Check my compliance →
AIActComply / Blog / Using ChatGPT at work? Here's what the EU AI Act requires

Using ChatGPT at work? Here's what the EU AI Act requires

ChatGPT, Copilot, Claude, Gemini: if your company uses any of these, you have EU AI Act obligations. Most are light. Here is exactly what you need.

Published 18 February 2026

The question comes up constantly in compliance conversations: “We just use ChatGPT internally for drafting and research. Do we really need to care about the AI Act?”

The honest answer is yes, but the obligations are lighter than you probably expect. For most companies using commercial AI tools internally, compliance is achievable with one document and a straightforward risk review.

What GPAI means and why it matters

The EU AI Act introduced a category called General Purpose AI (GPAI) models. These are large-scale AI systems trained on broad data that can be used for a wide range of tasks, not a single defined purpose.

ChatGPT, Microsoft Copilot, Google Gemini, Claude, and similar tools all qualify as GPAI models or products built on top of them. The Act treats these differently from purpose-built AI systems. GPAI models have their own rules (Article 53 onwards), but most of those rules apply to the model providers, not to the companies using the tools.

This distinction matters a lot for your compliance workload.

Two different positions to understand

Your obligations depend on where you sit in the GPAI chain.

If you use GPAI tools as a deployer: Your company uses ChatGPT, Copilot, or a similar tool as part of your workflow. You did not train the model. You are procuring access and using it. In this position, your obligations are the standard deployer set: an AI literacy policy and a risk classification review of the tools you use. The GPAI-specific obligations (system cards, summaries of training data, technical documentation) sit with OpenAI, Microsoft, Google, Anthropic. Not with you.

If you build products using GPAI APIs: Your company integrates a GPAI model API into a product you offer to customers or clients. You are now a provider for the resulting system. Additional obligations apply, including transparency requirements and, depending on what your product does, potentially high-risk provider obligations.

Most companies fall squarely into the first category. If your team is using Copilot to write code or ChatGPT to draft reports, you are a deployer.

What different usage patterns actually require

Not all GPAI use is the same. The obligations scale with how the AI interacts with people outside your organisation.

Internal drafting and research (ChatGPT, Copilot, Gemini for internal use): AI literacy policy only. No additional obligations for the GPAI tools themselves. You need to classify the risk level (minimal risk, in most cases) and document that classification.

AI-generated code (GitHub Copilot, Cursor, similar): AI literacy policy. If the code ships to end users, consider whether the resulting software itself creates any AI Act obligations, but the coding tool itself is minimal risk.

Customer-facing AI chatbot (live chat, virtual assistant, automated advisor): Transparency notice required. Under Article 50, any natural person interacting with an AI system must be informed that they are doing so. This applies even if you built the chatbot on top of a third-party GPAI model. The notification obligation falls on you as the deployer of the customer-facing system.

AI screening job applications via API integration: High-risk deployer obligations. If you have built or integrated an AI screening process using a GPAI API (for example, a custom GPT-4 implementation that scores incoming CVs), you are likely operating a high-risk system under Annex III category 4. The underlying model being GPAI does not change the risk classification of what you built with it.

The transparency notice requirement

Article 50 of the AI Act requires that users be informed when they are interacting with an AI system, unless it is obvious from context. This applies specifically to:

The “obvious from context” exception matters less than it sounds. If your customer service chat window says “Chat with us,” that is not obvious. If it says “Chat with Aria (AI assistant),” that is.

For companies running customer-facing AI tools, this means checking your interface copy and adding a disclosure if it is not already there. This is one of the more immediate practical changes many companies need to make.

What “our employees already know it’s AI” does not cover

Some legal teams have argued that because staff know they are using ChatGPT, the transparency requirements do not apply internally. That is largely correct for internal use. The transparency rules are primarily aimed at external interactions where users may not know they are dealing with AI.

But this argument fails completely for customer-facing AI. You cannot assume your customers know. You cannot assume they read the terms of service. Article 50 exists precisely because the legislature did not want organisations relying on assumptions. If users interact with your AI system, tell them.

What you do not need to audit or document

One of the most common areas of unnecessary anxiety is around the underlying model. You are not required to audit OpenAI’s training data, review GPT-4’s architecture documentation, or verify Anthropic’s safety procedures. Those are obligations for the model providers, and the providers have their own compliance track.

Your AI literacy policy does not need to contain technical analysis of how ChatGPT works. It needs to cover which tools your staff use, which roles use them, what training or guidance those roles receive, and who is responsible for keeping the policy current.

If your developers are building with GPAI APIs, read this

The deployer position described above applies only when you are using existing GPAI tools as provided. If your engineering team is calling OpenAI’s API to build a product feature, the resulting system needs its own compliance review.

The question to ask: does the feature your team built constitute an AI system under the Act, and if so, what risk category does it fall into? If you built a customer-facing AI advisor, a CV screening integration, or an automated decision system affecting users, you are a provider or a high-risk deployer for that system. The fact that it runs on GPT-4 underneath does not change your obligations.

Find out exactly what your company needs

Answer 20 questions about your AI systems. AIActComply generates your complete compliance documentation, prefilled for deployers, in 11 EU languages.

Check my compliance →
Ready to get compliant?
Get all your EU AI Act documents in 30 minutes
Answer 20 questions. AIActComply generates your AI Literacy Policy, Risk Classification Memo, Usage Policy, and Transparency Notice — prefilled, in 11 EU languages. €99 one-time.
Start now →