News Anonde Agent: an in-network PII boundary for every AI tool. Join the waitlist →
anonde
Star on GitHub
Blog

The EU AI Act and your LLM pipeline

If you put personal data through an LLM, the EU AI Act now shapes how you have to build. Here's what it actually requires, the dates that matter, and where a PII boundary fits. Written for engineers, not lawyers.

·TL;DR

  • The EU AI Act (Regulation (EU) 2024/1689) regulates AI by use case and risk. It entered into force on 1 August 2024 and phases in through 2 August 2027.
  • It sorts systems into four tiers: unacceptable, high, limited, and minimal risk. High-risk systems carry the heavy obligations.
  • It does not replace GDPR. If your AI touches personal data, you owe both.
  • High-risk obligations include data governance, logging, transparency, and human oversight, and they don't disappear because you call someone else's model.
  • Stripping personal data before it reaches the model is a technical control that supports data-minimisation and governance goals. It's one engineering measure, not legal cover.

01What is the EU AI Act?

The EU AI Act is the first broad, horizontal law governing artificial intelligence. It regulates AI systems by what they're used for and how much risk they pose to people, not by which model or vendor you pick. It applies to providers and deployers whose systems are used in the EU, including companies based elsewhere.

The practical consequence: there is no "we just call an API" exemption. If your product uses AI in a regulated context, the obligations attach to you as the provider or deployer, regardless of where the underlying model comes from.

02The four risk tiers

The Act splits AI systems into four levels, and your obligations follow the level you land in:

  • Unacceptable risk: banned outright. Think social scoring and certain manipulative or biometric-surveillance uses. These prohibitions have applied since February 2025.
  • High risk: allowed, but heavily regulated. Covers AI in areas like employment, credit, education, critical infrastructure, biometrics, and migration. This is where data governance, documentation, logging, human oversight, and conformity assessment kick in.
  • Limited risk: transparency duties. Users must be told when they're dealing with AI (chatbots) or AI-generated content (deepfakes).
  • Minimal risk: most AI, e.g. spam filters and recommendation features. No new obligations.

A separate track covers general-purpose AI (GPAI) models, the foundation models many products are built on. Their providers carry transparency and documentation duties, and models judged to pose "systemic risk" face extra testing and reporting.

03The dates that matter

The Act phases in. The milestones engineers should plan around:

  • 1 August 2024: entered into force.
  • 2 February 2025: prohibited practices and AI-literacy duties apply.
  • 2 August 2025: obligations for general-purpose AI models apply.
  • 2 August 2026: most high-risk obligations and transparency rules apply.
  • 2 August 2027: full application, including the deadline for GPAI models already on the market before August 2025.

Some high-risk systems embedded in already-regulated products get a longer runway (into 2027–2028). Penalties are real: up to €35M or 7% of global turnover for prohibited uses, and up to €15M or 3% for breaching high-risk or GPAI obligations.

04Where the AI Act and GDPR overlap

The AI Act sits on top of GDPR; it doesn't replace it. Any AI system that processes personal data has to satisfy both. The two are complementary, and the Act's data-governance article references the GDPR directly.

Article 10, the data-governance rule for high-risk systems, requires training, validation, and testing data to be relevant, representative, and "to the best extent possible, free of errors and complete." It allows processing special categories of personal data only when strictly necessary for bias detection, and even then demands pseudonymization, state-of-the-art security, access controls, and deletion afterwards. That's GDPR-style data minimisation written into AI law.

The takeaway: the less raw personal data you move into model training and inference, the smaller your obligations under both regimes.

05What changes for your LLM pipeline

If your application is high-risk or builds on a GPAI model, expect to demonstrate, in practice:

  • Data governance: know what data flows into the model, where it came from, and why it's necessary.
  • Logging: keep records of how the system operated, so behavior is traceable.
  • Transparency: make clear when users interact with AI or AI-generated output.
  • Human oversight: design for a person to intervene, not just rubber-stamp outputs.

"Data governance" is the line item most likely to surprise engineering teams. Once a customer's name, address, or account number lands in a prompt, it can flow into a provider's logs, a fine-tuning corpus, or another tenant's context. From a governance view, that's data you now have to account for. The cleanest fix is to stop sending it in the first place.

06Where a PII boundary fits

This is Anonde's view, not a legal opinion: the simplest way to shrink your exposure is to keep personal data out of the model unless it's genuinely needed.

Anonde is an open-source, self-hosted boundary that anonymizes personal data and secrets in text, JSON, PDFs, and logs before they reach an LLM, then reveals the real values only inside your own trust boundary. Sensitive spans become stable placeholder tokens on the way in, and get restored on the way back to the user, never persisted in a provider's systems by default.

As an engineering measure, that maps onto the goals the Act and GDPR push toward: data minimisation, governance over what enters the model, and a clear, auditable point where redaction happens. It is one control among several. It does not make you "compliant," replace a conformity assessment, or substitute for legal advice. It just means there's less personal data in the riskiest place: someone else's model.

See how it works, try the live demo, or read the quickstart to run it on your own infrastructure.

07FAQ

Does the EU AI Act apply to using ChatGPT or other LLMs at work?

It regulates AI by use case and risk, not by which model you call. If your application is high-risk or builds on a GPAI model, you inherit obligations around data governance, logging, transparency, and oversight. Calling a third-party API doesn't move those off you.

When does the EU AI Act take effect?

It entered into force on 1 August 2024 and phases in through 2 August 2027, with prohibited practices live since February 2025 and most high-risk rules from August 2026.

How does it relate to GDPR?

They're complementary. If your AI processes personal data, you owe both, and GDPR principles like data minimisation still apply on top of the Act.

Can anonymizing data before an LLM help?

Anonymization or pseudonymization before data reaches a model is a technical control that supports data-minimisation and governance goals under both regimes. It's one engineering measure, not a substitute for legal assessment.

·Sources

This article is general information, not legal advice. Confirm your obligations with qualified counsel.