The AI Act Is About AI Systems, Not Just Personal Data
The AI Act regulates how AI systems are designed, placed on the market, and used. It is not a personal‑data law like GDPR, and it can apply even when no personal data is processed. The regulation’s scope and timeline are set by the EU, with phased application through 2027, not by any one country. That distinction trips up teams teh first time they map use cases across laws.
The Risk Ladder In Plain Terms
Think of four rungs. Prohibited uses are banned outright. High‑risk systems include AI in listed areas such as biometrics, employment, and certain safety components, or AI that is a safety component of a regulated product. Limited‑risk systems carry transparency duties, like telling users they are interacting with AI and labeling synthetic content. Minimal‑risk systems face no AI Act duties. The Commission’s overview explains these categories and the obligations that attach to high‑risk systems, including risk management, logging, documentation, human oversight, and cybersecurity (European Commission overview and timeline).
Timeline You Can Actually Plan Around (2024 to 2027)
Mark the dates. The Act entered into force on August 1, 2024. Prohibited practices and AI literacy requirements started on February 2, 2025. Obligations for general‑purpose AI models began on August 2, 2025. Most rules apply from August 2, 2026, with extra time until August 2, 2027 for high‑risk AI embedded as safety components in regulated products (official timeline).
Why Most Technical‑Services Assistants Are Not The Primary Target
Common product‑intelligence scenarios focus on product data, specs, and configuration logic, often with little or no personal data. These assistants usually provide decision support rather than making consequential decisions about people or safety. That points to limited or minimal risk, where the main duty is transparency, such as informing users they are chatting with AI and marking synthetic content when relevant (Article 50 transparency).
The Edge Cases Manufacturers Must Watch
Three areas can escalate obligations fast. First, worker management and employment uses, like candidate ranking or performance scoring, are listed as high‑risk in Annex III and trigger the full high‑risk toolkit (Annex III high‑risk list). Second, biometric monitoring and emotion inference are tightly restricted, including a prohibition on using AI to infer emotions in workplaces and education except for defined medical or safety reasons (Article 5 prohibitions). Third, AI that functions as a safety component of a regulated product, such as certain machinery control or protective functions, is high‑risk and follows product‑safety style conformity routes.
What High‑Risk Looks Like In Practice
High‑risk providers document a risk‑management system, data governance, technical documentation, automated logging, human‑oversight measures, and accuracy, robustness, and cybersecurity controls. Deployers follow instructions for use, keep logs, ensure trained oversight, and monitor post‑market performance. These are familiar quality and safety disciplines for manufacturers, just applied to software and models (EU overview of high‑risk requirements).
A Simple Classification Checklist For Manufacturing Use Cases
Use this quick test before procurement or build decisions:
- Does the AI make or materially influence decisions about hiring, promotion, discipline, or firing? If yes, treat as high‑risk.
- Does it infer emotions or categorize people using biometric data in the workplace? If yes, expect prohibitions or severe limits.
- Is the AI a safety component of a regulated product whose failure could harm people? If yes, treat as high‑risk with product conformity steps.
- Otherwise, does the assistant simply retrieve specs, compare products, draft quotes, or assemble RFP responses with human review? If yes, likely limited or minimal risk with transparency duties.
What This Means For Catalog Intelligence, Matching, Comparisons, and RFPs
Expect transparency obligations and good record‑keeping, not a full conformity assessment. Design workflows so humans remain in control, especially for customer‑facing answers and pricing. Keep personal data out by default. Most product‑intelligence assistants do not sit in Annex III and do not act as safety components, so they usually avoid high‑risk categorization. This also keeps GDPR overhead lighter because little or no personal data is processed alongside AI outputs.
Procurement Guidance That Scales With Regulation
Select providers with a regulatory‑aware posture. Look for living technical documentation, configurable transparency notices, event logs, human‑in‑the‑loop controls, model change management, incident handling, and clear routes to export evidence for audits. Industry‑specific platforms like Hazel AI emphasize strong audit trails, liability and data guards, and a data‑scarcity stance, which helps you avoid collecting personal data you do not need. These safeguards let teams expand into tougher use cases later without a rebuild.
Bottom Line For 2026 Planning
Map each use case to a risk tier, confirm any Annex III or safety‑component triggers, and add transparency where needed. Keep humans in the loop for technical answers and quoting. If you branch into HR or biometric monitoring, budget for high‑risk obligations and timing. The EU’s phased schedule gives manufacturers enough runway to modernize technical‑service workflows while staying comfortably inside the rules.
