EU AI Act Obligations from August 2026 — What Your Company Must Do
The EU AI Act (Regulation (EU) 2024/1689) entered into force on 1 August 2024 with a staggered timeline. The clauses your company must comply with depend on two factors. The first is your role: provider, deployer, importer, or distributor. The second is the risk category of the AI system you operate. This page lays out the deadlines and obligations. It also covers the practical steps for keeping ChatGPT, Copilot, and other LLM tools in compliant use inside a German organisation.
Who is in scope: provider, deployer, importer, distributor?
The EU AI Act distinguishes four operator roles: provider (placing on the EU market), deployer (using under own authority), importer, and distributor. Most German companies using ChatGPT or Copilot are deployers. This role has the lightest set of obligations. It still requires transparency (Art 50), risk awareness, and AI literacy training (Art 4).
A provider is whoever develops an AI system, or has one developed, and places it on the EU market under their own name. Examples are OpenAI, Anthropic, Google, Microsoft, and Mistral. A deployer is any natural or legal person who uses an AI system under its own authority in a professional activity. Private, non-professional use is excluded.
The role can shift. A deployer that fine-tunes a model, rebrands it, or substantially modifies a high-risk system can become a provider under Article 25. This is the typical trap for companies building custom Copilot agents or RAG systems on top of an off-the-shelf LLM. The risk classification (limited / high-risk / prohibited / general-purpose AI) applies on top of the role. It determines the bulk of the obligations.
Importer and distributor roles apply mostly to AI systems sold as physical or embedded products. For pure software-as-a-service LLM use, the deployer role is what matters in practice.
When does each obligation start?
The timeline has four key dates. Prohibitions and AI literacy apply from 2 February 2025. General-purpose AI obligations apply from 2 August 2025. The bulk of high-risk system obligations, including providers and deployers of Annex III systems, apply from 2 August 2026. High-risk systems embedded in regulated products apply from 2 August 2027.
The 2 February 2025 milestone is already in force. Art. 5 prohibitions (social scoring, untargeted facial-recognition scraping, emotion recognition in workplaces and schools, etc.) apply now. Art. 4 AI literacy applies to all providers and deployers regardless of risk class — not optional, not deferred.
The 2 August 2025 milestone added obligations for general-purpose AI models. This is where the upstream providers (OpenAI, Anthropic, etc.) have to publish training-data summaries, copyright compliance policies, and technical documentation. Deployers benefit indirectly but acquire no new direct obligation on that date.
The 2 August 2026 milestone is the heavy one for deployers. It brings full applicability of high-risk-system rules in Annex III. This includes Art. 13 (transparency to deployers), Art. 14 (human oversight), and Art. 26 (deployer obligations such as record-keeping, monitoring, and DPIA where required under GDPR). It also requires EU database registration for high-risk systems.
How do I anonymise data before sending it to a cloud LLM under Article 13 or 14?
To comply with Article 13 (transparency to deployers) and Article 14 (human oversight), the deployer must know what personal data is in the prompt before it leaves the perimeter. The practical way to satisfy this is a deterministic PII scrubber running between user and LLM. This is what curta.solutions' anonymize.dev, anonym.legal, and anonymize.today MCP servers do for Claude Desktop, Cursor, and OpenAI-compatible clients.
The scrubber operates locally. It identifies entities (names, addresses, financials, identifiers, credentials, health data), replaces them with deterministic pseudonyms, sends the cleaned prompt to the cloud LLM, and reverses the pseudonymisation on the response. The original PII never leaves the company perimeter. This simultaneously addresses GDPR Article 5(1)(c) data minimisation.
For Article 14 human oversight, the scrubber provides a deterministic audit trail. Every prompt is logged with its entity replacements before transmission. A human reviewer can verify what was sent. This is the kind of evidence the deployer needs for Article 26 record-keeping. It also supports the eventual DPIA under GDPR Article 35 where a high-risk AI system processes personal data.
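The scrub, send, restore and log cycle described above can be sketched as follows. This is an added example, not code from curta.solutions or any of the named products; the two regex patterns, the HMAC-based token format, the demo key and the sample prompt are all assumptions constructed for illustration.

```python
import hashlib
import hmac
import re

KEY = b"constructed-demo-key"  # assumption: in practice loaded from a local secret store
# Constructed patterns; names, addresses and health data would need a real entity recogniser.
PATTERNS = {
    "EMAIL": re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"),
    "IBAN": re.compile(r"\b[A-Z]{2}\d{2}[A-Z0-9]{11,30}\b"),
}
SAMPLE = ("Refund the customer at anna.schmidt@example.de, "
          "IBAN DE89370400440532013000. Cc anna.schmidt@example.de.")  # constructed


def pseudonym(key: bytes, kind: str, value: str) -> str:
    """Keyed hash: the same value always maps to the same token under one key."""
    tag = hmac.new(key, f"{kind}:{value}".encode(), hashlib.sha256).hexdigest()[:10]
    return f"<{kind}_{tag}>"


def scrub(prompt: str, key: bytes = KEY):
    """Return (clean prompt, token->original map, audit record)."""
    mapping, replaced = {}, []
    for kind, pattern in PATTERNS.items():
        def repl(match, kind=kind):
            token = pseudonym(key, kind, match.group(0))
            mapping[token] = match.group(0)          # stays inside the perimeter
            replaced.append({"type": kind, "token": token})
            return token
        prompt = pattern.sub(repl, prompt)
    # Fail closed: refuse to transmit if any pattern still matches.
    if any(p.search(prompt) for p in PATTERNS.values()):
        raise ValueError("residual PII detected, prompt not sent")
    # Audit record holds what was sent and which tokens were used, never the originals.
    audit = {"prompt_sent": prompt, "replacements": replaced}
    return prompt, mapping, audit


def restore(response: str, mapping: dict) -> str:
    """Reverse the pseudonymisation on the LLM response, locally."""
    for token, original in mapping.items():
        response = response.replace(token, original)
    return response
```

Because the token is a keyed hash of the value, the repeated e-mail address maps to one token, so the model can still reason about "the same person" without seeing the address.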
The MCP server form factor matters. It plugs into Claude Desktop, Cursor, and OpenAI-compatible clients without changing user workflows. Adoption costs are low and the compliance layer is consistent across tools.
Can I keep using ChatGPT in a German company?
Yes. ChatGPT can be used in a German company if the deployer meets four conditions. Apply privacy-by-design (data minimisation through anonymisation). Keep a record of high-risk uses under Article 26. Run the AI literacy training required by Article 4. Document the EU AI Act risk classification of every productive use case. For fully sovereign use cases, the localLLM engagement keeps the model on-premises and skips most EU AI Act risk classification for ad-hoc LLM use.
A compliant ChatGPT deployment in a German company has five components. The first is an enterprise subscription (no training on customer data). The second is SSO and DLP integration. The third is a PII scrubber for prompts that may contain personal data. The fourth is a written AI use policy mapped to Article 4 and Article 26. The fifth is a register of productive use cases with their risk classification.
The same pattern works for Microsoft 365 Copilot. The contractual baseline is already strong (no training, EU Data Boundary, customer-managed keys). Article 4 AI literacy and Article 26 deployer records are still required. The grounding data does not exempt the deployer from the documentation duty.
For use cases where cloud is unsuitable — sovereign data, classified work, or air-gapped environments — localLLM provides an on-premises alternative. The model runs on the company's own hardware. Outbound traffic is physically blocked. This removes most of the Article 13/14 cross-border transparency questions because the system never leaves the perimeter.
What curta.solutions tools help with EU AI Act compliance?
Three curta.solutions products map directly to EU AI Act obligations. The first set is anonymize.dev, anonym.legal, and anonymize.today (Article 13-14 PII protection layer). The second is localLLM (sovereign on-premises model for cases that cannot use cloud LLMs). The third is the AI Implementation engagement (Article 4 AI literacy programme + Article 26 deployer documentation).
anonymize.dev targets developer workflows — credentials, API keys, customer data in code and prompts — via MCP for Claude Desktop and Cursor. anonym.legal targets regulated text (legal, healthcare, financial) with 285+ entity types and 48 languages. anonymize.today is the simpler regex-based option for general office use. All three are deterministic and reversible, with ISO 27001-certified servers in Germany.
localLLM is the engagement for sovereign use cases. It includes a codebase scanner, an OpenAI-compatible gateway with a 54-family model catalog, a plan-then-execute agentic orchestrator, and an MCP server with 38 tools. It operates air-gapped and on-premises with zero cloud dependency. It is designed for organisations where Article 13/14 transparency to a third-party LLM provider is not workable.
The AI Implementation engagement is where the Article 4 AI literacy programme and the Article 26 deployer documentation come together. Deliverables include a written AI use policy, a risk-classified register of productive use cases, role-specific literacy training, and a quarterly review cadence.
Best fit and known limitations
Best fit
German and EU companies running ChatGPT, Copilot, or Claude in productive workflows. They need an Article 4 / 13 / 14 / 26 compliance layer before 2 August 2026, plus a sovereign fallback for sensitive use cases.
Less suitable
Pure providers building foundation models. This engagement is designed for deployers. Provider obligations under Title III require a different stack, including conformity assessments and EU database registration.
Known limitations
The page is informational and the engagement supports compliance. The final risk classification and accountability under Article 26 sit with the deployer's governing body. Legal interpretation remains with company counsel.
Adjacent Engagements
GDPR-Compliant AI Prompting
Prompt policies, guardrails, and AI literacy training material that doubles as Article 4 evidence.
localLLM
Sovereign on-premises LLM platform for sensitive use cases where cloud transparency is not workable.
anonymize.dev
Privacy-as-Code MCP server for developer AI tools — the practical Article 13/14 PII protection layer.
Ready to map your EU AI Act exposure?
Book a consultation to walk through your operator role and your productive use cases. We will draft a fixed-price plan to be ready for 2 August 2026.