What does the EU AI Act require if your company uses AI?

Short answer

If your company uses AI tools like ChatGPT or Claude, the EU AI Act mostly requires governance, not engineering: know which AI systems you use, manage the data that goes into them, keep humans accountable, ensure staff AI literacy, and be able to document your controls. Obligations phase in through 2026, and they apply to any company serving EU users — not just EU-based ones.

Who it applies to

Any organization that develops, deploys, or uses AI systems affecting people in the EU — including non-EU companies with EU customers or staff. Most companies are "deployers" of general-purpose AI, which carries lighter but real obligations.

What it requires

  • Maintain an inventory of the AI systems and tools in use across the business.
  • Govern the data entered into AI tools (lawful basis, minimization, vendor terms).
  • Keep meaningful human oversight over consequential AI-assisted decisions.
  • Ensure staff AI literacy — people using AI understand its risks and limits.
  • Be transparent where AI interacts with people or generates content.
  • Document your controls so you can demonstrate compliance on request.

How to comply

  1. Inventory every AI tool your team uses (including shadow/consumer accounts).
  2. Classify the data flowing into each tool, and confirm vendor DPAs and training opt-outs.
  3. Publish an AI usage policy and deliver basic AI-literacy training.
  4. Assign an owner (or Fractional CAIO) accountable for AI risk.
  5. Keep an evidence pack you can show auditors, customers, or regulators.

See exactly where you stand

Run a free 2-minute AI Exposure assessment — your risk scored and mapped to the EU AI Act, GDPR, and HIPAA, with a remediation plan and a starter policy.

This guide is general information, not legal advice. Confirm specifics with your counsel or compliance team.
