EU AI Act: Does it apply to me?
Three things decide it: your role, where your users are, and how risky your use of AI is. This page walks you through all three so you can place yourself. It gives you the general picture; the free Exposure Check gives you a personal one.
Two roles
The Act treats you differently depending on what you do with AI. Almost every small business falls into the lighter of the two roles.
Provider
You develop an AI system or an AI model, or you put your name on one and place it on the market. Providers carry the heavier design and documentation duties. Far fewer small businesses are providers.
Deployer
You use an AI system in the course of your business, whether that is an AI feature inside a vendor's tool or your team using ChatGPT or Copilot. This covers almost every SME, and deployer duties are lighter than provider duties.
Most small businesses are deployers, not providers. If that is you, the rest of this page is mostly reassuring.
Jurisdiction
The Act reaches beyond EU borders, on the same logic as the GDPR. You are in scope if you place an AI system on the EU market, put one into service in the EU, or if the output of your AI system is used by people in the EU, regardless of where your company is legally established.
So a company with no EU office and no EU staff can still be covered, purely because its AI-powered product is used by customers inside the EU. Non-EU providers placing systems on the EU market generally also need to appoint an EU-based representative.
Worked example: a UK or US company
A UK-only or US-only company that sells an AI-powered product to customers in the EU is very likely in scope, even with zero EU offices or employees. If you have no EU users or customers at all, treat this as good practice rather than a legal duty.
What is not covered
A few things really are outside the Act. One of them is widely misread, so it is worth being precise.
The personal-use exemption is for an individual using AI in their own private life, not for a business. If your employees use an AI tool as part of their job, even a purely internal tool with no customer visibility, that is deployer use and it is in scope. At a minimum it triggers the AI-literacy duty.
Free and open-source AI systems are largely carved out, unless the system is high-risk, is one of the banned practices, or is a general-purpose model with systemic risk. For most everyday open-source tools the carve-out applies.
AI built and tested purely for research, before it is placed on the market or put into service, is outside the Act. The duties attach when you actually ship or deploy it.
The four risk levels
The Act sorts AI by how risky the use is, not by the technology. Most day-to-day tools sit in the bottom two levels. The top two are narrow and mostly do not reach small businesses. Here is the full picture, with an example of each.
Banned
A short list of practices is banned outright, including social scoring by any organisation (public or private) and emotion recognition in the workplace. Not a compliance question: you simply do not do these.
For example: a tool that monitors staff emotions to rate their performance.
High risk
A defined set of sensitive uses, such as AI that screens job applicants or scores creditworthiness. Real obligations apply, but they reach a small minority of businesses and are not due until December 2027 (pending official publication).
For example: an AI tool that screens and ranks job applicants.
Limited risk
Tools that interact with people or generate content, like chatbots and AI-written text or images. These carry one duty, transparency, so people are told they are dealing with AI. It applies from August 2026.
For example: a customer support chatbot on your website.
Minimal risk
Most everyday AI tools: spam filters, autocomplete, analytics. Effectively unregulated beyond the product-safety rules that already apply to any software.
For example: the spam filter and autocomplete already built into your email.
A quick self-check
Take the situation most readers will recognise: your team uses ChatGPT or Microsoft Copilot at work. Here is what that actually means under the Act.
You are a deployer, not a provider. You use the tool; you did not build it.
The system is minimal or limited risk, not high risk. General-purpose assistants used for everyday work are not on the high-risk list.
You already have one live duty: since February 2025, you must make sure staff have a basic working understanding of what the tool can and cannot do, its limitations, and why not to blindly trust its output for consequential decisions.
For a small team, a short internal note on sensible AI use usually covers it. That is the whole obligation for most SMEs in this position.
Answer 12 short questions and get an instant, plain-language report: your role, your risk level, and the single obligation that matters most for you. Free, about five minutes, no account needed.
If you build or sell an AI system or model, you are a provider. If you use AI in the course of your business, including a vendor's AI feature or your team using ChatGPT or Copilot, you are a deployer. Most small businesses are deployers, and deployer duties are the lighter of the two.
Yes. Using AI tools as part of your work makes you a deployer, so you are in scope. For general-purpose assistants the main duty is AI literacy: making sure staff understand what the tools can and cannot do. It is a short, practical obligation for most teams.
Very likely. The Act reaches you if you place an AI system on the EU market or if the output of your AI is used by people in the EU, wherever your company is based. A company with EU customers but no EU office is often in scope. With no EU link at all, treat it as good practice.
A defined list of sensitive uses, such as AI that screens job applicants, scores creditworthiness, or is used in education, essential services, law enforcement, or migration. Everyday business tools are almost never on it. The stand-alone high-risk rules do not apply until 2 December 2027, and that date is pending official publication.
No. Using AI still makes you a deployer, with duties of its own, though lighter than a builder's. The personal-use exemption covers an individual in their private life, not staff using AI at work. If your team uses AI tools, you are in scope.
This page is general information, not legal advice. For an answer specific to your business, take the Exposure Check or book a call.