
---
## Key Deadlines
- **February 2 2025 (already in force):** Article 5 prohibited practices. If your product engages in any of the banned practices, you were out of compliance over a year ago.
- **August 2 2026:** GPAI obligations (Article 53) and Article 50 transparency requirements become enforceable. This is 14 months away. Preparation time for GPAI documentation chains and transparency UI changes should start now.
- **December 2 2027:** Annex III high-risk system obligations become enforceable. This is the deadline for conformity assessments and full high-risk compliance. Do not confuse this with the GPAI/Article 50 deadline.
---
## What to Do Now
1. **Classify your system.** Decide whether your product is a GPAI system, a high-risk system under Annex III, or a general AI system with Article 50 obligations. This classification drives everything else. Do not assume you fall into the lowest-obligation category without checking.
2. **Request documentation from your model provider.** Contact your LLM API vendor and ask for their GPAI model documentation as required under Article 53(1)(b). If they cannot provide it, that is itself a risk signal worth documenting.
3. **Audit your user-facing interactions for Article 50.** Walk through every touchpoint where your product communicates with an end user. Assess whether each one satisfies the transparency obligation. Implement disclosures before August 2 2026.
4. **Run an Annex III use-case check.** Map your product's actual function against the Annex III category list. Pay particular attention to employment, education, credit, and biometric use cases. If there is any overlap, begin the conformity assessment process early.
5. **Document your compliance decisions.** Even if you conclude your system is low-risk, document the reasoning. Regulators will look for evidence of a considered assessment, not just an assertion.
---
## Run Your Risk Assessment Now
Use the free ActComply risk screener to see which obligations apply to your system: https://www.getactcomply.com/check
The screener maps your product against the EU AI Act classification framework and tells you which provisions apply, which deadlines are relevant, and what documentation you need to produce. It takes under five minutes and gives you a starting point for your compliance roadmap.