The EU AI Act: What SMEs Need to Know



MarfCode · April 10, 2026 ·
Tags: AI Act, EU regulation, AI compliance, SME

The European Artificial Intelligence Regulation — known as the AI Act — entered into force in August 2024 with a phased application period. It is not a theoretical document: it has concrete implications for any business that uses, develops or distributes AI systems within the European Union.

This guide is not legal advice. It is a practical overview for entrepreneurs and managers who want to understand what is changing and what they need to do.


The AI Act Structure: The Risk-Based Classification System

The AI Act classifies AI systems based on the level of risk they present. The risk level determines compliance obligations.

Unacceptable Risk — Prohibited

Applications banned in the EU: government social scoring systems, subliminal manipulation, exploitation of the vulnerabilities of specific groups, real-time biometric facial recognition in public spaces (with exceptions for national security and finding missing persons).

Relevance for SMEs: low. These uses are remote for the vast majority of businesses.

High Risk — Stringent Obligations

AI systems used in high-impact contexts: critical infrastructure, education, employment (personnel selection, HR management), access to essential services (credit, insurance), law enforcement, migration, justice administration, medical devices, safety components in vehicles.

Main obligations for high-risk systems:

  • Conformity assessment before deployment
  • Detailed technical documentation
  • Risk management systems
  • Transparency towards users
  • Guaranteed human oversight
  • Documented accuracy, robustness and cybersecurity
  • Registration in the EU database

Relevance for SMEs: moderate. A company using AI for personnel selection, for assessing creditworthiness, or for systems impacting people’s safety falls into this category.

Limited Risk — Transparency Obligations

Chatbots, content generation systems, deepfakes: obligation to inform users that they are interacting with an AI system or with AI-generated content.

Relevance for SMEs: high. Any company using an AI chatbot on its site or generating AI content for publication must apply these transparency obligations.

Minimal Risk — No Specific Obligations

The vast majority of AI applications: spam filters, AI in video games, recommendation systems, productivity tools. No specific obligations beyond those already existing (GDPR, sector regulations).


Application Timeline

  • February 2025: ban on unacceptable AI practices
  • August 2025: obligations for general-purpose AI models (GPAI), including foundation models like GPT-4 and Claude
  • August 2026: obligations for high-risk systems in regulated product contexts (medical devices, machinery, vehicles)
  • August 2027: obligations for all remaining high-risk systems

Practical Implications for SMEs

If you use APIs from existing models (OpenAI, Anthropic, Google)

You are a “deployer” (not a provider). The most stringent obligations fall on model providers. Your main responsibilities concern:

  • Transparency towards users when they interact with AI
  • GDPR compliance on data you send to the model
  • Not using models for prohibited purposes
  • Human oversight if the system is used in high-risk contexts

If you develop custom AI systems

You are a “provider” with more stringent obligations: technical documentation, risk assessment and, if the system is high-risk, registration in the EU database.

If you use AI for personnel selection

This is one of the explicitly high-risk contexts. It requires documentation, transparency towards candidates, possibility of human recourse and conformity assessment. Before implementing any AI-assisted HR system, legal review is essential.

If you have an AI chatbot on your site

Transparency obligation: the user must know they are interacting with an automated system. An invasive disclaimer is not required, but it must be clear — typically in the chatbot name, in the first interaction, or in a visible note in the interface.


GDPR and AI: The Intersection That Complicates Everything

The AI Act overlaps with GDPR in ways not yet fully clarified by regulatory authorities. The most relevant overlap areas:

Training data: if personal data is used to train or fine-tune models, appropriate legal bases are required (consent, legitimate interest, contractual obligation).

Sending personal data to APIs: every time a prompt containing personal data (a customer’s name, details of a request) is sent to an external API, this is a data transfer that must have a legal basis and contractual coverage (DPA with the provider).

Data subject rights: if an AI system makes decisions impacting people (credit scoring, automated selection), people have the right to request an explanation and not to be subject to fully automated decisions.

Data minimisation: personal data should not be sent to AI models beyond what is strictly necessary for the task.
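As an added example of the data minimisation point (this is not code from the article or from MarfCode): a small Python layer that pseudonymises personal data in a prompt before it is sent to an external model API, refuses to send if a known value is still present, and restores the original values in the reply locally, so the provider only sees the task, not the person. The support ticket text, the names, the patterns and the `fake_model` stand-in for the provider call are all constructed for the demonstration.

```python
"""Data minimisation for prompts sent to an external model API.

Added example (not from the original article or MarfCode): before a prompt
leaves the organisation, identifying values are replaced with stable
placeholders; the reply is de-pseudonymised locally, so the provider only
ever sees the task, not the person. All sample data is constructed.
"""
import re

# Patterns for the identifier types this example recognises. They are
# constructed for the demo and deliberately narrow: the phone pattern requires
# an international prefix so that dates such as 2026-03-02 are not caught.
PII_PATTERNS = {
    "EMAIL": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "PHONE": re.compile(r"\+\d{1,3}[\s-]?\d[\d\s-]{6,}\d"),
}


def pseudonymise(text, known_names=()):
    """Return (minimised_text, mapping); mapping maps placeholder -> original."""
    mapping = {}   # "[NAME_1]" -> "Anna Rossi"
    seen = {}      # "Anna Rossi" -> "[NAME_1]", so repeats get the same token
    counters = {}

    def token_for(kind, value):
        if value not in seen:
            counters[kind] = counters.get(kind, 0) + 1
            token = f"[{kind}_{counters[kind]}]"
            seen[value] = token
            mapping[token] = value
        return seen[value]

    # Pattern-based values first, so an e-mail address containing a surname
    # is replaced whole before the name substitution can split it.
    for kind, pattern in PII_PATTERNS.items():
        text = pattern.sub(lambda m, k=kind: token_for(k, m.group(0)), text)
    # Names come from the application's own records (e.g. the customer record
    # that raised the ticket) and are substituted by exact match, longest
    # first so that "Anna Rossi" wins over "Anna".
    for name in sorted(known_names, key=len, reverse=True):
        if name in text:
            text = text.replace(name, token_for("NAME", name))
    return text, mapping


def leaked_values(text, known_names):
    """Known personal values still present (case-insensitive); must be empty."""
    lowered = text.lower()
    return [name for name in known_names if name.lower() in lowered]


def restore(text, mapping):
    """Put the original values back into a reply produced on placeholders."""
    for token, value in mapping.items():
        text = text.replace(token, value)
    return text


def minimised_completion(prompt, known_names, call_model):
    """Send only the minimised prompt to call_model; refuse if a name leaks."""
    minimised, mapping = pseudonymise(prompt, known_names)
    leaks = leaked_values(minimised, known_names)
    if leaks:
        raise ValueError(f"personal data would leave the organisation: {leaks}")
    return restore(call_model(minimised), mapping)


# Constructed support ticket. The order number and date are task context and
# are intentionally left in place; only the person is removed.
SAMPLE_TICKET = (
    "Customer Anna Rossi (anna.rossi@example.com, +39 333 123 4567) asks why "
    "her order #4821 from 2026-03-02 has not shipped. Draft a polite reply "
    "addressed to Anna Rossi."
)


def fake_model(prompt):
    """Stand-in for the external API call; echoes the placeholders it saw."""
    return "Dear [NAME_1], order #4821 is delayed; we will confirm by e-mail to [EMAIL_1]."


def demo():
    return minimised_completion(SAMPLE_TICKET, ["Anna Rossi"], fake_model)


if __name__ == "__main__":
    minimised, mapping = pseudonymise(SAMPLE_TICKET, ["Anna Rossi"])
    print("sent to provider:", minimised)
    print("returned to user:", demo())
```

The mapping never leaves the process, so the provider receives `[NAME_1]` and `[EMAIL_1]` but no personal data, while the user still gets a reply addressed to them. The leak check is what makes the design safe against the obvious failure mode: a value written differently from the record (here, an upper-cased name) is not replaced, and the request is refused rather than sent.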


What to Do Concretely Today

1. Map the AI systems you use: include all tools with AI components (CRM with scoring, marketing automation tools, chatbots, analytics systems). Many SaaS software products have introduced AI features without announcing it explicitly.

2. Classify the risk: for each system, assess whether it falls into high-risk categories. When in doubt, consult a specialised lawyer.

3. Verify GDPR compliance of AI flows: do you have Data Processing Agreements (DPAs) with all AI providers you use? Is the data you send minimised?

4. Add transparency where missing: chatbots, content generators, any interface where the user interacts with AI must be labelled.

5. Document: keep track of AI systems used, the data they process, the human oversight measures in place. This documentation will be required in the event of an audit.


Our Approach

At MarfCode, every AI project is designed with attention to the regulatory framework from the discovery phase. We are not lawyers — and always recommend involving a legal expert for formal compliance assessments — but we know the technical and regulatory context in which we operate.

The solutions we build always include: AI transparency in user interfaces, data minimisation in prompts, human oversight on critical flows, technical documentation of the system.


