The EU AI Act (The Artificial Intelligence Act, Regulation 2024/1689) does not impose much additional work for most small and medium companies (SMEs) unless they are dealing with 'high risk' AI systems.
The EU AI Act
Who Needs To Comply?
Every business using, developing, or procuring AI solutions in the EU needs to comply. Compliance obligations are very limited unless a company is dealing with a 'high risk' AI system.
What Is a High Risk AI System?
An AI system is defined as high risk if:
- It is a safety component that is required to undergo a third-party conformity assessment (in force from August 2027).
- It involves biometrics.
- It is used in critical infrastructure.
- It is used for law enforcement, migration, or administration of justice and democratic processes.
- It is used in providing access to essential services (health, credit, emergencies, etc.).
- It is used in employment, workers' management, and access to self-employment.
- It is used in education and vocational training.
EU member states are free to amend the list.
Small companies are most likely to be users of existing AI systems (called 'deployers') in the last two categories.
Using An AI System in Employment, Education or Training
In employment, an AI system is considered 'high risk' if:
- The AI system is used for the recruitment, selection, or evaluation of employment candidates.
- The AI system is used to make decisions affecting the terms of work-related relationships, promotion, or termination, to allocate tasks, or to monitor and evaluate employees (or contractors).
In education and vocational training, an AI system is considered 'high risk' if:
- The AI system is used to determine access or admission to courses.
- The AI system is used to evaluate learning outcomes, assess individuals, or monitor and detect prohibited behavior of students during tests.
If you plan to use AI in these contexts, then you need to check the regulation for details. That also applies when you are using an off-the-shelf AI system, such as Microsoft Copilot, ChatGPT, or Google Gemini.
GDPR Compliance
Special provisions for AI systems apply in addition to all other GDPR requirements imposed on the companies operating them. In many respects, the AI Act is a further development of the compliance requirements imposed by the GDPR. For practical reasons, most small companies should plan and document their AI Act compliance as an additional item within their GDPR compliance efforts.
When Does The AI Act Come into Force?
The list of prohibited AI practices is already in force. Most of the provisions that are most relevant to small companies come into force in August 2025.