AI Act 2026: The Complete Guide for European SMEs
The EU AI Act is now in force. AI literacy started Feb 2025. Full high-risk requirements from Aug 2026. What your company must do, with timelines and penalties.
The EU AI Act is law. Not a proposal, not a draft, not something that might happen — it is an enforceable regulation that has been rolling out in phases since February 2025. If your company uses AI in any form — even a ChatGPT subscription — the AI Act applies to you.
The first obligations are already active. The most consequential ones arrive in August 2026. And the fines for non-compliance can reach EUR 35 million or 7% of your global annual turnover.
This guide explains what the AI Act requires, what is already in force, what is coming, and exactly what your company needs to do to prepare.
AI Act timeline and penalties
Key dates and current status:
| Date | Obligation | Status |
|---|---|---|
| February 2, 2025 | AI literacy for all staff using AI systems | ACTIVE NOW |
| February 2, 2025 | Ban on unacceptable-risk AI practices | ACTIVE NOW |
| August 2, 2025 | Obligations for general-purpose AI models (GPAI) | In force |
| August 2, 2026 | Full requirements for high-risk AI systems | Approaching |
| August 2, 2027 | Complete application for all AI systems | Approaching |
Penalties:
| Violation | Maximum fine |
|---|---|
| Prohibited AI practices | EUR 35 million or 7% of global turnover |
| High-risk system obligations | EUR 15 million or 3% of global turnover |
| Providing incorrect information | EUR 7.5 million or 1% of global turnover |
| SME proportionality | Fines capped at the lower of the two amounts |
What is the AI Act
The AI Act (EU Regulation 2024/1689) is the world’s first comprehensive legal framework for artificial intelligence. Adopted by the European Parliament in March 2024 and published in the Official Journal in July 2024, it regulates the development, deployment, and use of AI systems across the entire European Union.
Unlike the GDPR, which focuses on personal data protection, the AI Act regulates AI systems themselves — regardless of whether they process personal data. It establishes rules for how AI can be built, how it must be documented, how it must be supervised, and how it can and cannot be used.
The regulation applies to:
- AI providers — companies that develop or place AI systems on the EU market
- AI deployers — companies that use AI systems in their operations (this is most businesses)
- Importers and distributors — companies that bring non-EU AI systems into the European market
If your company uses ChatGPT, an AI-powered HR tool, an automated customer service bot, or any other AI system — you are a deployer, and the AI Act applies to you.
The four risk levels
The AI Act classifies AI systems into four tiers based on the risk they pose to fundamental rights and safety:
Level 1: Unacceptable risk (BANNED)
These AI practices are prohibited entirely in the EU, effective February 2025:
- Social scoring by public authorities — rating citizens based on social behavior
- Subliminal manipulation — AI designed to distort behavior beyond a person’s consciousness
- Exploitation of vulnerabilities — targeting people based on age, disability, or socioeconomic status
- Real-time remote biometric identification in public spaces by law enforcement (with narrow exceptions)
- Emotion recognition in workplaces and educational institutions
- Untargeted scraping of facial images from the internet for facial recognition databases
What this means for businesses: If any of your AI systems perform these functions, stop immediately. The ban is already in force, and violations carry the highest penalties (EUR 35 million or 7% of turnover).
Level 2: High risk (HEAVILY REGULATED)
AI systems are classified as high-risk when they are used in sensitive domains. The full requirements apply from August 2026. High-risk categories include:
- HR and employment — AI used in recruitment, screening CVs, evaluating job applications, making promotion decisions, monitoring performance, or terminating employment
- Healthcare — AI as a medical device or component, diagnostic assistance, treatment recommendations
- Education — AI for admissions, grading, proctoring, or adaptive learning that determines access to education
- Financial services — creditworthiness assessment, risk evaluation for insurance pricing, fraud detection
- Critical infrastructure — AI managing electricity, water, gas, transport, or digital infrastructure
- Law enforcement — risk assessment, evidence evaluation, criminal profiling
- Migration and border control — visa processing, asylum application assessment
What this means for businesses: If your AI touches any of these domains — even indirectly — it is likely classified as high-risk. An AI chatbot answering general customer questions is limited risk. The same chatbot screening job applications is high risk.
Level 3: Limited risk (TRANSPARENCY OBLIGATIONS)
AI systems that interact with people, generate content, or detect emotions must be transparent about what they are:
- Chatbots must clearly inform users they are interacting with an AI system
- AI-generated content (text, images, audio, video) must be labeled as AI-generated
- Deepfakes must be clearly marked
- Emotion recognition systems (where permitted) must inform users
What this means for businesses: If you deploy an AI chatbot for customer service or internal use, users must know it is an AI. This applies to private ChatGPT deployments as well — compliance is about the interaction, not the hosting model.
Level 4: Minimal risk (NO SPECIFIC OBLIGATIONS)
AI systems that pose minimal risk — spam filters, AI-enhanced video games, inventory optimization — have no specific obligations beyond general product safety laws. Most routine business AI falls here.
What is in force right now
Two critical obligations have been active since February 2, 2025:
AI literacy (Article 4)
Every company that deploys AI systems must ensure that staff and other persons dealing with the operation and use of AI systems on its behalf have a sufficient level of AI literacy. This is not optional. It is not a suggestion. It is an enforceable obligation that has been active for over a year.
AI literacy means your employees understand:
- What AI can and cannot do
- How AI systems work at a conceptual level
- The risks of AI (bias, inaccuracy, data leakage)
- The regulatory framework (AI Act, GDPR) that governs AI use
- Your company’s AI usage policies and procedures
The regulation does not prescribe a specific training format. A one-hour workshop, an e-learning module, a written guide — all can satisfy the requirement, as long as the literacy is appropriate to the context. An HR manager using AI for candidate screening needs deeper training than a marketing assistant using AI to draft social posts.
Are you in compliance? If your company uses any AI tool — including ChatGPT — and has not conducted AI literacy training for relevant staff, you are already in violation.
Prohibited practices (Article 5)
The ban on unacceptable-risk AI practices is also already in force. This primarily affects public authorities and large technology companies, but businesses should verify that no AI system they use falls into a prohibited category — particularly emotion recognition in the workplace or AI systems that manipulate behavior.
What is coming in August 2026
The most consequential deadline for businesses arrives on August 2, 2026, when the full requirements for high-risk AI systems take effect. If your company deploys AI in any high-risk category, you must implement:
Risk management system (Article 9). A continuous process to identify, analyze, evaluate, and mitigate risks throughout the AI system’s lifecycle. This is not a one-time assessment — it is an ongoing obligation.
Data governance (Article 10). Training, validation, and testing datasets must meet quality criteria. If your AI learns from company data (via fine-tuning or RAG), you need governance over that data — relevance, representativeness, accuracy, completeness.
Technical documentation (Article 11 + Annex IV). Comprehensive documentation covering:
- General description of the AI system
- Detailed description of elements and development process
- Information about monitoring, functioning, and control
- Description of the risk management system
- Changes throughout the system lifecycle
Record-keeping (Article 12). Automatic logging of events throughout the AI system’s operation — sufficient to trace decisions and identify risks. This is the audit trail that regulators will request during inspections.
Transparency (Article 13). Deployers must have enough information to interpret the AI system’s output and use it appropriately. Instructions for use must be clear and accessible.
Human oversight (Article 14). AI systems must be designed to allow effective human oversight. A human must be able to understand the system’s capabilities and limitations, monitor operation, intervene when necessary, and decide not to use or override the system.
Accuracy, robustness, and cybersecurity (Article 15). The system must achieve appropriate levels of accuracy, be resilient to errors and inconsistencies, and be protected against unauthorized access and manipulation.
Penalties: what SMEs need to know
The AI Act’s penalty structure is tiered by violation severity:
- Prohibited practices: EUR 35 million or 7% of annual global turnover
- High-risk system obligations: EUR 15 million or 3% of annual global turnover
- Incorrect information to authorities: EUR 7.5 million or 1% of annual global turnover
For SMEs and startups, the regulation includes a proportionality clause: fines are capped at the lower of the two amounts (fixed ceiling or percentage of turnover). A company with EUR 5 million in annual revenue faces a maximum fine of EUR 350,000 for high-risk violations (3% of turnover), not EUR 15 million.
But proportionate does not mean trivial. A EUR 350,000 fine can be existential for a small business. And beyond fines, authorities can order the withdrawal or recall of a non-compliant AI system — disrupting operations that depend on it.
The enforcement landscape is also intensifying. Italy has designated AgID (Agency for Digital Italy) and ACN (National Cybersecurity Agency) as its national AI authorities, with power to conduct inspections and impose sanctions. Italy’s national AI law (Law 132/2025) adds sector-specific obligations for healthcare, labor, public administration, and professional services, plus criminal penalties for AI-enabled deepfake dissemination.
How to prepare: a practical roadmap
Step 1: Inventory all AI systems (Do this now)
Create a complete register of every AI system your company uses, develops, or deploys. Include:
- Commercial AI subscriptions (ChatGPT, Claude, Copilot, etc.)
- AI features embedded in business software (CRM scoring, automated marketing, fraud detection)
- AI tools employees may be using without IT approval (Shadow AI)
- Any AI systems you are developing in-house
For each system, document: what it does, what data it processes, who uses it, and who the provider is. This inventory is the foundation of all compliance work.
Step 2: Classify risk levels (Next 30 days)
For each AI system in your inventory, determine its risk classification:
- Does it perform any prohibited practice? (If yes, stop using it immediately.)
- Is it used in a high-risk domain? (HR, healthcare, finance, education, critical infrastructure — see the full list in Annex III of the regulation.)
- Does it interact directly with people? (If yes, transparency obligations apply.)
- Is it minimal risk? (No specific AI Act obligations.)
Most SMEs will find that their AI systems fall into the limited or minimal risk categories. But any use of AI in hiring, credit assessment, or health-related contexts pushes into high-risk territory.
Step 3: Implement AI literacy training (Immediately — this is overdue)
If you have not already conducted AI literacy training, this is your most urgent action item. The obligation has been active since February 2025. Develop and deliver training appropriate to your staff’s roles:
- General awareness for all employees who interact with AI
- Detailed training for staff who operate or supervise AI systems
- Specialized training for anyone involved in high-risk AI deployment
Document the training — who attended, what was covered, when it occurred. This documentation demonstrates compliance during an inspection.
Step 4: Address high-risk systems (Before August 2026)
For any AI system classified as high-risk:
- Implement or verify the risk management system
- Establish data governance procedures
- Create or obtain technical documentation (from the AI provider, if applicable)
- Verify that automatic logging / audit trail is operational
- Confirm that human oversight mechanisms are in place
- Conduct a conformity assessment
If your high-risk AI system is a third-party product (e.g., an AI-powered HR screening tool), the provider is primarily responsible for technical compliance. But as the deployer, you must ensure the system is used in accordance with its instructions, that human oversight is maintained, and that you can provide records to regulators.
Step 5: Establish ongoing governance (Ongoing)
AI Act compliance is not a one-time project. Establish:
- A quarterly review cycle for all AI systems
- A process for evaluating new AI tools before deployment
- Clear internal responsibility for AI governance (this can be your DPO, a dedicated role, or a committee)
- A channel for employees to report AI-related concerns
- Integration with your GDPR compliance program — the two frameworks overlap significantly
How private AI simplifies compliance
Here is why companies pursuing AI Act compliance are increasingly turning to on-premise, open-source AI platforms:
Transparency by architecture. The AI Act requires that deployers can understand how their AI system works. Proprietary models like GPT-4 are black boxes — you cannot inspect the model weights, training data, or decision process. Open-source models (Llama 3, Mistral, DeepSeek) have publicly available weights, published training methodologies, and transparent architectures. When a regulator asks how your AI system produces its outputs, you can answer fully.
Audit trail by default. A private ChatGPT deployment logs every interaction in your infrastructure. You control the logs, you control retention, and you can produce them on demand for regulators. With a cloud API, you depend on the provider to maintain and share logs — and their interests may not align with yours during an enforcement action.
Human oversight built in. On-premise platforms can be configured with approval workflows, escalation rules, and intervention mechanisms that satisfy Article 14’s human oversight requirements. The company controls the system architecture and can implement oversight measures tailored to its specific risk context.
Version control. Cloud AI providers can update models unilaterally. GPT-4 today may behave differently than GPT-4 six months from now, and you have no control over or visibility into the change. On-premise deployment means the company decides when to update models, can test new versions before deployment, and can roll back if issues emerge. This stability is essential for the reproducibility and consistency that the AI Act’s technical documentation requirements demand.
No dependency on non-EU providers. The AI Act creates compliance obligations that are difficult to fulfill when your AI infrastructure is controlled by a company in another jurisdiction, subject to different laws, with different commercial incentives. On-premise deployment eliminates this dependency entirely.
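The record-keeping obligation (Article 12) and the audit-trail and version-control points above say what the log must achieve: trace each decision, show which model build produced it, show whether a human intervened, and survive an inspection unaltered. The following added example (not ORCA's or HT-X's code) shows one way to implement that in Python: an append-only, hash-chained interaction log in which every entry pins the model identifier and version, stores SHA-256 digests of the prompt and response instead of the texts themselves, records the human-oversight decision, and can be verified end to end so that an edited, inserted or deleted entry is detected. The field names, the version label and the three sample interactions are constructed for the example.

```python
"""Tamper-evident interaction log for an on-premise AI deployment (added example)."""
import hashlib
import json
from dataclasses import asdict, dataclass
from typing import List, Optional, Tuple

GENESIS_HASH = "0" * 64  # link value used by the very first entry


def sha256_hex(text: str) -> str:
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def canonical_json(record: dict) -> str:
    # Deterministic serialisation: the same record always hashes the same way.
    return json.dumps(record, sort_keys=True, separators=(",", ":"))


@dataclass
class AuditEvent:
    seq: int                      # position in the log; gaps reveal deleted entries
    timestamp: str
    user: str
    model_id: str
    model_version: str            # pinned build, so the entry ties to one known model
    prompt_sha256: str            # digest only; full text lives under separate access control
    response_sha256: str
    human_reviewed: bool          # Article 14: was the output checked by a person?
    human_override: Optional[str]  # what the reviewer decided instead, if anything
    prev_hash: str                # hash of the previous entry (the chain link)
    entry_hash: str = ""


def compute_entry_hash(fields: dict) -> str:
    body = {k: v for k, v in fields.items() if k != "entry_hash"}
    return sha256_hex(canonical_json(body))


class AuditLog:
    def __init__(self) -> None:
        self.events: List[AuditEvent] = []

    def record(self, timestamp: str, user: str, model_id: str, model_version: str,
               prompt: str, response: str, human_reviewed: bool = False,
               human_override: Optional[str] = None) -> AuditEvent:
        prev_hash = self.events[-1].entry_hash if self.events else GENESIS_HASH
        event = AuditEvent(seq=len(self.events), timestamp=timestamp, user=user,
                           model_id=model_id, model_version=model_version,
                           prompt_sha256=sha256_hex(prompt), response_sha256=sha256_hex(response),
                           human_reviewed=human_reviewed, human_override=human_override,
                           prev_hash=prev_hash)
        event.entry_hash = compute_entry_hash(asdict(event))
        self.events.append(event)
        return event

    def to_jsonl(self) -> str:
        # One JSON object per line: the form that gets shipped to write-once storage.
        return "\n".join(canonical_json(asdict(e)) for e in self.events)


def verify_chain(jsonl: str) -> Tuple[bool, Optional[int]]:
    """Recompute every hash and link; return (ok, index of first bad entry)."""
    expected_prev = GENESIS_HASH
    for i, line in enumerate(jsonl.splitlines()):
        rec = json.loads(line)
        if rec.get("seq") != i or rec.get("prev_hash") != expected_prev:
            return False, i  # entry removed, reordered or inserted
        if compute_entry_hash(rec) != rec.get("entry_hash"):
            return False, i  # entry content edited after the fact
        expected_prev = rec["entry_hash"]
    return True, None


def unreviewed_outputs(jsonl: str, model_version: str) -> List[int]:
    """Sequence numbers of outputs from one model build that no human checked."""
    out = []
    for line in jsonl.splitlines():
        rec = json.loads(line)
        if rec["model_version"] == model_version and not rec["human_reviewed"]:
            out.append(rec["seq"])
    return out


def build_sample_log() -> AuditLog:
    # Constructed sample: a CV-screening assistant, i.e. a high-risk HR use case.
    log = AuditLog()
    log.record("2026-03-01T09:00:00Z", "hr.analyst", "llama-3-8b-instruct", "v2026.02",
               "Summarise candidate A's experience", "Candidate A: 5 years in logistics.",
               human_reviewed=True)
    log.record("2026-03-01T09:05:00Z", "hr.analyst", "llama-3-8b-instruct", "v2026.02",
               "Rank candidates A, B, C", "B, A, C")
    log.record("2026-03-01T09:20:00Z", "hr.manager", "llama-3-8b-instruct", "v2026.02",
               "Should candidate C be rejected?", "Yes.", human_reviewed=True,
               human_override="Rejected the suggestion; C invited to interview")
    return log


def tamper(jsonl: str, seq: int, field: str, value) -> str:
    # Simulates an after-the-fact edit of one stored entry (used to show detection).
    lines = jsonl.splitlines()
    rec = json.loads(lines[seq])
    rec[field] = value
    lines[seq] = canonical_json(rec)
    return "\n".join(lines)


if __name__ == "__main__":
    jsonl = build_sample_log().to_jsonl()
    print("intact:", verify_chain(jsonl))
    print("edited:", verify_chain(tamper(jsonl, 1, "response_sha256", "f" * 64)))
    print("unreviewed under v2026.02:", unreviewed_outputs(jsonl, "v2026.02"))
```

Storing digests rather than the prompt and response texts keeps the tamper-evident record small and free of personal data, which matters when the same log must satisfy both Article 12 and the GDPR; the full texts are kept separately under access control and can be matched to an entry by recomputing their digest. The chain only proves integrity relative to the last hash you hold, so in practice the latest `entry_hash` should be copied periodically to a place the log writer cannot alter (a signed daily digest, or write-once storage).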
ORCA by HT-X is designed around these principles. It runs on your infrastructure, uses transparent open-source models, provides a complete audit trail, and includes human oversight mechanisms — delivering AI Act compliance as a system property rather than an afterthought.
The Italian dimension: Law 132/2025
Beyond the EU AI Act, Italy has enacted its own national AI legislation: Law no. 132 of 23 September 2025. The law does not create obligations beyond the AI Act (Article 3, paragraph 5 explicitly states this), but it transposes EU principles into the national context and adds sector-specific provisions:
- Labour (Article 11): AI in the workplace must be safe, reliable, and transparent. Employers must inform workers about AI use. Discrimination via AI is prohibited.
- Intellectual professions (Article 13): AI is permitted only as a support tool. Professionals must disclose to clients which AI systems they use.
- Public administration (Article 14): Government agencies may use AI for efficiency, but the human decision-maker remains solely responsible.
- Criminal penalties (Article 26): AI-enabled deepfake dissemination is punishable by 1-5 years imprisonment.
For SMEs operating in Italy, compliance means satisfying both the EU AI Act and Law 132/2025. An on-premise AI platform with open-source models, audit trail, and human oversight addresses both simultaneously.
The time to prepare is now. The companies that have their governance, documentation, and technical infrastructure in place before August 2026 will be ready. The ones that do not will face a costly scramble — or worse, an enforcement action.
Frequently asked questions
The AI Act (EU Regulation 2024/1689) is the world's first law comprehensively regulating artificial intelligence. It was approved in 2024 and the main obligations for businesses come into force progressively between 2025 and 2027. From 2026, companies using high-risk AI systems must be compliant.
Yes. The AI Act applies to all companies that develop, distribute or use AI systems in the European Union, regardless of size. SMEs have some accommodations (regulatory sandboxes, reduced compliance costs), but are not exempt from fundamental obligations.
Penalties can reach up to 35 million euros or 7% of annual global turnover (whichever is higher). For SMEs, penalties are proportionate but remain significant. Non-compliance can also result in a ban on marketing the AI system.
The key steps are: 1) Inventory all AI systems in use, 2) Classify the risk level of each system, 3) Implement required technical documentation, 4) Adopt transparent and traceable AI solutions like ORCA, 5) Train staff on obligations.
Yes. ORCA is designed for AI Act compliance: it offers total transparency (open-source models), complete traceability (audit trail), human oversight (integrated supervision), and technical documentation. Being on-premise, the company maintains full control of the system.
Yes. Law no. 132 of 23 September 2025 is Italy's national AI law. It applies in conformity with EU Regulation 2024/1689 (AI Act) and covers principles, sector-specific obligations (healthcare, labour, public administration, justice, professions) and designates AgID and ACN as national AI authorities.
ORCA is designed for AI Act compliance from the ground up
Open-source models for full transparency, complete audit trail, human oversight built in. Meet AI Act requirements without building the compliance layer yourself.