The EU AI Act (Regulation (EU) 2024/1689) is the first comprehensive regulatory framework for artificial intelligence, and, as with GDPR, many Italian SMEs are discovering it late. It phases in on a staggered timeline through 2027: the prohibitions have applied since February 2025, the general-purpose model obligations since August 2025, and most of the transparency and high-risk obligations apply from August 2026. The typical client reaction, "it doesn't apply to us, we don't do dangerous AI", is often wrong. Let's see why, without panic and without selling fear.
The logic: risk, not technology
The AI Act doesn't regulate "AI" in the abstract: it classifies uses by risk level, in four tiers. Prohibited (social scoring, manipulative techniques), high risk (hiring, creditworthiness, medical devices, critical infrastructure), limited risk (chatbots and systems that generate synthetic content, which carry transparency duties), and minimal risk (most cases, with no new obligations). The right question isn't "do I use AI?", it's "which category does each of my uses fall into?".
What touches the average SME in 2026
Transparency obligations (limited risk)
If your product has a chatbot, the user must be told they're talking to a machine, unless that is already obvious from the context. If you generate synthetic images, audio, video or text, the output must be marked as artificially generated, and the Act wants that marking machine-readable (metadata or watermarking, not just a caption); deepfakes must additionally be disclosed to whoever sees them. It's the obligation that touches the most products, and it's also the cheapest to meet: a clear notice in the UI, a marking step in the generation pipeline, and a written policy.
General-purpose models (GPAI)
Providers of general-purpose AI models have their own documentation, copyright-policy and transparency duties (technical documentation for downstream integrators, a summary of training content). Good news for SMEs: if you call an OpenAI, Anthropic or Google model via API, those duties stay with the model provider, not you. What stays with you is the system you build around it: you are responsible for how you integrate the model and for the purpose you put it to, and if you fine-tune or substantially modify it, you can end up with provider obligations of your own.
The hidden high-risk trap
This is where the SME convinced it's exempt gets caught. An HR tool that uses AI to filter or rank CVs? High risk (Annex III lists recruitment and selection explicitly). A tool that assesses a private customer's creditworthiness or credit score? High risk (creditworthiness of natural persons, with a carve-out only for fraud detection). You don't need to build the model: deploying someone else's system for one of those purposes is enough to enter the heavy perimeter. If you build or substantially modify the system you carry the provider duties (risk management, technical documentation, conformity assessment); if you only deploy it you still owe human oversight by trained staff, use in line with the provider's instructions, log retention, and notice to the candidates or employees concerned. The Act has a narrow exemption for systems that only do preparatory or procedural work without materially influencing the decision, but profiling of people is always high risk, so don't count on it for CV screening without a proper check.
What to do now, concretely
- Map your AI uses: list every point in the product or the business where AI is involved, note whether you built it or bought it, and assign each use a risk category. Most of the time you land in "minimal" or "limited" risk and that's the end of it.
- Fix transparency: disclose chatbots, mark synthetic content in a machine-readable way. Cheap, and it closes the most common obligation.
- Check the HR and credit cases: if you touch hiring, worker management or consumer credit scoring, get someone who knows the rules involved. That's where the risk is real.
- Track your providers: knowing which model you use, under what terms, and with what instructions for use is part of your due diligence, because deployer obligations are judged against those instructions. It also serves GDPR, since the same inventory tells you where personal data goes.
The GDPR parallel
In 2018 GDPR was treated as an apocalypse, then it became routine. The AI Act will follow the same curve: first panic and consultants selling fear, then maturity and standard tooling. The SME that moves now in an orderly way, with a use map, transparency in place and attention to the high-risk cases, arrives ready without spending on alarmism.
Verdict
The AI Act isn't a wall for anyone building sensible AI products. For most SMEs it comes down to transparency and a bit of documentation. The real risk is ignoring it and discovering too late that you're in the "high risk" category for an HR or credit use that seemed trivial. Map your uses now: it's an afternoon of work that saves you months of catch-up.