The AI Act (hereinafter referred to uniformly as the “AI Act”) applies to all companies that develop artificial intelligence (AI) and place it on the European market, and/or use AI in their products, services, or business processes. It is therefore irrelevant for the applicability of the AI Act whether the AI is developed in-house or merely deployed. Likewise, it does not matter whether AI is used solely internally — for example as a productivity tool — or directly in interactions with customers and business partners.

In short: the AI Act applies whenever AI forms part of a company’s product portfolio, business model, or operational processes.

The focus of the AI Act is the concept of an AI system as defined in Article 3(1) of the AI Act. AI systems differ from purely rule-based (“if-then”) applications and traditional programming approaches in the way they process inputs to generate outputs. The AI Act only applies where a system genuinely operates on the basis of AI technologies.

For companies, two key roles are relevant when using AI:

• A provider is a company that develops — or commissions the development of — an AI system (or certain AI models) with the intention of placing it on the European market or putting it into operation.
• An operator, by contrast, is a company that deploys an AI system under its own responsibility, regardless of whether the system was developed internally or licensed from a third party.

For example, when using a generative AI system (such as ChatGPT or Microsoft 365 Copilot), a company will typically act as an operator. However, if it develops its own AI systems, it may also assume the role of a provider.

The AI Act distinguishes between four risk categories, each subject to different regulatory requirements:

• Prohibited AI practices: Certain AI use cases are banned throughout the EU (e.g. emotion recognition in the workplace, social scoring, and manipulative techniques).
• High-risk AI systems: Permitted AI use cases that are nevertheless subject to strict regulation due to their potential risks, including obligations relating to conformity assessments, risk management, technical documentation, and human oversight.
• AI systems with transparency obligations: Generative AI systems and chatbots whose use or output must, depending on the role and use case, be clearly identifiable as machine-generated or AI-supported.
• AI systems with minimal risk (e.g. spam filters): No mandatory legal obligations apply; only voluntary measures are recommended.

In summary, the nature and scope of a company’s compliance obligations depend on the combined assessment of the company’s role and the risk classification of the relevant AI system.