Is Your AI Wrapper Legal? The EU AI Act Checklist for SaaS Founders

A developer on r/SaaS sparked panic by asking whether the EU AI Act's Article 12 logging requirement applies to ChatGPT wrappers processing 10,000 API calls daily. The regulation requires timestamped rationales for every AI system decision, but only for high-risk systems—a category most AI wrappers do not fall into. For the majority of SaaS founders, compliance requires only a simple disclosure notice, not logging every API call.

You built a ChatGPT wrapper. It's doing $5K MRR. A founder on r/SaaS just posted: "Article 12 requires logging for every AI system decision — does my ChatGPT wrapper need this? I have 10,000 API calls/day, I can't log every single one with a timestamp and reasoning." The thread has 100+ upvotes and the comments are a panic spiral. Take a breath. The real answer is simpler — and less terrifying — than the Reddit thread makes it sound. This article explains exactly what the EU AI Act requires from AI wrapper products, which provisions actually apply to you, and how to check your compliance in under ten minutes. No law degree needed. The fear: every ChatGPT API call counts as an "AI system decision," so you need to log 10,000 timestamped rationales per day or face fines. The reality: Article 12 covers high-risk AI systems — and most AI wrappers aren't high-risk. The Act defines high-risk through two gates: Article 6 1 safety component of a regulated product and Annex III use in specific sectors like biometrics, critical infrastructure, education, employment, law enforcement . A customer support chatbot or a blog post generator doesn't clear either gate. Here's what the law actually requires, broken down by risk tier. The Act creates four tiers of obligation. Your wrapper falls into exactly one of them. Everything depends on what your AI does and where it's deployed. Your system is prohibited if it does any of the following: If your wrapper does none of these — and most don't — you can move on. Fewer than 1% of SaaS AI products trigger Article 5. Your system is high-risk if it satisfies either of these two gates: Gate A — Safety component. Your AI is a safety component of a product covered by EU harmonization legislation machinery, medical devices, toys, lifts, radio equipment, etc. , OR your AI is itself a regulated product. Example: an AI diagnostic module embedded in a medical device. Gate B — Annex III use case. Your AI operates in one of eight regulated sectors and is deployed in the EU: If neither gate applies, your system is not high-risk. Full stop. A ChatGPT wrapper for generating marketing copy, answering customer FAQs, or summarizing meeting notes doesn't fall into any of these categories. If your system IS high-risk, Article 12 requires you to keep logs that enable traceability of the AI system's functioning — including recording the date and time of each use, the reference database used if any , the input data, and identification of the natural persons involved. This is the requirement the r/SaaS founder was worried about. It applies only to high-risk systems. Your system falls here if it: The obligations are modest: you must inform users they're interacting with an AI system, unless it's obvious from context. No logging of individual decisions. No timestamped rationale. Just disclosure. For most AI wrapper founders, this is your tier. Add a small disclosure line and you're compliant. Your system involves no direct human interaction, no safety component, no Annex III use case, and no EU deployment. You have no obligations under the Act. Most internal tools and back-end automation fall here. Let's return to the Reddit founder's specific concern. He runs a ChatGPT wrapper processing 10,000 calls a day. He's worried about logging every one. Here's the question sequence that determines his obligations: For the vast majority of AI wrappers, the answer is "limited risk — add disclosure and move on." You do not need to log 10,000 API calls. You do not need timestamps. You do not need rationales per decision. The panic comes from reading Article 12 in isolation without understanding the Article 6 1 and Annex III gates that determine whether Article 12 even applies to you. The r/SaaS thread isn't wrong to be anxious. The EU AI Act is genuinely complex — 400 pages of dense legislation with nested cross-references and delayed implementation dates. Founders reading the text directly get lost in cross-references between Articles 5, 6, 12, 13, 50, and Annexes I through IX. But the anxiety is disproportionate to the actual legal exposure. Most AI wrappers face minimal obligations. The founders who are most scared are the ones who haven't been walked through a structured classification. This is where a free classification tool changes the game. In the time it took to write that Reddit post, a founder could have answered twelve yes/no questions and received a definitive risk tier with the exact obligations that apply. Don't guess. Walk through the actual gates: Article 5 prohibited practices, Article 6 1 safety components, Annex III use cases, Article 52 transparency. Write down the answers. A ChatGPT wrapper for customer support in the EU: limited risk. An AI resume screener for hiring in Germany: high-risk. An AI that generates synthetic medical images for diagnostic training: high-risk, possibly prohibited. The distinction matters enormously — the compliance burden differs by an order of magnitude. If your system genuinely clears the Annex III gate you're in hiring, education, credit, or biometrics , you need Article 12 logging. This means: This is non-trivial infrastructure — but it only applies if you're high-risk. Before you build it, verify that gate B actually applies to you. Add a clear notice that users are interacting with an AI. Make it visible before the first interaction. That's it. You're compliant under Article 52. Spend your engineering cycles on your product, not on phantom compliance requirements. Another source of panic: founders have heard conflicting dates. Here's a quick decode: The takeaway: if you're not high-risk, your nearest hard deadline is December 2026 for watermarking disclosure — and that's straightforward. If you are high-risk, plan for August 2, 2026 with the understanding that Annex III enforcement timing may shift. Reading between the lines of the legislative text, the EU's goal is sensible: they want to know that AI systems making consequential decisions about people's lives are documented, explainable, and auditable. A chatbot that says "your order will arrive Tuesday" is not a consequential decision. An AI that says "you're denied a mortgage" is. The burden is designed to land on the consequential cases. The problem is that the text is written broadly enough to scare the inconsequential ones too. Don't let the scare keep you from shipping. Classify your system, understand your tier, and build only what the law actually requires. You can figure out your risk tier right now. It takes ten minutes and twelve questions — no legal training required. No credit card. No consulting call. Just the exact obligations that apply to your specific AI system, mapped to the provisions of the Act.