Does Using ChatGPT at Work Make You Liable Under the EU AI Act?
The Short Answer
Yes, using AI tools at work creates obligations under the EU AI Act. No, that does not mean you are in trouble.
Here is the honest version. When your team uses ChatGPT, Microsoft Copilot, Google Gemini or Claude to do work, you are almost certainly a deployer of an AI system, not a provider. Deployers have duties. For most everyday use those duties are light and very doable. They get heavier, sometimes a lot heavier, depending on what you point the tool at. Drafting emails is one thing. Ranking job applicants is another.
So the question is not "am I liable?" The question is "which kind of deployer am I?" That is exactly what our free risk check sorts out in about 90 seconds.
Check your risk level free (90 seconds)Provider vs Deployer: You're the Deployer
The EU AI Act, Regulation (EU) 2024/1689, hands out obligations by role. Two roles matter to most companies.
A provider develops an AI system, or has one built, and puts it on the market or into service under its own name or trademark. OpenAI, Microsoft, Google and Anthropic are the providers here. They carry the heavy build-side obligations under Article 16.
A deployer uses an AI system under its own authority in the course of a professional activity. That is you, the moment your staff opens ChatGPT to summarize a report. Deployer duties live in Article 26.
You did not build these models. You did not slap your logo on them and sell them. You bought a subscription and put the tool to work. That makes you a deployer, and it puts the lighter end of the rulebook on your desk.
| Provider (the AI vendor) | Deployer (your business) | |
|---|---|---|
| Who | OpenAI, Microsoft, Google, Anthropic | You, using the tool at work |
| Core duty | Build it safely, document it, conformity assessment | Use it responsibly, per the instructions |
| Governing article | Article 16 | Article 26 |
| Typical weight | Heavy | Light, unless your use case is high-risk |
What a Deployer Actually Has to Do
For ordinary office use, drafting, summarizing, brainstorming, coding help, the deployer load is genuinely manageable. In plain terms:
- Use the tool the way the provider tells you to. Follow the instructions for use. Do not bolt it onto something it was never meant for.
- Put a human in charge. Someone competent stays responsible for what the AI produces, and checks it before it counts.
- Keep relevant logs where the situation calls for it.
- Tell people when it matters. Some uses require you to inform the humans affected by the system.
There is one duty that already applies to every deployer, full stop. AI literacy. Article 4 says you have to make sure the people using these systems on your behalf have a sufficient understanding of what they are doing. This one has been in force since 2 February 2025. It is not coming. It is here. In practice that means a bit of training so your team knows the tool can be wrong, can leak data if misused, and is not a decision-maker.
A second duty is on the calendar. Transparency under Article 50. If you deploy AI that interacts with people (think a customer-facing chatbot) or that generates synthetic content, you have to be upfront about it. Those disclosure rules apply from 2 August 2026. Mark it down.
Check your risk level free (90 seconds)When Light Use Turns Into Heavy Use
This is the part people miss. The same ChatGPT subscription can sit in two completely different risk worlds depending on the job you give it.
The EU AI Act tags certain use cases as high-risk in Annex III. Point a general-purpose tool at one of those, and your deployer obligations jump. We are talking about uses like screening or ranking job applicants, deciding who gets hired or promoted, assessing someone's creditworthiness, or making calls about access to essential services.
Use Copilot to clean up a memo? Light. Use the same Copilot to score and shortlist 300 CVs? Now you are deploying AI in a high-risk context, and the deployer duties for high-risk systems kick in: meaningful human oversight, monitoring how the system performs, weighing the impact on people's fundamental rights, and more.
Same tool. Same login. Wildly different obligations. The trigger is the decision you are automating, not the brand on the chatbot.
| Lighter use (typical deployer duties) | Use that raises your obligations (high-risk) |
|---|---|
| Drafting and editing emails, docs, copy | Screening, ranking or shortlisting job applicants |
| Summarizing meetings and reports | Hiring, promotion or termination decisions |
| Brainstorming and research support | Assessing creditworthiness or loan eligibility |
| Coding assistance and debugging | Deciding access to essential public or private services |
| Internal Q&A over your own documents | Evaluating people in education or critical contexts |
If anything in that right-hand column sounds like your business, do not guess. Run the free risk check and get a clear read on where you stand.
The Trap: How You Accidentally Become a Provider
Staying a deployer keeps your obligations light. There are a few moves that quietly flip you into a provider, with the much heavier Article 16 obligations attached.
You can become a provider if you:
- put your own name or trademark on a high-risk AI system and offer it to others,
- make a substantial modification to a system already on the market,
- or take a general-purpose model, fine-tune it on your own data, and place the result on the market under your own brand.
That last one catches teams off guard. Fine-tuning is not free of consequences. Wrap a model into your own product, tune it, and ship it to customers, and you may have stepped over the line from "using AI" to "providing AI." The role changes, and so does the rulebook. If you are heading down the fine-tuning road, read up on provider obligations before you launch.
What Happens If You Get It Wrong
Worth knowing, worth not panicking over. Most obligation breaches under the Act carry penalties of up to €15 million or 3% of global annual turnover, and for SMEs the rule is that you pay the lower of the two figures, not the higher. The €35 million / 7% headline numbers you may have seen apply to the prohibited practices, the things nobody should be doing in the first place.
The realistic risk for a small business using ChatGPT for normal work is not a record fine. It is sleepwalking into a high-risk use case (usually something in hiring) without the oversight and documentation the law expects. That is the gap we help you close.
Check your risk level free (90 seconds)Your Practical Next Steps
You do not need a legal department to get this right. You need to know your situation and act on it.
- List the AI tools your team actually uses. ChatGPT, Copilot, Gemini, Claude, anything embedded in software you already pay for.
- Write down what each one is used for. Drafting? Summarizing? Anything touching hiring, credit, or access to services? That last group is your watchlist.
- Confirm your role. For these tools you are almost always a deployer. Just verify you have not crossed into provider territory by fine-tuning and shipping.
- Get AI literacy sorted now. It is already in force. A short, documented training session for your team covers it.
- Run the 90-second risk check. It returns your role and your risk tier and flags any high-risk use before it becomes a problem. Run the free risk check.
- Build your file. When you are ready to document oversight, transparency, and the rest in one place, start a free trial and let us guide you through it.
Using ChatGPT at work does not make you a villain, and it does not make you fine-free. It makes you a deployer with a short, honest to-do list that gets longer only if you use AI for the high-stakes stuff. Know which one you are, and the rest is straightforward.