Common myths about the EU AI Act
The Act attracts confident misinformation. Here are the myths that come up most often, and the reality behind each.
Myth: the Act bans AI
It does not. The Act bans a small, specific set of uses under Article 5, things like social scoring and untargeted face-scraping, and leaves the vast majority of AI use allowed. What it adds for the rest is a set of duties that scale to the risk, which for most businesses means light obligations rather than a ban.
Myth: it only applies to tech and AI companies
The companies that build AI carry the heaviest duties, but they are not the only ones in scope. Deployers, the businesses that simply use AI tools, have their own obligations, especially for high-risk uses. Since almost every company now uses AI somewhere, the Act reaches far beyond the tech sector.
Myth: if we did not build it, we are not responsible
Buying rather than building does not put you outside the Act. As a deployer you are responsible for how you use a system: using it as intended, keeping a human in oversight, and informing the people affected. Those duties grow heavier the higher the risk of the use, and they are yours regardless of who made the tool.
Myth: tools like ChatGPT are illegal
They are not, and there is no list of banned products. What you do with a tool decides the rules, and the everyday uses, drafting, summarising, and research, are minimal-risk. The same tool only attracts real duties when you point it at something like screening job candidates.
Myth: minimal-risk means there is nothing to do
Minimal-risk is the lightest tier, but it is not nothing. AI literacy under Article 4 applies to almost everyone, whatever the tier: the people using AI should understand its limits. It is a low bar, met by a short policy and some guidance, but it is not zero.
Myth: it is all in force now
The Act phases in over several years rather than landing all at once. The literacy duty and the prohibitions applied from February 2025, general-purpose AI rules from August 2025, the Article 50 transparency duties from August 2026, and the core high-risk duties from December 2027. Knowing which parts apply when is half of planning for it.
Myth: compliance needs a huge budget
Duties scale with risk, and the Act builds in proportionality for SMEs and startups, including lower fine caps and instructions to authorities to weigh a business's size. A small company with mostly minimal-risk AI can reach an audit-ready posture with a policy, an inventory, and a couple of documents, not a compliance department.
Myth: it does not reach companies outside the EU
It can. The Act applies to providers and deployers outside the EU when the output of their AI system is used in the EU, so a company with no EU office can still be in scope. The EU connection, not the company's address, is what counts.
This guide is general educational information, not legal advice. For how the Act applies to your organisation, classify your systems and consult qualified counsel.
Put it into practice
Classify your AI systems against the Act and generate the documents this guide describes.