Do you know which surfaces of your product interact with European users? If the answer is not an immediate, documented yes, you have two weeks to find out. On August 2, 2026, the EU AI Act's transparency obligations come into force, and they apply to any company deploying AI systems that interact with EU users regardless of where that company is headquartered. A bootstrapped SaaS founder in Bangalore, a YC startup in San Francisco, and an enterprise software company in Singapore are all equally in scope if a single user in France, Germany, or Poland can access their AI features.

Law firms Holland & Knight and Sidley Austin have published detailed compliance advisories in recent weeks, and the message is consistent: the August 2 deadline is real, enforcement will begin immediately, and the European Commission has signaled there will be no grace period. Non-compliance carries fines of up to 3 percent of global annual turnover or EUR 15 million, whichever is higher. For a mid-market SaaS company doing $50 million in revenue, that is a $1.5 million penalty per violation.

What the Transparency Obligations Actually Require

The EU AI Act's transparency rules are not a single requirement but a layered set of obligations that apply differently depending on the type of AI system you deploy. At the foundation level, any AI system that interacts with humans must clearly disclose that the interaction is with an AI system, not a human. This applies to chatbots, AI customer service agents, AI-powered phone systems, and any conversational interface where a user might reasonably believe they are speaking to a person.

The second layer applies to AI-generated content. If your system produces synthetic media text, images, audio, or video that could be mistaken for human-created content, you must label it as AI-generated or AI-manipulated. The regulation explicitly covers deepfakes, but it goes further: any materially manipulated content that could mislead a reasonable person falls under the labeling requirement. For SaaS platforms that generate marketing copy, product descriptions, or social media content, this means every AI-generated output sent to an EU user must carry a visible or machine-readable label indicating its origin.

The third layer requires you to document and disclose your AI system's capabilities and limitations. Users must be informed about what the AI can and cannot do, its accuracy characteristics, and any known failure modes. This is where most companies will struggle, because documenting limitations requires the kind of systematic testing and edge-case analysis that many teams skip in the rush to ship AI features.

Who Is in Scope and Who Is Not

The extraterritorial scope of the EU AI Act is one of its most consequential features. Any company that deploys an AI system whose output is used in the EU falls under the regulation, regardless of where the company is incorporated. This mirrors the GDPR model, which demonstrated that European regulation can set a de facto global standard when it attaches to end users rather than company headquarters.

If your SaaS platform has even a single customer with employees in the EU who use your AI features, you are in scope. If your API serves requests that originate from EU IP addresses, you are in scope. If your website embeds an AI chatbot that visitors from the EU can access, you are in scope. The only safe harbor is a system that has no interaction with EU users at all, which is increasingly difficult to guarantee in a globally connected internet.

General-purpose AI models face even stricter requirements under a separate tier of the regulation. If your model is used as the foundation for multiple downstream AI applications, you must provide detailed documentation about training data, computational resources, energy consumption, and model capabilities. The GPAI requirements are phased in later, but the transparency obligations for deployers of GPAI-based systems begin on August 2.

Enforcement Timeline and Penalties

The European Commission has been explicit that August 2 is a hard deadline, not a soft target. National competent authorities in each EU member state will begin enforcement activities immediately after the effective date. The commission has established a centralized AI compliance database where companies can register their systems, and it has signaled that proactive audits will begin within weeks of the deadline, not months.

Penalties are tiered by severity. For inadvertent non-compliance where a company can demonstrate good-faith efforts, regulators may issue warnings and remediation orders before imposing fines. For willful non-compliance or failure to remediate after notice, fines scale to 3 percent of global annual turnover. The critical detail that many founders miss is that the fine calculation is based on global turnover, not EU revenue. A company with 90 percent of its revenue in the United States and 10 percent in Europe still faces fines based on total worldwide revenue.

Individual member states can impose additional penalties under national implementing legislation, which means the effective penalty landscape may vary across the 27 EU countries. Some states have signaled they will be more aggressive enforcers than others, creating a compliance wild west in the first months of enforcement.

What Founders Need to Do Right Now

The two-week timeline is tight but manageable if you focus on the highest-risk surfaces first. Start with a full audit of every customer-facing surface where AI interacts with users. Chatbots, AI-generated content pipelines, recommendation engines, CV screening tools, automated email responders, and AI phone systems all need immediate review. For each surface, ask three questions: Does the user know they are interacting with AI? Is AI-generated content labeled? Are system capabilities and limitations documented and surfaced to the user?

Next, implement technical labeling mechanisms. The regulation requires machine-readable labeling of AI-generated content, not just a policy statement on your website. For text outputs, this means metadata flags in the API response. For images and video, this means visible watermarks plus embedded metadata. Several open-source tooling projects have emerged specifically for AI Act compliance labeling, and your engineering team should evaluate them this week, not after the deadline.

Prepare compliance documentation that demonstrates your transparency measures. The 72-hour incident reporting requirement under the EU AI Act mirrors similar obligations in Illinois SB 315 and California's SB-53, meaning a unified compliance system could serve multiple regulatory regimes simultaneously. A single documentation repository that maps specific AI features to their transparency labels, capability statements, and incident response procedures will save you from rebuilding the same system three times.

For Indian SaaS founders specifically: if your B2B customers have European end-users, you are in scope. Many Indian SaaS companies serve global enterprises through US-based resellers or direct European sales, and the obligation flows upstream. The EU does not care about your corporate structure it cares about whether EU users interact with your AI. Discuss compliance requirements with your legal counsel this week, not after the deadline passes.