The EU AI Act: What Your SME Needs to Know
Practical guide to the European Union's AI Act for Italian SMEs. Obligations, risk classification, deadlines, and compliance checklists explained clearly and actionably.
Contents
What the AI Act is and why it affects your SME
The AI Act is the world's first regulation on artificial intelligence, approved by the EU and taking effect progressively from 2024 to 2027. Even if you are an SME that simply uses ChatGPT or a chatbot, the AI Act affects you. The regulation classifies AI systems by risk: unacceptable risk (prohibited), high risk (strict requirements), limited risk (transparency obligations), minimal risk (no obligations).
The good news: most AI uses in SMEs fall under minimal or limited risk. But it is important to know where the boundaries are, especially if you use AI for CV screening, credit scoring, or decisions that impact people.
Risk classification: where does your AI sit?
Unacceptable risk (PROHIBITED): social scoring, subliminal manipulation, mass facial recognition. Not relevant for SMEs. High risk (STRICT REQUIREMENTS): AI for personnel selection and worker management, credit scoring, access to essential services, product safety systems. If your SME uses AI for automated CV screening or employee evaluation, it falls here. Requirements: human oversight, transparency, risk registry, quality data.
Limited risk (TRANSPARENCY OBLIGATIONS): chatbots and AI assistants interacting with people, AI-generated content (text, images), recommendation systems. Main obligation: inform the user they are interacting with AI. Minimal risk (NO SPECIFIC OBLIGATIONS): AI for internal data analysis, process automation without direct impact on people, decision-support tools without autonomy. Most AI uses in SMEs fall here.
Concrete obligations for Italian SMEs
For chatbots and AI assistants (limited risk): 1. Inform the user they are talking to AI: 'You are speaking with an AI assistant. A human agent is available on request'. 2. If you generate content with AI (text, images) for public use, indicate that it is AI-generated. For AI in HR (high risk): 1. Human oversight: no automated decision without human review. AI suggests, humans decide. 2. Transparency: inform candidates about AI use in the selection process.
3. Non-discrimination: regularly test that AI does not discriminate by gender, age, or nationality. 4. Documentation: maintain a registry of high-risk AI systems used, their purposes, and safety measures. For everyone: if you use third-party AI services (ChatGPT, Claude, etc.), verify that the provider is compliant. Major providers already are.
Compliance deadlines and timeline
The AI Act takes effect progressively: February 2025: prohibition of unacceptable-risk systems. August 2025: obligations for general-purpose AI models (concerns providers like OpenAI and Anthropic, not SME users). August 2026: obligations for high-risk systems. This is the most relevant deadline for SMEs using AI in HR or scoring. 2027: full application of all requirements. What to do now: 1. Inventory your AI systems: list all AI tools used in the company and their purpose.
2. Classify the risk: for each, determine if it is minimal, limited, or high risk. 3. For limited-risk systems: add transparency notices ('AI in use' banner). 4. For high-risk systems: begin implementing human oversight and documentation. 5. Train the team: a 2-hour session on responsible AI use is enough to start.
AI Act compliance checklist for SMEs
Immediate checklist (do now): I have an inventory of all AI systems used in the company. For every chatbot/assistant, users are informed it is AI. I do not use AI for automated decisions about people without human review. Customer data used with AI complies with GDPR (consent, purpose). I have verified the terms of service of the AI providers I use. Checklist by August 2026 (if you use high-risk AI): I have documented the purposes and risks of each high-risk AI system.
AI decisions about people (HR, credit) always have human oversight. I have tested AI for bias and discrimination. I maintain logs of high-risk AI decisions for audit. The team is trained on responsible AI use. SME note: the AI Act provides simplifications for SMEs. You are not subject to the same obligations as a large enterprise. However, basic compliance is both a legal obligation and a competitive advantage: customers and partners prefer working with companies that use AI responsibly.
Related guides
Ready to go from theory to practice?
Let's implement AI in your business together. The first call is free.