
The EU AI Act: what companies must anticipate

The EU AI Act takes a risk-based approach to AI. What companies that use AI need to know and prepare for now.

By Alexis de ONYRI

The EU Artificial Intelligence Act (AI Act) governs AI with a risk-based approach: the riskier the use, the stronger the obligations. For most companies using consumer AI assistants, the issue isn't being a “provider” under the regulation, but using AI responsibly — transparency, human oversight, and protecting the data that flows through. Anonymizing data before sending it remains a robust habit, whatever the regulatory detail.

A risk-based approach

The AI Act classifies AI systems by risk level, from prohibited uses to high-risk uses (subject to strict obligations), down to limited or minimal risk. General-purpose AI models have their own obligations, notably around transparency.

  • Unacceptable risk: certain uses are prohibited.
  • High risk: enhanced obligations (documentation, oversight, robustness).
  • Limited risk: transparency obligations (disclose it's AI).
  • Minimal risk: the majority of everyday uses.

Provider or deployer: which are you?

The regulation distinguishes, among other roles, the party that develops a system or places it on the market (the provider) from the party that uses it professionally (the deployer). A company that merely uses an AI assistant is generally a deployer: its obligations focus on compliant use, transparency and data protection.

What you can prepare now

  1. Map your AI uses and the data they handle.
  2. Document a usage policy (transparency, human oversight).
  3. Minimize the data sent to third-party services (anonymization at the source).
  4. Connect AI Act and GDPR: data protection is a common foundation.

Whatever your role, sending less sensitive data to AI services reduces your risk surface. ONYRI Sanitize anonymizes that data in the browser before anything is sent: a simple move, aligned with the minimization spirit shared by the GDPR and the AI Act.

Frequently asked questions

Does the AI Act replace the GDPR?
No. They complement each other: the GDPR protects personal data, the AI Act governs AI systems. Personal data sent to an AI falls under both.

Is my company a “provider” if it just uses ChatGPT?
Generally no: using an assistant is closer to the deployer role. Obligations differ by role and by the use's risk level — to be checked case by case.

What should I do first?
Map your uses, set a clear policy, and minimize the data you transmit. Anonymization at the source is a concrete, immediate measure.
