The EU AI Act, Explained for Companies That Aren't Building AI
On this page
- First, the shape of the law
- The risk tiers
- Prohibited practices: banned outright
- High-risk: allowed, heavily regulated
- Transparency cases: tell people it’s AI
- Minimal risk: everything else
- One more layer: general-purpose AI models
- Provider vs deployer: the distinction that decides your exposure
- What deployers of high-risk systems actually have to do
- The two obligations that apply to almost everyone
- A practical sequence for an SMB
- Does the EU AI Act apply to my small company?
- What’s the difference between a provider and a deployer?
- What are the EU AI Act risk tiers?
- Is using ChatGPT or a similar assistant at work high-risk under the Act?
- Can a small company be fined under the EU AI Act?
TL;DR: The EU AI Act is the first comprehensive AI law, and it regulates uses by risk tier, not AI in general. For a typical SMB the punchline is reassuring but not empty: you’re almost certainly a deployer (user), not a provider (builder), so the heavy obligations aren’t yours, but a short list is: avoid the prohibited practices, disclose AI that interacts with people, ensure staff AI literacy, and treat any AI use in hiring, credit, or similar high-stakes areas with genuine diligence. Obligations phase in over several years. This page explains the mechanism; verify current dates, thresholds, and penalty specifics with a qualified professional, this is general guidance, not legal advice.
First, the shape of the law
Three design choices explain almost everything about how the Act touches you:
- It’s risk-based. The Act doesn’t regulate “AI” as a substance; it sorts uses of AI into tiers and scales obligations to the tier. Most everyday business AI lands in the lightest tier.
- It’s role-based. Obligations attach to what you are in the value chain, provider, deployer, importer, distributor. The same AI system carries very different duties depending on which seat you occupy.
- It’s extraterritorial and phased. Like the GDPR, it reaches non-EU companies whose systems or outputs are used in the EU. And it doesn’t switch on all at once: it entered into force in 2024 with obligations phasing in across several years, prohibitions and AI-literacy duties first, general-purpose model rules next, most high-risk obligations later. If you’re reading this, some waves have landed and others may still be arriving; check the current state before relying on any date.
The risk tiers
Prohibited practices: banned outright
A short list of uses the EU considers incompatible with fundamental rights. The categories include (described generally):
- Social scoring of people by or for public authorities and in certain private contexts, rating individuals’ trustworthiness across life domains.
- Manipulative or exploitative techniques that materially distort behavior in ways likely to cause significant harm, including exploiting vulnerabilities of age or disability.
- Certain biometric uses, including untargeted scraping of facial images to build recognition databases, and emotion recognition in workplaces and schools (with narrow exceptions).
- Certain predictive policing and real-time remote biometric identification uses, with tightly drawn exceptions for law enforcement.
For a normal company the practical takeaway is narrower than it looks, with one live trap: emotion recognition at work is on the banned list. AI features that claim to read employee sentiment from video calls, voice, or keystrokes, sometimes marketed inside HR and meeting tools, sit close enough to this line that you should treat them as off-limits absent specific legal advice.
High-risk: allowed, heavily regulated
The tier with real compliance weight. High-risk status attaches in two ways: AI as a safety component of regulated products (machinery, medical devices, vehicles), and AI used in listed sensitive domains, which include, described generally:
- Employment: recruiting, screening, evaluating candidates; decisions on promotion, termination, task allocation, monitoring.
- Access to essential services: credit scoring, insurance pricing in some cases, eligibility for public benefits.
- Education: admissions, assessment, proctoring.
- Plus domains most SMBs won’t touch: biometrics, critical infrastructure, law enforcement, migration, justice.
Notice which items are boldly mundane. Hiring tools are the high-risk category most SMBs will actually encounter. A CV-screening feature, an AI video-interview scorer, an automated promotion-recommendation dashboard, these are high-risk uses regardless of how small the company using them is.
Transparency cases: tell people it’s AI
A tier of disclosure duties rather than heavy process:
- People interacting with an AI system (chatbots, voice agents) must be able to know it’s AI.
- Synthetic content, including deepfakes, must be disclosed/marked as artificially generated, with the details depending on context.
- Where emotion recognition or biometric categorization is lawfully used at all, affected people must be informed.
If you deploy a customer-facing chatbot, this tier is yours: label it. (You should anyway, it’s also the responsible-AI baseline argued in Responsible AI in practice.)
Minimal risk: everything else
Drafting emails, summarizing meetings, writing code, analyzing spreadsheets, internal search, the overwhelming majority of business AI use. No new obligations from the Act. Your governance here is the voluntary kind: the acceptable-use policy, data privacy rules (the GDPR very much still applies), and tool vetting.
One more layer: general-purpose AI models
The Act separately regulates providers of general-purpose models, the large language models behind mainstream assistants, with documentation, copyright, and (for the most capable models) systemic-risk obligations. These duties sit on the model providers, not on you. They matter to you only indirectly: they’re part of why enterprise AI vendors publish model documentation you can lean on during security reviews.
Provider vs deployer: the distinction that decides your exposure
| Role | Who it is | Obligation weight |
|---|---|---|
| Provider | Develops an AI system (or commissions it) and puts it on the market under its own name | Heavy: risk management, data governance, technical documentation, conformity assessment, post-market monitoring |
| Deployer | Uses an AI system in a professional capacity | Lighter: use per instructions, human oversight, input relevance, monitoring, specific duties for high-risk uses |
| Importer / distributor | Brings third-country systems to the EU market / makes them available | Verification duties in between |
Most SMBs are deployers, full stop. But there’s a boundary worth respecting: you can become a provider by accident. Substantially modifying a high-risk system, putting your own name on one, or repurposing a system into a high-risk use can shift provider-grade duties onto you. Building a hiring screener on top of a general-purpose model API is the canonical example. If you’re doing anything like that, this page is not enough, get qualified advice before launch.
What deployers of high-risk systems actually have to do
If (and only if) one of your uses lands in the high-risk tier, deployer duties include, in general terms:
- Use the system per the provider’s instructions, which means obtaining and reading them; providers of high-risk systems must supply real documentation.
- Assign human oversight to people with the competence, authority, and time to actually intervene, the operational version of the oversight principle in Responsible AI in practice.
- Ensure input data is relevant and representative for the purpose, to the extent you control the inputs.
- Monitor operation and report serious incidents and malfunctions through the prescribed channels.
- Keep the system’s logs you control, for traceability.
- Inform affected people where the Act requires it, workers and their representatives before workplace deployment of high-risk AI, and individuals subject to decisions informed by it. Certain deployers must also run a fundamental-rights impact assessment before first use.
If you read that list and thought “that’s roughly a serious vendor implementation done properly”, yes. That’s the realistic frame: for deployers, the Act mostly mandates the diligence a careful company would apply anyway, and attaches penalties to skipping it.
The two obligations that apply to almost everyone
Beyond tiers, two duties are worth flagging because they’re broad and easy to action:
- AI literacy. The Act expects organizations that provide or deploy AI to ensure staff involved have adequate AI literacy, understanding what the systems can and can’t do, sized to the context. A short internal training tied to your acceptable-use policy rollout is a proportionate response for most SMBs, and it pays for itself in fewer hallucination-shaped incidents regardless of the legal driver.
- Penalties are real and tiered. The framework follows GDPR logic: maximum fines defined as percentages of worldwide annual turnover (with fixed ceilings), and the highest tier reserved for prohibited practices. The Act directs authorities to weigh proportionality, including SME circumstances, but “we’re small” is a mitigating factor, not a shield. Verify current amounts and enforcement practice with a professional; they’re the kind of specifics that shift.
A practical sequence for an SMB
- Inventory your AI uses. You need this for every governance purpose anyway, it’s step one of the risk assessment method and the substance of the approved-tools list.
- Screen against the prohibited list. Usually a fast pass. Look hardest at anything claiming to infer emotions of employees, and anything resembling scoring people across contexts.
- Flag high-risk domains. Anything touching hiring, promotion, monitoring, credit, or education gets pulled out for real analysis: confirm the vendor’s own Act posture, implement the deployer duties above, and involve counsel.
- Label conversational and generative outputs. Chatbots identified as AI; synthetic media disclosed. Cheap, visible, and the part a customer or regulator notices first.
- Stand up AI literacy. Fold it into policy rollout training. Keep a record that it happened.
- Put the Act on your six-month governance review. Phased application means the obligation set changes over time; codes of practice, standards, and guidance keep arriving. A standing agenda item beats a compliance fire drill.
FAQ
Does the EU AI Act apply to my small company?
If you’re established in the EU, place AI systems on the EU market, or deploy AI whose output is used in the EU, likely yes. There’s no general small-business exemption, though the Act builds in some SME accommodations and proportionality. Your actual obligations depend on role (provider vs deployer) and the risk tier of each specific use.
What’s the difference between a provider and a deployer?
Providers build AI systems (or commission them) and market them under their own name; they carry the heavy obligations, documentation, conformity assessment, monitoring. Deployers use AI systems professionally; their duties center on proper use: follow instructions, ensure competent human oversight, monitor, and meet extra duties when the use is high-risk. Beware role drift: substantially modifying or rebranding a system can make a deployer into a provider.
What are the EU AI Act risk tiers?
Prohibited practices (banned, social scoring, certain manipulative and biometric uses, emotion recognition in workplaces and schools), high-risk (permitted with substantial obligations, includes employment, credit, education uses), transparency cases (disclose chatbots and synthetic content), and minimal risk (most everyday business AI, no new obligations). General-purpose model duties sit separately, on model providers.
Is using ChatGPT or a similar assistant at work high-risk under the Act?
Routine drafting, summarizing, coding, and analysis is minimal-risk. The tier follows the use: the same assistant embedded in candidate screening becomes part of a high-risk use with deployer obligations attached. Assess uses, not logos, that’s the core method of the AI risk assessment.
Can a small company be fined under the EU AI Act?
Yes. Penalties scale by violation severity, highest for prohibited practices, and are structured as percentages of worldwide turnover with fixed maximums, GDPR-style. Regulators are instructed to consider proportionality including for SMEs. Treat current amounts, dates, and enforcement details as things to verify with a qualified professional, not to memorize from any article, including this one.
Get one practical AI implementation brief per week, join the free newsletter.
Frequently asked questions
Does the EU AI Act apply to my small company?
If you operate in the EU, sell into the EU, or your AI system's output is used in the EU, likely yes, there's no general small-business exemption, though the Act includes some SME accommodations. What applies depends on your role (provider vs deployer) and the risk tier of each AI use. Most SMBs are deployers with relatively light obligations.
What's the difference between a provider and a deployer under the EU AI Act?
A provider develops an AI system (or has one developed) and places it on the market under its own name. A deployer uses an AI system in a professional context. Providers carry the heavy obligations, conformity assessment, documentation, quality management. Deployers mainly have use-it-properly duties: follow instructions, ensure human oversight, monitor operation.
What are the EU AI Act risk tiers?
Four in practice: prohibited practices (banned outright, e.g., social scoring and certain manipulative or biometric uses), high-risk systems (allowed with substantial obligations, includes AI in hiring, credit, education, essential services), limited-risk / transparency cases (AI that interacts with people or generates synthetic content must be disclosed), and minimal risk (most everyday AI, no new obligations).
Is using ChatGPT or a similar assistant at work high-risk under the Act?
Ordinary drafting, summarizing, and analysis use is generally in the minimal-risk category, no new obligations beyond disclosure norms where applicable. Risk tier follows the use, not the tool: the same assistant wired into CV screening for hiring decisions would put that use in high-risk territory, with real deployer obligations attached.
Can a small company be fined under the EU AI Act?
Yes. The Act's penalty framework scales with the severity of the violation, the largest tier attaches to prohibited practices, and is designed, like the GDPR's, around percentages of worldwide turnover with fixed maximums. The Act instructs regulators to weigh proportionality, including for SMEs, but the exposure is real. Verify current penalty specifics with a qualified professional.