A Practical Guide to GDPR, AI Act, Security, Accessibility, VAT, and Legal Requirements for Modern SaaS
Introduction: Why Compliance Is Your Product’s Foundation
- The Cost of Getting It Wrong
- The EU as a Regulatory Superpower
- Who This Book Is For and How to Use It
- The Compliance Mindset: From Checkbox to Culture
Chapter 1: The EU Regulatory Landscape — A Map for SaaS Builders
- How EU Law Works: Regulations, Directives, and National Transposition
- The Key Institutions: Commission, Parliament, EDPB, and Data Protection Authorities
- The Brussels Effect: Why Global SaaS Companies Care About EU Law
- Germany-Specific Considerations: BDSG, TTDSG, and the Enforcement Landscape
- A Quick Reference Map of Every Relevant Regulation
Chapter 2: GDPR Fundamentals for SaaS — Data Protection by Design
- Controller vs. Processor vs. Joint Controller (with SaaS Examples)
- Lawful Bases for Processing: Which One Applies to Your Use Case?
- Data Subject Rights in Practice: Access, Erasure, Portability, Objection
- Data Protection Impact Assessments (DPIAs): When and How
- Records of Processing Activities (RoPA): A Practical Template
Chapter 3: Building a GDPR-Compliant SaaS Architecture
- Privacy by Design and Default: Technical Controls That Matter
- Data Minimization and Storage Limitation in Practice
- Encryption, Anonymization, and Pseudonymization
- International Data Transfers: SCCs, IDTA, and the End of Safe Harbor
- Choosing and Vetting Sub-processors
Chapter 4: ePrivacy, Cookies, and Tracking — The Consent Layer
- The ePrivacy Regulation: Where Things Stand (and Why It Matters)
- What Counts as Valid Consent Under GDPR + ePrivacy
- Cookie Banners That Actually Work (And Those That Don’t)
- Analytics, Advertising, and First-Party vs. Third-Party Tracking
- The German Angle: TTDSG and the Stricter Enforcement Landscape
Chapter 5: The EU AI Act — Compliance for SaaS with AI/ML
- The Four Risk Tiers: Unacceptable, High, Limited, and Minimal Risk
- What Makes a SaaS “AI System” Under the AI Act?
- High-Risk Obligations: Technical Documentation, CE Marking, Human Oversight
- Transparency Requirements for Chatbots and Generated Content
- Compliance Roadmap: Deadlines, Notified Bodies, and Conforms
- AI Act vs. GDPR: Where They Overlap and Diverge
Chapter 6: Cybersecurity and Resilience — NIS2, ISO 27001, and Beyond
- NIS2 Directive: Which SaaS Companies Are In Scope?
- Essential and Important Entity Obligations Under NIS2
- ISO 27001 and SOC 2: What They Mean, How to Get Them
- The Cyber Resilience Act: Security by Design for Connected Products
- Practical Security Measures: Access Control, Monitoring, Incident Response
- Penetration Testing, Bug Bounties, and Vulnerability Disclosure
Chapter 7: Accessibility — WCAG, EAA, and What EU Users Expect
- The European Accessibility Act (EAA): Scope and Deadlines
- WCAG 2.1/2.2 AA: What It Means for Your Product
- German Specifics: BITV and the Barrierefreiheitsstärkungsgesetz
- Technical Implementation: ARIA, Keyboard Navigation, Screen Readers
- Testing and Auditing: Automated Tools vs. Manual Review
Chapter 8: VAT, Tax, and Financial Compliance — Selling in the EU
- VAT Basics for Digital Services: Where the Tax Is Due
- B2B vs. B2C: Reverse Charge, OSS, and Thresholds
- The German Fiscal Perspective: UStG, KassenSichV, and E-Invoicing
- Invoicing Requirements and Documentation
Chapter 9: Contracts, Terms, and Enterprise Expectations
- The Core Legal Documents: ToS, Privacy Policy, Acceptable Use
- Data Processing Agreements (DPAs): Essential Clauses and Templates
- Service Level Agreements (SLAs): What to Promise and How to Deliver
- Enterprise Security Questionnaires: Preparing for SOC 2, ISO, and Custom RFIs
- German Contract Law Considerations: AGB, BGB, and Digital Contracts
Chapter 10: Operational Compliance — Running a Compliant SaaS Business
- Data Breach Response: The 72-Hour Rule and Beyond
- Incident Response Playbooks for SaaS Teams
- Vendor and Sub-processor Management at Scale
- Employee Training and Compliance Culture
- Audits, Certifications, and Continuous Improvement
Chapter 11: Scaling Compliance — From Startup to Enterprise
- Stage-Gated Compliance: What Matters at Seed, Series A, and IPO
- Building Your First Compliance Team (or Hiring a CCO)
- Multi-Regulatory Expansion: EU, UK, US, APAC Simultaneously
- Compliance as a Sales Enabler (Not a Roadblock)
- Tools, Automation, and GRC Platforms
Chapter 12: The Future of EU SaaS Regulation — What’s Coming Next
- Enforcement Trends: Fines, Investigations, and Market Surveillance
- Upcoming Regulations: Digital Services Act, Data Act, Data Governance Act
- AI Regulation Beyond the AI Act: Sector-Specific Rules
- The Geopolitics of Data: US Cloud Act vs. EU Data Sovereignty
- Building a Regulation-Aware Product Strategy