You use ChatGPT, Gemini, or some other AI tool for your work, and you've seen the words "AI Act" go by without knowing whether it concerns you. Spoiler: yes, probably. It's the European law that governs AI, and a big chunk of it takes effect on August 2. Don't panic: for most of us, it comes down to a few simple reflexes. I dug into it for my own use, and I'm sharing what I took from it — in plain English, not legalese.
The AI Act is the first major legal framework in the world for artificial intelligence. It was passed by the European Union, it came into force on August 1, 2024, and it applies in stages. The biggest stage is August 2, 2026.
First misconception to bust: this isn't a matter for tech giants or developers. The law distinguishes between those who build AI (the "providers") and those who use it in a professional setting. This second category is called "deployers." And a deployer can be a freelancer, a micro-business, an SMB — you, if you run ChatGPT to write your quotes or sort your emails.
In other words: you don't need to code anything to be concerned. Just using an AI tool in your business is enough.
I'm not a lawyer. I'm an entrepreneur who uses AI every day and wanted to understand what's coming. What you're reading here is plain-language explanation to point you in the right direction — not legal advice. For a specific or sensitive case, ask a professional.
The AI Act doesn't land all at once. A few milestones have already passed, others are coming.
The takeaway: the date that probably concerns you is August 2, 2026.
The AI Act doesn't treat every use the same way. It sorts them by risk level, and that level is what decides your obligations.
For a freelancer or a micro-business, the good news is that most of your uses fall under "limited" or "minimal" risk. You're only exposed to "high risk" if you use AI for important decisions about people.
For normal AI use (writing, summaries, ideas, simple automations), two obligations actually concern you.
The first: train yourself, and train your team. That's the AI literacy obligation. Concretely, everyone who uses AI in your business must understand what the tool can do, what it can't do, and where it gets things wrong. The classic trap is the hallucination: the AI invents a piece of information with total confidence. Knowing how to spot that already puts you in line with the spirit of the law. If you want to get better at the use itself, my article on writing a good prompt without being a developer goes in that direction.
The second: say when it's AI. That's the transparency obligation. If you put a chatbot on your site, the visitor must know they're talking to a machine. And if you publish content that's generated or clearly retouched by AI — a visual, a video, a text — you need to be able to flag it. Nothing insurmountable: most of the time, a clear disclosure is enough.
Confusing the AI Act with GDPR. They're two different things. GDPR protects personal data; the AI Act governs AI systems. If you use high-risk AI, you may even have to keep a register of your AI systems, separate from your GDPR register. For most everyday uses, you're not there yet — but don't assume that "since I'm GDPR-compliant, I'm fine."
If part of your business relies on AI that decides for people, you switch categories. The typical examples listed by the law: software that screens job applications for recruitment, a scoring tool to grant or deny credit.
In that case, the obligations step up a notch. You notably have to keep a human in the loop (the AI proposes, a human keeps control), make sure the data you feed it is relevant, and keep records of how it operates for at least six months.
If you recognize yourself in that, it's time to look at it seriously. If you're just using AI to save time on tasks with no stakes for anyone else — what I describe in automating your tasks without coding — you're not in this category.
Let's be clear about the amounts, because they get thrown around and they scare people. The most serious breaches (the prohibited practices) can cost up to 35 million euros or 7% of annual global turnover. Other breaches, up to 15 million euros or 3%.
Before you panic, two important nuances. First, these ceilings target serious abuse, not the freelancer who forgot to display a disclosure. Second, the law provides that penalties be proportionate to the size of the company — a ceiling designed for a multinational isn't meant to land on a micro-business.
And there's real good news for small organizations: Europe has planned a leg-up. Priority, free access to regulatory "sandboxes" to test without risk, simplified documentation forms, lower compliance costs depending on size. Compliance isn't just a constraint: done well, it becomes an argument for trust toward your clients.
You don't need a law firm to get started. Here's where I'd begin.
Yes, as a "deployer." Using a consumer AI tool in a professional setting is enough. But don't worry: for simple use, your obligations mostly come down to understanding the tool's limits (literacy) and flagging when content comes from AI (transparency). You're not subject to the same rules as a software vendor.
GDPR governs personal data. The AI Act governs AI systems themselves. Both can apply at the same time. If you use high-risk AI, you may even have to keep a register of your AI systems, on top of your GDPR processing register — it's a separate document.
Look at the use, not the tool. If the AI is used to make or prepare an important decision about a person (hiring them, granting them credit…), you're probably in high-risk territory. For saving time on tasks with no stakes for anyone else, no. The European Commission is set to publish guidelines with concrete examples to help settle the borderline cases.
Up to 35 million euros or 7% of global turnover for prohibited practices, up to 15 million or 3% for other breaches. But these ceilings target serious abuse and are meant to stay proportionate to the size of the company. The goal isn't to sink a tiny business that forgot a disclosure.
Yes, that's the AI literacy obligation, in force since February 2025. It doesn't mean heavy, expensive training: the point is to make sure the people using AI understand its limits and risks. Serious, documented awareness-raising does the job for most small organizations.
The AI Act has broad reach: it can apply as soon as the output of the AI system is used within the Union. So targeting a European market doesn't automatically put you out of range. In this specific case, it's typically the moment to get professional advice.
The AI Act scares people mostly because it's talked about badly: nine-figure fines, legal vocabulary, never-ending articles. When you dig in, for the vast majority of us who use AI to save time, it comes down to two common-sense reflexes — understanding the tool you're using, and being honest about the fact that you're using it.
The one real point to watch is "high risk": if the AI decides in a human's place about someone's fate, then yes, you have to get serious about it.
For everything else, August 2 isn't a cliff. It's a chance to put a little order into the way you use AI — something you'd have every reason to do anyway.

I test AI for real and share what works, no jargon and no hype. If this article helped you, the easiest way to never miss anything is my Friday letter. And if you have a question or a doubt: reply to me, I read everything.