
Cyprus EU AI Act Compliance for SaaS & Tech Companies 2026

A practical 2026 guide for Cyprus SaaS founders to Regulation (EU) 2024/1689: risk tiers, the August 2026 high-risk deadline, GPAI duties, GDPR overlap and penalties of up to EUR 35 million.

By Sergios Charalambous · Reviewed · 15 min read

Founder of Zeno · Cyprus & Athens Bar admitted · Corporate & tax law. Reviewed jointly with independent Cyprus Bar–licensed advocates and ICPAC–licensed accountants. Updated at least every six months.

Table of contents
  1. Overview of the EU AI Act
  2. Phased application timeline
  3. Who is in scope: providers vs deployers
  4. The four risk tiers
  5. General-purpose AI model obligations
  6. High-risk AI systems: the August 2026 wall
  7. Cyprus national competent authority
  8. Interaction with GDPR and the DSA
  9. Penalties and enforcement
  10. Practical compliance playbook for Cyprus SaaS
  11. Common founder mistakes

Cyprus has quietly become one of the EU's more practical bases for SaaS and AI founders: 15% corporate tax, an OECD-compliant IP Box, and an English-language legal system. But the EU AI Act now overlays a second compliance regime on top of GDPR, and the deadlines are no longer abstract. From 2 August 2026, high-risk AI systems must be conformity-assessed, documented, registered and monitored - or pulled from the market.

This guide explains what the EU AI Act actually requires from a Cyprus-based SaaS or tech company, how Cyprus is implementing it nationally, and the practical compliance steps founders should take in 2026. It is general information, not legal advice; for system-specific classification you should instruct a Cyprus Bar-licensed advocate familiar with EU technology law.

Overview of the EU AI Act

The Artificial Intelligence Act is Regulation (EU) 2024/1689 of the European Parliament and of the Council of 13 June 2024, published in the Official Journal on 12 July 2024 and entered into force on 1 August 2024 (Regulation (EU) 2024/1689 (EU AI Act), OJ L of 12 July 2024, Article 113). It is the world's first comprehensive horizontal AI law and applies directly in every Member State - no national transposition is required for most of it to bite, although Cyprus and other Member States must still designate competent authorities and adapt domestic procedural and sanctioning law.

The Act takes a risk-based approach: the higher the risk an AI system poses to health, safety or fundamental rights, the heavier the obligations. Four broad tiers exist (unacceptable, high, limited, minimal), plus a separate vertical regime for general-purpose AI (GPAI) models that sit underneath downstream applications.

Phased application timeline

Date | What applies | Who it hits first
1 Aug 2024 | Entry into force (Article 113) | All - clock starts
2 Feb 2025 | Prohibited practices (Art. 5) and AI literacy (Art. 4) | Any provider or deployer of in-scope AI
2 Aug 2025 | GPAI model rules (Chapter V), governance, penalties framework, Member State authority designations | GPAI providers; Cyprus Deputy Ministry
2 Aug 2026 | High-risk AI systems (Annex III) - the main wave | Most SaaS / HR-tech / fintech AI
2 Aug 2027 | Full application; legacy GPAI models must conform | Pre-Aug 2025 GPAI providers

(Article 113, Regulation (EU) 2024/1689 - Entry into force and date of application)

The phased structure is deliberately long, but the August 2026 deadline is the practical one for most Cyprus SaaS founders, because that is when Annex III high-risk obligations kick in.

Who is in scope: providers vs deployers

The Act distinguishes between several roles. The two that matter most for a Cyprus SaaS founder are:

  • Provider - the natural or legal person that develops an AI system (or has one developed) and places it on the EU market or puts it into service under their own name or trademark. If you ship an AI feature inside your SaaS, you are typically the provider of that AI system.
  • Deployer - the natural or legal person using an AI system under its authority, except where used in the course of a personal, non-professional activity. If you use a third-party AI tool to screen job applicants for your own hiring, you are the deployer (and the obligations on deployers of high-risk systems are real, especially in HR contexts).

Importantly, the Act has extraterritorial reach: it captures providers outside the EU where the AI system's output is used inside the EU. A Cyprus company selling AI to Switzerland or the UK is still caught if EU users ultimately see the outputs.

The four risk tiers

Tier | Examples | Core obligations
Unacceptable (prohibited) | Social scoring by public authorities, untargeted facial-image scraping, emotion recognition in workplaces / schools, certain real-time biometric ID | Outright ban (Art. 5)
High risk | HR / recruiting AI, credit scoring, education grading, critical infrastructure, biometric ID, AI safety components of regulated products | Risk management, data governance, technical documentation, logging, human oversight, transparency, CE marking, EU database registration
Limited risk | Chatbots, emotion / biometric categorisation (where not banned), AI-generated content / deepfakes | Transparency: tell users they are interacting with AI; label synthetic media
Minimal risk | Spam filters, basic recommender systems, most internal productivity tools | No mandatory obligations beyond AI literacy and voluntary codes

General-purpose AI model obligations

Chapter V introduces a separate regime for general-purpose AI (GPAI) models - foundation models trained on broad data, capable of being adapted to a wide range of downstream tasks. These obligations applied from 2 August 2025 (Articles 51-56, Regulation (EU) 2024/1689 - General-Purpose AI Models).

Providers of GPAI models must:

  • Maintain up-to-date technical documentation of the model (Annex XI).
  • Provide downstream integrators with the information needed to comply with the Act (Annex XII).
  • Implement a policy to comply with EU copyright law, including the Article 4(3) text and data mining opt-out under the Copyright in the Digital Single Market Directive.
  • Publish a sufficiently detailed summary of training-data content.

Models presenting systemic risk (currently those trained with cumulative compute above 10^25 FLOPs, plus designations by the Commission) face additional duties: model evaluations, adversarial testing, systemic-risk assessment, incident reporting, and cybersecurity protections under Article 55. Most Cyprus SaaS founders are consumers of GPAI rather than providers, but the moment you fine-tune and re-release a model under your own brand, the analysis changes.

High-risk AI systems: the August 2026 wall

For most Cyprus SaaS companies, the live question is whether anything they ship is high-risk under Annex III. The classification list covers eight domains: biometrics; critical infrastructure; education and vocational training; employment, workers' management and access to self-employment; access to essential private and public services and benefits (including credit scoring); law enforcement; migration, asylum and border control; and administration of justice and democratic processes (Annex III, Regulation (EU) 2024/1689).

If a system is high-risk, the provider must:

  • Establish, document and maintain a risk-management system across the lifecycle (Article 9).
  • Apply data governance measures to training, validation and testing datasets (Article 10).
  • Draw up and keep up-to-date technical documentation (Article 11, Annex IV).
  • Design the system to enable automatic record-keeping / logs (Article 12).
  • Provide transparency and instructions for use to deployers (Article 13).
  • Design for effective human oversight (Article 14).
  • Meet accuracy, robustness and cybersecurity requirements (Article 15).
  • Implement a quality management system (Article 17).
  • Carry out a conformity assessment, draw up an EU declaration of conformity and affix the CE marking (Articles 43, 47-48).
  • Register the system in the EU database before placing it on the market (Article 49).

Deployers of high-risk AI also have duties: human oversight, monitoring, record-keeping, and - for public authorities and certain private deployers - a fundamental rights impact assessment under Article 27.

Cyprus national competent authority

Each Member State had to designate at least one notifying authority and at least one market surveillance authority under Article 70 by 2 August 2025 (Article 70, Regulation (EU) 2024/1689 - Designation of national competent authorities). Cyprus met that deadline. The Deputy Ministry of Research, Innovation and Digital Policy leads national AI policy coordination, while market surveillance, notifying and sectoral functions are split across existing regulators - including the Department of Electronic Communications, sectoral product-safety authorities, and the Office of the Commissioner for Personal Data Protection where AI processes personal data. Cyprus also nominated a single point of contact for AI Act matters, as required by Article 70(2).

For Cyprus-based founders this means: questions, complaints and incident notifications will be routed through Cypriot regulators, not directly to Brussels, and Cyprus penalty decisions will be enforced in line with the national implementing framework. See our broader notes on Cyprus economic substance for the parallel question of where a Cyprus company is actually managed and controlled.

Interaction with GDPR and the DSA

The AI Act is independent of - and cumulative with - the GDPR (Regulation (EU) 2016/679) and the Digital Services Act (Regulation (EU) 2022/2065). Three overlaps matter most:

  • Personal data inputs and outputs. If your AI processes personal data (CVs, biometrics, behavioural signals), GDPR applies in full - lawful basis, transparency, data minimisation, DPIA under Article 35 where the processing is likely to result in high risk.
  • Automated decision-making. Article 22 GDPR continues to regulate solely automated decisions producing legal or similarly significant effects. The AI Act adds product-safety style duties; GDPR adds individual-rights duties. Both apply.
  • Online platforms. If your AI feature sits inside a platform regulated by the DSA, you may also face DSA duties on illegal content, recommender system transparency, and (for VLOPs / VLOSEs) systemic-risk assessments.

Founders also need to keep an eye on the Pillar Two minimum tax rules and on Cyprus transfer pricing - because AI groups often involve cross-border R&D, IP licensing and intra-group services, all of which are highly visible to the Tax Department.

Penalties and enforcement

Article 99 establishes a three-tier penalty regime (Article 99, Regulation (EU) 2024/1689 - Penalties).

Tier | Breach | Maximum fine
1 | Prohibited practices (Article 5) | Up to EUR 35,000,000 or 7% of worldwide annual turnover, whichever is higher
2 | Most other obligation breaches (high-risk, GPAI, transparency, notified-body duties) | Up to EUR 15,000,000 or 3% of turnover
3 | Supplying incorrect, incomplete or misleading information to authorities | Up to EUR 7,500,000 or 1% of turnover

For SMEs and start-ups, the fine is the lower of the absolute amount and the percentage figure - a proportionality safeguard built into Article 99(6). National authorities (in Cyprus, the designated market surveillance bodies) impose the fines under domestic procedural law.

Practical compliance playbook for Cyprus SaaS

  1. Inventory every AI system. Treat anything that meets the Article 3(1) definition as in scope until you prove otherwise. Include embedded vendor AI (e.g. analytics SDKs).
  2. Classify the risk tier per system. Document the analysis - especially the reasons something is not high-risk under Annex III. This memo is what regulators will ask for first.
  3. Roll out AI literacy. Article 4 has been in force since February 2025. Founders, engineers and customer-facing staff need basic AI literacy proportionate to their role. Keep a short training log.
  4. Build the high-risk file early. If anything is or might be high-risk, start the Article 9-15 documentation in 2026 - not the week before August 2026. Conformity assessment is not a same-day exercise.
  5. Run transparency duties on limited-risk systems. Chatbots must disclose AI status; AI-generated content must be labelled; deepfakes carry their own disclosure obligations under Article 50.
  6. Reconcile with GDPR. DPIAs for high-risk processing, Article 22 logic, retention schedules and access rights all have to line up with your AI Act documentation.
  7. Watch GPAI provider creep. If you fine-tune an open model and ship it, evaluate whether you have become a GPAI provider (Annex XII duties).
  8. Coordinate with Cyprus tax structuring. A compliant AI stack pairs naturally with the Cyprus IP Box for software copyright income, provided the R&D and decision-making substance is genuinely in Cyprus.

Common founder mistakes

  1. Assuming "we're just wrapping the OpenAI API" means out of scope. Wrapping a GPAI in a high-risk Annex III use case (e.g. CV screening) still makes you a provider of a high-risk system.
  2. Skipping the AI literacy duty. It is the cheapest item to comply with and the easiest one for a regulator to spot as missing.
  3. Treating it like GDPR with new branding. The AI Act is a product-safety regime in tone. CE marking, conformity assessment and EU database registration are concepts borrowed from medical devices and machinery, not from data protection.
  4. Forgetting the deployer-side duties when you also use AI internally. Using an external HR-AI tool to screen candidates makes you a deployer of a high-risk system, with your own logging and human-oversight obligations.
  5. Ignoring transparency on synthetic media. AI-generated or manipulated images, audio and video usually need labelling under Article 50, irrespective of risk tier.
  6. Letting substance drift. Cyprus tax benefits and AI Act governance both rest on real decisions taken in Cyprus by qualified people. See our Cyprus holding company structuring guide for the broader substance picture.

Frequently asked questions

Does the EU AI Act apply to my Cyprus SaaS company?
If your SaaS product places an AI system on the EU market, or its output is used inside the EU, the AI Act applies regardless of where your company is incorporated. A Cyprus tax-resident company building AI features for EU customers is squarely in scope, both as a 'provider' (if you develop the AI system) and potentially as a 'deployer' (if you also use it).
When does the AI Act actually start biting?
Regulation (EU) 2024/1689 entered into force on 1 August 2024. Prohibited-practice rules and AI literacy duties applied from 2 February 2025; general-purpose AI (GPAI) model obligations and the national-authority framework from 2 August 2025; high-risk AI system obligations from 2 August 2026; and full application from 2 August 2027 (with a long transition for legacy GPAI models).
Is my SaaS chatbot a 'high-risk' system?
Most consumer chatbots are not high-risk. They are 'limited-risk' systems subject mainly to transparency duties (users must know they are interacting with AI). High-risk classification under Annex III is reserved for AI used in employment, education, critical infrastructure, credit scoring, biometric identification, law enforcement, migration, and certain product-safety contexts. Misclassifying a high-risk system as limited-risk is the single most expensive mistake founders make.
What are the fines for non-compliance?
Three tiers under Article 99. Prohibited practices: up to EUR 35 million or 7% of worldwide annual turnover, whichever is higher. Other obligation breaches (high-risk failures, GPAI breaches): up to EUR 15 million or 3%. Misleading information to authorities: up to EUR 7.5 million or 1%. For SMEs and start-ups the lower of the two figures applies.
Who is Cyprus's national competent authority for the AI Act?
Cyprus designated its national competent authorities ahead of the 2 August 2025 deadline. The Deputy Ministry of Research, Innovation and Digital Policy leads policy, with market surveillance and notifying functions split across telecommunications, data protection and sector regulators. The Office of the Commissioner for Personal Data Protection retains its GDPR mandate where AI processes personal data.
How does the AI Act overlap with GDPR?
They are independent and cumulative. The AI Act regulates AI systems and their lifecycle; GDPR regulates personal-data processing. An AI feature can trigger both: GDPR for the personal-data inputs and outputs, the AI Act for the model and its deployment context. You typically need a Data Protection Impact Assessment under Article 35 GDPR alongside the AI Act conformity assessment for high-risk systems.
Do I need to register my high-risk AI system somewhere?
Yes. High-risk AI systems listed in Annex III generally must be registered in the EU database for high-risk AI systems before being placed on the market or put into service, under Article 49. Providers and certain deployers (notably public authorities) have registration duties. This is in addition to the CE marking and conformity assessment.
What about general-purpose AI models like Llama or GPT?
If you fine-tune or substantially modify a GPAI model and release it, you may yourself become a 'provider' of a GPAI model with the associated transparency, copyright and documentation duties under Article 53 (and Article 55 if the model presents systemic risk). Most Cyprus SaaS founders consume GPAI APIs without crossing into provider status, but the line is fact-specific.

About the author

Sergios Charalambous

Founder · Zeno

Cyprus & Athens Bar-admitted lawyer specialising in corporate and tax law. Founder of Zeno. Cyprus Bar & Athens Bar admitted. LL.B., two LL.M.s (Distinction) from the National and Kapodistrian University of Athens, plus a Professional Diploma in Tax Law (Distinction). All articles are reviewed jointly with independent Cyprus Bar–licensed advocates and ICPAC–licensed accountants.

Cyprus Bar Association · Athens Bar Association · Updated: June 2026

Disclaimer: This article provides general information on Cyprus law and tax practice as of the update date shown above. It is not legal or tax advice and should not be relied upon for specific transactions. Cyprus tax rules change from time to time; we review and update every article at least every six months. For advice on your situation, please book a free 30-minute call with Sergios via Zeno.
