Beyond Prompt AI Studio

Using AI responsibly

The EU AI Act – what actually affects your business

Few pieces of regulation cause as much vague anxiety right now as the EU AI Act – and few are as often misunderstood. "That costs millions in fines" and "we'll have to get everything certified" simply aren't true for most businesses. This module frames what actually matters.

Wider = more applications typically land here

Tap a level to see examples and obligations.

Four examples – to remember it

Not a second data protection law

The most important first point: the AI Act is not a second data protection law. The GDPR (see module 7) asks whether personal data is processed lawfully. The AI Act asks something different – whether an AI system is deployed safely, transparently, and fairly as a product. It's product safety law, closer to a machinery or toy directive than to the GDPR – staggered by the risk a system poses.

The risk pyramid

The AI Act tiers all obligations by risk into four levels: prohibited, high risk, limited risk, minimal risk. The crucial, rarely stated insight: typical business use of AI – a team using a chat assistant, a chatbot answering standard questions, an automation sorting emails – almost always lands in the bottom two tiers. Not out of luck, but because "high risk" is narrowly defined in the law via a specific list. The first sensible step is therefore not a compliance project, but an honest inventory: which AI systems do we use where, and which tier does each one fall into?

More important than the risk: your role

The effort the AI Act actually demands of you depends less on the risk than on your role. The law mainly distinguishes the provider (develops an AI system and places it on the market under its own name) and the deployer (uses an AI system for its own purposes). Anyone who buys and uses AI is a deployer – and has significantly lighter obligations even in the high-risk case. The heavy obligations – technical documentation, conformity assessment, CE marking – fall almost exclusively on providers. The much-feared CE marking is the job of whoever manufactures the system, not whoever uses it.

The trap: becoming a provider without noticing

The practically most important, least-discussed insight: you can cross the line from deployer to provider without noticing – for example by deploying a high-risk system under your own name, substantially modifying it, or fine-tuning a model. Then the heavy provider obligations suddenly apply. For companies building their own applications on AI, this line belongs at the start of a project, not in a review after the architecture and branding are already set.

The one duty that already applies today

While everyone stares at the big high-risk deadlines, one duty has long been in force and applies to every company that uses AI, regardless of risk tier: the AI-literacy duty. The core: companies must ensure their staff have a sufficient level of AI competence – not as a certificate, but as a documented, demonstrable measure. Simply handing people a user manual is generally not considered enough. This duty is cheap to implement relative to its impact (structured, documented internal training) and is overlooked by almost everyone. If you only tackle one thing in the entire AI Act, make it this one.

Why this matters for you as a decision-maker

For the normal case, the AI Act demands far less than the headlines suggest – but it does demand that you know your own situation: which systems, which risk tier, which role? The legal framework itself is currently being adjusted on an ongoing basis (deadlines shift, wording gets softened), which is why "let's wait until it's all final" is the wrong strategy – part of it already applies. The smart response isn't standing still, but building flexibly: rolling out AI so that role, classification, and evidence can be retrofitted. The specific deadlines, fine amounts, and articles are in the linked article – this module gives you the durable framework behind them.

Key takeaways

  • The EU AI Act is product safety law for AI, not a data protection law – it tiers obligations by risk (prohibited / high / limited / minimal).
  • Most business applications sit in the bottom two tiers – "high risk" is narrow and defined via a specific list.
  • Your role decides your effort more than the risk does: deployer (light obligations) vs. provider (heavy obligations).
  • The trap: becoming a provider without noticing – e.g. via your own branding, a substantial modification, or fine-tuning a model.
  • One duty already applies to everyone using AI today: the AI-literacy duty – staff must be able to competently handle AI.

The EU AI Act: what companies really need to know – and what's just panic

Quick check: did it land?

1 / 3

What does the EU AI Act fundamentally regulate?

Building your own AI applications and want to get role and risk right from the start?