The EU AI Act and Georgian Business: What Applies to You

The EU AI Act is the European Union's law for artificial intelligence. It reaches a Georgian company when that company sells AI products into the EU market or processes the personal data of EU users. It sorts AI systems into four risk tiers and attaches duties to each. Customer-facing chatbots fall under a transparency duty: tell the person they are talking to a machine.

TL;DR: The Act bites only if you touch the EU market. 4 risk tiers run from prohibited to minimal. Chatbots sit in the limited-risk band and owe one main thing: a clear AI disclosure. Inside Georgia, your local data law still governs.

Most Georgian SMBs that run a Facebook page bot for Tbilisi customers are not the target of this law. The companies that need to read closely are the ones with EU clients, EU users, or an export product. If you are unsure where your AI tools land, an honest first step is a short scoping review. Our team handles that as part of AI consulting and compliance scoping, and for anything touching contracts or fines you should also retain a Georgian lawyer.

Does the EU AI Act apply to a company in Georgia?

It applies to a Georgian company when that company places an AI system on the EU market, offers it to people in the EU, or its AI output is used inside the EU. Geography of your office does not decide this. Where your users and buyers sit does. A Tbilisi shop serving only local customers usually stays outside its reach.

The practical test has three questions. Do you sell or license AI software to EU customers? Do EU residents use your AI product or chatbot? Does AI you build produce results consumed in the EU? A yes to any of these pulls you into scope, and you then map your systems against the tiers below.

The four risk tiers, in plain terms

The Act ranks AI by how much harm it could cause, then sets duties to match. Here is the structure without the legal jargon.

Tier	What it covers	Your duty
Prohibited	Social scoring, manipulative or exploitative systems	Banned. Do not build or deploy.
High-risk	Hiring, credit scoring, medical, biometric ID, critical infrastructure	Heavy: risk management, documentation, human oversight, logging
Limited-risk	Chatbots, AI-generated content, deepfakes	Transparency: disclose AI, label generated media
Minimal-risk	Spam filters, recommendation widgets, most marketing tools	No specific obligations

Most marketing and support automation lands in limited-risk or minimal-risk. A support chatbot is limited-risk. A spam filter or a product recommender is minimal-risk. You climb into high-risk territory when AI starts making decisions about people: who gets hired, who gets a loan, who gets a diagnosis.

What the Act requires for chatbots

A chatbot in EU scope owes a transparency duty. The person must learn, clearly and early, that they are interacting with an AI system and not a human. You meet this with a plain line at the start of the conversation. No buried footnote, no clever wording.

Three concrete moves cover most of it:

Disclose up front. Open with something like "You are chatting with an AI assistant." A reputable build bakes this into the first message.
Label generated media. AI-generated images, audio, or video aimed at EU users need a marker that the content is synthetic.
Offer a human path. Let the user reach a person when the topic needs one. This also protects your conversion, since trapped customers leave.

The fine structure of the Act is tiered by severity and company size. Public summaries describe penalties scaling into the millions of euros and a share of global turnover for the worst breaches, with lighter bands for limited-risk slips. Treat any exact number you read as indicative and confirm it with counsel before you rely on it.

Your Georgian obligations do not disappear

Even outside EU scope, the Law of Georgia on Personal Data Protection (2011) governs how you collect, store, and use customer data at home. It is Georgia's GDPR-style regime. A chatbot that captures names, phone numbers, and messages is processing personal data, so consent, purpose limits, and security still apply.

Run both checks side by side. The EU AI Act asks "is this AI system safe and transparent for EU users?" The Georgian data law asks "are you handling this person's data lawfully in Georgia?" A bot can clear one and fail the other. Most Georgian SMBs spend more real effort on the local data law than on the AI Act, because the local law applies to every customer they have.

A short compliance path for an SMB

You do not need a legal department to get to a defensible position. You need an inventory and a few decisions.

List your AI systems. Chatbot, content generator, recommender, any scoring tool. One line each.
Mark EU exposure. Note which ones touch EU users or buyers.
Tier each one. Use the table above. Flag anything near high-risk for a lawyer.
Add disclosures. Put the AI line on every customer-facing bot, EU-facing or not. It costs nothing and builds trust.
Document data handling. Write down what each system collects and why, for the Georgian data law.

This is a half-day exercise for a small company. The output is a one-page record you can hand to a lawyer or an auditor. If the inventory surfaces a high-risk system or an EU contract with AI clauses, that is the point to bring in paid legal help and a compliance scoping session rather than guessing.

FAQ

Do I need to comply with the EU AI Act if my business is only in Tbilisi?

Usually no. If every customer and user sits in Georgia and you do not sell AI products into the EU, the Act does not reach you. Your obligation then runs under the Georgian Personal Data Protection Law. The moment you take on EU clients or EU users, run the three-question scope test in this article.

What risk tier is a customer support chatbot?

A standard support or sales chatbot is limited-risk. The duty attached to that tier is transparency: tell the user they are talking to AI and label any AI-generated media. You climb into high-risk only when the system makes consequential decisions about people, such as hiring, lending, or medical assessment.

What happens if my chatbot does not disclose that it is AI?

For EU users, a missing disclosure is a transparency breach. The Act sets tiered penalties by severity and company size, and public summaries describe figures reaching into the millions of euros for serious cases. Treat exact numbers as indicative, fix the disclosure first since it is free, and confirm any specific liability with a Georgian lawyer.

Is the Georgian data law enough on its own?

For a purely domestic business, the Georgian Personal Data Protection Law covers your core duties on consent, storage, and security. It does not cover the EU AI Act's transparency and risk rules for EU-facing systems. If you serve EU users, you need both. Adding the AI disclosure line satisfies the easiest part of the EU side at no cost.

Should I hire a lawyer before deploying an AI chatbot?

For a limited-risk bot serving Georgian customers, a lawyer is optional at launch, though a data-handling review is wise. For anything near high-risk, an EU contract with AI clauses, or a system that scores or screens people, retain a Georgian lawyer first. A compliance scoping session tells you which bucket you are in before you spend on legal fees.