DraftAIPolicy

Does the EU AI Act Require Your Company to Have an AI Policy?

The EU AI Act is aimed mostly at companies that build AI systems — but it doesn't ignore companies that merely use them. If your business operates in the EU, sells to EU customers, or has EU employees, several obligations apply to you as a 'deployer' of AI systems, and a written AI policy is the practical way to meet them. The Act's obligations have been phasing in since February 2025.

The deployer obligations that touch ordinary companies

  • AI literacy (Article 4, applicable since February 2025): companies must ensure staff operating AI tools have a sufficient level of AI literacy — training appropriate to their role and the tools they use.
  • Prohibited practices (applicable since February 2025): certain AI uses — manipulative techniques, social scoring, emotion recognition in the workplace beyond narrow exceptions — are banned outright, with the Act's steepest penalties.
  • Transparency (phasing in through 2026): people should be informed when they're interacting with an AI system rather than a human, and certain AI-generated content must be disclosed.
  • High-risk uses: if you use AI in employment decisions (screening, evaluation), that's a high-risk category carrying significant deployer duties — human oversight, monitoring, record-keeping.

So is a written policy legally mandatory?

The Act doesn't contain a sentence saying 'every company must have an AI policy.' But look at what it does require of deployers — trained staff, no prohibited uses, transparency to users, human oversight of high-risk applications — and ask how you'd demonstrate any of it without a written policy. A policy is how the obligations become operational: it names the approved tools, embeds the prohibited-use list, sets the disclosure default, and documents the human-review requirement. It's also the first artifact a regulator or enterprise customer will ask to see.

What to put in the EU-aware sections

  • GDPR rules for personal data in prompts: lawful basis, processor agreements, transfer mechanisms
  • A commitment to avoid the Act's prohibited practices, with examples staff can recognize
  • Legal review required before any AI use in employment or other high-risk decisions
  • Disclosure defaults for customer-facing AI
  • Role-appropriate AI training, satisfying Article 4's literacy requirement

Our generator includes EU-specific clauses automatically when you select the EU as a jurisdiction — GDPR, EU AI Act prohibited practices, AI literacy, and high-risk review requirements — alongside your industry's rules.

Generate your AI policy in 3 minutes

Customized to your industry, jurisdictions, and tools. Free preview, $49 one-time to download, 14-day guarantee.
