The four risk levels, plainly
- Unacceptable risk — banned outright. General social scoring, manipulative or deceptive techniques that cause harm, real-time remote biometric identification in publicly accessible spaces for law enforcement outside narrow exceptions. Concerns very few ordinary French businesses.
- High risk — allowed, but under heavy obligations: conformity assessment and technical documentation on the provider side; use according to the instructions, logging, human oversight, staff training and, in some cases, a fundamental rights impact assessment on the deployer side. Covers AI systems used in HR (CV screening), education (grading, admissions), credit scoring, critical infrastructure, justice, migration.
- Limited risk — transparency obligations. Your users must know they’re interacting with an AI (chatbot, assistant), and that generated content is generated (deepfake, synthetic image).
- Minimal risk — no specific obligation. The vast majority of internal SMB uses fall here: document search, writing assistance, meeting summarization, automatic classification.
Who’s actually concerned in your organization
For an SMB, the one case that warrants immediate vigilance is automated candidate screening. As soon as an AI filters CVs or scores candidates, you are in high risk. If you use it without realizing, through an ATS that quietly integrated "AI", you still carry the deployer's obligations; the vendor's provider obligations do not discharge yours.
For an accounting firm, drafting assistance, research into doctrine, or internal document analysis stays at minimal risk. The line moves if you offer your clients an AI that makes or substantially shapes decisions about individuals (risk scoring, creditworthiness assessment).
For a local government, the focus is on access to rights and public services. An assistant answering residents about administrative procedures stays in limited risk (transparency). An AI that would pre-screen social aid or housing requests would move to high risk.
2026-2027 timeline — what kicks in when
- February 2025 — bans on unacceptable-risk practices, already in force, together with the AI literacy obligation: staff who operate AI systems must have adequate training. That one already applies to deployers, whatever the risk level.
- August 2025 — obligations on general-purpose AI models (GPAI): technical documentation, a public summary of training content, systemic-risk management for the largest models. Concerns providers, not deployers. The penalty provisions also apply from this date.
- August 2026 — general application to all AI systems, including high-risk obligations for the stand-alone uses listed above (HR, credit, education, public services) and transparency obligations on the deployer side (limited risk).
- August 2027 — high-risk obligations for AI embedded in products already covered by EU product safety legislation (machinery, medical devices, vehicles). High-risk systems put into service before August 2026 are only caught when their design is significantly changed, with a longer deadline for systems used by public authorities.
Mapping your AI systems in five steps
- 1. List. Every tool with “AI,” “assistant,” “generative,” “predictive model,” “automatic scoring.” Internal and external (SaaS). Include the ones you didn’t actively choose — ATS, antispam, marketing tools.
- 2. Qualify. For each tool, what does it do, who’s the end user, what decision does it influence? Internal document search ≠ candidate screening.
- 3. Classify. Assign a risk level to each tool, with a one-line justification. If borderline, treat it as the higher level until you’ve decided.
- 4. Document. For tools at limited risk or above, formalize: who’s responsible, how users are informed, what human oversight looks like.
- 5. Revisit. Every six months, or whenever a tool is added. The list ages fast.
On personal data compliance, see GDPR and AI assistants: the keys to compliance.
The actual penalties
The AI Act provides for proportionate administrative fines, capped at €35 million or 7% of worldwide annual turnover for prohibited practices, whichever is higher — which will concern almost no one in practice. For breaches of the other obligations, including those on high-risk systems, the cap drops to €15M or 3%. For incorrect or misleading information sent to authorities, €7.5M or 1%. For SMEs and start-ups, each cap is the lower of the two amounts, not the higher.
More likely than the fine itself: publication of the decision, and the reputational effect. For local governments and public actors, political risk weighs as much as financial risk.
What barely changes for you
If you use an AI assistant platform scoped for document search, writing assistance, summarization, document analysis — without automated high-stakes decisions — you stay in minimal risk. Nothing specific to anticipate beyond basic transparency ("this is an AI replying to you"), already covered by honest practice, and the AI literacy requirement: staff should know what the tool does and what it can get wrong.
The actual work boils down to: documenting what you’re already doing, and being able to produce it on request.
Does the AI Act replace GDPR?
No. The AI Act adds to GDPR. GDPR governs personal data, the AI Act governs AI systems. A system can be GDPR-compliant and not AI Act-compliant, and vice versa. Both apply.
Does an SMB need to name an AI officer?
No formal obligation for minimal-risk uses. For high-risk systems, yes in practice: someone must be able to answer the market surveillance authority (likely the CNIL for France) on documentation and human oversight. An SMB can assign this role to the DPO or IT director.
What if my SaaS tool says it’s “AI Act ready”?
That’s a promise, not proof. Responsibility for classifying your use and documenting your deployment stays with you (the deployer), not the provider. Ask for the provider's technical documentation and instructions for use, read them, and keep them on file.
Thirty minutes to map your AI uses and identify the ones that deserve priority documentation.