The EU AI Act and generative AI: what ChatGPT and chatbot users must know
Published July 18, 2026 · 6 min read
Almost every European SME now uses generative AI: ChatGPT for drafting, Copilot in the office suite, a chatbot on the website. The good news is that using someone else's AI tool does not make you its provider, and the EU AI Act treats most of this as low-risk. Here is what you actually have to do, in plain terms.
You are (usually) a deployer, not a provider
The Act splits duties by role. A provider develops an AI system and puts it on the market under its own name, such as OpenAI, Microsoft, Anthropic or Google (Article 3(3)). A deployer simply uses an AI system in its work (Article 3(4)). If you use ChatGPT, Copilot or a third-party chatbot, you are a deployer, and the heavy design-and-marking duties sit upstream with the provider, not with you.
The transparency rules (Article 50)
Article 50 is a light transparency layer that applies to certain AI systems whatever their risk tier. It sets four duties, and it is careful about who owes each one:
- Chatbot disclosure (50(1)), a provider duty. AI systems that talk to people must tell them they are dealing with an AI, unless it is obvious. The provider designs this in, so a deployer using a compliant tool inherits it.
- Marking AI-generated content (50(2)), a provider duty. Systems that generate synthetic audio, image, video or text must mark the output so it is machine-readable and detectable as artificial. Again, the provider builds this in.
- Emotion recognition and biometric categorisation (50(3)), a deployer duty. If you run a system that reads emotions or categorises people biometrically, you must tell the people exposed, and respect the GDPR.
- Deep fakes and public-interest text (50(4)), a deployer duty. If you publish a deep-fake image, audio or video, or AI-generated text on a matter of public interest, you must disclose that it is AI-made, with exceptions for law enforcement, clearly artistic or satirical work, and text that had genuine human editorial review.
In every case the notice must be clear and given at the latest at the first interaction or exposure (Article 50(5)).
So what does a typical SME actually owe?
If you use generative AI internally or run a customer chatbot built on a compliant tool, your own Article 50 exposure is small, mostly making sure the emotion, biometric or deep-fake disclosures are in place if you do those things. The one duty that already binds you today is AI literacy: since 2 February 2025, Article 4 requires both providers and deployers to give the staff who use AI a sufficient level of understanding. See our AI literacy guide.
Two ways ordinary use becomes a heavier duty
The "I just use it" position is not a permanent safe harbour:
- You rebrand or substantially modify a system. Under Article 25, a deployer that puts its own name on a high-risk system, changes its purpose, or substantially modifies it becomes a provider and inherits the provider's obligations.
- Your use falls in a high-risk use case. Article 50 does not make a system high-risk by itself. But if you use generative AI for something listed in Annex III, such as recruitment, worker management, credit or insurance scoring, education or essential services, it is high-risk under Article 6, with far heavier duties. Classification is fact-specific: test your actual use case.
Building on top of a model? You may be a GPAI provider
If you go beyond using a model and start fine-tuning or materially modifying one, you can become a provider of a general-purpose AI model, though your duties are then limited to your modification (Recital 109). The Commission's July 2025 guidance treats you as a distinct GPAI provider only when the compute for your changes exceeds about a third of the original model's training compute, so light fine-tuning keeps you a deployer. See our GPAI obligations guide for what changes if you cross that line.
Deadlines
AI literacy applies now (2 February 2025). The Article 50 transparency duties apply from 2 August 2026. The machine-readable marking of synthetic content for systems already on the market was pushed to 2 December 2026 by the Digital Omnibus (adopted, pending Official Journal publication). Our deadlines guide has the full table.
Check where you stand
Not sure whether your generative-AI use is low-risk or lands in a high-risk use case? The free EU AI Act Snapshot sorts it in two minutes, no signup, and our 9-step compliance checklist turns the result into a plan. Plans start at EUR 0.