Does the EU AI Act apply to you if your software has no AI?

The EU AI Act only governs what it calls an AI system. If the software tools your company uses don't fit that definition, none of the law reaches you. The test is short. Does the system work out its own answers, or does it just follow rules a person wrote? Get that one question right and the heavy duties fall away.

What the EU AI Act actually regulates

The EU AI Act is a product-safety law for AI. It sorts AI systems by risk and puts duties on the riskier ones. It does not regulate software in general. It does not regulate data or automation either. It regulates systems that meet its own definition of AI, and only those. So the first question is never what your tool does. It is whether your tool is an AI system at all.

The law splits AI into four bands of risk:

• Unacceptable risk: a short list of banned uses, such as social scoring and most live facial recognition in public.
• High risk: systems that can affect safety or rights, like AI used to hire, fire, or score people. These carry the heaviest duties.
• Limited risk: systems that just have to be open about themselves, such as a chatbot telling you it is a bot.
• Minimal risk: everything else, where most AI sits and no duties apply.

The reach is wide. Under Article 2 of the Regulation, the rules bind providers who put an AI system on the EU market. They also bind deployers who use one inside the EU, even when the provider sits abroad. But every one of those hooks hangs on the same words: AI system. No AI system, no provider or deployer, and the duties never start.

What counts as an "AI system" under the law?

An AI system, in the law's own words, is a machine that works out its answers for itself. It does more than run a fixed script. The official definition turns on one ability: the system must infer. That is the line between regulated AI and ordinary software.

"AI system means a machine-based system that is designed to operate with varying levels of autonomy and that may exhibit adaptiveness after deployment, and that, for explicit or implicit objectives, infers, from the input it receives, how to generate outputs such as predictions, content, recommendations, or decisions that can influence physical or virtual environments."
Article 3(1), Regulation (EU) 2024/1689

The notes that explain the law are blunt about what this leaves out. Recital 12 says the definition should not cover "simpler traditional software systems or programming approaches." It should also not cover systems "based on the rules defined solely by natural persons to automatically execute operations." In plain terms: if a person wrote every rule and the software just runs them, it is not AI under this law.

Look at the tools a compliance team actually uses. A web form, a workflow that routes a case, an encrypted inbox, a database search, a fixed decision tree. None of these infer anything. They do exactly what they were told to do. They are software, not AI systems.

One thing flips the switch, and it is not what people assume. The Act doesn't apply because you handle sensitive data, automate a task, or run in the cloud. It applies because the system infers. A tool can be large, complex, and business-critical and still sit outside the law, as long as it doesn't learn from data or build its own model to reach an answer.

Rule-based software runs fixed logic. An AI system infers its own answers, and that is the line the law draws.

So does it apply if your software has no AI?

For the high-risk and transparency parts of the Act, the answer is no. If no part of your software meets the Article 3(1) definition, you are not the provider or deployer of an AI system. The high-risk duties and the transparency rules in Article 50 have nothing to attach to. There is no conformity check to pass, no risk file to keep, and no AI to register.

Two honest caveats come with that answer. The first is to be sure you really have no AI. Vendors add features all the time, and inference can hide in just one of them. An example shows how this happens. Say your reporting tool is plain software, but you switch on an AI helper that guesses how urgent each report is. That helper infers. Now you deploy an AI system, even though the rest of the tool only follows rules. A chatbot on your contact page, an AI translation feature, or an AI service running underneath as a sub-processor can do the same thing.

The second caveat is that other law still applies. The General Data Protection Regulation (GDPR) governs your personal data whether or not you use AI. And the Act's AI literacy duty, the rule that staff must understand the AI they work with, only bites companies that actually run AI systems. Drop the AI and that duty drops with it.

Where whistleblowing and HR tools get caught

Employment is one of the law's high-risk zones, and that is exactly where reporting and HR software lives. Annex III lists eight high-risk areas. Point 4 covers AI used in "employment, workers management and access to self-employment." It names AI that filters job applications, evaluates candidates, allocates tasks by behaviour or traits, or monitors how people perform. AI that screens or scores workers is presumed high-risk.

That sweeps in a feature many compliance tools now advertise. More and more whistleblowing and case-management platforms add AI to sort reports, score how serious they are, predict outcomes, or translate submissions on the fly. The moment that AI helps decide how a worker's report is handled, the customer using it can become the deployer of a high-risk system. That brings paperwork, human oversight, and logging duties. An AI chatbot that takes the first report adds an Article 50 duty to tell people they are talking to a machine.

Those deployer duties are not light, and they land on you, the buyer, not just the vendor. You have to keep a person in the loop on decisions the AI shapes. You have to watch the system over time and store its logs. You have to tell affected workers when an AI was involved. For a sensitive process like a whistleblowing report, where trust is the whole point, that is a heavy thing to take on for a convenience feature.

A tool with no AI in that path skips the whole question. A whistleblowing platform like WeMoral that keeps inference out of report intake and triage stays ordinary software in the eyes of the Act. Its customers never inherit a deployer's high-risk burden. The contrast is sharp once you line the two up:

One narrowing rule is worth knowing. An Annex III system can escape the high-risk label if it does not pose a significant risk of harm, for example when it only does a narrow clerical task. But that is a tight exception, and the provider has to document that assessment. For anything that screens people or shapes how their reports are treated, the safe assumption is high-risk.

The Act sorts AI by risk, from minimal at one end to a few banned uses at the other.

What changes on 2 August 2026, and what just got delayed?

The Act's general start date is 2 August 2026. That is when most of the rules switch on and national enforcement begins. But the dates have shifted. A simplification package known as the Digital Omnibus, backed by the European Parliament on 16 June 2026 and still going through the last steps before it becomes law, pushes the heaviest deadlines back.

Under that package the standalone high-risk duties move to 2 December 2027. High-risk AI built into regulated products moves to 2 August 2028. The marking of AI-generated media gets a short extension too. Some things do not move. The banned uses have applied since February 2025. The core transparency duties still land on the 2026 date, and that is when broad enforcement begins. You can track the current state on the European Commission's AI Act page. Treat the omnibus dates as near-final until they are published in full.

The Digital Omnibus pushes the heaviest deadlines from 2026 into late 2027.

The penalties show why the dates draw so much attention. The Act allows fines of up to 35 million euros or 7% of global yearly turnover for banned uses. Most other breaches run up to 15 million euros or 3%. Giving authorities misleading information runs up to 7.5 million euros or 1%. Those ceilings are big enough that scope is not a technicality. For a no-AI tool, the moving deadlines change nothing. The test stays the same. No AI means nothing to do, on any of these dates.

How to check whether you're in scope

You can settle your own exposure with one question, asked of every feature. Does it infer, or does it follow rules a person wrote? Work through your stack in order and the answer usually becomes clear.

1. List every feature that ranks, scores, predicts, sorts, recommends, or writes content.
2. For each one, ask whether it learns from data, or just runs fixed logic.
3. Hunt for hidden AI: chatbots, translation, search ranking, and any AI a vendor runs underneath.
4. For anything that does infer, decide your role. Did you build or badge it, or do you just use it?
5. If a feature infers and touches people's work, rights, or reports, treat it as possibly high-risk and get advice.

Ask your software vendors the same question in writing. A clear answer about whether any feature infers, and where, tells you more about your AI Act exposure than any brochure about "smart" or "intelligent" automation. Keep that answer on file, so you can show it if a regulator or a customer ever asks.

The law rewards knowing exactly what your software does. A tool with no AI gives a regulator a smaller surface to inspect and leaves you one fewer regime to manage. Your job is to prove that nothing in your stack infers, and to pick tools that keep it that way.