The EU AI Act (Regulation 2024/1689) is already in force — it entered the legal record on August 1, 2024 — and the clock for full compliance is running out. By August 2, 2026, every B2B SaaS tool that uses AI to process data about EU persons falls under a complete obligations regime. That includes your CRM's predictive scoring, your meeting assistant's transcription engine, and the sales intelligence platform that enriches contact records. Getting this wrong is not a theoretical risk: the minimum penalty tier starts at €7.5 million. A Ponemon Institute report from 2025 put the average cost of AI non-compliance at $5.2 million per incident, and a 2026 Gartner survey found 34% of enterprise AI projects had already been paused because of compliance concerns. The window to act is now: organisations typically require 9 to 14 months to reach LLM compliance. This article gives procurement leads, RevOps, and Sales Ops teams a precise, date-anchored playbook for their AI tool stack.
The EU AI Act timeline: what's already in force vs. what's coming
Most compliance guides talk about August 2026 as if it were a single switch being thrown, but the EU AI Act is a phased regulation with obligations that have been accumulating since 2024. Understanding exactly which layer is live right now — and which one is still approaching — determines what you need to fix immediately versus what you can plan for.
| Date | What becomes enforceable |
|---|---|
| Aug 1, 2024 | Entry into force. Regulation 2024/1689 published in the EU Official Journal; 24-month clock starts for most provisions. |
| Feb 2, 2025 | Prohibited practices ban + AI literacy duties. Article 5 (banned AI systems: social scoring, subliminal manipulation, real-time remote biometric identification in public spaces) is fully enforceable. Article 4 AI literacy obligations apply to all providers and deployers. |
| Aug 2, 2025 | GPAI codes of practice. General Purpose AI model providers must adhere to codes of practice published by the AI Office. Affects vendors whose models underpin your sales tools. |
| Aug 2, 2026 | Full applicability for most AI systems. All remaining provisions go live: high-risk AI obligations (Articles 8–15), GPAI model obligations (Articles 51–56), transparency rules for limited-risk systems (Article 50), deployer obligations (Article 26), and penalty regime. This is the operative deadline for virtually all B2B SaaS tools. |
| Aug 2, 2027 | Article 6(1) high-risk AI deferred. AI systems embedded in safety-critical products covered by EU harmonisation legislation (Annex I: medical devices, machinery, aviation, etc.) get one extra year. This narrow carve-out does not apply to standard sales or CRM software. |
The February 2025 date matters for procurement teams right now. If any tool in your stack uses prohibited techniques — for instance, an AI that infers emotional states from voice to manipulate buying decisions, or a system that builds behavioural profiles to exploit psychological vulnerabilities — that tool is already in violation today. The August 2026 deadline is not an excuse to defer reviewing current vendor behaviour.
Risk classification for sales tools: where CRM, meeting AI, and sales intelligence land
The EU AI Act uses a four-tier risk framework: unacceptable (prohibited), high-risk, limited-risk, and minimal-risk. Practically every AI tool in a B2B sales stack falls into either minimal-risk or limited-risk — with a narrow band of exceptions that matter enormously to buyers in financial services and insurance sectors.
A high-risk AI system under the EU AI Act is an AI system listed in Annex III of Regulation 2024/1689 that is used in one of eight specified domains: biometric identification and categorisation; management of critical infrastructure; education and vocational training; employment, workforce management, and access to self-employment; access to essential private services and public services (including creditworthiness assessment, life and health insurance risk assessment); law enforcement; migration and asylum management; and administration of justice. High-risk AI systems require a conformity assessment by a notified body before deployment, mandatory registration in the EU's public AI database, and ongoing post-market monitoring by the provider.
Minimal-risk: most CRM and sales intelligence features
Standard CRM intelligence — lead scoring based on engagement signals, account recommendations, email categorisation and spam filtering, pipeline forecasting — sits firmly in the minimal-risk tier. These tools process behavioural and transactional data but do not make consequential decisions about individuals' access to services, employment, or credit. They carry no mandatory transparency obligations under the AI Act, though vendors should still document their systems as a matter of good practice and to satisfy future audit requests.
Limited-risk: chatbots and emotion-aware meeting assistants
Limited-risk AI systems are those that interact with humans or generate synthetic content. Under Article 50, two categories relevant to sales tools attract transparency obligations: AI chatbots (any conversational AI that interacts with prospects or customers) and emotion recognition systems. If your meeting assistant or sales tool analyses voice tone to infer emotional states — frustration, interest, hesitation — the EU AI Act classifies this as emotion recognition and requires that the person being analysed is informed. Meeting AI tools that only transcribe and summarise are not emotion recognition systems; tools that score emotional states are. Procuring the latter requires explicit disclosure workflows to prospects on calls.
High-risk edge cases: when sales AI crosses the line
The high-risk designation becomes relevant for B2B SaaS in two specific scenarios. First, any AI tool used to support hiring decisions — candidate screening, interview scoring, workforce management — is classified as high-risk under Annex III regardless of how it is marketed. Second, AI used in creditworthiness scoring or insurance risk assessment (including tools that help financial-services sales teams qualify prospects based on credit signals) also falls in Annex III. If your stack includes any such tool, you are in high-risk territory: conformity assessment, notified-body involvement, pre-deployment registration in the EU AI database, and human oversight guarantees are all required before August 2, 2026.
What "provider" vs "deployer" means for your procurement team
The EU AI Act splits responsibility between two actors, and getting this distinction right in contracts is one of the highest-leverage actions a procurement team can take. Misaligned contracts — where neither party has accepted specific obligations — create dual liability exposure for both buyer and vendor.
A provider is the entity that develops, trains, or places an AI system on the EU market. In practice, this means the SaaS vendor: the company that built the sales intelligence platform, the meeting assistant, or the CRM AI. Providers carry the heavier technical and documentation burden under Articles 8–15: they must produce technical documentation (Article 11), implement logging capabilities (Article 12), achieve the required accuracy and robustness standards (Article 15), and register high-risk systems in the EU public database before deployment.
A deployer is the organisation that puts an AI system to use in a professional context. That is your company when you subscribe to a SaaS AI tool. Deployers are not off the hook: Article 26 imposes obligations to implement human oversight measures, monitor for anomalous outcomes, retain logs for post-market surveillance, and — critically — inform natural persons when they are subject to a high-risk AI system (Article 26(11)). If your CRM vendor classifies their tool as high-risk, you as the deployer must notify the people affected by it.
The extraterritorial scope of the regulation adds an important wrinkle: the EU AI Act applies to any operator, anywhere in the world, whose AI output affects EU persons. A US-based sales intelligence vendor selling to a German company is within scope. The deployer (the German company) cannot transfer liability to a non-EU vendor by claiming the vendor is outside EU jurisdiction.
The five contract clauses every EU company must add to AI vendor agreements
Contracts signed before August 2025 almost certainly do not contain adequate EU AI Act language. Renewals, new purchases, and any material amendments are the opportunity to close this gap. These five clauses are the minimum floor for any AI vendor agreement at an EU-based company.
- Role designation clause. The contract must explicitly state whether the vendor is acting as provider, deployer, or both under Article 3 of the EU AI Act. This is not boilerplate — ambiguity here means both parties inherit full obligations. Vendors who white-label third-party AI foundations (e.g., OpenAI or Anthropic models embedded in their product) must disclose this and clarify which GPAI obligations they have already met.
- Risk classification disclosure. The vendor must warrant the current risk classification of each AI component they supply to you, notify you in writing within 30 days of any reclassification (e.g., if a new feature crosses into high-risk territory), and provide a copy of their technical documentation on request. Without this clause, your deployer obligations can trigger without warning.
- Audit log exportability guarantee. Articles 11–12 and Article 26(6) require that high-risk AI system logs are automatically generated and retained by deployers. Your contract must specify that logs are exportable in a machine-readable format, define the retention period (the Act suggests a minimum period appropriate to the system's purpose), and establish the process for exporting records in the event of a regulatory audit or legal hold. Note the tension with GDPR: where logs contain personal data, the right to erasure under Article 17 GDPR may conflict with AI Act retention duties — your DPO must address this in your records of processing activities.
- Human oversight and override guarantees. Article 14 requires that high-risk AI systems allow human oversight — specifically, that a natural person can understand, monitor, and override the system's outputs. Your contract must confirm that the vendor's system provides this capability, and identify who in your organisation holds oversight responsibility. Contracts that leave this undefined expose the deployer to direct enforcement action.
- Data processing location and subprocessor management. The AI Act does not replicate GDPR data localisation rules, but it intersects with them. Vendor contracts must specify where AI processing occurs (EU, adequate country, or under standard contractual clauses), list all AI subprocessors (e.g., the LLM provider whose model the vendor uses), and commit to notifying you before adding new subprocessors. This is distinct from your GDPR DPA but must be read together with it.
Documentation and logging obligations: what your audit trail must contain
For any high-risk AI system in your stack, the EU AI Act mandates a specific documentation and logging regime. Understanding what your audit trail must contain is important both for vendors (who must build it) and deployers (who must retain it and produce it on regulatory request).
Under Articles 11 and 12, providers of high-risk AI systems must maintain technical documentation that includes: the system's intended purpose and reasonably foreseeable misuse cases; the design specifications and development process; the datasets used for training, validation, and testing; the performance metrics and known limitations; and the human oversight measures built into the system. This documentation must be kept up to date throughout the system's lifecycle and made available to national competent authorities on request.
Article 26(6) requires deployers to retain logs generated by high-risk AI systems to the extent those logs are under the deployer's control. In practice, this means your procurement team needs to ask vendors: does your system generate logs automatically? Can we export them? For how long do you retain them on your infrastructure before they become unavailable?
The logging-versus-erasure tension is worth flagging explicitly. If your meeting assistant produces logs that contain personal data — names, voice transcripts, sentiment scores tied to identifiable individuals — those logs are simultaneously subject to GDPR retention limits and AI Act retention requirements. The two frameworks operate under separate enforcement structures, which means a single data record can create exposure to both a GDPR supervisory authority and an AI Act market surveillance authority. The resolution is to apply pseudonymisation to AI logs wherever feasible, retaining the compliance record while minimising personal data exposure.
For deployers in the public sector or in specific Annex III use cases (credit assessment, insurance), Article 27 requires a Fundamental Rights Impact Assessment (FRIA) before deploying a high-risk AI system. Private B2B deployers in standard sales contexts — CRM, meeting intelligence, pipeline tools — are not generally subject to the FRIA requirement, but the internal due-diligence process of running a FRIA-style review is sound risk management regardless.
The compliance calendar: action dates for sales ops teams
Given that organisations typically need 9 to 14 months to reach full LLM compliance, a team reading this in June 2026 is already at the edge of comfortable runway for the August 2026 deadline. The table below maps the remaining critical actions to their latest defensible start dates.
| Action | Owner | Latest start |
|---|---|---|
| Now | Audit your AI stack. List every B2B SaaS tool that uses AI to process data about EU persons. Classify each as minimal, limited, or high-risk using the Annex III criteria. | RevOps / Legal |
| Now | Check for prohibited practices. Confirm no vendor in your stack uses social scoring, subliminal manipulation, or banned biometric techniques. These have been illegal since February 2, 2025. | Procurement / DPO |
| Jul 2026 | Insert contract clauses on renewal. Add the five clauses above to every AI vendor agreement that comes up for renewal or amendment before August 2, 2026. | Legal / Procurement |
| Jul 2026 | Confirm log exportability. For each vendor supplying high-risk AI, verify that audit logs can be exported and establish your internal retention process. Coordinate with DPO on pseudonymisation. | Sales Ops / IT |
| Jul 2026 | Assign human oversight roles. For each high-risk AI system, designate the employee responsible for monitoring and overriding AI outputs. Document this in your records of processing activities. | Sales Ops / Compliance |
| Aug 2, 2026 | Full compliance deadline. All high-risk AI systems must be registered in EU public database, all deployer obligations under Article 26 must be met, all GPAI vendor obligations live. | All |
One structural reality that makes this harder than it looks: EU AI Act enforcement runs through national market surveillance authorities — separate bodies from the GDPR supervisory authorities. If you operate across multiple EU member states, you face dual regulatory exposure from two distinct enforcement structures. Your legal team and DPO need to be coordinating with both frameworks, not treating EU AI Act compliance as an extension of GDPR compliance. They share principles but not procedures, timelines, or penalty calculations.
The EU AI Act is also technology-neutral by design, which means it applies to sales AI tools built on any foundation model — whether the vendor uses its own proprietary model or wraps OpenAI, Anthropic, or Mistral models. GPAI obligations for those foundation-model providers go live on August 2, 2026. When your sales tool vendor's model provider becomes compliant, your vendor should pass those compliance artefacts down the chain. If your vendor cannot confirm which foundation model their product uses or whether that model's provider has met GPAI obligations, that is a red flag in any procurement evaluation.
See how Numi's AI documentation framework makes audit-readiness a built-in feature rather than a last-minute scramble.