Back to Learn
Breakdown · 30

The AI Act,
what it changes
for your business

You use ChatGPT, Gemini, or some other AI tool for your work, and you've seen the words "AI Act" go by without knowing whether it concerns you. Spoiler: yes, probably. It's the European law that governs AI, and a big chunk of it takes effect on August 2. Don't panic: for most of us, it comes down to a few simple reflexes. I dug into it for my own use, and I'm sharing what I took from it — in plain English, not legalese.

9 min read Level Beginner Tools ChatGPT, Gemini, Claude
In 30 seconds

What you'll walk away with

What it is, and why it concerns you

The AI Act is the first major legal framework in the world for artificial intelligence. It was passed by the European Union, it came into force on August 1, 2024, and it applies in stages. The biggest stage is August 2, 2026.

First misconception to bust: this isn't a matter for tech giants or developers. The law distinguishes between those who build AI (the "providers") and those who use it in a professional setting. This second category is called "deployers." And a deployer can be a freelancer, a micro-business, an SMB — you, if you run ChatGPT to write your quotes or sort your emails.

In other words: you don't need to code anything to be concerned. Just using an AI tool in your business is enough.

My honest position

I'm not a lawyer. I'm an entrepreneur who uses AI every day and wanted to understand what's coming. What you're reading here is plain-language explanation to point you in the right direction — not legal advice. For a specific or sensitive case, ask a professional.

What changes on August 2

The AI Act doesn't land all at once. A few milestones have already passed, others are coming.

The takeaway: the date that probably concerns you is August 2, 2026.

The 4 risk levels, made clear

The AI Act doesn't treat every use the same way. It sorts them by risk level, and that level is what decides your obligations.

For a freelancer or a micro-business, the good news is that most of your uses fall under "limited" or "minimal" risk. You're only exposed to "high risk" if you use AI for important decisions about people.

Your obligations, concretely

For normal AI use (writing, summaries, ideas, simple automations), two obligations actually concern you.

The first: train yourself, and train your team. That's the AI literacy obligation. Concretely, everyone who uses AI in your business must understand what the tool can do, what it can't do, and where it gets things wrong. The classic trap is the hallucination: the AI invents a piece of information with total confidence. Knowing how to spot that already puts you in line with the spirit of the law. If you want to get better at the use itself, my article on writing a good prompt without being a developer goes in that direction.

The second: say when it's AI. That's the transparency obligation. If you put a chatbot on your site, the visitor must know they're talking to a machine. And if you publish content that's generated or clearly retouched by AI — a visual, a video, a text — you need to be able to flag it. Nothing insurmountable: most of the time, a clear disclosure is enough.

The trap to avoid

Confusing the AI Act with GDPR. They're two different things. GDPR protects personal data; the AI Act governs AI systems. If you use high-risk AI, you may even have to keep a register of your AI systems, separate from your GDPR register. For most everyday uses, you're not there yet — but don't assume that "since I'm GDPR-compliant, I'm fine."

The special case of high risk

If part of your business relies on AI that decides for people, you switch categories. The typical examples listed by the law: software that screens job applications for recruitment, a scoring tool to grant or deny credit.

In that case, the obligations step up a notch. You notably have to keep a human in the loop (the AI proposes, a human keeps control), make sure the data you feed it is relevant, and keep records of how it operates for at least six months.

If you recognize yourself in that, it's time to look at it seriously. If you're just using AI to save time on tasks with no stakes for anyone else — what I describe in automating your tasks without coding — you're not in this category.

The penalties (and the good news)

Let's be clear about the amounts, because they get thrown around and they scare people. The most serious breaches (the prohibited practices) can cost up to 35 million euros or 7% of annual global turnover. Other breaches, up to 15 million euros or 3%.

Before you panic, two important nuances. First, these ceilings target serious abuse, not the freelancer who forgot to display a disclosure. Second, the law provides that penalties be proportionate to the size of the company — a ceiling designed for a multinational isn't meant to land on a micro-business.

And there's real good news for small organizations: Europe has planned a leg-up. Priority, free access to regulatory "sandboxes" to test without risk, simplified documentation forms, lower compliance costs depending on size. Compliance isn't just a constraint: done well, it becomes an argument for trust toward your clients.

Your 5-point action plan

You don't need a law firm to get started. Here's where I'd begin.

  1. List your AI tools and what you do with them. You can't be compliant about what you haven't inventoried. And there's a hidden urgency: according to a 2024 report, nearly half of employees use AI tools not approved by their employer. Start by getting a clear picture.
  2. Train yourself, and train your team. One hour to understand the limits of AI and the "I check what comes out" reflex already covers most of literacy.
  3. Add your transparency disclosures. A chatbot? Say so. A published AI-generated visual? Flag it.
  4. Spot whether you have any "high risk." Recruitment, credit, decisions about people: if so, handle it separately and seriously.
  5. Keep a record. A simple document stating which tools you use, for what, and how you check. It's reassuring for you, and useful if anyone asks.

FAQ

I just use ChatGPT — am I really concerned?

Yes, as a "deployer." Using a consumer AI tool in a professional setting is enough. But don't worry: for simple use, your obligations mostly come down to understanding the tool's limits (literacy) and flagging when content comes from AI (transparency). You're not subject to the same rules as a software vendor.

What's the difference between GDPR and the AI Act?

GDPR governs personal data. The AI Act governs AI systems themselves. Both can apply at the same time. If you use high-risk AI, you may even have to keep a register of your AI systems, on top of your GDPR processing register — it's a separate document.

How do I know if my AI is "high-risk"?

Look at the use, not the tool. If the AI is used to make or prepare an important decision about a person (hiring them, granting them credit…), you're probably in high-risk territory. For saving time on tasks with no stakes for anyone else, no. The European Commission is set to publish guidelines with concrete examples to help settle the borderline cases.

What are the penalties, concretely?

Up to 35 million euros or 7% of global turnover for prohibited practices, up to 15 million or 3% for other breaches. But these ceilings target serious abuse and are meant to stay proportionate to the size of the company. The goal isn't to sink a tiny business that forgot a disclosure.

Do I absolutely have to train my employees?

Yes, that's the AI literacy obligation, in force since February 2025. It doesn't mean heavy, expensive training: the point is to make sure the people using AI understand its limits and risks. Serious, documented awareness-raising does the job for most small organizations.

What if I'm based outside the EU but my clients are European?

The AI Act has broad reach: it can apply as soon as the output of the AI system is used within the Union. So targeting a European market doesn't automatically put you out of range. In this specific case, it's typically the moment to get professional advice.


My takeaways

The AI Act scares people mostly because it's talked about badly: nine-figure fines, legal vocabulary, never-ending articles. When you dig in, for the vast majority of us who use AI to save time, it comes down to two common-sense reflexes — understanding the tool you're using, and being honest about the fact that you're using it.

The one real point to watch is "high risk": if the AI decides in a human's place about someone's fate, then yes, you have to get serious about it.

For everything else, August 2 isn't a cliff. It's a chance to put a little order into the way you use AI — something you'd have every reason to do anyway.

Jérémy Sagnier
Thanks for reading this far 👋

Shall we keep going?

I test AI for real and share what works, no jargon and no hype. If this article helped you, the easiest way to never miss anything is my Friday letter. And if you have a question or a doubt: reply to me, I read everything.

Get the newsletter → Read more articles