March 28, 2026

Does the EU AI Act Apply to My Business?

Witness Team · 5 min read

The Short Answer

If your business develops, sells, or uses an AI system that affects people in the European Union, the EU AI Act almost certainly applies to you. There is no revenue threshold, no employee minimum, and no exemption for small companies.

The EU AI Act (Regulation 2024/1689) entered into force on August 1, 2024, with the most significant obligations — those covering high-risk AI systems — taking effect on August 2, 2026. Understanding whether and how it applies to your business is the first step toward compliance.

Who the Act Applies To

Article 2 defines the scope. The regulation applies to four categories of actors in the AI value chain:

Providers — Anyone who develops an AI system (or has one developed on their behalf) and places it on the market or puts it into service under their own name or trademark. This includes SaaS companies, product companies shipping AI features, and enterprises building internal AI tools branded under their name.

Deployers — Anyone who uses an AI system under their authority in a professional context. If your company uses an AI-powered HR screening tool, a chatbot, or an AI credit scoring model, you are a deployer.

Importers — Entities that bring AI systems from outside the EU into the EU market.

Distributors — Entities that make AI systems available on the EU market without being the provider or importer.

You can hold multiple roles simultaneously. A company that builds an AI tool for internal use is both a provider and a deployer.

The Geographic Reach

This is where many non-EU companies get caught off guard. The AI Act applies to:

  • Companies established in the EU that provide or deploy AI systems
  • Companies outside the EU whose AI system's output is used within the EU (Article 2(1)(c))
  • Companies outside the EU that place AI systems on the EU market

A US-based SaaS company whose AI features are used by European customers falls under the regulation. A Chinese manufacturer whose AI-equipped product is sold in Europe falls under the regulation. The geographic reach mirrors GDPR's extraterritorial approach — if the effects are felt in the EU, the law applies.

Who Is Excluded

The Act does have exclusions. Article 2(3)-(12) carves out several categories:

  • Military and national security — AI systems developed or used exclusively for military purposes are outside scope
  • Scientific research and development — AI systems used purely for research before being placed on the market are excluded
  • Personal, non-professional use — An individual using an AI tool for personal purposes is not a deployer
  • Open source — Free and open-source AI components are largely exempt, unless they are part of a high-risk system or a prohibited practice
  • Third-country authorities — AI systems used by public authorities of non-EU countries under international agreements for law enforcement or judicial cooperation

One important nuance on open source: if you take an open-source model and integrate it into a product you sell or deploy professionally, the AI Act applies to your product. The open-source exemption covers the component, not the system you build from it.

The 5-Question Decision Tree

Answer these questions in order to determine if the EU AI Act applies to your business:

1. Does your business develop or use a system that meets the AI definition?

Article 3(1) defines an AI system as a machine-based system designed to operate with varying levels of autonomy, that may exhibit adaptiveness after deployment, and that infers from its inputs how to generate outputs such as predictions, content, recommendations, or decisions. Simple rule-based automation or basic data processing generally does not qualify.

If no → The Act does not apply. You're done.

If yes → Continue to question 2.

2. Is the AI system used exclusively for military, research, or personal purposes?

If the system is developed solely for national security, used only in a pre-market research context, or used for personal non-professional activities, it falls outside scope.

If yes → The Act does not apply.

If no → Continue to question 3.

3. Does the AI system affect people in the EU?

This includes systems placed on the EU market, put into service in the EU, or whose output is used within the EU — regardless of where your company is headquartered.

If no → The Act does not apply.

If yes → Continue to question 4.

4. Are you the provider, deployer, importer, or distributor of this system?

If you develop the system, use it in your business, import it into the EU, or make it available on the EU market, you hold at least one of these roles.

If no → The Act does not apply to you (though it may apply to others in the value chain).

If yes → The EU AI Act applies to your business. Continue to question 5.

5. What is your risk level?

Your specific obligations depend on whether your AI system is classified as minimal, limited, high-risk, or prohibited. This determines whether you face zero mandatory requirements, transparency obligations, the full compliance regime, or an outright ban.

Common Misconceptions

"We're a small company, so it doesn't apply." Wrong. The EU AI Act contains no size exemption. A five-person startup deploying a high-risk AI system has the same core obligations as a multinational. SMEs do benefit from reduced penalty caps (Article 99(6)) and simplified documentation options (Article 11(2)), but the law itself applies equally.

"We're outside the EU, so it doesn't matter." Wrong. If your AI system's output is used in the EU, you are in scope. This is explicit in Article 2(1)(c).

"We just use ChatGPT — we're not an AI company." Using a third-party AI tool in a professional context makes you a deployer. Your obligations depend on how you use it and what risk category the use case falls into. If you use an AI system for hiring decisions, you are deploying a high-risk system regardless of who built it.

"Our system is rule-based, not machine learning." The AI definition in Article 3(1) is broader than machine learning. If your system infers outputs from inputs and operates with some autonomy, it may qualify. However, simple if/else automation without inference typically falls outside the definition.

"We'll deal with this after August 2026." Some provisions are already in force. The ban on prohibited AI practices (Article 5) and AI literacy requirements (Article 4) have been enforceable since February 2, 2025. Non-compliance today already carries penalties of up to 35 million EUR or 7% of global turnover.

Next Steps

Determining applicability is step one. Step two is classifying your AI system's risk level, which determines the specific obligations your business must meet. The Witness AI System Classifier walks you through this process in about three minutes — no signup required, no consultants needed.
