Is ChatGPT or Copilot allowed under the AI Act?
Short answer: yes. Using tools like ChatGPT, Copilot, or Gemini is not prohibited by the Act. The longer answer is that what you do with them decides your duties.
The short answer, and the catch
The EU AI Act does not ban general-purpose assistants. ChatGPT, Microsoft Copilot, Google Gemini, Claude, and the rest are all legal to use in a business. None of them appears on any prohibited list, because the Act does not regulate AI that way.
What it regulates is the use. The same tool can be a harmless convenience in one hand and a high-risk system in another, so the real question is not whether ChatGPT is allowed but whether what you do with it is. For the overwhelming majority of business uses, the answer is yes, with a couple of light conditions.
Why the tool is never the question
The Act classifies a use of AI, not a product or a brand. There is no schedule of approved or forbidden software, and a model vendor can neither make your use compliant nor make it prohibited. That turns entirely on what you point the tool at.
A concrete example makes it clear. An assistant that writes your marketing copy is minimal-risk. The identical account, used to score and rank job applicants, is a high-risk employment use under Annex III. Same login, same model, two very different sets of duties. Once that idea lands, the rest of the Act follows from it.
Most everyday uses are minimal-risk
The way most teams actually use these assistants, drafting emails and documents, summarising meetings and long threads, brainstorming, writing and checking code, general research, sits squarely in the minimal-risk tier.
Minimal-risk means no specific obligations beyond AI literacy under Article 4: making sure the people using the tool understand what it is good at, where it tends to make things up, and when a human has to check the output before it is relied on. For these uses there is nothing to file, label, or register. You simply use the tool knowingly.
Where real duties start
Two thresholds change the picture. The first is when the assistant interacts with your customers. A support chatbot built on one of these models triggers a transparency duty under Article 50: you have to make clear that the person is dealing with AI rather than a human.
The second is when you use it in a high-risk way. Then the heavier Article 26 deployer duties apply: human oversight, record-keeping, minding the input data, and the rest. The classic traps are hiring (screening, ranking, or sifting candidates) and credit or insurance decisions. The trigger, again, is the use and never the logo.
The data and confidentiality angle, separately
There is one more issue, and it is the one that actually catches businesses out, even though it sits beside the AI Act rather than inside it. Whatever you type into a tool can leave your control. Putting customer personal data, trade secrets, or confidential documents into an assistant that is not contracted and configured for it is a GDPR and confidentiality problem in its own right, whatever the AI Act tier.
Before your team relies on a tool, check whether it offers a business tier with a data processing agreement, whether your inputs are used to train the vendor's models, and where the data is processed. Then write the rule down, so people know what is fair game to enter and what is off limits.
What about Copilot, Gemini, and the others
The analysis is the same for every general-purpose assistant. Under the Act these are built on general-purpose AI models, which carry their own obligations, but those fall on the model providers, not on you as a user.
Your duties come from how you deploy the tool, so the questions to ask are identical no matter whose assistant it is: what do we use it for, does it talk to customers, and does it feed a decision about a person. The brand on the login does not change the answer.
A two-minute test for your own use
Ask three questions of each assistant in your business. Does it talk directly to customers? If so, you likely owe a transparency notice. Does it feed a decision about a person, in hiring, credit, access to a service, or similar? If so, treat it as potentially high-risk and look closely. Is anyone putting sensitive data into it? If so, sort the data rules out regardless of the tier.
If the answer to all three is no, you are almost certainly in minimal-risk territory: note the tool and its use, give your people basic AI literacy, and carry on. Veillo runs exactly this classification across every tool in your register and flags the few that carry real duties.
This guide is general educational information, not legal advice. For how the Act applies to your organisation, classify your systems and consult qualified counsel.
Put it into practice
Classify your AI systems against the Act and generate the documents this guide describes.