EU AI Act · Ireland · 2025–2026

EU AI Act: Plain-English Answers for Irish Organisations

49 questions — from the complete basics ("what even is this law?") through to GDPR, Article 4 obligations, fines, and practical compliance steps. Written for Irish small businesses, schools, and community organisations.

Updated May 2026  ·  Reflects Digital Omnibus deal  ·  General information, not legal advice

The absolute basics — if you're new to this 6 questions

What is the EU AI Act? I've never heard of it.

The EU AI Act is a law passed by the European Union in 2024. It is the world's first comprehensive legal framework for artificial intelligence — the first time any major jurisdiction has set binding rules for how AI can and cannot be used.

The law was designed to make AI safer and more trustworthy across Europe. It sets out which AI uses are completely banned, which need extra safeguards, and what basic obligations apply to anyone using AI at work.

Because Ireland is an EU member state, this law automatically applies here — you don't need to do anything for it to be in force. It already is.

Read the official Irish government guidance on the EU AI Act →

Is this an EU law or an Irish law? How does it work here?

The EU AI Act is an EU Regulation — which means it applies directly in all 27 EU member states, including Ireland, without needing to be separately passed by the Oireachtas. It has the same legal force as Irish law.

The Irish government is responsible for enforcement in Ireland. The Department of Enterprise, Trade and Employment leads coordination, and 15 different Irish authorities have enforcement roles depending on sector — including the Data Protection Commission, the CCPC (competition and consumer), and the Central Bank.

The government has also published a Regulation of Artificial Intelligence Bill 2026 to establish a dedicated National AI Office as the central Irish authority.

Department of Enterprise: EU AI Act guidance for Ireland →

What counts as "AI" under this law? Does it mean ChatGPT, or everything?

The EU AI Act defines an AI system as a machine-based system that processes inputs to generate outputs like predictions, recommendations, decisions, or content — and that operates with some degree of autonomy.

In plain English, this covers:

  • Generative AI — ChatGPT, Google Gemini, Microsoft Copilot, Claude, Perplexity
  • AI image and video tools — Midjourney, DALL·E, Canva AI, Adobe Firefly
  • AI writing assistants — Grammarly, Otter.ai, Jasper
  • AI features inside software you already use — AI in your CRM, email platform, accounting tool, or HR system
  • AI decision tools — anything that filters applications, scores leads, or flags anomalies

Standard spreadsheet formulas, basic search, and rule-based automation (e.g. "if X then Y") are not AI systems under the Act. But most tools marketed as "AI-powered" almost certainly are.

OK, so what does the law actually say I have to do?

For most small Irish businesses, the EU AI Act creates three core obligations right now:

  1. AI literacy (Article 4) — already in force since February 2025. Everyone in your organisation who uses AI as part of their work must have enough knowledge to use it safely and understand its limitations. You need to document that this training happened.
  2. Don't use banned AI (Article 5) — already in force since February 2025. Certain AI uses are outright prohibited. These include AI that manipulates people psychologically without their awareness, AI that scores people's behaviour like a social credit system, and AI that identifies people by their face in public without authorisation.
  3. Be responsible for what AI does in your name. As a deployer, you are accountable for how AI tools are used in your organisation — even if you didn't build them, and even if an employee uses them on a personal account for work.

Heavier obligations (detailed technical documentation, conformity assessments) apply to high-risk AI systems — things like AI used in hiring, student assessment, or credit decisions. For most businesses using everyday productivity tools, these don't apply yet, and have been delayed to December 2027.

Why is this law being introduced now? What problem is it trying to solve?

AI tools became widely accessible to businesses and the public from around 2022–2023, but there were no specific rules about how they could be used. The EU AI Act was developed to address real harms that were already happening:

  • AI hiring tools were found to discriminate against women and minorities
  • AI chatbots were making false promises on behalf of companies
  • AI was being used to generate manipulative deepfakes and disinformation
  • Personal data was being fed into AI tools without GDPR-compliant safeguards
  • People were being affected by AI decisions (credit, insurance, benefits) with no right of explanation or appeal

The law aims to make AI trustworthy — so that people, businesses, and institutions can use it with confidence, knowing there are rules and consequences for misuse.

What is the single most important thing I need to do right now as an Irish business owner?

If you do one thing, it should be this: find out what AI tools your team is actually using.

Most business owners are surprised by what this audit reveals — tools used on personal accounts, AI features switched on by default inside existing software, and staff who have been using AI helpfully but without any guidance on what data they can and can't input.

Once you know what's being used, you can:

  • Check whether any of it handles personal data without proper safeguards (GDPR exposure)
  • See if any use cases touch high-risk categories (HR, student data, financial decisions)
  • Write a simple Acceptable Use Policy covering what's allowed and what isn't
  • Document a team briefing — which satisfies Article 4 AI literacy requirements

SafeAI's free Irish SME AI Risk Checklist walks you through exactly this process. The 2.5-hour Practical AI Safety Workshop does it live with your whole team and produces all the documentation you need.

📚 Official Irish Government Resources

The Department of Enterprise, Trade and Employment has published official guidance on the EU AI Act for Irish organisations:

enterprise.gov.ie — EU AI Act guidance →

Who the EU AI Act applies to 8 questions

Does the EU AI Act apply to my small Irish business?
Yes. If your organisation operates in Ireland and uses any AI tool — including ChatGPT, Canva AI, Grammarly, or a CRM with AI features — the EU AI Act applies to you as a deployer. The Act covers all organisations regardless of size, sector, or whether you built the AI yourself. The only exemption is purely personal, non-professional use — which employees using ChatGPT for work do not qualify for.
We're a school / community organisation, not a business — does the AI Act still apply to us?
Yes. The EU AI Act uses the term deployer to cover any natural or legal person, public authority, agency or other body using an AI system — this explicitly includes schools, charities, GAA clubs, community organisations, and public bodies. Article 4's AI literacy obligation applies to every organisation using AI. Schools are also specifically flagged in the Act's high-risk Annex because AI used for student assessment can be high-risk.
I only use ChatGPT to write emails and marketing copy — surely that's too small-scale to matter?
Scale doesn't determine whether the law applies — only what level of obligation it triggers. Any professional use of an AI tool makes you a deployer under the AI Act. For everyday text generation like drafting emails or social media posts, your obligations are relatively light: principally Article 4 (ensure staff have basic AI literacy) and Article 5 (don't use prohibited AI practices). You are not exempt simply because your use is routine or low-volume.
What is a 'deployer' under the EU AI Act, and am I one?
A deployer is defined in Article 3 as any natural or legal person, public authority, agency or other body that uses an AI system for work purposes. If your business uses ChatGPT, Microsoft Copilot, Google Gemini, Canva AI, Grammarly, Otter.ai, or any AI-powered CRM or tool for professional tasks, you are a deployer. The provider (e.g. OpenAI, Google, Canva) has separate obligations for building the tool; your obligations are about how you use it.
When did the EU AI Act start applying, and when do the big deadlines hit?
The Act entered into force on 1 August 2024. Article 4 AI literacy obligations and prohibited AI practices (Article 5) applied from 2 February 2025. General-purpose AI model obligations applied from 2 August 2025. Following the Digital Omnibus deal agreed on 7 May 2026, high-risk Annex III obligations are delayed to 2 December 2027. AI-generated content watermarking applies from 2 December 2026. Article 4 and Article 5 remain fully in force now.
The high-risk AI rules are being delayed to 2027 — does that mean I don't need to do anything yet?
No — this is a common and dangerous misreading. The delay only applies to Annex III high-risk AI system obligations. Two major obligations already apply right now: Article 5 (prohibited AI practices, since February 2025) and Article 4 (AI literacy for all staff dealing with AI, since February 2025). Enforcement by national authorities including Ireland's began August 2025. If you have done nothing, you may already be non-compliant.
We're a sole trader using AI tools — do the rules apply to me personally?
Yes. A sole trader is a 'natural person' using an AI system in a professional capacity, which meets the definition of deployer under the AI Act. The 'personal non-professional' exemption only applies to private use (e.g. using ChatGPT to plan your own holiday). If you use AI tools in your freelance work, consulting, or trade — even without a limited company — Article 4 obligations apply, proportionate to your scale.
What AI tools are actually high-risk for a typical Irish small business?
For most Irish SMEs using everyday productivity tools, very few AI systems meet the high-risk threshold. High-risk AI is defined in Annex III and covers: AI used in recruitment, hiring, promotion, or dismissal; AI used to assess students; AI for credit scoring or insurance underwriting; AI managing critical infrastructure; and AI in health or medical decision-making. If your business uses ChatGPT for copywriting, Canva for design, Grammarly for editing, or Otter for notes — these are not high-risk. The assessment becomes more serious if tools inform consequential decisions about real people.

Not sure where your organisation stands?

Download the free Irish SME AI Risk Checklist — 10 questions, takes 20 minutes.

ChatGPT, Canva, Grammarly and the tools you actually use 8 questions

Is ChatGPT high-risk, minimal-risk, or something in between?
ChatGPT and similar large language models (including Claude, Google Gemini, and Microsoft Copilot) are classified as General-Purpose AI (GPAI) systems. For general tasks, primary obligations fall on the provider (OpenAI), not on you as the user. However, your use of ChatGPT can trigger higher-risk obligations depending on context: if you use it to help make decisions about employees, assess student work, or handle sensitive personal data, it can move into high-risk territory. For everyday tasks like drafting emails or writing marketing copy, it remains minimal-to-limited risk.
Do I need to label or disclose content I create with Canva AI or similar tools?
Yes, from 2 December 2026 under Article 50. Providers of generative AI must mark AI-generated audio, image, and video content in a machine-readable format (e.g. watermarking). Deployers must not remove those markers and, for some content types, must clearly disclose that content is AI-generated. AI-generated deepfakes and AI-generated text on matters of public interest must be visibly labelled. Plan for this if you create AI images for marketing or public information.
Can I use Grammarly on work documents, and what are my obligations?
Grammarly and similar writing tools are generally minimal-to-limited risk. Your obligations are to: (1) ensure staff are aware they are using an AI system (Article 4); (2) check that any personal data processed by Grammarly is covered by a Data Processing Agreement (GDPR Article 28); and (3) avoid pasting confidential client data or sensitive personal data into Grammarly's free consumer tier, which does not have enterprise data handling guarantees. Grammarly Business offers stronger GDPR compliance terms.
We use Otter.ai or Microsoft Teams transcription for meeting notes — what do we need to consider?
AI meeting transcription tools process voice recordings, which are personal data under GDPR. Before using any transcription tool, all participants must be clearly informed that the meeting is being recorded and transcribed by an AI. You need a lawful basis for the processing, a Data Processing Agreement with the tool provider, and a retention and deletion policy for transcripts. If the tool sends recordings to its servers and uses them for model training, configure its data settings to restrict this.
Can my team use ChatGPT on their personal accounts for work tasks?
This is one of the riskiest grey zones for Irish SMEs. When an employee uses ChatGPT on a personal free account for work purposes: (1) under the AI Act, the organisation is still considered the deployer — your obligations apply regardless of which account is used; and (2) the free tier of ChatGPT does not have the GDPR-compliant Data Processing Agreement that OpenAI's enterprise/API tiers offer, meaning any personal data entered is a potential GDPR breach. Your AI Acceptable Use Policy should clearly specify which tools and account tiers are approved.
What about Microsoft Copilot, which is built into our Microsoft 365 subscription?
Microsoft Copilot in Microsoft 365 operates under enterprise data protection terms including a GDPR-compliant Data Processing Agreement — a significant advantage over free consumer AI tools. Microsoft has designed Copilot to stay within your Microsoft 365 tenancy and not use your data for model training. However, you are still a deployer under the AI Act, still need to train staff on safe use (Article 4), and still need to be cautious about what sensitive data the AI accesses through your connected documents and emails.
We use an AI chatbot on our website — what obligations does that trigger?
A customer-facing AI chatbot is subject to Article 50's transparency obligations (from 2 December 2026). You must ensure that any person interacting with the chatbot is clearly and promptly informed they are talking to an AI — not a human — unless it is obvious from context. Additionally, if the chatbot collects or processes personal data from website visitors, it must comply with GDPR: lawful basis for processing, an up-to-date privacy notice, and a Data Processing Agreement with the chatbot vendor.
We use AI-powered HR or recruitment tools — is that high-risk?
Yes. Annex III explicitly categorises AI used in recruitment, selection, promotion, performance management, task allocation, and termination as high-risk AI. This means full high-risk AI obligations — including conformity assessments, technical documentation, human oversight, and worker notification — applying from 2 December 2027. You should not wait until then to audit these tools. Emotion recognition in job interviews has been prohibited since February 2025.

Need a written AI policy for your team?

SafeAI's free editable policy template is a practical starting point — yours in under five minutes.

GDPR, customer data, and AI tools 4 questions

If I paste a customer's name and email into ChatGPT, is that a GDPR problem?
Yes, very likely. Under GDPR Article 28, when you provide personal data to a third-party tool for processing, that tool becomes a 'data processor' and you need a Data Processing Agreement (DPA) in place. The free tier of ChatGPT does not provide a DPA — only OpenAI's API and enterprise plans do. Pasting customer data into a consumer ChatGPT account transmits that data to OpenAI's servers without a lawful GDPR framework — a potential breach reportable to the Data Protection Commission. Italy's DPA fined OpenAI €15 million in December 2024 for related failures.
What is the GDPR + AI Act interaction — do both apply at the same time?
Yes — both frameworks apply simultaneously whenever personal data is involved in AI use. GDPR governs how personal data is collected, processed, stored, and deleted. The EU AI Act governs how AI systems are deployed and overseen. Every time an AI tool processes personal data, you must satisfy both. You can be investigated by both the Data Protection Commission (for GDPR) and Ireland's AI Act competent authorities simultaneously.
Do we need a Data Processing Agreement (DPA) with our AI tool providers?
Yes, if those tools process personal data on your behalf. GDPR Article 28 requires a written DPA with any third party that processes personal data for you, specifying what data is processed, for what purpose, with what security measures, and for how long. Most enterprise AI vendors (Microsoft, Google, Salesforce, Zoom) provide a DPA automatically. Free consumer versions typically do not. Before rolling out any AI tool for use with customer or employee data, confirm whether a DPA exists.
Can we use AI to process special category data (health information, ethnicity, religion)?
Extreme caution is required. Special category data under GDPR Article 9 requires a higher lawful basis (typically explicit consent or a specific legal obligation) and much stronger security measures. Many AI tools are not designed or certified for special category data processing. Additionally, the EU AI Act prohibits certain biometric categorisation uses entirely. If your organisation processes health records, HR data including sensitive categories, or student data, conduct a Data Protection Impact Assessment (DPIA) before connecting any AI tool to that data.

What can actually go wrong 5 questions

What are the actual fines for non-compliance, and could a small Irish business really be fined?
The AI Act has three penalty tiers under Article 99. Breaching the prohibited practices ban (Article 5) carries fines of up to €35 million or 7% of total global annual turnover — whichever is lower for SMEs. So a business with €1 million turnover faces a maximum Article 5 fine of €70,000, not €35 million. High-risk AI violations carry up to €15 million or 3%. Enforcement in Ireland began August 2025. GDPR fines from the Data Protection Commission can run in parallel.
Are the fines realistic for a small business, or will regulators only go after big companies?
Regulators generally pursue large providers first, but SME deployers are within scope. Enforcement may begin through a formal warning or corrective order before fines are applied — but reputational damage and mandatory remediation can be costly even without a financial penalty. Under GDPR we have already seen Irish and EU regulators pursue complaints against smaller organisations. The proportionality in penalty calculation is a ceiling, not an invitation to ignore the law.
What happens if one of my employees misuses an AI tool without my knowledge?
Under both GDPR and the AI Act, the organisation bears responsibility for AI use that happens under its authority — even if you were unaware. If an employee uses an unapproved AI tool at work (shadow AI) or processes customer data through a personal ChatGPT account, the organisation is liable. A documented AI Acceptable Use Policy, regular staff training, and a list of approved tools are your evidence of reasonable steps taken. Without that documentation, it becomes very difficult to demonstrate compliance or mitigate regulatory consequences.
Is there any risk to my professional indemnity insurance or contracts if I use AI without a policy?
Potentially yes. Many professional indemnity insurance policies are beginning to include AI-specific exclusions. If you use AI to generate client deliverables without oversight and those deliverables contain errors or cause harm, your insurer may argue you failed to exercise reasonable professional care. Some client contracts in legal, financial, and professional services are beginning to include AI disclosure clauses. Without an AI policy, you cannot demonstrate to a client, insurer, or regulator that appropriate controls are in place.
What is 'shadow AI' and why is it a risk for my organisation?
Shadow AI refers to AI tools used by employees without the knowledge or approval of management or IT — typically when staff sign up for free AI tools using personal or work email addresses and start using them for work tasks. The risks: personal data transmitted to providers without a DPA; proprietary or confidential information fed into external AI systems; no oversight, audit trail, or ability to demonstrate AI Act compliance. The first step to addressing shadow AI is an honest internal audit of which AI tools your team actually uses.

Ready to get compliant without the complexity?

SafeAI's 2.5-hour workshop leaves your team with everything they need — AI inventory, policy, and Article 4 documentation.

Practical steps for Irish organisations 6 questions

What practical steps should I take right now to comply with the EU AI Act?
The four most urgent steps for any Irish SME or organisation are: (1) Build an AI Use Inventory — list every AI tool your team uses, who uses it, what data it accesses, and whether it has enterprise-grade data protection; (2) Assess risk — identify whether any tools fall into high-risk categories; (3) Create a written AI Acceptable Use Policy — specify approved tools, prohibited uses, data handling rules; (4) Deliver documented AI literacy training to all relevant staff to satisfy Article 4. Many Irish SMEs can achieve a strong compliance baseline in a single workshop.
What should an AI Acceptable Use Policy for a small Irish business include?
A practical policy should cover: (1) a list of approved AI tools and the account tiers permitted; (2) categories of data that may never be entered into AI tools (customer personal data, health information, confidential client information); (3) requirements for human review of AI-generated outputs; (4) disclosure requirements when AI is used to produce client-facing content; (5) what employees should do if they discover a potential AI-related data incident; and (6) a review and update schedule. A two-page document covering the tools your team actually uses is more useful than a generic 20-page template.
What is an AI Use Inventory and why do I need one?
An AI Use Inventory is a structured list of all AI systems your organisation uses or is piloting. It should capture: tool name and provider; what it is used for; which staff use it; what data it accesses; whether a Data Processing Agreement exists; and its risk level under the AI Act. Without an inventory you cannot know whether you have high-risk AI tools in use, cannot demonstrate Article 4 compliance, and cannot respond effectively if the DPC or an AI Act authority requests evidence. Inventories regularly reveal 'shadow AI' tools management was unaware of.
How do I train my staff to satisfy Article 4 without a huge budget?
Article 4 uses the phrase 'to their best extent', which acknowledges proportionality for smaller organisations — you do not need a multi-day corporate programme. What you need is documented evidence that staff who use AI tools understand: what the tool does and its limitations; what data they can and cannot input; who is responsible for reviewing AI outputs; and the organisation's rules. A focused 2-3 hour workshop or team briefing session with an attendance record satisfies the requirement. SafeAI's Practical AI Safety Workshop is specifically designed for this.
Do I need a lawyer to comply with the EU AI Act?
For most Irish SMEs using everyday AI tools at minimal risk, no — not initially. The practical steps (inventorying tools, creating a policy, training staff) are operational tasks achievable with practical guidance rather than legal advice. Legal advice becomes valuable if you're using AI in genuinely high-risk contexts (health, finance, HR decisions), drafting AI clauses into client contracts, or responding to a regulatory investigation. SafeAI provides practical guidance and will refer you to a solicitor where a legal question requires it.
Are there any free resources to help Irish businesses get started?
Yes. SafeAI offers free resources at safeai.ie: the Irish SME AI Risk Checklist, the AI Image Safety Guide, and the SafeAI Team Policy Template. The European Commission's AI Act Service Desk provides guidance and a free compliance checker. Enterprise Ireland and Ireland's network of European Digital Innovation Hubs (EDIHs) offer supports for SME AI adoption. These are strong starting points — though a facilitated workshop or assessment will identify organisation-specific risks that generic checklists cannot.

Who we are and how we can help 7 questions

What is SafeAI and what does it offer?
SafeAI (safeai.ie) is an Irish AI awareness and training service founded by Marcela, based in Cork and working with organisations nationally and remotely. SafeAI helps Irish SMEs, schools, and community organisations understand what AI tools their teams are using, what the EU AI Act says about AI literacy, and how to put basic safe-use practices in place — through practical, plain-English training. SafeAI is not a law firm, compliance auditor, or GDPR consultant. Core services are the Practical AI Safety Workshop (2.5-hour team session) and the AI Awareness Talk (45–60 min briefing for all-hands, CPD days, or conferences).
What qualifications does SafeAI's founder Marcela bring to this work?
Marcela brings a rare combination of EU policy expertise and enterprise technology experience. She spent five years at the European Parliament, developing direct familiarity with EU legislative processes — including the AI Act itself. She then spent 15 years in enterprise technology roles at Microsoft and VMware, giving her direct experience of how AI tools are deployed in real business environments. She holds a Master's degree in EU Legal System. This combination — knowing what the law means and how technology works in practice — is what makes SafeAI's approach distinctively useful.
What happens in SafeAI's Practical AI Safety Workshop?
The workshop is a focused 2.5-hour session for teams of up to 20 people. Your team maps every AI tool currently in use, has an honest conversation about what is and is not safe practice in your specific context, and works together to draft an Acceptable Use Policy as a starting point. You leave with an AI Use Inventory your team created themselves and a policy draft to refine. Delivered on-site across Ireland or remotely. This is awareness and education training — not legal compliance certification or a formal audit.
Can SafeAI deliver a talk or briefing rather than a full workshop?
Yes. The AI Awareness Talk is a 45–60 minute session suitable for all-hands staff meetings, teacher CPD days, board briefings, and conferences. It covers what AI tools employees are typically using, what the EU AI Act says about AI literacy, and what responsible AI use looks like in practice — with space for questions from your team. Get in touch at marcela@safeai.ie to discuss.
Does SafeAI only work with businesses, or also with schools and community organisations?
SafeAI works with the full range of Irish organisations that use AI: SMEs, sole traders, professional services firms, schools and educational institutions, charities, GAA clubs, and community organisations. The AI Act applies to all of them as deployers. SafeAI's workshops are designed for non-technical audiences and adapted to the specific tools and context of any Irish organisation, regardless of sector.
How is AI training different from legal advice, and why does that matter?
SafeAI provides AI awareness education and training — not legal advice, GDPR consulting, or compliance auditing. The training helps your team understand what AI tools they use, what the EU AI Act says about AI literacy, and what responsible day-to-day practices look like. For legal questions specific to your organisation — contracts, regulatory responses, GDPR assessments — you need a qualified solicitor or data protection specialist. General information, not legal advice applies to all SafeAI materials.
How quickly can SafeAI help us get compliant, and what does it cost?
The Practical AI Safety Workshop is a single 2.5-hour session, typically arranged within a few weeks. Free resources are available immediately at safeai.ie. For pricing and availability, contact Marcela directly at marcela@safeai.ie — sessions are designed to be accessible for Irish SMEs, schools, and community organisations and can be delivered on-site or remotely.

Start using AI more safely and confidently

Practical AI training and compliance support designed for Irish organisations — not adapted from corporate frameworks.