Lihi Lutan April 15, 2026

What Is the EU AI Act? Compliance Beyond the Deadline


Most companies with European exposure are now facing two EU AI Act compliance questions they cannot answer easily. Which vendors run AI inside their products? And who carries the liability when regulators come knocking? In most stacks the honest answers are “unclear” and “the buyer, not the vendor.”

The EU Artificial Intelligence Act lands its heaviest weight not on the labs that build AI but on the companies that deploy it inside the software they buy. If your HR platform screens candidates with a model, if your CLM extracts clauses with one, if your finance tool flags anomalies with one, you are a deployer under the law. That obligation is already landing in the C-suite, even at companies whose boards have not yet figured out how to ask about it.


By Lihi Lutan, Co-Founder and CEO, Opstream
Co-Founder and CEO of Opstream, previously COO of StokeTalent (acq. Fiverr) and VP Operations at Taboola where she helped scale the company from $8M to $1B in revenue.


Key takeaways

  • The August 2, 2026 EU AI Act deadline is wobbling, but the deployer obligations under Article 26 are not.
  • Customers and M&A acquirers are running AI vendor diligence on their own clock, regardless of what Brussels decides.
  • The real compliance gap is not legal interpretation. It is the inability to read vendor contracts at scale.
  • Build an AI vendor inventory in 30 days, classify by deployer risk in 60, stand up quarterly review in 90.
  • Procurement is the natural home for AI vendor governance because the data already flows through it.

What is the EU AI Act, and why does it matter now?

The EU AI Act is a risk-based rulebook that puts legal weight on every company using AI inside the EU, not just the labs that build it. Brussels passed it in 2024 as Regulation (EU) 2024/1689 and sorts AI systems into four buckets: prohibited, high-risk, limited-risk and minimal-risk. The rules tighten as the risk goes up.

Most coverage is written by lawyers for other lawyers, which misses the point for an operator. The regulation matters because it assigns direct responsibility to the buyer of AI, not just the seller. General counsel cannot solve it alone. Neither can the CISO or the head of procurement. The obligations cut horizontally across functions, which pushes the problem into the C-suite by default.

A second pressure lands alongside the regulation. Customers, acquirers and insurers are running their own AI vendor diligence today, regardless of what Brussels does next.

Is the August 2, 2026 deadline really moving?

Probably yes, partially, and not in a way that lets any deployer stop working on this.

In late 2025 the European Commission proposed a “Digital Omnibus” package that would defer the high-risk obligations for Annex III AI systems from August 2, 2026 to no later than December 2, 2027. In March 2026 the European Parliament’s IMCO and LIBE committees voted 101-9 to back fixed 2027 and 2028 deadlines, replacing the Commission’s flexible trigger. As of April 2026, the August 2, 2026 date is still legally binding, and the GPAI provider obligations from August 2025 are not delayed at all.

Many companies have quietly dropped this work from their Q2 agenda on the assumption that the delay gets them off the hook. That is a mistake. Three things do not change with a delay:

  • Article 26 deployer obligations still exist on the books. The clock resets, it does not stop.
  • The AI Office’s fining authority still kicks in on August 2, 2026. Penalties for prohibited practices reach €35M or 7% of global turnover. For other violations, the ceiling is €15M or 3%.
  • Customer-driven and acquirer-driven diligence is moving on its own clock, and that clock is not in Brussels’ control.

The delay is runway, not a permission slip. Companies that use the extra time to build the inventory now will sail through enforcement. The ones that wait will be sorting through 200 vendor MSAs in a panic next summer.

What does the EU AI Act actually require of deployers under Article 26?

Article 26 is the part of the law that lands on you. It defines a deployer as any organization that puts an AI system to use under its own authority, which describes every company running AI-powered SaaS. The European Commission’s AI Act Service Desk spells out the core obligations.

  1. Use the system as instructed. Read the provider’s instructions, follow them and document that you did. Off-label use shifts liability onto you.
  2. Assign competent human oversight. A trained person with the authority to intervene must be watching the system. “Our admin clicks approve” is not a defense.
  3. Manage input data. When you control what goes in, you are responsible for its quality and relevance.
  4. Keep logs for six months minimum. Most SaaS contracts do not give you log export rights by default. Read yours.
  5. Notify affected people. If a high-risk system makes or assists a decision about a person, you have to tell that person. In the workplace, that includes workers and their representatives.
  6. Report serious incidents to the provider and, where required, to the national competent authority.

None of these obligations is waived because Brussels delayed enforcement. The spec your vendor stack has to meet is the same whether you act now or in 2027.

Why is your vendor inventory the real EU AI Act compliance gap?

You cannot govern what you cannot see, and almost no enterprise can map its AI vendor footprint clearly today. This is the actual compliance gap, and it has nothing to do with the legal text.

In the past 18 months, half the average SaaS stack has added AI features with little fanfare. The CLM now extracts clauses with a model. The spend analytics tool predicts anomalies. The background check provider scores risk. The support platform writes draft replies. Each is a deployer obligation waiting to land on a compliance officer’s desk, and none of them show up in the existing vendor risk register.

The information is buried in documents that already exist. Vendor MSAs, DPAs and AI addenda describe what the system does and how it processes data. The problem is that those documents are 60 to 200 pages long, written by lawyers, and scattered across SharePoint, email, a CLM and the CISO’s laptop. Reading them at scale is not a job a procurement team can do with spreadsheets.

Ask a procurement leader “which of your 180 vendors deploy AI, and in what categories?” and the answer is usually silence. Not because they are negligent. Because the answer requires a project that does not fit anyone’s job description.


How do enterprise buyers and acquirers force the issue regardless of Brussels?

Even if the EU AI Act vanished tomorrow, the question has to be answered for two other audiences who are not waiting.

The first is enterprise customers. Companies selling into financial services, healthcare, government or any large European employer are now receiving an “AI vendor questionnaire” alongside the usual security review. Banks in Frankfurt and insurers in Paris are not asking out of curiosity. They are asking because their compliance teams need to document the AI exposure inside their vendor stack. Failing the questionnaire kills the deal.

The second is the diligence team on the other side of any M&A or fundraise. AI vendor inventories are now showing up in the IT and data sections of due diligence checklists from every serious acquirer. A company that cannot answer “how is AI used in your stack and what are your deployer obligations” inside the data room has a finding. Findings depress valuations and derail timelines.

Set the regulator clock aside for a moment. The customer clock and the M&A clock are real, and they are running today.

What should your team do in the next 90 days?

Skip the legal-checklist approach you will read everywhere else. Start with two operational moves.

First, build an AI vendor inventory in 30 days. Not perfect, just real. Pull every active vendor from your contract repository and answer three questions for each: does it use AI, what category, and what data does it touch? Where the contract is silent, send a one-question email to your account contact. Track responses in whatever tool your team already uses.

Second, classify the inventory by deployer risk using the EU AI Act’s four-tier framework. Most vendors will land in limited or minimal risk and need little more than transparency notices. Focus on the small set that touches HR decisions, credit decisions, biometric data or access to services. Those carry material Article 26 exposure.

Then, in parallel:

Action | Owner | Timeline
Add AI disclosure clause to all new vendor contracts | Legal + Procurement | Next 30 days
Update vendor questionnaire to capture AI use, training data, log access | Procurement + Security | Next 30 days
Assign a named owner for each high-risk vendor’s human oversight | Executive sponsor | Next 60 days
Confirm log retention rights and incident notification clauses | Legal | Next 60 days
Stand up a quarterly AI vendor review cadence | Executive + General Counsel | Next 90 days

None of this requires a new hire. It does require a place to centralize the answers, and that is where most teams stall out.

How does Opstream close the AI vendor governance gap?

Full disclosure on the bias. Procurement is the natural home for vendor governance, and the vendor inventory your team already maintains is 80% of the answer to the EU AI Act problem. Opstream was built to close the other 20%.

The hardest part of compliance is not the regulation. It is reading every vendor’s MSA, DPA and AI addendum to figure out how the product actually uses AI. Opstream’s Compliance Framework handles that step automatically. Upload a vendor’s contracts and the system extracts AI-use disclosures, training-data clauses, log retention terms and incident notification language against a configurable playbook. A full day of paralegal work becomes a one-click report that drops into the AI vendor inventory the same morning. Every vendor onboarding and renewal then runs through the same orchestrated workflow, so the inventory updates itself. That is what it means to orchestrate vendor risk rather than chase it.

Frequently asked questions

What is the EU AI Act in simple terms?

The EU AI Act is the European Union’s risk-based law for artificial intelligence. It classifies AI systems by risk, bans the most harmful uses, and places legal obligations on both the companies that build AI and the ones that deploy it. It applies to any organization with EU exposure, regardless of where it is headquartered.

Who is a “deployer” under the EU AI Act?

A deployer is any organization that uses an AI system under its own authority for a professional purpose. If your business uses an AI-powered SaaS product, you are a deployer, even if you did not build the underlying model. Article 26 sets out the obligations that apply to deployers of high-risk AI systems.

Has the EU AI Act been delayed?

The Digital Omnibus proposal, backed by an IMCO and LIBE committee vote in March 2026, would delay high-risk AI obligations to December 2, 2027 for Annex III systems and August 2, 2028 for Annex I systems. Final adoption is pending. The August 2, 2026 enforcement date for the AI Office’s powers and the GPAI provider obligations from August 2025 are not delayed.

What are the penalties for EU AI Act non-compliance?

Penalties for prohibited AI practices reach €35 million or 7% of global annual turnover. Most other violations carry fines up to €15 million or 3%. For a company doing $200M in revenue, even the lower threshold can mean a $6 million fine for a single finding.

How do I know which of my SaaS vendors use AI?

Start with your contract repository, not your application catalog. Every vendor MSA, DPA and AI addendum signed in the past 24 months should describe whether and how the product uses AI. For vendors with no clear contract language, send a one-question email to your account manager.

About the author


Lihi Lutan, Co-Founder and CEO, Opstream

Lihi Lutan is the Co-Founder and CEO of Opstream, changing the way companies buy.

Throughout her career, Lihi built and scaled business operations at startups and large corporations. Early in her career, Lihi was with Cyota (acq. RSA Security) as a team leader and project manager before moving to Thomson Reuters and Fundtech to manage global projects. Later, Lihi joined Taboola (NSDQ: TBLA) as employee 15, as VP Professional Services and Operations, leading the department as the company scaled from $8M to $1B in revenue. Transitioning from Taboola to StokeTalent (acq. Fiverr), Lihi served as the company’s COO.

Lihi holds an LLB in Law and a BSc in Computer Science from Tel Aviv University.
