The AI Act is an EU regulation that governs artificial intelligence according to the level of risk. It has entered into force and is being rolled out in stages, with different deadlines for different obligations. Many companies assume it is a problem only for model providers. That is a misconception. If you deploy and use an AI system, you are a deployer and you have your own obligations.

A risk-based approach

At the heart of the AI Act is the division of AI uses into risk levels. The higher the risk to people’s rights and safety, the more requirements apply.

  • Unacceptable risk. Prohibited practices, for example social scoring of citizens or subliminal manipulation.
  • High risk. Systems used in recruitment, credit scoring or access to services. This is where obligations are heaviest.
  • Limited risk. Transparency requirements, for example letting people know they are talking to a chatbot.
  • Minimal risk. Most everyday tools, where obligations are light.

The key question is not whether we use AI, but what we use it for. It is the use case, not the technology itself, that determines the level of obligations.

In conversations with boards I keep seeing the same mistake. A company asks whether its tool is legal, when it should be asking in which process it is used. The same model in marketing and in recruitment are two completely different levels of risk.

What this means for the average SME

Most SMEs do not build models, they use ready-made tools. Even so, it is worth doing a few things so you do not wake up with a problem.

Take an inventory of your AI

Write down where your company actually uses AI. There is often more of it than you think: an assistant in your office suite, a recruitment tool, a chatbot on your website, sales analytics. Without this list you cannot assess the risk.

Assess high-risk uses

If AI supports decisions about people, for example selecting candidates, treat it seriously. This is where human oversight, transparency and documentation come in. You cannot offload the decision onto an algorithm and wash your hands of it.

Ensure transparency

Wherever a customer interacts with AI, tell them so openly. AI-generated content has to be labelled in some cases. It is a cheap change that builds trust.

The AI Act and GDPR

These are two different acts, but they overlap heavily. AI often processes personal data, so GDPR applies regardless of the AI Act. In practice this means having a legal basis for processing, carrying out an impact assessment where the risk is high, and honouring the rights of data subjects.

If your company has a Data Protection Officer or you use DPO outsourcing, they are the natural person to watch over the intersection of AI and personal data. Separating these topics leads to duplicated work and gaps.

What to do right now

You do not have to wait for every deadline to get the basics in order. A sensible minimum plan looks like this:

  • Build a register of the AI tools you use and map their uses.
  • Flag high-risk processes and introduce human oversight in them.
  • Add a transparency and data protection requirement to your rules on using AI.
  • Train your team so they know what must not be fed into AI.

Summary

The AI Act is not there to stop companies from using AI. It is meant to force them to do it consciously, especially where decisions about people are involved. For most SMEs the obligations are manageable, as long as you start with an inventory and an assessment of uses rather than with panic.

If you want to deploy AI legally and sensibly, take a look at our AI implementation for business. We combine the technology side with data protection so that one does not undermine the other.