Does EU AI Act Apply to ChatGPT in Your Office?
If your employees are using ChatGPT at work, your company may already have legal obligations under the EU AI Act. Here is what HR Directors and Compliance Officers need to know right now.
Your employees are already using it
Does the EU AI Act apply to ChatGPT when your staff use it for daily tasks? The answer, for most European SMEs, is yes. The moment an employee pastes a customer complaint into ChatGPT to draft a response, or uses it to screen CVs, your organisation steps into a legal role defined by the Act itself.
This is not a theoretical risk sitting somewhere in 2030. The EU AI Act entered into force on 1 August 2024, and the first obligations for providers and deployers of high-risk systems began applying from 2 August 2025. General-purpose AI systems like ChatGPT have their own obligations timeline under Chapter V of the Act. Waiting is no longer a neutral choice.
What the law actually calls you
The EU AI Act draws a sharp line between providers (companies that build AI systems) and deployers (organisations that put AI systems to work). OpenAI is the provider of ChatGPT. Your company, the moment it uses ChatGPT in a professional context, becomes a deployer.
Article 3(4) of the EU AI Act defines a deployer as "any natural or legal person, public authority, agency or other body that uses an AI system under its own authority except where the AI system is used in the course of a personal activity." The phrase "personal activity" is the critical carve-out. Using ChatGPT at home to write a birthday card is personal. Using it at work, on company time, for business outputs, is not.
Size does not matter here. The Act applies to SMEs operating in the EU or whose AI outputs affect people in the EU. A 30-person logistics firm in Rotterdam using ChatGPT to summarise supplier contracts is a deployer under European law, the same as a 5,000-person corporation.
The risk level of your specific use case
Not every ChatGPT use case carries the same legal weight. The Act organises risk into tiers, and your obligations depend on which tier your actual use falls into.
Unacceptable risk practices are banned outright from 2 February 2025. These include AI-based social scoring and certain real-time biometric identification systems. Standard ChatGPT use does not normally fall here.
High-risk uses are where most HR Directors need to pay close attention. Annex III of the Act lists employment-related AI applications as high-risk. These include systems used for recruitment, CV filtering, evaluating employees, promoting or terminating work relationships, and monitoring performance. If your team is using ChatGPT to help rank job applicants or assess performance reviews, that use likely qualifies as high-risk.
For high-risk deployment, deployers must meet obligations including:
- Conducting a fundamental rights impact assessment before deploying the system
- Ensuring human oversight is genuinely in place, not just nominally
- Maintaining logs of system use where technically feasible
- Providing transparency to employees and affected individuals that AI is involved in decisions affecting them
- Registering in the EU database where required
Article 26 sets out these deployer obligations in full. It is worth reading, and it is written in plain enough language to act on directly.
Limited-risk uses include ChatGPT producing general text, summarising documents, drafting emails, or translating content. Here the main obligation is transparency: people interacting with AI-generated content in certain contexts must be told they are doing so. This applies especially when AI systems interact directly with customers or citizens.
Minimal-risk uses carry no mandatory obligations, though the Commission encourages voluntary codes of conduct.
What "human oversight" really means in practice
Human oversight is one of those phrases that sounds easy until you try to define it in a Monday morning meeting. The Act does not accept checkbox compliance. Under Article 26, deployers must ensure that the humans assigned to oversee AI outputs actually have the competence and authority to intervene.
In practice, this means three things for your office:
- Someone must be named. You need a person, or a defined role, responsible for reviewing AI-assisted outputs before they affect a business decision.
- That person must understand the tool. They cannot just rubber-stamp results. They need enough familiarity with how ChatGPT works and where it typically fails to catch meaningful errors.
- They must have the authority to say no. If a manager is pressured to accept a ChatGPT-generated shortlist because "the AI picked them," that is not human oversight. That is human decoration.
For HR Directors specifically: if ChatGPT touches any part of your hiring pipeline, document the oversight process now. Who reviews the output? What criteria do they use? Where is that recorded?
The transparency obligation your employees trigger every day
Every time an employee sends a ChatGPT-generated email to a customer without disclosure, or publishes AI-written content without labelling it, your company may be in breach of the Act's transparency rules. Article 50 requires that natural persons interacting with AI systems be informed they are doing so, unless it is obvious from context.
"Obvious from context" is a narrow exception. A customer receiving a polished, personalised response to a complaint is unlikely to assume it was AI-generated. The safer approach is a brief disclosure policy. Many companies are adding a single-line footer to AI-assisted communications. This takes one afternoon to implement and removes a compliance risk that carries penalties up to €15 million or 3% of global annual turnover, whichever is higher.
Three practical steps to take this week
You do not need a legal team on retainer to start. These three steps will cover the majority of your immediate exposure.
Step 1: Map your AI use. Ask department heads to list every tool that uses AI, including ChatGPT, Copilot, Grammarly, and any AI features inside your existing software. You cannot manage risk you have not inventoried.
Step 2: Classify your use cases. Take that list and check each use case against Annex III. Any use touching recruitment, performance management, or credit decisions needs immediate attention. Everything else gets a lower-priority review.
Step 3: Write a one-page AI use policy. It does not need to be long. It needs to specify who can use AI tools, for what purposes, what must be disclosed, and who reviews outputs before they affect decisions. A short, enforced policy beats a 40-page document no one reads.
The cost of doing nothing
The EU AI Act is enforced at national level through designated market surveillance authorities. The Netherlands, for example, has designated the Autoriteit Persoonsgegevens and other bodies to share oversight responsibilities. Fines are not theoretical. The Commission has been clear that enforcement will ramp up through 2025 and 2026 as national authorities build capacity.
Beyond fines, the reputational damage from an AI-related employment dispute is harder to price. If a rejected job applicant argues that an AI system screened them out without adequate human review or transparency, you need documentation showing your process met the Act's standards. Without it, you are exposed.
SMEs often assume the Act was written for big tech. It was not. Recital 9 of the Act explicitly acknowledges that SMEs and startups need support in compliance, which confirms that the Act absolutely does apply to them. Support is available. The obligations are real.
Start with a clear picture of where you stand
The single most useful thing you can do today is understand which of your current AI uses fall into which risk category. Once you know that, every subsequent decision becomes straightforward.
Khairos AI Comply offers a free 2-minute compliance check at comply.khairos.ai that maps your actual AI use cases against the Act's requirements and tells you exactly where to focus first. No jargon, no lengthy intake form. Just a clear picture of your obligations so you can act on them.
Need help getting compliant?
The free 2-minute compliance check shows you exactly where your gaps are. No email gate to see your score.