What AI Regulations Apply to My SaaS Product? A Founder's Compliance Map
You've built a SaaS product with AI features. Now you want to sell it in the EU, to enterprise clients, or to regulated industries. What regulations apply, when do they kick in, and what do you actually need to do about them?
Key Takeaways
The regulations that apply to your SaaS AI depend on three things: where your users are, what decisions your AI influences, and what industries you sell into. Most founders know the first and ignore the second and third.
EU AI Act: if you sell to EU customers and your AI is used in hiring, credit, education, healthcare, or critical infrastructure decisions, you are a provider of high-risk AI with specific obligations regardless of where you are incorporated.
GDPR / Privacy Act: if you process personal data of EU residents or Australians, data protection law applies — including obligations about AI processing, automated decisions, and data subject rights.
Sector-specific regulation cascades to you as a vendor: if your customer is a bank, insurer, or healthcare provider, their regulatory obligations create contractual and practical requirements on you as their AI vendor.
The founder's practical checklist: (1) map your AI features to EU AI Act risk categories, (2) review GDPR/Privacy Act obligations for each market, (3) understand what your customers' regulators will ask them about your product.
"For informational purposes only. This article does not constitute legal, regulatory, financial or professional advice. Consult a qualified specialist for specific guidance."
The three questions that determine your regulatory exposure
Most founders know that data protection law applies if they process personal data. Fewer founders have mapped their AI features against the EU AI Act risk categories. Almost no founders have thought through how their customers' sector-specific regulatory obligations flow down to them as an AI vendor. All three matter.
Where your users are determines which data protection laws apply. GDPR applies to processing personal data of EU residents. The UK GDPR applies to UK residents. Australia's Privacy Act applies to personal data of Australians processed by organisations with Australian turnover above $3M, and to all organisations that process health data. If you have users in any of these jurisdictions, the relevant data protection law applies to your product.
What your AI does determines whether you are in EU AI Act scope and at what risk level. Annex III lists the high-risk categories: biometric identification, critical infrastructure, education, employment, essential services (credit, insurance, social benefits), law enforcement, migration, and justice. If your AI is used by customers in any of these categories, you may be a provider of high-risk AI with obligations under the EU AI Act even if you did not think of your product as "high-risk AI."
How sector regulation cascades to you
This is the piece most founders miss. If you sell to financial services companies, their AI governance obligations — set by APRA, the FCA, MAS, or the Fed — flow down to you through procurement requirements. An APRA-regulated bank buying your AI product will ask you for documentation that their prudential supervisor expects them to hold about the AI systems they use. If you cannot provide that documentation, you lose the deal. Understanding what your customers' regulators require from their AI vendors gives you a significant competitive advantage in enterprise sales to regulated sectors.