In short
The Act groups AI use into risk levels. Some practices are prohibited. High-risk systems need documentation, human oversight, logging, testing, and conformity work. Limited-risk systems usually need clear disclosure that a person is interacting with AI or seeing AI-generated content.
For most SMEs, the immediate job is an inventory: which AI tools are in use, what data enters them, whether the company is a provider or deployer, whether the use case is high-risk, and what notice or human review is required.
Where it bites
The EU AI Act bites when a useful AI pilot quietly becomes part of hiring, credit, customer eligibility, education, safety, or another consequential workflow. Reconstructing risk classification, logging, and human oversight after launch costs more than designing the guardrails before release.
What to check
- Is the system prohibited, high-risk, limited-risk, or minimal-risk under the Act?
- Are you the provider, deployer, importer, distributor, or only an end user of the AI system?
- Where are user notice, human review, logging, data protection, and complaint handling documented?
Common questions
What is the EU AI Act?
The EU AI Act is the EU regulation that classifies AI systems by risk and sets obligations for prohibited, high-risk, limited-risk, and general-purpose AI systems.
Does using ChatGPT make my company an AI provider?
Usually no. Most companies using commercial AI tools are deployers or users, not model providers. The obligation still depends on the use case, the data involved, and whether the output affects a real decision.
What should you check first for the EU AI Act?
Start with an AI system inventory, use-case risk classification, provider versus deployer role, transparency notices, human oversight, GDPR basis, and the current implementation timeline.
