Does it apply to me?
Who the EU AI Act applies to (8 questions)
Does the EU AI Act apply to my small Irish business?
Yes. If your organisation operates in Ireland and uses any AI tool — including ChatGPT, Canva AI, Grammarly, or a CRM with AI features — the EU AI Act applies to you as a deployer. The Act covers all organisations regardless of size, sector, or whether you built the AI yourself. The only exemption is purely personal, non-professional use — which employees using ChatGPT for work do not qualify for.
We're a school / community organisation, not a business — does the AI Act still apply to us?
Yes. The EU AI Act uses the term deployer to cover any natural or legal person, public authority, agency or other body using an AI system — this explicitly includes schools, charities, GAA clubs, community organisations, and public bodies. Article 4's AI literacy obligation applies to every organisation using AI. Schools are also specifically flagged in the Act's high-risk Annex because AI used for student assessment can be high-risk.
I only use ChatGPT to write emails and marketing copy — surely that's too small-scale to matter?
Scale doesn't determine whether the law applies — only what level of obligation it triggers. Any professional use of an AI tool makes you a deployer under the AI Act. For everyday text generation like drafting emails or social media posts, your obligations are relatively light: principally Article 4 (ensure staff have basic AI literacy) and Article 5 (don't use prohibited AI practices). You are not exempt simply because your use is routine or low-volume.
What is a 'deployer' under the EU AI Act, and am I one?
A deployer is defined in Article 3 as any natural or legal person, public authority, agency or other body that uses an AI system for work purposes. If your business uses ChatGPT, Microsoft Copilot, Google Gemini, Canva AI, Grammarly, Otter.ai, or any AI-powered CRM or tool for professional tasks, you are a deployer. The provider (e.g. OpenAI, Google, Canva) has separate obligations for building the tool; your obligations are about how you use it.
When did the EU AI Act start applying, and when do the big deadlines hit?
The Act entered into force on 1 August 2024. Article 4 AI literacy obligations and prohibited AI practices (Article 5) applied from 2 February 2025. General-purpose AI model obligations applied from 2 August 2025. Following the Digital Omnibus deal agreed on 7 May 2026, high-risk Annex III obligations are delayed to 2 December 2027. AI-generated content watermarking applies from 2 December 2026. Article 4 and Article 5 remain fully in force now.
The high-risk AI rules are being delayed to 2027 — does that mean I don't need to do anything yet?
No — this is a common and dangerous misreading. The delay only applies to Annex III high-risk AI system obligations. Two major obligations already apply right now: Article 5 (prohibited AI practices, since February 2025) and Article 4 (AI literacy for all staff dealing with AI, since February 2025). Enforcement by national authorities including Ireland's began August 2025. If you have done nothing, you may already be non-compliant.
We're a sole trader using AI tools — do the rules apply to me personally?
Yes. A sole trader is a 'natural person' using an AI system in a professional capacity, which meets the definition of deployer under the AI Act. The 'personal non-professional' exemption only applies to private use (e.g. using ChatGPT to plan your own holiday). If you use AI tools in your freelance work, consulting, or trade — even without a limited company — Article 4 obligations apply, proportionate to your scale.
What AI tools are actually high-risk for a typical Irish small business?
For most Irish SMEs using everyday productivity tools, very few AI systems meet the high-risk threshold. High-risk AI is defined in Annex III and covers: AI used in recruitment, hiring, promotion, or dismissal; AI used to assess students; AI for credit scoring or insurance underwriting; AI managing critical infrastructure; and AI in health or medical decision-making. If your business uses ChatGPT for copywriting, Canva for design, Grammarly for editing, or Otter for notes — these are not high-risk. The assessment becomes more serious if tools inform consequential decisions about real people.
Everyday AI use
ChatGPT, Canva, Grammarly and the tools you actually use (8 questions)
Is ChatGPT high-risk, minimal-risk, or something in between?
ChatGPT and similar large language models (including Claude, Google Gemini, and Microsoft Copilot) are classified as General-Purpose AI (GPAI) systems. For general tasks, primary obligations fall on the provider (OpenAI), not on you as the user. However, your use of ChatGPT can trigger higher-risk obligations depending on context: if you use it to help make decisions about employees, assess student work, or handle sensitive personal data, it can move into high-risk territory. For everyday tasks like drafting emails or writing marketing copy, it remains minimal-to-limited risk.
Do I need to label or disclose content I create with Canva AI or similar tools?
Yes, from 2 December 2026 under Article 50. Providers of generative AI must mark AI-generated audio, image, and video content in a machine-readable format (e.g. watermarking). Deployers must not remove those markers and, for some content types, must clearly disclose that content is AI-generated. AI-generated deepfakes and AI-generated text on matters of public interest must be visibly labelled. Plan for this if you create AI images for marketing or public information.
Can I use Grammarly on work documents, and what are my obligations?
Grammarly and similar writing tools are generally minimal-to-limited risk. Your obligations are to: (1) ensure staff are aware they are using an AI system (Article 4); (2) check that any personal data processed by Grammarly is covered by a Data Processing Agreement (GDPR Article 28); and (3) avoid pasting confidential client data or sensitive personal data into Grammarly's free consumer tier, which does not have enterprise data handling guarantees. Grammarly Business offers stronger GDPR compliance terms.
We use Otter.ai or Microsoft Teams transcription for meeting notes — what do we need to consider?
AI meeting transcription tools process voice recordings, which are personal data under GDPR. Before using any transcription tool, all participants must be clearly informed that the meeting is being recorded and transcribed by an AI. You need a lawful basis for the processing, a Data Processing Agreement with the tool provider, and a retention and deletion policy for transcripts. If the tool sends recordings to its servers and uses them for model training, configure its data settings to restrict this.
Can my team use ChatGPT on their personal accounts for work tasks?
This is one of the riskiest grey zones for Irish SMEs. When an employee uses ChatGPT on a personal free account for work purposes: (1) under the AI Act, the organisation is still considered the deployer — your obligations apply regardless of which account is used; and (2) the free tier of ChatGPT does not have the GDPR-compliant Data Processing Agreement that OpenAI's enterprise/API tiers offer, meaning any personal data entered is a potential GDPR breach. Your AI Acceptable Use Policy should clearly specify which tools and account tiers are approved.
What about Microsoft Copilot, which is built into our Microsoft 365 subscription?
Microsoft Copilot in Microsoft 365 operates under enterprise data protection terms including a GDPR-compliant Data Processing Agreement — a significant advantage over free consumer AI tools. Microsoft has designed Copilot to stay within your Microsoft 365 tenancy and not use your data for model training. However, you are still a deployer under the AI Act, still need to train staff on safe use (Article 4), and still need to be cautious about what sensitive data the AI accesses through your connected documents and emails.
We use an AI chatbot on our website — what obligations does that trigger?
A customer-facing AI chatbot is subject to Article 50's transparency obligations (from 2 December 2026). You must ensure that any person interacting with the chatbot is clearly and promptly informed they are talking to an AI — not a human — unless it is obvious from context. Additionally, if the chatbot collects or processes personal data from website visitors, it must comply with GDPR: lawful basis for processing, an up-to-date privacy notice, and a Data Processing Agreement with the chatbot vendor.
We use AI-powered HR or recruitment tools — is that high-risk?
Yes. Annex III explicitly categorises AI used in recruitment, selection, promotion, performance management, task allocation, and termination as high-risk AI. This means full high-risk AI obligations — including conformity assessments, technical documentation, human oversight, and worker notification — applying from 2 December 2027. You should not wait until then to audit these tools. Emotion recognition in job interviews has been prohibited since February 2025.
Legal obligations
What the law actually requires (5 questions)
What is Article 4 and what does it actually require me to do?
Article 4 of the EU AI Act requires all deployers to take measures to ensure their staff have a sufficient level of AI literacy. The text says organisations must act 'to their best extent', acknowledging proportionality for smaller organisations. In practice this means: (1) identifying which staff use AI and for what; (2) ensuring they understand the risks, limitations, and legal obligations around those tools; and (3) keeping a record that you have done this. A one-time all-hands email is unlikely to be sufficient — some form of documented training or policy is expected.
Do I need a formal AI policy or Acceptable Use Policy for my team?
While the AI Act doesn't use the term 'Acceptable Use Policy', Article 4's AI literacy obligation in practice requires you to document how AI may and may not be used. A written AI Acceptable Use Policy — covering which tools are approved, what data can be entered, how outputs must be reviewed, and what is prohibited — is the standard mechanism for demonstrating compliance. It also protects you under GDPR if an employee later pastes customer data into an unapproved tool. Regulators and auditors will expect to see written evidence of your AI governance approach.
What AI practices are completely banned under the EU AI Act?
Article 5 sets out eight categories of AI that are absolutely prohibited across the EU, effective since 2 February 2025. These include: AI that manipulates people through subliminal or deceptive techniques; social scoring systems; AI exploiting vulnerabilities in age or disability to manipulate behaviour; real-time remote biometric identification in public spaces; AI that infers criminal intent from personal characteristics; and untargeted scraping of facial images from the internet or CCTV. Following the May 2026 Omnibus deal, AI systems that generate non-consensual sexual deepfakes are also explicitly banned. Breaches carry fines of up to €35 million or 7% of global annual turnover.
What does 'AI literacy' actually mean — do I need to make everyone a tech expert?
No. AI literacy under Article 4 is defined at a practical, proportionate level. For a shop assistant using an AI scheduling tool, it means understanding that the AI can make errors and outputs need human checking. For a manager using AI-assisted HR tools, it means understanding the legal obligations around AI-assisted employment decisions. Nobody needs to understand machine learning code — the focus is on safe, informed, and responsible use in each person's specific role.
Who enforces the EU AI Act in Ireland?
Ireland has designated 15 national competent authorities. The Competition and Consumer Protection Commission (CCPC) oversees consumer-facing AI. The Data Protection Commission (DPC) handles AI intersecting with personal data. The Central Bank of Ireland covers AI in financial services. A National AI Office is being established under the Regulation of Artificial Intelligence Bill 2026 as the central coordinating authority. National enforcement has been active since 2 August 2025. The EU AI Office in Brussels has direct authority over general-purpose AI model providers.
Data protection
GDPR, customer data, and AI tools (4 questions)
If I paste a customer's name and email into ChatGPT, is that a GDPR problem?
Yes, very likely. Under GDPR Article 28, when you provide personal data to a third-party tool for processing, that tool becomes a 'data processor' and you need a Data Processing Agreement (DPA) in place. The free tier of ChatGPT does not provide a DPA — only OpenAI's API and enterprise plans do. Pasting customer data into a consumer ChatGPT account transmits that data to OpenAI's servers without a lawful GDPR framework — a potential breach reportable to the Data Protection Commission. Italy's DPA fined OpenAI €15 million in December 2024 for related failures.
What is the GDPR + AI Act interaction — do both apply at the same time?
Yes — both frameworks apply simultaneously whenever personal data is involved in AI use. GDPR governs how personal data is collected, processed, stored, and deleted. The EU AI Act governs how AI systems are deployed and overseen. Every time an AI tool processes personal data, you must satisfy both. You can be investigated by both the Data Protection Commission (for GDPR) and Ireland's AI Act competent authorities simultaneously.
Do we need a Data Processing Agreement (DPA) with our AI tool providers?
Yes, if those tools process personal data on your behalf. GDPR Article 28 requires a written DPA with any third party that processes personal data for you, specifying what data is processed, for what purpose, with what security measures, and for how long. Most enterprise AI vendors (Microsoft, Google, Salesforce, Zoom) provide a DPA automatically. Free consumer versions typically do not. Before rolling out any AI tool for use with customer or employee data, confirm whether a DPA exists.
Can we use AI to process special category data (health information, ethnicity, religion)?
Extreme caution is required. Special category data under GDPR Article 9 requires a higher lawful basis (typically explicit consent or a specific legal obligation) and much stronger security measures. Many AI tools are not designed or certified for special category data processing. Additionally, the EU AI Act prohibits certain biometric categorisation uses entirely. If your organisation processes health records, HR data including sensitive categories, or student data, conduct a Data Protection Impact Assessment (DPIA) before connecting any AI tool to that data.
Risks & consequences
What can actually go wrong (5 questions)
What are the actual fines for non-compliance, and could a small Irish business really be fined?
The AI Act has three penalty tiers under Article 99. Breaching the prohibited practices ban (Article 5) carries fines of up to €35 million or 7% of total global annual turnover — whichever is lower for SMEs. So a business with €1 million turnover faces a maximum Article 5 fine of €70,000, not €35 million. High-risk AI violations carry up to €15 million or 3%. Enforcement in Ireland began August 2025. GDPR fines from the Data Protection Commission can run in parallel.
Are the fines realistic for a small business, or will regulators only go after big companies?
Regulators generally pursue large providers first, but SME deployers are within scope. Enforcement may begin through a formal warning or corrective order before fines are applied — but reputational damage and mandatory remediation can be costly even without a financial penalty. Under GDPR we have already seen Irish and EU regulators pursue complaints against smaller organisations. The proportionality in penalty calculation is a ceiling, not an invitation to ignore the law.
What happens if one of my employees misuses an AI tool without my knowledge?
Under both GDPR and the AI Act, the organisation bears responsibility for AI use that happens under its authority — even if you were unaware. If an employee uses an unapproved AI tool at work (shadow AI) or processes customer data through a personal ChatGPT account, the organisation is liable. A documented AI Acceptable Use Policy, regular staff training, and a list of approved tools are your evidence of reasonable steps taken. Without that documentation, it becomes very difficult to demonstrate compliance or mitigate regulatory consequences.
Is there any risk to my professional indemnity insurance or contracts if I use AI without a policy?
Potentially yes. Many professional indemnity insurance policies are beginning to include AI-specific exclusions. If you use AI to generate client deliverables without oversight and those deliverables contain errors or cause harm, your insurer may argue you failed to exercise reasonable professional care. Some client contracts in legal, financial, and professional services are beginning to include AI disclosure clauses. Without an AI policy, you cannot demonstrate to a client, insurer, or regulator that appropriate controls are in place.
What is 'shadow AI' and why is it a risk for my organisation?
Shadow AI refers to AI tools used by employees without the knowledge or approval of management or IT — typically when staff sign up for free AI tools using personal or work email addresses and start using them for work tasks. The risks: personal data transmitted to providers without a DPA; proprietary or confidential information fed into external AI systems; no oversight, audit trail, or ability to demonstrate AI Act compliance. The first step to addressing shadow AI is an honest internal audit of which AI tools your team actually uses.
Getting compliant
Practical steps for Irish organisations (6 questions)
What practical steps should I take right now to comply with the EU AI Act?
The four most urgent steps for any Irish SME or organisation are: (1) Build an AI Use Inventory — list every AI tool your team uses, who uses it, what data it accesses, and whether it has enterprise-grade data protection; (2) Assess risk — identify whether any tools fall into high-risk categories; (3) Create a written AI Acceptable Use Policy — specify approved tools, prohibited uses, data handling rules; (4) Deliver documented AI literacy training to all relevant staff to satisfy Article 4. Many Irish SMEs can achieve a strong compliance baseline in a single workshop.
What should an AI Acceptable Use Policy for a small Irish business include?
A practical policy should cover: (1) a list of approved AI tools and the account tiers permitted; (2) categories of data that may never be entered into AI tools (customer personal data, health information, confidential client information); (3) requirements for human review of AI-generated outputs; (4) disclosure requirements when AI is used to produce client-facing content; (5) what employees should do if they discover a potential AI-related data incident; and (6) a review and update schedule. A two-page document covering the tools your team actually uses is more useful than a generic 20-page template.
What is an AI Use Inventory and why do I need one?
An AI Use Inventory is a structured list of all AI systems your organisation uses or is piloting. It should capture: tool name and provider; what it is used for; which staff use it; what data it accesses; whether a Data Processing Agreement exists; and its risk level under the AI Act. Without an inventory you cannot know whether you have high-risk AI tools in use, cannot demonstrate Article 4 compliance, and cannot respond effectively if the DPC or an AI Act authority requests evidence. Inventories regularly reveal 'shadow AI' tools management was unaware of.
How do I train my staff to satisfy Article 4 without a huge budget?
Article 4 uses the phrase 'to their best extent', which acknowledges proportionality for smaller organisations — you do not need a multi-day corporate programme. What you need is documented evidence that staff who use AI tools understand: what the tool does and its limitations; what data they can and cannot input; who is responsible for reviewing AI outputs; and the organisation's rules. A focused 2-3 hour workshop or team briefing session with an attendance record satisfies the requirement. SafeAI's Practical AI Safety Workshop is specifically designed for this.
Do I need a lawyer to comply with the EU AI Act?
For most Irish SMEs using everyday AI tools at minimal risk, no — not initially. The practical steps (inventorying tools, creating a policy, training staff) are operational tasks achievable with practical guidance rather than legal advice. Legal advice becomes valuable if you're using AI in genuinely high-risk contexts (health, finance, HR decisions), drafting AI clauses into client contracts, or responding to a regulatory investigation. SafeAI provides practical guidance and will refer you to a solicitor where a legal question requires it.
Are there any free resources to help Irish businesses get started?
Yes. SafeAI offers free resources at safeai.ie: the Irish SME AI Risk Checklist, the AI Image Safety Guide, and the SafeAI Team Policy Template. The European Commission's AI Act Service Desk provides guidance and a free compliance checker. Enterprise Ireland and Ireland's network of European Digital Innovation Hubs (EDIHs) offer supports for SME AI adoption. These are strong starting points — though a facilitated workshop or assessment will identify organisation-specific risks that generic checklists cannot.
About SafeAI
Who we are and how we can help (7 questions)
What is SafeAI and what does it offer?
SafeAI (safeai.ie) is an Irish AI awareness and training service founded by Marcela, based in Cork and working with organisations nationally and remotely. SafeAI helps Irish SMEs, schools, and community organisations understand what AI tools their teams are using, what the EU AI Act says about AI literacy, and how to put basic safe-use practices in place — through practical, plain-English training. SafeAI is not a law firm, compliance auditor, or GDPR consultant. Core services are the Practical AI Safety Workshop (2.5-hour team session) and the AI Awareness Talk (45–60 min briefing for all-hands, CPD days, or conferences).
What qualifications does SafeAI's founder Marcela bring to this work?
Marcela brings a rare combination of EU policy expertise and enterprise technology experience. She spent five years at the European Parliament, developing direct familiarity with EU legislative processes — including the AI Act itself. She then spent 15 years in enterprise technology roles at Microsoft and VMware, giving her direct experience of how AI tools are deployed in real business environments. She holds a Master's degree in EU Legal System. This combination — knowing what the law means and how technology works in practice — is what makes SafeAI's approach distinctively useful.
What happens in SafeAI's Practical AI Safety Workshop?
The workshop is a focused 2.5-hour session for teams of up to 20 people. Your team maps every AI tool currently in use, has an honest conversation about what is and is not safe practice in your specific context, and works together to draft an Acceptable Use Policy as a starting point. You leave with an AI Use Inventory your team created themselves and a policy draft to refine. Delivered on-site across Ireland or remotely. This is awareness and education training — not legal compliance certification or a formal audit.
Can SafeAI deliver a talk or briefing rather than a full workshop?
Yes. The AI Awareness Talk is a 45–60 minute session suitable for all-hands staff meetings, teacher CPD days, board briefings, and conferences. It covers what AI tools employees are typically using, what the EU AI Act says about AI literacy, and what responsible AI use looks like in practice — with space for questions from your team. Get in touch at marcela@safeai.ie to discuss.
Does SafeAI only work with businesses, or also with schools and community organisations?
SafeAI works with the full range of Irish organisations that use AI: SMEs, sole traders, professional services firms, schools and educational institutions, charities, GAA clubs, and community organisations. The AI Act applies to all of them as deployers. SafeAI's workshops are designed for non-technical audiences and adapted to the specific tools and context of any Irish organisation, regardless of sector.
How is AI training different from legal advice, and why does that matter?
SafeAI provides AI awareness education and training — not legal advice, GDPR consulting, or compliance auditing. The training helps your team understand what AI tools they use, what the EU AI Act says about AI literacy, and what responsible day-to-day practices look like. For legal questions specific to your organisation — contracts, regulatory responses, GDPR assessments — you need a qualified solicitor or data protection specialist. All SafeAI materials are general information, not legal advice.
How quickly can SafeAI help us get compliant, and what does it cost?
The Practical AI Safety Workshop is a single 2.5-hour session, typically arranged within a few weeks. Free resources are available immediately at safeai.ie. For pricing and availability, contact Marcela directly at marcela@safeai.ie — sessions are designed to be accessible for Irish SMEs, schools, and community organisations and can be delivered on-site or remotely.