EU Compliance for SaaS & Software

EU regulations directly affecting SaaS & Software organisations — including obligations, deadlines, and maximum fines. Use our regulation checker to map your exact exposure.

Which EU regulations apply to SaaS & Software businesses?

SaaS & Software organisations operating in the EU are subject to 9 key regulations, including the AI Act, NIS2, the CRA and 6 more. The most significant obligations include classifying AI systems by risk tier and implementing cybersecurity risk management measures. Use the regulation checker to map your exact exposure in under 2 minutes.

  • AI Act: max fine €35M or 7% of global turnover — Classify AI systems by risk tier
  • NIS2: max fine €10M or 2% / €7M or 1.4% (essential / important entities) — Implement cybersecurity risk management measures
  • CRA: max fine €15M or 2.5% of global turnover — Implement security by design
  • Data Act: max fine Per member state (effective, proportionate, dissuasive) — Ensure data accessibility for users
  • Regulations applicable: 9
  • Key regulations: AI Act, NIS2, CRA
  • Highest fine: €10M or 2% / €7M or 1.4% (essential / important entities)

Source: EUR-Lex — EU Regulatory Framework

Regulations that apply to SaaS & Software

AI Act

The EU AI Act classifies AI systems by risk level and imposes obligations on providers and deployers. High-risk systems face mandatory conformity assessments, documentation, and human oversight requirements.

Max fine: €35M or 7% of global turnover

NIS2

NIS2 expands cybersecurity obligations to essential and important entities across critical sectors. It mandates risk management, incident reporting, and supply chain security.

Max fine: €10M or 2% / €7M or 1.4% (essential / important entities)

CRA

The CRA establishes cybersecurity requirements for products with digital elements sold in the EU. Manufacturers must ensure security by design and provide vulnerability handling.

Max fine: €15M or 2.5% of global turnover

Data Act

The Data Act ensures fair access to and use of data generated by connected products and related services. It establishes rules for data sharing between businesses and with public bodies.

Max fine: Per member state (effective, proportionate, dissuasive)

ePrivacy

The ePrivacy Directive governs electronic communications privacy, covering cookies, email marketing, and confidentiality of communications. Its replacement (ePrivacy Regulation) is pending but the Directive remains law.

Max fine: Per member state (GDPR rates of €20M/4% apply where violation also breaches GDPR)

DSA

The DSA creates obligations for online platforms and search engines to tackle illegal content, protect users, and ensure algorithmic transparency. Very large platforms face enhanced obligations.

Max fine: Up to 6% of global turnover (VLOPs/VLOSEs); per member state for others

Pay Transparency

The Pay Transparency Directive requires employers to disclose salary ranges in job postings, report on gender pay gaps, and enable employees to compare pay. It targets the gender pay gap across the EU.

Max fine: Per member state (compensation + penalties)

eIDAS 2.0

eIDAS 2.0 updates the framework for electronic identification and trust services, introducing the EU Digital Identity Wallet. It enables cross-border digital identity verification and expands recognised trust services.

Max fine: Per member state

PLD

The revised PLD modernises liability rules for defective products, extending coverage to software, AI systems, and digital services. It shifts some of the burden of proof to manufacturers in complex cases.

Max fine: No cap — civil liability for all damage caused


Frequently asked questions

Which EU regulations apply to SaaS companies?

SaaS companies in or serving the EU must comply with GDPR (personal data processing), EU AI Act (AI features in Annex III risk categories), NIS2 (if a cloud provider, managed service provider, or digital infrastructure provider), the Data Act (data portability and cloud switching obligations from September 2025), and the CRA (Cyber Resilience Act, for software products with digital elements from 2027). DORA applies additionally if the SaaS company is an ICT third-party service provider to regulated financial entities.

Does the EU AI Act apply to SaaS products?

Yes. SaaS companies embedding AI features must assess whether any AI system falls within EU AI Act Annex III risk categories (employment screening, user risk scoring, access to essential services). General-purpose AI models (GPAIMs) integrated via third-party APIs may carry provider obligations that are contractually passed down. From August 2025, all AI providers must provide transparency disclosures for AI systems interacting with EU users.

What GDPR obligations does a SaaS company have as a data processor?

SaaS companies processing personal data on behalf of customers are data processors under GDPR Article 28. They must sign a Data Processing Agreement (DPA) with each controller customer; implement technical and organisational security measures (Article 32); notify the controller within 72 hours of discovering a personal data breach; process data only on documented instructions; and make available all information necessary for controllers to demonstrate compliance. Sub-processors may only be engaged with controller authorisation and on equivalent contractual terms.

When does NIS2 apply to a SaaS company?

NIS2 applies to SaaS companies that fall within the 'digital providers' sector in Annex II — specifically cloud computing service providers, online marketplaces, online search engines, and social networking service platforms — if they are medium (50+ employees or €10M+ turnover) or large enterprises. SaaS companies that are ICT managed service providers (MSPs) or ICT managed security service providers are covered as 'ICT service management (B2B)' under Annex I as essential entities.

What is the Data Act and when does it apply to SaaS?

The EU Data Act (Regulation (EU) 2023/2854) applies from September 12, 2025. For SaaS providers, the key obligation is cloud switching facilitation: providers must not contractually prevent customers from switching to a competing service; must offer functional equivalence during a switch; must reduce switching charges over a 3-year phase-in period ending with free switching by September 2027; and must support data portability in interoperable formats. Contracts entered into or renewed after September 2025 must comply.

For informational purposes only. This is not legal advice — consult qualified legal counsel.