Free AI Tools and the EU AI Act: Does Article 4 Care About Price?

"We only use the free version" is not a compliance defence. That sentence gets said in boardrooms across the Netherlands and Belgium every week, and it is wrong. The free AI tools EU AI Act question has one clear answer: price is irrelevant. What matters is whether your staff are using AI systems in a professional context, and whether you have taken steps to ensure they understand those systems well enough to use them responsibly.

# What Article 4 Actually Says

Article 4 of the EU AI Act creates an obligation for both providers and deployers to ensure their staff have sufficient AI literacy. The word used is "sufficient" — not expert-level, not theoretical, but enough to understand the capabilities and limitations of the AI systems actually being used in your organisation.

The obligation is not conditional on:

• Whether you signed a contract with the AI provider
• Whether you pay a subscription fee
• Whether the tool is enterprise-licensed or consumer-tier
• Whether you have an official procurement record for it

The AI Act defines a deployer in Article 3(4) as any natural or legal person that uses an AI system under its own authority in a professional context. A company whose HR team pastes candidate CVs into ChatGPT's free tier is a deployer. Full stop.

# Why "Free" Feels Like a Defence (But Isn't)

The intuition behind the "we just use free tools" argument is understandable. If there is no vendor invoice, there is no contract. If there is no contract, maybe there is no obligation. That logic works in some regulatory contexts. The AI Act is not one of them.

The Act is use-based, not procurement-based. Recital 58 makes clear that AI literacy obligations are about the actual deployment context — the tasks being performed, the people involved, and the potential impact on individuals. None of those factors change based on whether your finance director paid for GPT-4o or is using the free version.

There is also a shadow IT dimension that makes free tools more risky from a compliance standpoint, not less. Paid enterprise tools typically come with data processing agreements, which you need anyway under the AVG/GDPR. Free consumer tools often do not. So the company using the free tier of a major AI model may simultaneously have an Article 4 problem and an Article 28 GDPR problem sitting right next to each other.

# The Risk Profile of Common Free Tools

Let's be specific. These are tools that routinely appear in SME environments:

ChatGPT free (OpenAI): Consumer account, no DPA by default, conversations may be used for model training unless you opt out. Staff use it for drafting emails, summarising documents, generating policy text. From an AI Act perspective, if it touches HR decisions, credit assessments, or customer-facing content, the deployer obligation is active.

Gemini free (Google): Similar structure. Google's free tier for individual accounts is not covered by Google's enterprise data processing terms. If a manager uses it to evaluate performance notes or plan a redundancy consultation, that is a professional deployment.

Microsoft Copilot free (Bing Chat, now Copilot.com): Microsoft distinguishes sharply between its commercial Copilot (covered by enterprise terms) and the free consumer version. The free version does not fall under the Microsoft Product Terms DPA. Companies using it on work devices are in a gap.

In every case, the AI Act obligation exists independently of the GDPR gap. Even if you somehow resolved the data question, Article 4 still requires documented AI literacy measures for your staff.

# What Documentation Does Article 4 Require?

Article 4 does not prescribe a specific format. It requires deployers to take measures to ensure sufficient AI literacy. In practice, supervisory guidance and the Commission's own published compliance materials indicate that "measures" means something you can demonstrate. That includes:

1. A record of which AI systems staff are using — including free and informal tools, not just licensed software
2. Training or awareness sessions with attendance records
3. Internal guidance on acceptable use, covering what these systems can and cannot do
4. A named person or team responsible for AI oversight

For a company of 30 people, this does not need to be a 100-page policy. A two-page acceptable use document, a 45-minute staff briefing with a sign-off sheet, and a simple tool inventory can satisfy the spirit of the obligation. But "we didn't know staff were using it" is not a satisfactory answer to a supervisory authority.

The AI Act enforcement timeline matters here. The AI literacy obligation under Article 4 applied from 2 February 2025. That date has passed. If your organisation has not yet documented its AI literacy measures, you are already behind.

# The "Shadow AI" Inventory Problem

Most SMEs have a formal software stack and an informal one. The informal stack is where free AI tools live. A staff member bookmarks Claude.ai at home and starts using it for work tasks. Someone in accounts discovers Perplexity. The marketing coordinator uses an AI image generator with a free account.

None of these show up in procurement. All of them create deployer obligations.

The practical starting point is not a policy document; it is an honest conversation with your team about what AI tools they are actually using. That conversation needs to happen before you can write the policy, because a policy that only covers tools you already knew about is incomplete.

A lightweight tool inventory does not require enterprise software. A shared spreadsheet with columns for tool name, use case, user group, and data types involved is enough to start. The point is visibility. Once you have visibility, you can assess which tools carry higher risk — for instance, any tool touching employee data, customer personal data, or consequential decisions.

# Sector Specifics for Dutch and Belgian Deployers

The Dutch Autoriteit Persoonsgegevens has already signalled that AI use in HR contexts is a supervision priority. In Belgium, the APD/GBA has published guidance linking AI use to existing GDPR obligations. Neither authority has issued AI Act-specific enforcement yet — that sits with the national market surveillance authorities being designated under Article 70 — but the direction is clear.

For HR Directors specifically: if your recruitment process involves any AI-assisted screening, shortlisting, or assessment, and you are using free-tier tools to do it, you have both an Article 4 literacy obligation and likely an Article 26 deployer obligation (for high-risk AI systems in employment contexts listed in Annex III). These are not the same obligation. They stack.

# One Action to Take This Week

Before you write a single policy document, do the tool inventory. Send a short internal survey — five questions, anonymous if needed — asking staff which AI tools they use for work tasks, how often, and for what purpose. Collate the responses. You now have the foundation for both your Article 4 documentation and your broader AI Act compliance roadmap.

The price tag on a tool has never determined your regulatory exposure. What determines it is how, and by whom, and for what purpose the tool is being used inside your organisation.

If you want a structured starting point, the free 2-minute compliance check at comply.khairos.ai maps your current AI use against your Article 4 obligations and flags where gaps exist — whether your tools are paid, free, or somewhere in between.