The EU AI Act: What It Means for Businesses in Bulgaria

EU AI Act — Regulation (EU) 2024/1689 — risk-based approach, proportionate obligations, applies directly in Bulgaria.

Quick Answer

The EU AI Act (Regulation (EU) 2024/1689) is the EU’s first comprehensive AI regulation. It entered into force on 1 August 2024 and applies directly in Bulgaria, with obligations phased in over time. It establishes a risk-based framework — most businesses will find their everyday AI tools carry limited or minimal obligations. The main compliance milestone for many obligations is 2 August 2026.


A Risk-Based Framework

The Act does not prohibit AI. It categorises AI systems by risk level and assigns obligations accordingly.

A small set of applications are prohibited outright — systems used for mass social scoring, subliminal manipulation, and certain forms of biometric surveillance, as defined under the Act. These prohibitions have applied since February 2025 and are not relevant to the vast majority of commercial operators.

High-risk systems, listed in Annex III of the Regulation, are a separate and distinct category. They remain lawful but face demanding requirements: documented risk management, data quality controls, human oversight mechanisms, and logging. This category covers tools used in employment and HR decisions, credit scoring, critical infrastructure, and certain public-sector applications.

Limited-risk systems — including chatbots and AI-generated content tools — carry transparency obligations: users must be informed they are interacting with AI, and in some cases that content has been artificially generated.

Minimal-risk systems — spam filters, basic recommendation engines, most standard productivity tools — carry no mandatory obligations under the Act. This is where the majority of everyday business AI tools sit.

For most SMEs and professional services firms, high-risk classification is unlikely — but worth a deliberate check rather than an assumption. The table below illustrates how common business AI tools are likely to be classified:

AI Use Case Likely Risk Level
AI writing assistant or drafting tool Minimal / Limited
Customer-facing chatbot Limited
CV screening or recruitment tool Potentially High Risk
Credit scoring or financial risk tool High Risk
Automated HR decision system High Risk

Provider or Deployer — Why It Matters

The Act distinguishes between providers (those who develop and bring AI systems to market) and deployers (those who use AI systems professionally). Most businesses — including accounting firms, consultancies, and SMEs generally — are deployers.

Deployer obligations are real but proportionate. For high-risk systems, deployers must verify correct use, maintain logs, ensure human oversight, and report serious incidents. For limited-risk tools, the primary obligation is transparency toward users. For minimal-risk tools, no mandatory requirements apply.

If your organisation uses AI tools built by third-party vendors — which describes most businesses — the practical starting point is straightforward: identify which tools are in use and by whom, understand their risk classification, ensure your vendor is supplying appropriate documentation, and confirm that any consequential output is subject to documented human review before it reaches clients or employees.


EU AI Act in Bulgaria

The AI Act applies in Bulgaria as in every other EU member state, while national supervisory arrangements continue to evolve. The Commission for Personal Data Protection (CPDP) is relevant for AI systems that involve personal data processing, given its existing mandate under GDPR, but the broader national enforcement architecture is still being established.

Businesses should not read the developing national framework as reduced obligation. The Regulation is in force. Enforcement through the EU-level AI Office operates independently of national structures. The Act provides for significant maximum fines, tiered by infringement type: up to €35 million or 7% of global annual turnover for prohibited practices, and up to €15 million or 3% for material breaches of operator obligations. These thresholds apply proportionately — the Regulation includes specific provisions for SMEs — but they exceed GDPR-level sanctions and are designed to carry real weight.


How Aidos Approaches This

We use AI tools in our work — for drafting, research, and internal documentation — and we treat human oversight of every client-facing output as non-negotiable. Our AI Policy is the result of deliberate internal review rather than a compliance reflex, and it reflects the same standards we apply to data protection and AML governance. It sits within our broader Governance framework and is available to any client or prospect who wishes to understand how we handle AI in the context of their work.

For businesses operating in Bulgaria, the EU AI Act is one of several EU regulatory frameworks — alongside GDPR, AML obligations, and sector-specific requirements — that form part of the compliance picture any well-governed organisation should understand.


Common Misconceptions

The EU AI Act bans tools like ChatGPT.  No. The Regulation governs how AI systems are developed and deployed; it does not prohibit general-purpose AI tools. Most widely used AI applications remain lawful, subject to applicable transparency or oversight obligations.

Every company using AI must conduct extensive compliance audits.  No. Obligations scale with risk classification. Businesses using minimal or limited-risk tools face proportionate requirements — primarily transparency and basic documentation — not large-scale audit programmes.

Only technology companies are affected.  No. Any organisation using AI professionally may have obligations under the Act, regardless of sector. Accounting firms, consultancies, HR departments, and manufacturers are all within scope as deployers.


Conclusion

The EU AI Act places clear, proportionate obligations on those who use AI in a professional context. For most businesses in Bulgaria, the tools in everyday use carry limited obligations — but understanding where you stand requires deliberate assessment, not assumption. For many organisations, the right first step is simply identifying which AI tools are already in use across the business and whether any internal governance measures are appropriate. The main compliance milestone for many obligations is 2 August 2026. That is the right moment to review your position — not after it.

If you are uncertain how the EU AI Act intersects with your compliance position in Bulgaria, contact us — we are happy to help you understand where you stand.


Frequently Asked Questions

Does the EU AI Act apply in Bulgaria?

Yes. As an EU regulation it applies directly in Bulgaria without national transposition. It entered into force on 1 August 2024, with obligations phased in over time. The main compliance milestone for many obligations is 2 August 2026.

What is the difference between a provider and a deployer?

A provider develops and markets an AI system. A deployer uses one professionally — which describes most businesses. Providers carry the heavier obligations; deployers have lighter but real responsibilities, particularly around human oversight, vendor documentation, and — for high-risk systems — logging and incident reporting.

Which AI tools are considered high-risk?

High-risk systems are listed in Annex III of the Regulation and include tools used in employment decisions, credit scoring, critical infrastructure, and certain public-sector applications. Most productivity tools, writing assistants, and general business software fall into limited or minimal risk categories and carry lighter obligations.

What are the penalties for non-compliance?

The Regulation provides for significant maximum fines, tiered by infringement type. Prohibited practices carry penalties of up to €35 million or 7% of global annual turnover; material breaches of operator obligations carry penalties of up to €15 million or 3%. Thresholds apply proportionately, with specific provisions for SMEs.


Disclaimer

This article is for informational purposes only and does not constitute tax, legal, or accounting advice. Each case requires individual assessment under Bulgarian and applicable international law.


Last reviewed: June 2026