AI Act Compliance Checklist for SaaS Companies in Austria: Non-EU Founder Evidence
An Austrian SaaS company does not become AI Act-ready by adding a generic compliance sentence to the website. The useful work is to identify which features use AI, what role the company plays, whether the system is prohibited, high-risk, limited-risk, or lower-risk, and what evidence the company can show before sales, investor diligence, customer security review, or regulator contact.
The safe approach is to build an evidence packet before submitting forms. Do not use this page as tax, legal, customs, immigration, or product-compliance advice. Use it to organise questions for the official authority, customs broker, tax adviser, counsel, or provider handling the file.
Official source baseline
- European Commission AI Act regulatory framework
- European AI Office
- Austrian Legal Information System
What to clarify first
| Review area | Question to answer | Evidence to keep |
|---|---|---|
| AI inventory | Which product features use AI, models, scoring, generation, ranking, profiling, or automation? | Feature list, model/provider names, user-facing flows, admin settings, and release dates. |
| Role | Are you a provider, deployer, importer, distributor, or downstream modifier? | Contract map, model source, customer responsibility matrix, reseller or API terms. |
| Risk class | Could the use case be prohibited, high-risk, transparency-only, or lower risk? | Risk memo, user group, domain, sector, possible impact, and human oversight notes. |
| Data protection | Does the feature process personal data or sensitive inferences? | DPIA screening, lawful basis, retention notes, access controls, and processor/subprocessor records. |
| Claims control | Do marketing pages overstate accuracy, automation, or regulatory status? | Approved claim library, limitations, evaluation notes, and correction history. |
Costs and timelines depend on the file, not the headline topic
| Timeline stage | What can move fast | What slows it down |
|---|---|---|
| Inventory | A small SaaS with a few AI-assisted features can list systems quickly. | Hidden AI in support, analytics, fraud, recruiting, or third-party plugins expands scope. |
| Classification | Low-risk assistive features may need concise documentation. | High-risk domains or automated decisions require deeper legal and technical review. |
| Customer diligence | Enterprise customers may accept a clear evidence packet. | Vague claims, missing subprocessor data, or no human oversight notes delay procurement. |
| Non-EU founder file | Founder nationality is not the AI Act trigger by itself. | Cross-border contracting, data hosting, customer location, and EU market placement need explanation. |
Evidence packet before escalation
- Write the exact task in one sentence: approval, registration, customs release, customer onboarding, renewal, correction, or refusal response in Austria.
- Identify who will decide the file and which law, official page, customer requirement, or provider rule they are applying.
- Prepare the evidence packet in one folder with dated documents and a short explanation of what each document proves.
- Do not reuse another country's checklist unless the same authority, scheme, and transaction flow actually apply.
- Ask for missing-document feedback in writing when a provider or authority refuses, delays, or asks repeated questions.
Common mistakes that create delays
| Mistake | Why it delays the file | Correction |
|---|---|---|
| Using a copied country checklist | The authority or provider cannot match the evidence to the actual jurisdiction. | Replace generic checklist items with the local authority, local identifier, and transaction-specific evidence. |
| Sending documents in fragments | Reviewers cannot see the complete chain from company to transaction to compliance obligation. | Submit a dated packet with index, company record, authority evidence, invoices, contracts, and role memo. |
| Ignoring role boundaries | Importer, seller, marketplace, customs broker, SaaS provider, deployer, and customer can have different obligations. | Map who does what before choosing the form or compliance route. |
| Overstating certainty | YMYL and regulated-topic pages become unsafe when they pretend every case has one route. | State assumptions, open questions, and when professional review is needed. |