What Most Companies DON'T Need to Worry About Under the EU AI Act
Key takeaways
- If your AI doesn't make decisions about individual people, you're probably minimal or limited risk — with light or no mandatory obligations.
- The heaviest compliance burden falls on providers who build high-risk AI systems. If you're deploying someone else's tool, your obligations are significantly lighter.
- Basic AI features like chatbots, content generators, and internal analytics tools are not high-risk. Transparency disclosures are usually all you need.
There is a lot of noise about the EU AI Act. Consultants charging €500/hour want you scared. Compliance tools (yes, including this one) benefit when you think the sky is falling. LinkedIn influencers are posting countdown timers. So here is something you will rarely hear from anyone selling compliance services:
Most companies using AI do not have heavy obligations under the EU AI Act.
That is not a reason to ignore the regulation entirely. But it is a reason to stop, take a breath, and figure out where you actually stand before spending money on compliance you might not need.
Most AI is not high-risk
The EU AI Act uses a four-tier risk system. The heavy obligations — technical documentation, risk management systems, conformity assessment, post-market monitoring — only apply to high-risk AI systems. High-risk is defined by specific use cases listed in Annex III of the regulation. Here is what qualifies:
- AI used in hiring, HR screening, or employment decisions
- AI used for credit scoring, insurance underwriting, or benefit eligibility
- AI used in education for admissions, grading, or assessment
- AI used in law enforcement, migration, or border control
- AI used in healthcare as a medical device or safety component
- AI used for biometric identification
- AI managing critical infrastructure (energy, transport, water)
If your AI does not do any of these things, it is not high-risk. That means the 11 mandatory obligations, the conformity assessment, the Annex IV documentation — none of it applies to you.
Deployers have much lighter obligations
Even if your AI IS high-risk, your obligations depend on whether you are a provider or a deployer.
Providers are the companies that develop, train, and place AI systems on the market. They carry the heaviest burden: technical documentation, risk management systems, quality management systems, conformity assessment, EU database registration, and post-market monitoring.
Deployers are companies that use someone else's AI tool in their business. If you bought an AI-powered HR screening tool from a vendor, you are a deployer. Your obligations are real but significantly lighter:
- Use the system according to the provider's instructions for use
- Ensure human oversight as specified by the provider
- Monitor the system for risks in your specific context
- Inform affected individuals that AI is being used in decisions about them
- Conduct a fundamental rights impact assessment (public bodies only)
- Keep logs generated by the system for at least six months
Notice what deployers do NOT have to do: no conformity assessment, no Annex IV technical documentation, no quality management system, no EU database registration. The provider handles those. If a Reddit commenter tells you "obligations fall on the model provider, not the deployer" — they are mostly right about the heavy stuff. But they are wrong that deployers have zero obligations.
What's actually light
For the majority of companies using AI in 2026, here is what compliance actually looks like:
Limited risk (chatbots, content generators)
If your AI interacts with users or generates content, you need Article 50 transparency disclosures. In practice this means:
- Tell users they are talking to an AI (a banner, a label, a disclosure in your UI)
- Label AI-generated content as AI-generated
- Make synthetic media machine-detectable where technically feasible
That is it. No conformity assessment. No risk management system. No Annex IV documentation. A competent developer can implement these disclosures in a day.
Minimal risk (internal tools, analytics, recommendations)
If your AI is used internally, makes recommendations that humans always review, or does not directly affect individual people, you likely have no mandatory obligations at all. The EU AI Act encourages voluntary codes of conduct but does not require anything specific.
Should you still document your AI practices? Probably — it builds trust with enterprise customers and positions you well if the scope expands. But you are not legally required to.
Where the obligations are real
Now for the honest part: if you DO fall into the high-risk category, the obligations are genuinely serious and ignoring them is genuinely risky. This is where we stop downplaying and start being direct:
- Fines are real. Up to €15 million or 3% of global annual turnover for high-risk non-compliance. Up to €35 million or 7% for prohibited practices. These are not theoretical — the enforcement infrastructure is being built now.
- Market access is at stake. Non-compliant AI systems cannot be legally placed on or kept on the EU market. For companies with EU customers, this is an existential issue.
- Enterprise procurement is changing. Large companies are already adding EU AI Act compliance to their vendor questionnaires. If you cannot demonstrate compliance, you lose deals — even before enforcement begins.
- The deadlines are firm. Transparency obligations hit in 72 days (August 2, 2026). High-risk obligations land in 559 days (December 2, 2027). The Digital Omnibus gave extra time for high-risk, but transparency was not extended.
The honest checklist
Here is a realistic assessment of what you actually need to do, based on where you sit:
- You use AI internally only, no EU user impact → Minimal risk. No mandatory obligations. Consider voluntary documentation for enterprise sales. Move on.
- You have a chatbot or content generator serving EU users → Limited risk. Add transparency disclosures before August 2026. Half a day of work for most teams.
- You deploy someone else's high-risk AI tool (Workday, HireVue, etc.) → Deployer obligations apply. Read the instructions for use, set up human oversight, inform affected people. A few days of structured work.
- You build AI that makes decisions about people in Annex III domains → Provider obligations apply. This is where it gets serious. Start with classification, then work through the 11 obligations systematically.
The EU AI Act is real legislation with real consequences. But "real" does not mean "everyone should panic." Figure out where you actually stand. If you are minimal or limited risk, relax — do the basics and move on. If you are high-risk, take it seriously and start now. Either way, knowing your actual position is the first step.