EU AI Act and General-Purpose AI Tools: What Your Business Must Do

Using ChatGPT, Microsoft Copilot, or Google Gemini in your business? Or building a product on an LLM API? Your obligations under the EU AI Act depend on exactly how you use these tools — this guide explains them clearly.

12 min read · Updated June 2026 · General information only — not legal advice

The key distinction: provider vs deployer

The EU AI Act creates different obligations based on your role, not just what the AI does. If you use an AI tool made by someone else, you are a deployer. If you build and distribute an AI system (even on top of an existing model), you are a provider. These come with meaningfully different obligations — and most SMBs are deployers, not providers.

Which scenario applies to you?

Find your situation below to understand your role and obligation level at a glance.

You use ChatGPT, Copilot, or Gemini as a business tool

Drafting emails, summarising documents, answering customer questions, generating reports

Your role: Deployer (limited obligations)

You have built a product or internal tool on an LLM API

A customer service chatbot, an AI writing feature in your SaaS, an internal document Q&A tool

Your role: Provider of a derived AI system (more significant obligations)

You use an AI tool to screen CVs, score applicants, or monitor employees

LinkedIn Recruiter AI, AI features in your ATS, performance monitoring software with AI

Your role: Deployer of a High-Risk AI system (full high-risk obligations)

What is a General-Purpose AI model under the Act?

Articles 51–56 of the EU AI Act created a distinct compliance category for General-Purpose AI (GPAI) models — large foundation models trained on broad data that can be used for a wide range of tasks. ChatGPT (GPT-4/GPT-4o), Claude, Gemini, Llama, Mistral, and similar large language models all fall into this category.

Critically, these rules apply to the companies that build and distribute the models — OpenAI, Anthropic, Google, Meta, Mistral — not to businesses that use them. If you are a customer of these providers, the GPAI model rules are not your primary concern.

What IS your concern is the system you deploy — whether that is a tool you use internally, a product you sell, or a feature you have built. Your obligations follow from that system and its use case.

The compliance chain for GPAI-based products

GPAI model provider (e.g. OpenAI, Anthropic, Google)

Responsible for Articles 51–56: technical documentation, transparency, copyright policy, systemic-risk evaluation for the most capable models

Downstream provider (e.g. you, building on an API)

Responsible for compliance obligations of the derived AI system you create — classified by its use case, not the underlying model

Deployer (e.g. you, using a ready-made tool)

Responsible for deployer obligations: Article 4 literacy, Article 50 transparency, and high-risk deployer rules if the use case warrants it

If you use AI tools in your business (you are a deployer)

Most SMBs are deployers. You are a deployer if you use an AI tool built and distributed by someone else — ChatGPT, Copilot, Notion AI, Salesforce Einstein, an AI recruitment platform, etc. Here is what you must do.

1. Identify your GPAI tools

List every AI tool your business uses — including features bundled into software you already pay for (e.g. Copilot in Microsoft 365, AI in Notion, Salesforce Einstein). Check what data they process and what decisions they inform.

2. Check each tool's use case for high-risk status

If any tool feeds into employment decisions (hiring, performance, termination), credit or financial assessments, healthcare workflows, or law-enforcement contexts, it is likely high-risk under Annex III — and your obligations are substantially greater.

3. Read the provider's EU AI Act documentation

OpenAI, Microsoft, Google, and others are now publishing EU AI Act compliance docs. These typically detail what they do as GPAI providers and what downstream obligations they are contractually transferring to you. Review your Terms of Service or DPA.

4. Implement Article 4 AI literacy

Mandatory since February 2, 2025. All staff who use AI tools must have sufficient understanding of how AI works, its limitations, and the risks of over-reliance. Document this training — write down what was covered, who attended, and when.

5. Ensure Article 50 transparency for any AI your users interact with

If you use a GPAI tool to power a customer-facing chatbot or assistant, Article 50 requires you to inform users they are interacting with AI unless it is obvious from context. Add a clear disclosure statement.

Higher obligations if your use case is high-risk

If you use a GPAI tool for employment (CV screening, performance management), credit assessment, healthcare triage, or similar Annex III use cases, you are a deployer of a high-risk AI system — even if the tool itself is a generic LLM like ChatGPT.

High-risk deployer obligations include: fundamental rights impact assessment, ensuring a qualified person can override system outputs, notifying employees if AI is used in workforce decisions, maintaining records of use, and registering the system in the EU AI database. These are significant additional requirements beyond the basic deployer rules above.

If you have built a product on an LLM API (you are a provider)

If you built a SaaS product, an internal tool, or any application that uses an LLM API (OpenAI, Anthropic, Google, Mistral, etc.) as its foundation, you are the provider of a derived AI system. Your compliance obligations are determined by what your system does — its use case — not by the underlying model.

1. Determine your system's risk classification

The classification follows the use case of your system, not the underlying GPAI model. A chatbot built on GPT-4 for general customer service is likely limited-risk. An AI hiring tool built on the same model is high-risk. Use the risk classifier to determine where you stand.

2. Review what your GPAI provider has disclosed

OpenAI, Anthropic, and Google publish technical documentation about their models under Article 53 of the EU AI Act. Understand what they cover and what they pass on to you. The chain of responsibility matters.

3. Prepare your own technical documentation

As a provider of a derived AI system, you are responsible for technical documentation covering your system's intended purpose, capabilities, limitations, the data it processes, and the GPAI model it uses. This does not need to be lengthy, but it must exist.

4. Implement a disclosure for end users

Article 50 requires that your users know they are interacting with an AI system. Add clear disclosure language to your product — in the UI, in your terms of service, and in any onboarding materials.

5. Register if your system is high-risk

If your derived system is classified as high-risk (e.g. you built an AI tool used in employment or credit decisions), it must be registered in the EU AI database by the August 2, 2026 deadline. Non-registration is an infringement.

Good news for most LLM-based product builders: if your system is not deployed in an Annex III use case (employment, education, credit, healthcare, etc.) and is not a chatbot impersonating a human, your obligations as a provider are primarily documentation, transparency disclosure, and Article 4 literacy — not the full high-risk compliance regime. Use the risk classifier to confirm your classification.

What GPAI model providers must do (for context)

Understanding what OpenAI, Anthropic, Google et al. are required to do helps you know what documentation they should be providing to you — and what your responsibilities do and do not include.

Technical documentation (Art. 53)

GPAI providers must produce and maintain documentation describing model training, data used, capabilities, limitations, and known risks. This is for regulators and downstream providers.

Summary of training data (Art. 53)

A sufficiently detailed summary of the content used for model training must be published — allowing downstream users and regulators to assess data sources.

Copyright policy (Art. 53)

Providers must put in place a policy to comply with EU copyright law, including respect for opt-out rights from text- and data-mining.

Systemic risk evaluation (Art. 55)

GPAI models with "systemic risk" (estimated ≥ 10²⁵ FLOPS training compute) must conduct adversarial testing, report serious incidents, and implement cybersecurity measures. This applies to the most capable frontier models.

Common questions

Does simply using ChatGPT at work make us subject to the EU AI Act?

Yes, but your obligations are limited. Using ChatGPT or similar tools makes you a "deployer" under the Act. Your main obligations are: (1) Article 4 AI literacy — staff must understand the tools they use; (2) Article 50 transparency — if you use AI to interact with your customers, they must know. You do not need to register, write technical documentation, or conduct a conformity assessment unless the use case is high-risk.

What is a "General-Purpose AI model" (GPAI) under the Act?

A GPAI model is a large AI model trained on broad data that can perform a wide range of tasks — like GPT-4, Claude, Gemini, Llama, or Mistral. The EU AI Act creates a separate compliance tier for the companies that build and distribute these foundation models (Articles 51–56). Most businesses use or build on these models rather than training them from scratch.

We built a product using the OpenAI API. Are we a GPAI provider?

No. You are a provider of an AI system that is built on a GPAI model — that is a different category. The GPAI provider rules (Articles 51–56) apply to OpenAI directly, not to you as their customer. You are the downstream provider of a separate AI system, and your obligations are determined by that system's use case and risk level.

Is Microsoft Copilot in Microsoft 365 a GPAI system we need to manage?

Microsoft is the GPAI provider and is responsible for the model-level compliance obligations. Your role as a business deploying Copilot within Microsoft 365 is that of a deployer. You need Article 4 literacy in place, you should review Microsoft's EU AI Act compliance documentation, and if you configure Copilot for any high-risk use case (e.g. reviewing employee performance), the high-risk rules apply to you.

What if we use an AI tool for HR — screening CVs or monitoring employees?

This is one of the most common high-risk scenarios. Under Annex III, AI used in recruitment, CV screening, performance evaluation, or workforce management is high-risk. This applies regardless of whether you built the tool or bought it. As a deployer of a high-risk system, you must conduct a fundamental rights impact assessment, ensure human oversight, maintain logs, and comply with all high-risk deployer obligations by August 2, 2026.

What about AI that writes marketing content, summarises documents, or generates code?

General content generation — marketing copy, document summaries, code assistance — is typically minimal-risk under the EU AI Act. No mandatory technical documentation or registration is required for these uses. Article 4 AI literacy still applies, and Article 50 applies if the AI-generated content involves real people's likenesses or if users interact with an AI persona.

Key articles to know

Article 50: Transparency obligations for AI interactions
Articles 51–56: GPAI model obligations (for model providers)
Article 71: Registration in the EU AI systems database


This guide provides general information only and does not constitute legal advice. Consult a qualified lawyer for advice specific to your situation.