The EU AI Act for business: the 4 risk levels, made clear
A plain-English summary of the EU AI regulation for decision-makers: the 4 risk levels, provider vs deployer, and the real application timeline.
The EU AI regulation does not ban using artificial intelligence in your company. It does something less dramatic and more useful to understand: it sorts each use by the harm it could cause and attaches obligations that are proportional to that harm. The good news for most businesses is that almost everything you already do with AI (a support chatbot, a text writer, an internal search tool, a spam filter) falls on the lowest rung, where it asks almost nothing of you.
The bad news is that there is one rung, “high risk”, where the obligations are serious, and a single specific use is enough to land you there. Screening CVs with AI is the classic example. That is why it pays to know which level you are on before an inspection tells you.
This is a guide to help you get your bearings before you decide. At the end I point out which part is worth checking with a lawyer, and when.
What the AI Act is and who it binds
The AI Act is the short name for Regulation (EU) 2024/1689, approved on 13 June 2024 and in force since 1 August that year [1]. Being an EU regulation, it applies directly in every member state without a national law copying it, just as the GDPR did for data protection.
It binds almost anyone who touches an AI system inside the European market, but it does not bind everyone equally. The regulation separates two roles, and most companies get their own wrong:
- Provider: whoever develops an AI system, or has one developed, and puts it on the market under their own name or brand. This is where the big tech firms like OpenAI sit, or the consultancy that builds you a custom model.
- Deployer: whoever uses an AI system under their own authority in a professional activity. This is your company when it hires a support chatbot or an HR tool.
Almost no small or medium business is a provider. If you buy AI software and use it, you are a deployer, and your obligations are considerably lighter than those of the company that builds the system. That distinction settles half the conversation with your lawyer, so it is worth being clear about from the start.
The four risk levels, with business examples
The heart of the regulation is this classification. It depends on what you use the AI for and who it decides about, not on what technology sits under the hood. The same language model can be minimal risk when it writes an email and high risk when it scores a candidate.
| Level | What it means | Business example | What you have to do |
|---|---|---|---|
| Unacceptable | Uses banned for violating fundamental rights | Social scoring of employees; emotion recognition at work (with narrow exceptions) | Do not use it. It is prohibited |
| High | Uses that decide about people’s lives | Automated CV screening, creditworthiness scoring, AI in medical devices, education admission decisions | Strong obligations: risk management, human oversight, record-keeping and technical documentation |
| Limited | Uses where the risk is that the person does not know they are talking to a machine | Customer-support chatbot, image or text generation | Transparency: disclose that it is AI, label generated content |
| Minimal | Everything else | Spam filter, internal search, product suggestions, text corrector | Nothing specific. Voluntary compliance |
Two ideas that get lost in the headlines. First: the unacceptable level is short and extreme. We are talking about large-scale manipulation or scoring people by their behaviour, not your day-to-day tools.
The second, and the one that matters most for your business: the border between “limited” and “high” is where your compliance effort is decided. A chatbot that answers questions is limited risk and only has to disclose that it is a bot. That same chatbot, if it decides which customer gets a credit offer, moves toward high risk. The question is not “do I use AI?”, but “does my AI decide something important about a specific person?”.
”I don’t build AI, I just use it”: why that doesn’t let you off
The costliest mistake I see in small companies is thinking that, because they write no code, the regulation is not about them. It is. Being the deployer of a high-risk system carries obligations of its own, even if someone else built the system.
If you use a high-risk tool (say, software that ranks candidates for a role), the regulation expects you to use the system according to the provider’s instructions, to ensure real human oversight over its decisions, to monitor that it works as it should, and to report if something goes wrong. That oversight lasts the whole time the tool is in use, it does not run out once you sign a form at the start.
This is where theory turns into judgement, and where it pays to train your eye before signing contracts. In the AI without hype course we work on exactly this: looking at a real case and knowing which level it falls into without needing a law firm behind you.
One new concept every week
The timeline: what applies already and what comes later
The regulation did not land all at once. It applies in phases, and in 2026 the timeline was reworked by a European simplification package called the Digital Omnibus, which pushed back the heaviest parts. These are the dates confirmed by the European Commission [2]:
| Date | What takes effect |
|---|---|
| 1 August 2024 | The regulation enters into force |
| 2 February 2025 | Prohibitions on unacceptable-risk uses and the AI literacy duty |
| 2 August 2025 | Governance, rules for general-purpose AI models, notification of authorities and the penalty regime |
| 2 December 2027 | High-risk obligations under Annex III (employment, credit, biometrics, education) |
| 2 August 2028 | High risk embedded in regulated products, and full application |
Two things already bind you today, and they slip under the radar. The prohibitions have been active since February 2025: if you use anything on the banned list, you are already outside the law. And “AI literacy” (training your people to understand the tools they handle) is also enforceable from that date, without waiting for 2027.
Postponing high risk to December 2027 gives room to prepare, but it does not cancel the obligation. The European timeline has already changed several times, so treat it as a provisional date and confirm it before building a three-year plan on top of it.
What to do this week without calling the lawyer yet
Before you spend on advice, there is homework only you can do, because nobody knows your processes better. An honest inventory is worth more than a hundred pages of regulation skimmed over.
- List where you use AI today. Include what you would not call AI: the mail filter, the corrector, the CRM suggestions, the internal search. There is almost always more than you remember.
- Classify each use with the levels table. Flag in red any case that decides about people (hiring, granting credit, scoring, monitoring). That is your focus.
- Check the transparency of your chatbots and generated content: do they disclose that they are AI? It is the easiest thing to fix and it already binds you.
- Ask your suppliers which role they take on and what AI Act compliance documentation they hand you. A serious supplier already has an answer ready.
With that inventory in front of you, the conversation with a specialist lawyer takes one hour instead of five, and it focuses on the two or three cases that genuinely need it. That is where legal liability when the AI gets it wrong comes in, a topic the AI Act touches but does not exhaust.
An uncomfortable reminder: the AI Act does not replace data protection. If your AI handles personal data, you remain under the GDPR on top of the AI Act, and there the two rules overlap in ways worth understanding. I develop that in where the GDPR and artificial intelligence meet, and the full picture of both frameworks is in the guide to GDPR and the AI Act for business.
Sources
- Regulation (EU) 2024/1689 of the European Parliament and of the Council of 13 June 2024 laying down harmonised rules on artificial intelligence.
- European Commission, “AI Act | Shaping Europe’s digital future”: risk categories and application timeline (including the Digital Omnibus postponement, 2026). digital-strategy.ec.europa.eu
Frequently asked questions
Does it affect me if I only use ChatGPT in the office to write? Yes, but at the mildest level. Using an assistant to write text is limited or minimal risk. Your one practical obligation is transparency: if you publish AI-generated content to the public, label it as such. No audits, no paperwork.
Does the AI Act replace the GDPR? No. They are two separate rules that coexist. The GDPR protects personal data; the AI Act regulates AI systems by their risk. If your AI uses people’s data, you comply with both at once.
How big are the fines? The top band reaches up to 35 million euros or 7% of total worldwide annual turnover, whichever is higher, and it is reserved for prohibited practices [1]. There are lower bands for other breaches. Before that number keeps you awake: regulators start with prohibited and high-risk uses, not with a small business whose chatbot forgot to say it was a bot.
What if my software supplier is outside the European Union? The regulation applies just the same if the system is used within the EU or affects people in the EU, no matter where the maker is based. A US supplier selling you a tool for the European market has to comply. Ask them in writing how they do it.
Do I need a lawyer already? Only if you have some high-risk use (decisions about people) or you doubt whether something of yours is on the banned list. For everything else, your own inventory and well-placed transparency notices keep you covered. This is a summary to orient you, not legal advice: the final call on a specific case is signed by a professional.