Not a second data protection law
The most important first point: the AI Act is not a second data protection law. The GDPR (see module 7) asks whether personal data is processed lawfully. The AI Act asks something different – whether an AI system is deployed safely, transparently, and fairly as a product. It's product safety law, closer to a machinery or toy directive than to the GDPR – staggered by the risk a system poses.
The risk pyramid
The AI Act tiers all obligations by risk into four levels: prohibited, high risk, limited risk, minimal risk. The crucial, rarely stated insight: typical business use of AI – a team using a chat assistant, a chatbot answering standard questions, an automation sorting emails – almost always lands in the bottom two tiers. Not out of luck, but because "high risk" is narrowly defined in the law via a specific list. The first sensible step is therefore not a compliance project, but an honest inventory: which AI systems do we use where, and which tier does each one fall into?
More important than the risk: your role
The effort the AI Act actually demands of you depends less on the risk than on your role. The law mainly distinguishes the provider (develops an AI system and places it on the market under its own name) and the deployer (uses an AI system for its own purposes). Anyone who buys and uses AI is a deployer – and has significantly lighter obligations even in the high-risk case. The heavy obligations – technical documentation, conformity assessment, CE marking – fall almost exclusively on providers. The much-feared CE marking is the job of whoever manufactures the system, not whoever uses it.
The trap: becoming a provider without noticing
The practically most important, least-discussed insight: you can cross the line from deployer to provider without noticing – for example by deploying a high-risk system under your own name, substantially modifying it, or fine-tuning a model. Then the heavy provider obligations suddenly apply. For companies building their own applications on AI, this line belongs at the start of a project, not in a review after the architecture and branding are already set.
The one duty that already applies today
While everyone stares at the big high-risk deadlines, one duty has long been in force and applies to every company that uses AI, regardless of risk tier: the AI-literacy duty. The core: companies must ensure their staff have a sufficient level of AI competence – not as a certificate, but as a documented, demonstrable measure. Simply handing people a user manual is generally not considered enough. This duty is cheap to implement relative to its impact (structured, documented internal training) and is overlooked by almost everyone. If you only tackle one thing in the entire AI Act, make it this one.
Why this matters for you as a decision-maker
For the normal case, the AI Act demands far less than the headlines suggest – but it does demand that you know your own situation: which systems, which risk tier, which role? The legal framework itself is currently being adjusted on an ongoing basis (deadlines shift, wording gets softened), which is why "let's wait until it's all final" is the wrong strategy – part of it already applies. The smart response isn't standing still, but building flexibly: rolling out AI so that role, classification, and evidence can be retrofitted. The specific deadlines, fine amounts, and articles are in the linked article – this module gives you the durable framework behind them.