The EU AI Act: What Changes for Everyday LLM Users
The Act is aimed at model providers and deployers, but a lot of its obligations land on the team that pastes personal data into ChatGPT. Here is the short version.
Risk tiers in one paragraph
The AI Act sorts systems into unacceptable (banned), high-risk (regulated), limited-risk (transparency obligations) and minimal-risk (nothing new). Foundation-model providers get a separate track. For most teams the practical question is: does the way we use ChatGPT put us in high-risk?
The three triggers that catch normal users
- Automated screening of job applicants — even a prompt like 'rank these CVs' is high-risk.
- Biometric categorisation of natural persons — including photos in a marketing brief.
- Any AI-assisted decision that affects a person's access to services, credit or legal rights.
Transparency for the rest
Outside high-risk, the main obligation is transparency: label AI-generated content, disclose AI usage when it materially affects the user. This is easy to comply with; the trap is drifting into high-risk without noticing.
Where redaction helps
Redacting personal data before the model sees it does not remove the AI Act obligation, but it materially reduces the harm surface. A CV-ranking prompt that has been through a redactor no longer contains named applicants — which does not make the practice compliant on its own, but does make the accompanying human-in-the-loop review more defensible.
Frequently asked
When do the obligations bite?+
Rolling. GPAI model obligations from August 2025; high-risk system obligations from August 2026.
Does the Act apply to non-EU companies?+
Yes, if the output is used in the EU. Territorial scope is broad, similar to GDPR.