TL;DR
- The EU AI Act (Regulation (EU) 2024/1689) applies to Annex III high-risk AI systems from August 2, 2026 (Annex I product-safety systems follow on August 2, 2027), and EU enterprise buyers are already including AI Act conformity question blocks in vendor onboarding questionnaires.
- Most B2B SaaS products fall into the minimal risk tier and carry no specific EU AI Act compliance obligations, but vendors need to say so clearly and explain the classification basis.
- Enterprise buyers ask about risk classification, technical documentation (Article 11), human oversight (Article 14), conformity assessment status, and incident reporting procedures (Article 73).
- Overstating compliance ("EU AI Act compliant" when no conformity assessment is required) creates as many problems as understating it.
- Wolfia maps incoming AI Act question categories to verified answers from your existing compliance and product documentation, with source citations and hallucination prevention guardrails on every response.
What the EU AI Act requires of SaaS vendors
The EU AI Act (Regulation (EU) 2024/1689), adopted June 13, 2024 and in force since August 1, 2024, sets out a tiered framework where obligations scale with the risk posed by an AI system. For SaaS vendors, the starting question is not "are we compliant?" but "which risk tier applies to our product?"
The four tiers are:
Prohibited AI (Article 5): Practices such as real-time remote biometric identification in publicly accessible spaces for law enforcement (subject to narrow exceptions), social scoring, manipulative or deceptive techniques, exploitation of vulnerabilities due to age, disability or social or economic situation, and emotion recognition in the workplace or in education (except for medical or safety reasons). Applies to essentially no standard B2B SaaS product, though HR and workforce tools should check the emotion-recognition prohibition.
High-risk AI (Annex III): Systems used in employment decisions, credit scoring, education assessment, critical infrastructure, and related categories. Carries the heaviest set of obligations, including technical documentation, quality management systems, and conformity assessments.
Limited risk (Article 50): Transparency obligations only. Systems that interact directly with people, such as chatbots, must disclose that they are AI, and generated synthetic audio, image, video or text must be marked as artificially generated in a machine-readable way.
Minimal risk: Everything else. No risk-tier-specific obligations under the Act. Two cross-cutting duties still apply: the Article 4 AI literacy obligation on providers and deployers, and the Article 50 transparency obligations for any chatbot or content-generation feature the product contains.
Most SaaS products land in minimal risk. The problem is that vendors have often not done the classification work rigorously enough to state that tier with confidence in a questionnaire, and buyers rarely accept a minimal-risk answer without a short supporting explanation.
Does your AI product qualify as high-risk under Annex III?
For most B2B SaaS vendors, the answer is no. Annex III lists eight areas; the ones most relevant to software vendors are employment and worker management (Category 4), access to essential services (Category 5), and education or vocational training (Category 3). The remaining areas (biometrics, critical infrastructure, law enforcement, migration and border control, administration of justice and democratic processes) rarely apply to general-purpose business software. If your product does not touch any of these use cases, it is not high-risk under Annex III. Two caveats: Article 6(1) separately classifies AI that is a safety component of a product covered by the Annex I harmonisation legislation (medical devices, machinery, vehicles) as high-risk, and Article 6(3) exempts a system that is listed in Annex III but only performs a narrow procedural task, improves the result of a previously completed human activity, detects decision patterns without replacing human assessment, or performs a preparatory task for an assessment. A provider relying on that exemption must document the assessment before placing the system on the market, and a system that profiles natural persons is always high-risk regardless of the exemption.
Employment and worker management (Category 4) covers AI used for recruitment, CV ranking or filtering, task allocation, performance monitoring, and employment or promotion decisions. An HR tech product that auto-ranks job candidates before a hiring manager reviews the list triggers this category.
Access to essential services (Category 5) covers AI that evaluates creditworthiness, sets insurance premiums, or affects access to public benefits or financial services. A fintech underwriting engine falls here.
Education and vocational training (Category 3) covers AI that scores students, determines access to educational programs, or monitors exam behavior.
If your SaaS product does none of these things, you are not high-risk under Annex III. That is the accurate answer, and it belongs in your questionnaire response paired with a one-paragraph explanation of what your AI actually does instead.
For vendors trying to understand where their product fits in the broader risk classification landscape, third-party risk management practices have become significantly more structured in 2026.
What buyers are actually asking in vendor onboarding questionnaires
Enterprise legal and procurement teams in the EU, particularly those subject to deployer obligations under Article 26, are adding AI-specific question blocks to standard vendor assessments. In questionnaires reviewed from EU enterprise buyers, these categories appear most consistently:
Classification and scoping: "How do you classify your AI system under the EU AI Act: prohibited, high-risk, limited risk, or minimal risk? Please explain the basis for this classification."
Technical documentation (Article 11): "Do you maintain technical documentation per Article 11 and Annex IV? Can you provide a summary or share documentation under NDA?"
Human oversight (Article 14): "What human oversight mechanisms are built into your system? Can a human review, override, or pause an AI-assisted decision?"
Accuracy and robustness (Article 15): "What accuracy metrics do you publish? How does your system perform on out-of-distribution inputs?"
Conformity assessment (Articles 43-44): "Have you completed a conformity assessment? Is it self-assessed or third-party audited? If registered in the EU AI Act database, what is your registration number?"
Incident reporting (Article 73): "What procedures govern serious incident reporting to the market surveillance authority of the Member State where the incident occurred, and within what timeframes?"
These questions arrive in the same spreadsheet format as a SOC 2 questionnaire or a SIG Lite section. Buyers are not always calibrated to the Act's nuance, so vague or hedged answers generate more follow-up rounds, not fewer.
For context on how AI-specific questions fit into the broader questionnaire cycle, AI agents in security questionnaire automation in 2026 covers how the vendor response process is adapting.
How do you scope an EU AI Act questionnaire response?
State your classification first, explain your reasoning in one paragraph, then address each question category at the level of specificity the buyer actually needs. Most B2B SaaS vendors are minimal risk and can close an AI Act questionnaire section in five to eight responses.
A well-scoped response for a minimal-risk vendor looks like this: "Our product does not fall within any Annex III category. Our AI features are used for [specific function, such as surfacing relevant documentation or generating draft text for user review]. These functions do not support employment decisions, credit decisions, educational assessment, or other Annex III use cases. No conformity assessment is required, and we are not subject to the Article 11 technical documentation or Article 17 quality management system obligations." If the product includes a user-facing chatbot or generates synthetic text, images or audio, add one sentence on how the Article 50 transparency obligations are met; those apply regardless of risk tier.
A high-risk vendor needs more detail. The accurate response covers: the specific Annex III category triggered; current conformity assessment status (for Annex III categories 2 to 8 the route is the internal-control procedure of Annex VI, a self-assessment; notified-body assessment applies to biometric systems under category 1 where harmonised standards are not fully applied); whether the system is registered in the EU database under Article 49; a description of the human oversight design; a pointer to technical documentation; and the Article 73 serious-incident process, which requires a report immediately after a causal link is established and in any event within 15 days of becoming aware, shortened to 2 days for widespread infringements and 10 days for a death. If you are not yet compliant with Article 11 or Article 17, say so with a timeline. A vague indication that work is underway satisfies no one.
The EU AI Act official text, Regulation (EU) 2024/1689, is the authoritative reference for any classification argument you make in a questionnaire.
The accuracy problem: overstating and understating both cost you
Vendors get this wrong in two directions.
Overstating is common among vendors who want to signal maturity. A vendor claiming "full EU AI Act compliance" when their product is minimal risk creates an immediate problem: they have implied they completed a conformity assessment and Article 17 quality management system that are not required for their risk tier. A buyer's legal team reading that claim will ask for a conformity certificate that does not exist.
Understating is equally common, usually from vendors who have not done the classification work. A response that says "we use AI but this regulation doesn't apply to us" with no supporting explanation sends a red flag to a procurement team that has its own Article 26 deployer obligations to satisfy. Buyers need vendor documentation to close their own compliance loop.
The accurate middle is specific: state the classification, provide the reasoning, and address each question category at the right level of detail. That is the response that closes the questionnaire round without a follow-up exchange.
This same pattern appears in standard security questionnaire cycles. Inaccurate vendor security questionnaire answers covers why generic responses slow deals rather than accelerate them.
What technical documentation buyers want to see
For high-risk AI systems, Article 11 and Annex IV define what technical documentation must cover: a general description of the system and its intended purpose, design specifications and training methodology, details of training and test datasets, the risk management process and its results, accuracy and cybersecurity measures, and a post-market monitoring plan.
Many vendors building high-risk AI systems will not have a complete Annex IV documentation package by August 2026. For a buyer asking now, the right answer is a description of what documentation exists, what is being built, and when full Annex IV documentation will be available. That is more useful to a buyer than a claim of readiness that does not hold up to scrutiny.
For minimal-risk vendors, none of this applies. The documentation the buyer actually needs from you is a clear explanation of why no Annex IV package is required.
How Wolfia handles EU AI Act questionnaire responses
EU enterprise buyers are now attaching AI Act question blocks alongside their standard security and due diligence questionnaires. A typical vendor receives a 30-question AI Act section appended to a 200-question security questionnaire. Both need to be answered accurately, and both draw from the same underlying compliance and product documentation.
Wolfia is built for security and GRC teams handling exactly this workflow. When an AI Act classification question arrives, Wolfia locates the relevant documentation from your knowledge base (privacy impact assessments, AI governance policies, product architecture documents) and generates a response grounded in your actual product posture, with source citations so reviewers can verify each answer against the originating document.
The hallucination prevention guardrails matter here because AI Act responses carry legal weight. Wolfia's 10+ verification checks confirm that each answer is grounded in a specific source document before it reaches a reviewer. A response that overstates compliance, or that pulls from a stale policy document, gets flagged rather than sent.
The Wolfia Trust Center lets you gate AI Act documentation, including technical documentation summaries and conformity assessment status, for buyers who want to review materials without sending a questionnaire. When a buyer does send a questionnaire, Wolfia's Chrome extension handles intake across 55+ portal platforms including OneTrust and ServiceNow, so the AI Act question block does not require a separate manual workflow.
For teams managing AI Act questionnaire responses across multiple buyer relationships simultaneously, security questionnaire automation tools for B2B SaaS covers how the end-to-end response workflow connects.
Final thoughts
The EU AI Act's high-risk requirements for Annex III systems take full effect on August 2, 2026. Vendor assessment questionnaires with AI Act sections are already arriving, and they will become a standard part of enterprise onboarding for EU buyers over the next 18 months.
For most SaaS vendors, the path is clear: do the classification work, document the reasoning, and answer each question category at the right level of specificity for your actual risk tier. Minimal-risk vendors need a clear explanation of why they are minimal risk. High-risk vendors need a plan for Annex III obligations and honest timelines on documentation status.
The vendors who will have the hardest time are those who skip the classification step and try to answer each question in isolation. Get the classification right first, and the questionnaire answers become straightforward to write and easy for buyers to accept.