Vai al contenuto principale
All resources
AI Compliance · · 9 min read

The EU AI Act for SMEs: what really changes (and what doesn't)

Do you too have to comply with the AI Act? For almost all SMEs the answer is calmer than expected. Deployer versus provider, the four risk tiers, when the burden becomes serious, the link with GDPR and DPIA and the Italian framework of the Garante — in plain language and without scaremongering.

Since the EU AI Act came into force, the question we hear most often from SME entrepreneurs and managers is a single one, and it comes from anxiety: "do I have to comply too? And how much will it cost me?". The short answer, for the vast majority of small and medium-sized Italian companies, is more reassuring than the press suggests — but it needs to be understood well, because "calm" doesn't mean "it doesn't concern me".

Let's try to bring order, in plain language, to what really changes for an SME and — just as important — to what does not change.

First distinction: you're a user, not a producer

The AI Act sharply separates two roles, and to understand your obligations you need to know which one you're in. The provider is the one who develops or places an AI system on the market: OpenAI, Google, a software house that sells its own model. The deployer is the one who that system uses in their own business — the company that adopts a sales copilot, an assistant for customer support, a tool to generate marketing content.

Almost all SMEs are deployers, not providers. That's good news: the obligations of article 26 of the AI Act, those that fall on whoever uses AI, are real but much lighter than those imposed on whoever builds it. The bulk of the regulatory weight stays upstream, on the provider.

The four risk tiers (and where almost all of an SME's AI ends up)

The heart of the AI Act is a risk-based approach: not all uses of AI are treated the same way. The official summary of the regulation defines four tiers:

  • Unacceptable risk — banned. Systems like government-style social scoring or behavioural manipulation. It's not business territory: they simply cannot be used.
  • High risk — permitted, but with serious obligations. It concerns "sensitive" uses listed in Annex III: staff recruitment and management, credit scoring, biometric identification, education, essential services. Here AI decides on people's rights and opportunities.
  • Limited risk — transparency obligations. The typical case: a chatbot must declare to the user that they're talking to a machine; AI-generated content must be flagged as such.
  • Minimal risk — no specific obligation. Spam filters, internal suggestions, the bulk of productivity copilots.
The four risk tiers of the AI Act
  1. Unacceptable risk

    Banned — social scoring, behavioural manipulation. Outside the realm of business.

  2. High risk

    Permitted, but with serious obligations (Annex III): personnel, credit, biometrics, essential services.

  3. Limited risk

    Transparency obligations — a chatbot must declare itself as such, AI-generated content must be flagged.

  4. Minimal risk

    No specific obligation. This is where almost all AI at an SME falls: copilots, drafts, spam filters.

The base is the widest on purpose: the vast majority of an SME's AI uses fall in the minimal and limited tiers. Source: the official summary of the EU AI Act (artificialintelligenceact.eu).
The point that overturns the initial anxiety: the most common AI uses in an SME — an assistant for sales, generating marketing drafts, an internal support bot, automating operations tasks — almost always fall in limited or minimal risk. The heavy machinery of article 26 kicks in only for high-risk uses.

When the burden really becomes serious

It's worth knowing when you enter the demanding tier, because that's where a project must be designed carefully from the start. If you use AI for personnel decisions (CV screening, evaluations, promotions), to assess a customer's creditworthiness, or for biometric identification, you're most likely in high-risk territory. In that case article 26 asks the deployer, among other things, to:

  • use the system according to the provider's instructions;
  • ensure effective human oversight of the decisions;
  • make sure the input data are relevant to the purpose;
  • monitor its operation and keep logs for at least six months;
  • report serious incidents.

It's not an impossible undertaking, but it's not "switch on the tool and go" either. The practical rule is simple: high-risk uses must be kept distinct from the very design of the project, not discovered downstream. It's the reason why, in our method, every workflow carries a declared risk level even before choosing the tool.

Careful: the GDPR hasn't vanished

A frequent mistake is to think the AI Act replaces privacy law. It's the opposite: it adds to it. If your use of AI processes personal data — and it almost always does — the GDPR stays in play, with a step often overlooked: the impact assessment (DPIA) of article 35. It's mandatory when the processing is "likely to be high risk", and three cases trigger it automatically: automated decisions with legal or significant effects, large-scale processing of special categories of data, systematic monitoring of public areas.

There's a detail that generic DPIA templates get wrong: they were born before AI and don't cover risks specific to intelligent systems — model opacity, memorisation of the training data, drift of the answers over time, the conflict between the right to erasure and an already-trained model. A serious DPIA for AI needs a section dedicated to these risks, not the usual copied form.

In Italy: the Garante is already at work

In Italy the picture isn't only European. Italy's data-protection authority (Garante Privacy) keeps a topic page on artificial intelligence that it updates frequently, and it is actively engaged in checks on the use of AI. On the legislative front, the country has given itself its own framework of general principles on AI which, among other things, extends the scope of the impact assessment beyond the GDPR base alone. It's an area in motion: before taking a specific obligation for granted, it's always worth checking the text in force, because the rules and the penalties are being defined right now.

And the deadlines? The truth is they're a moving target

Many alarmist articles revolve around a precise date. The reality is more nuanced: the AI Act didn't come into force all at once, but in stages spread over several years, and part of the calendar has been reopened and renegotiated by the European institutions — some deadlines for high-risk uses have been pushed back as we write. Translated for whoever runs a business: chasing the single date is less useful than knowing the direction.

The direction is clear and won't change: transparency on visible uses, human oversight on the uses that touch people, traceability of what AI decides. Whoever sets these three things up well is ready whatever the final date.

What to do now, in practice

You don't need a big-enterprise compliance project. For an SME the sensible path is short:

  • Take inventory of where you already use AI (often more than you think: writing tools, CRM, support). For each, ask yourself which risk tier it falls into.
  • Isolate the sensitive uses — personnel, credit, biometrics: they're the only ones that require the machinery of article 26. Handle them separately, with dedicated controls.
  • Put transparency and human oversight where AI talks to customers or affects a decision. They're the controls with the highest return and the lowest cost.
  • Check whether you need a DPIA and, if so, that it covers AI-specific risks and not just the generic GDPR.

It's exactly the logic of our compliance overlay: to every AI Workflow Design we design we wire the AI Act risk level, the DPIA check, the risk label according to a recognised taxonomy (MIT AI Risk Repository) and the Italian note where needed. Compliance isn't a separate chapter to tackle later: it's part of the design, from day one.

The starting point is always the same

Even before compliance comes the position: understanding where you are and which department is best to start from. If you haven't done it yet, the first step is to measure your AI readiness — then, department by department, you choose what to automate and with what controls around it. Automating without controls is the fastest way to have to stop later; automating with the right controls is what makes a graft able to take and to last.

We've turned this first step into a self-serve, free assessment: a few questions and an indication of where to start, with how much attention to compliance. Take the AI-readiness assessment — then, if it makes sense, let's talk.

This article is purely for orientation and reflects the regulatory framework at a phase in which several EU AI Act deadlines are still being defined: it does not constitute legal advice or a compliance assessment. For your company's concrete obligations, refer to the text in force of the regulation, to the Garante's guidance and to qualified legal support.

From theory to your business. We graft AI in.

Want to know which department to start from in your company? The free assessment gives you a first answer in two minutes — then, if it makes sense, we talk.

We use cookies

We use cookies and similar technologies to improve your experience, analyse traffic and personalise content. You can accept all cookies or customise your preferences.

Cookie preferences

Necessary cookies Always on

Essential for the site to work. They cannot be disabled.

Analytics cookies

They help us understand how you use the site so we can improve your experience.

Marketing cookies

Used to show you relevant ads and measure campaigns.

Personalisation cookies

They let us personalise content and features.