
ChatGPT Under the EU AI Act: Classify by Use, Not by Name

AI Tool Compliance · 23 May 2026 · 11 min read · 2,168 words

ChatGPT's EU AI Act risk tier depends on how you deploy it: minimal, Article 50 limited, or Annex III high-risk. GDPR duties and the 2 December 2027 deadline are covered.

Most compliance guides treat ChatGPT as a single, fixed-risk object. The EU AI Act does not work that way. The risk tier for your organisation depends on what you do with ChatGPT — not on what the tool is called.

The Act splits obligations between two distinct parties. OpenAI, as the model provider, falls under Chapter V (GPAI obligations, in force since 2 August 2025). Your company, as the deployer, is governed by a separate stack that scales with how you use the tool. A team using ChatGPT to draft internal memos sits at minimal risk. The same company using a ChatGPT-powered assistant to pre-screen job applications lands squarely in Annex III — and inherits a substantially heavier set of requirements.

This page maps that split, tells you which obligations attach at which risk level, and flags the GDPR traps that catch companies off guard before they even reach the AI Act layer.


How the Act Divides Responsibility: OpenAI vs. You

ChatGPT is built on OpenAI's GPT family of GPAI models. Under Chapter V of Regulation (EU) 2024/1689, OpenAI — as the GPAI model provider — carries obligations that apply regardless of how any downstream deployer uses the tool. These include:

  • Maintaining technical documentation (Article 53(1)(a))
  • Publishing a sufficiently detailed summary of training data used (Article 53(1)(d))
  • Implementing a copyright compliance policy (Article 53(1)(c))
  • Providing downstream deployers with the information they need to comply with their own obligations (Article 53(1)(b))

If OpenAI's GPT models cross the 10²⁵ FLOP training threshold that triggers systemic-risk classification (Article 51), additional obligations kick in under Article 55 — adversarial testing, incident reporting, cybersecurity measures. That is OpenAI's burden, not yours.

Your obligations as the deployer begin at Article 26 and scale upward depending on where your use case sits in the risk hierarchy.


Classifying Your ChatGPT Use Case

The question is not whether ChatGPT is high-risk. The question is whether your specific deployment triggers an Annex III category under Article 6.

Minimal risk: general staff productivity

Using ChatGPT to draft emails, summarise documents, generate code suggestions, or support internal knowledge management carries no mandatory EU AI Act obligations. The tool sits at minimal risk. You do not need to register it, run a conformity assessment, or produce technical documentation under Article 11. Voluntary good practices — logging use, setting an acceptable-use policy — are sensible but not legally required.

The one obligation already in force for all organisations: Article 4 AI literacy, which applies since 2 February 2025. Staff who use AI tools in their work should understand the tool's capabilities and limitations at a level appropriate to their role. That does not require a formal training programme for every user of ChatGPT; it does mean you cannot claim ignorance if a misuse causes harm.

Limited risk: customer-facing or generative deployments

If you deploy ChatGPT in a customer-facing chatbot — a support assistant, a virtual agent on your website — you trigger Article 50(1). Users must be informed they are interacting with an AI system, unless the context makes it obvious. That obligation applies from 2 August 2026.

If your use involves generating synthetic content — AI-written articles, marketing copy, product descriptions — that content must be marked as machine-generated under Article 50(2), with exceptions for clearly creative or satirical work. Again, this is a disclosure duty, not a conformity assessment. The compliance burden is light but not zero.

High risk: Annex III use cases

ChatGPT becomes a high-risk deployment when it is used for a purpose listed in Annex III of the Act. The most common triggers for companies using ChatGPT:

  • Annex III, point 4(a): AI used for recruitment or selection of natural persons, or to evaluate and classify them in employment. A ChatGPT-powered tool that pre-screens CVs, generates candidate summaries for HR, or scores interview responses falls here.
  • Annex III, point 5(b): Creditworthiness assessment or credit scoring. A lender using ChatGPT to analyse borrower profiles or draft credit decisions lands in this category.
  • Annex III, point 3: AI used in education or vocational training for purposes such as evaluating students. An ed-tech product that uses ChatGPT to grade assignments or generate personalised learning assessments qualifies.

One important check before assuming high-risk: the Article 6(3) filter. A system touching an Annex III area is not automatically high-risk if it performs a narrow procedural task, does preparatory work without influencing a human decision, or improves the result of a previously completed human activity. Any provider claiming this exemption must document the assessment. And any system that profiles natural persons is always high-risk, regardless.

For deployers, the Article 25 trap matters here: if your company builds a product on the ChatGPT API and puts its own name or trademark on the output — or substantially modifies the intended purpose — you shift from deployer to provider. Provider obligations (Article 16) are significantly heavier: technical documentation (Article 11 / Annex IV), conformity assessment (Article 43), registration (Article 49), EU Declaration of Conformity (Article 47), and a risk management system (Article 9).


What High-Risk Deployers Must Do

If your ChatGPT deployment is Annex III high-risk, here is what the Act requires of you as deployer — not OpenAI.

Register and classify the tool. Every high-risk AI system your organisation uses must be entered in the EU database under Article 49. The registration captures the system's intended purpose, your role, and the Annex III category.

Human oversight (Article 14). Outputs that affect a person's legal position or life chances must be reviewed by a human before they take effect. An automated CV rejection sent without human review is a direct Article 14 violation. The oversight mechanism must be documented.

AI literacy (Article 4). In force since 2 February 2025. Staff who interact with high-risk AI outputs — HR managers acting on ChatGPT screening summaries, loan officers reviewing AI-generated credit notes — need a baseline understanding of what the system does and where it can be wrong.

Article 26 deployer duties. Follow the provider's instructions; log system use for at least six months (Article 26); inform workers' representatives before deploying AI systems that affect employees (Article 26); monitor the system in operation and report anomalies to the provider.

Fundamental Rights Impact Assessment (Article 27). Required for public-body deployers, and for any deployer using a creditworthiness or life/health-insurance system (Annex III points 5(b) and 5(c)). Not automatically required for private employers using ChatGPT in HR — but best practice, and increasingly expected by national supervisors.

Deadline: Under the Digital Omnibus agreed in May 2026, the application date for stand-alone Annex III high-risk AI systems is 2 December 2027 (pushed back from the original 2 August 2026). That is breathing room, not a reprieve — assembling the documentation and processes takes months, and the inventory work is worth doing now to understand your exposure.


GDPR: the Layer Below the AI Act

Before you reach AI Act obligations, GDPR applies to almost everything you do with ChatGPT in a professional context.

Do not paste names, email addresses, performance reviews, medical information, or any other personal data into ChatGPT prompts unless you have a lawful basis for processing (GDPR Article 6) and a data processing agreement with OpenAI. ChatGPT consumer accounts (chatgpt.com) do not come with a DPA by default. OpenAI's enterprise tier and API access include a DPA and data controls; the free and Plus tiers on the consumer product do not.

Special-category data — health information, ethnic origin, religious belief, trade-union membership — is subject to GDPR Article 9 and requires explicit consent or another specific legal ground. Sending an employee's sick-leave record into a standard ChatGPT prompt is a GDPR breach before you even ask whether the AI Act applies.

Practical minimum: use ChatGPT Enterprise or the API with a signed DPA for any professional context. Set a data-handling policy that tells staff what categories of information they may not submit. Review it when you onboard new use cases.


How Confir Helps

Add ChatGPT to your AI register and Confir's rule-based classification engine asks you how you use it — not just what it is called. Answer the intake questions (role, use case, data types, user population) and the engine derives your risk tier and obligation scope in two steps: Article 5 prohibited-practice check first; then the Article 6 / Annex III scoping. If your use sits at minimal risk, you see a short checklist. If it triggers Annex III, the full deployer obligation stack appears — Article 26 duties, the Article 27 FRIA workflow if it applies, and the Article 4 literacy record.

Everything is rule-based and reproducible: the same intake produces the same finding, and the rule that fired is written in plain language so any reviewer can check it.


Frequently Asked Questions

Is ChatGPT itself high-risk under the EU AI Act?

Not by default. ChatGPT is built on OpenAI's GPAI models, and Chapter V obligations (Articles 51–55) sit with OpenAI as the model provider — those have applied since 2 August 2025. For your company as a deployer, the risk tier depends on the use case: general productivity tools sit at minimal risk; a customer-facing chatbot triggers Article 50 limited-risk transparency duties; an Annex III application (recruitment screening, credit assessment) triggers high-risk obligations. The tool's name does not determine the tier. The use does.

What does Article 50 require for a ChatGPT-powered customer chatbot?

Under Article 50(1), users must be informed they are interacting with an AI system — unless the context makes it obvious. If the chatbot generates synthetic content (text, images), that content must be labelled as machine-generated under Article 50(2). These transparency requirements apply from 2 August 2026. They are disclosure duties, not a conformity assessment. Non-compliance risks fines of up to €15 million or 3% of worldwide turnover under Article 99(4).

If we build a product on the ChatGPT API, are we a deployer or a provider?

It depends on what you build. If you use the API as a service under OpenAI's infrastructure and pass outputs to users, you start as a deployer. But if you put your own name or trademark on the system's output, or substantially change the intended purpose of the system, Article 25 converts you into a provider — with full provider obligations under Article 16: technical documentation, conformity assessment (Article 43), EU Declaration of Conformity (Article 47), and EU-database registration (Article 49). This is the Art 25 trap that catches many SaaS companies building on foundation model APIs.

What are our GDPR obligations when using ChatGPT?

GDPR applies before the AI Act. Any professional use of ChatGPT that involves personal data requires a lawful basis (GDPR Article 6) and, typically, a data processing agreement with OpenAI. Consumer ChatGPT accounts do not include a DPA; ChatGPT Enterprise and the API do. Special-category data (health, ethnicity, religion, trade-union membership under GDPR Article 9) requires explicit consent or another specific legal ground. Do not submit employee personal data, customer records, or sensitive business information to a consumer ChatGPT account.

When does the high-risk deadline apply if we use ChatGPT for recruitment?

Under the Digital Omnibus agreed in May 2026, high-risk obligations for stand-alone Annex III systems apply from 2 December 2027 (the original date of 2 August 2026 has been deferred). If your ChatGPT deployment screens job applicants (Annex III, point 4(a)), you have until then to have your risk management, human oversight, and documentation in place. Article 4 AI literacy applies now (since 2 February 2025). Article 50 transparency for customer-facing AI applies from 2 August 2026. Registration under Article 49 is tied to the high-risk application date.

Do we need a Fundamental Rights Impact Assessment (FRIA) for ChatGPT in HR?

The Article 27 FRIA is mandatory for public-body deployers and for deployers of creditworthiness or life/health-insurance systems (Annex III points 5(b) and 5(c)). Private employers deploying ChatGPT in recruitment are not automatically required to run one — but because recruitment is Annex III high-risk, maintaining a documented rights-impact analysis is prudent and increasingly expected by supervisors. The assessment should cover non-discrimination, data minimisation, human oversight mechanisms, and appeal rights for affected candidates.

What penalties apply if we get this wrong?

Breaches of Article 50 transparency duties and most deployer obligations under Article 26 carry a maximum fine of €15 million or 3% of total worldwide annual turnover, whichever is higher (Article 99(4)). For companies classified as SMEs or start-ups, Article 99(6) caps the fine at the lower of the percentage or the fixed amount — a proportionality protection worth knowing. Fines on GPAI providers (OpenAI) are imposed by the Commission under Article 101, up to €15 million or 3%.

