AI Act 2026: Obligations, Deadlines and Fines for SMEs (A Practical Guide)

9 min read · AstraLoop Studio

If you use ChatGPT to write sales emails, have a chatbot on your website, or use a tool that screens CVs during hiring, the AI Act already applies to you. It's not just a big-tech problem. The EU Regulation 2024/1689 (the AI Act's official name) imposes obligations even on those who merely use AI systems, not only on those who build them. And the date to circle on your calendar is August 2, 2026.

The trouble is that, so far, the AI Act has mostly been explained by law firms and compliance blogs in the abstract: articles, recitals, definitions. Useful for understanding the framework, useless when you need to decide what to do Monday morning. This guide does the opposite. It translates the regulation into practical actions for an Italian SME, with deadlines, priorities, and what you actually need. If you're mapping out your broader approach to these topics, start with our complete guide to AI consulting for businesses, which covers the whole picture, governance included.

One necessary caveat: this is informational content, not legal advice. For the formal classification of your systems and the specific requirements for your sector, you need to talk to a professional. What we're giving you here is the map to get there prepared, instead of starting from zero.

Illustration of a person facing a four-level decision tree representing the AI Act's risk categories

What the AI Act is, and why it applies to your SME too

The AI Act is the world's first comprehensive regulation on artificial intelligence. It's a regulation, not a directive: it applies directly across all Member States, with no need for national transposition laws. In Italy, the supervisory authority will be the ACN (National Cybersecurity Agency) alongside AgID, while the Data Protection Authority (Garante) remains responsible for privacy matters, which often overlap with AI use.

Here's the point most business owners miss: the regulation distinguishes between those who build an AI system (the "provider") and those who use it in their own operations (the "deployer"). Most SMEs fall into the second category. If you use a CRM with automatic lead scoring, a text-generation tool, smart video-surveillance software, or a recruiting assistant, you're a deployer, and you have your own obligations, independent of the vendor's.

The logic running through the entire regulation is risk-based classification. Not all AI systems are treated the same way: obligations scale up with the risk the system poses to people's rights.

The AI Act's 4 risk categories (where do you fall?)

This is the single most important operational concept. Before talking about deadlines, you need to understand which tier your systems fall into, because everything else follows from that.

Risk categoryExamplesWhat it means for you
Unacceptable risk (banned)Social scoring, subliminal manipulation, emotion recognition in the workplace, mass facial-scrapingBanned since February 2, 2025. If you're using them, shut them down. Full stop.
High riskAI for candidate screening, creditworthiness assessment, worker management, systems in healthcare or critical infrastructureHeavy obligations: human oversight, transparency, documentation, logging, evaluation. This is where you need dedicated advice.
Limited riskChatbots, text and image generators, deepfakes, conversational assistantsTransparency obligations: tell users they're talking to an AI and label synthetic content.
Minimal riskSpam filters, AI in video games, basic recommendation systemsNo specific obligations beyond good practice. The vast majority of common tools sit here.

The good news is that most SMEs use minimal- or limited-risk tools. The bad news is that many are using at least one high-risk system without knowing it. The most common case is recruiting. If a piece of software filters, ranks, or evaluates candidates based on their CVs, you're almost certainly in the high-risk tier, with all the requirements that come with it. The same goes for anyone assessing customers' creditworthiness.

That's why the first concrete step isn't "read the regulation," but mapping out the AI systems you're already using and classifying them. It's exactly the work of a structured internal audit: inventory, classify, spot the gaps. Without that snapshot, any conversation about obligations and deadlines stays theoretical.

The AI Act's deadlines: the real calendar

The AI Act didn't come into force all at once. It's being rolled out in stages. Here are the dates that actually matter to you.

DateWhat kicks inImpact on your SME
February 2, 2025Ban on unacceptable-risk practices and the AI literacy obligation (Art. 4)Already in force. The staff training requirement is already active today.
August 2, 2025Obligations for general-purpose AI (GPAI) models, governance, and national authoritiesConcerns model providers. Indirect for you, but it defines who supervises.
August 2, 2026General application of the regulation, including rules on high-risk systems and transparency obligationsThe watershed date. From here, most obligations become fully enforceable.
August 2, 2027Obligations for high-risk systems embedded in already-regulated products (machinery, medical devices, and the like)Relevant for anyone manufacturing goods with embedded AI.

The practical takeaway: you already have an active obligation (AI literacy, more on that shortly) and a hard deadline of August 2, 2026 to be compliant on the bulk of the requirements. That's not infinite time. A serious assessment, gap-fixing, and training process takes several months, and it has to be fit in among your other operational priorities.

Illustration of a timeline with growing milestones leading up to the AI Act's main 2026 deadline

The obligation almost nobody thinks about: AI literacy (Art. 4)

This is the most underrated point in the entire regulation. Article 4 of the AI Act requires providers and deployers to ensure a sufficient level of AI literacy among their staff and anyone operating AI systems on their behalf. And this obligation has already been in force since February 2, 2025, not since 2026.

What does that mean in practice? If your company uses AI tools, the people using them need adequate skills to understand how they work, their risks, limitations, and opportunities, proportionate to their role and context of use. You don't need to turn your receptionist into a data scientist. You need whoever uses AI to know what they're using, what data they can or can't feed into it, how to spot a bad output, and when to stop.

The reality check is stark: 73% of companies list AI training and upskilling as a priority, but only 22% have structured programs in place. The majority are technically non-compliant with an obligation that's already active. And this ties into another serious problem, so-called Shadow AI: an estimated 68-76% of employees use AI tools on the sly, with no policy or oversight, creating direct risks under GDPR and the AI Act (think confidential data pasted into a consumer tool). An AI literacy program also helps you get ahead of this, before it becomes an incident.

The good news is that AI literacy is the easiest obligation to meet, and the one that pays off the most, because it also puts you in a position to use these tools better. A structured path to AI adoption for SMEs starts right here: people first, then processes.

Fines: how much are you really risking?

The figures look alarming, but they need context. The AI Act sets out three tiers of administrative fines:

  • Up to €35 million or 7% of global annual turnover (whichever is higher) for violations of the bans on unacceptable-risk practices.
  • Up to €15 million or 3% of turnover for violations of the obligations on high-risk systems, transparency, and other requirements.
  • Up to €7.5 million or 1.5% of turnover for supplying inaccurate or misleading information to the authorities.

Two clarifications that ease the panic without easing the urgency. First: the regulation explicitly states that for SMEs and startups, the lower of the fixed amount and the percentage applies, and that fines must be proportionate. You won't get hit with a €35 million fine if your turnover is €800,000. Second: authorities must take into account company size, good faith, and any measures already taken. A company that has run an assessment and started training is in a radically different position from one that has ignored everything.

So the real risk for an SME isn't so much a catastrophic monetary fine. It's something else: disputes with customers or employees over automated decisions, a production system getting shut down, reputational damage, or problems in a tender or due-diligence process when a large client asks you to prove compliance. Compliance is becoming a commercial requirement, not just a legal one.

Want to know which of your AI tools fall under the AI Act's obligations and what to do before August 2, 2026? Request an operational assessment: we'll map out your systems, identify the gaps to close, and build a compliant training plan.

The 5-step operational roadmap to be ready by August 2, 2026

Enough theory. Here's the concrete sequence that makes sense for an SME. It's the same logic behind a sound AI automation strategy: first understand what you have, then act.

1. Inventory and classification (weeks 1-3)

Inventory every AI tool in use, both official tools and the ones people use informally. For each one, note what it does, what data it processes, who uses it, and in which process. Then classify each system into one of the four risk tiers. This is the foundational deliverable, the snapshot everything else builds on.

2. Gap analysis (weeks 3-5)

For each classified system, compare its current state against the obligations of its tier. High-risk systems (often recruiting or credit) are the absolute priority: they need documented human oversight, disclosure to affected individuals, logs, and evaluations. Limited-risk systems mainly need transparency measures: disclosing that AI is involved and labeling generated content.

3. Corrective actions (months 2-4)

Put the fixes in place: update your privacy and AI notices, introduce human-in-the-loop oversight where it's missing, shut down or replace tools you can't bring into compliance, and formalize an internal AI-use policy (which also serves as the cure for Shadow AI).

4. Staff AI literacy (in parallel, months 1-4)

Roll out the training required by Art. 4, calibrated by role: basics for everyone, in-depth for those managing sensitive systems. Document who completed what, since traceability is part of compliance.

5. Ongoing monitoring (from month 4 onward)

Compliance isn't a project with an end date. Every new tool needs to be classified before it goes into production. Appoint an internal AI point person, keep your system register up to date, and review it periodically. It's the same principle that applies to ongoing cybersecurity oversight: you maintain it over time.

Common mistakes to avoid

  • Thinking "I don't build AI, so it doesn't concern me." False: as a user, you have your own obligations, starting with Art. 4.
  • Ignoring Shadow AI. If employees are using uninventoried tools, you have unclassified systems and potentially exposed data. It's the most common blind spot.
  • Treating the AI Act as a one-time compliance exercise. Every new tool reopens the classification process.
  • Delegating everything to the law firm without the operational piece. Legal advice tells you what you need to do, but someone still has to translate that into changes to processes, tools, and training. You need someone who connects the two.
  • Waiting until summer 2026 to start. An assessment with corrections and training takes months. Whoever starts in June will be late.

Looked at the right way, AI Act compliance isn't just a cost. It's a chance to finally take stock of your AI tools, understand what you're actually using, cut out the noise, and use AI more deliberately and more productively. It's the first building block of a sensible adoption path, not an obstacle. If you don't know where to start, our guide on how to get started with AI in your business gives you the right starting point.

In short

The AI Act applies to you even if you "just" use AI tools. The key date is August 2, 2026, but the AI literacy obligation (Art. 4) has already been active since February 2025. The theoretical fines reach €35 million, but SMEs get the more favorable cap and proportionality: the real risk is commercial and operational. The right move is to start now with an assessment, classify your systems, close the gaps, and train your people. Operational, not abstract.

Frequently asked questions

Does the AI Act apply to my SME if I only use ChatGPT or a chatbot?

Yes. Even those who merely use AI tools (the deployer) have their own obligations. With ChatGPT or a chatbot you typically fall into the limited-risk tier with transparency obligations, but more importantly you're already subject to the staff AI literacy obligation (Art. 4), active since February 2, 2025.

What's the main AI Act deadline for SMEs?

August 2, 2026 is the date of general application of the regulation, when most obligations become fully enforceable, including the rules on high-risk systems and transparency. The AI literacy obligation and the bans on prohibited practices, however, have already been in force since February 2, 2025.

How much are the AI Act's fines?

Up to €35 million or 7% of global turnover for prohibited practices, and up to €15 million or 3% for obligations on high-risk systems and transparency. For SMEs and startups, the regulation provides for the lower cap and fines proportionate to company size and measures taken.

What does the Article 4 AI literacy obligation actually mean?

It means ensuring that anyone using AI tools in your company has enough understanding of how they work, their risks, and their limitations, proportionate to their role. You don't need to train technical experts, just give every person the knowledge to use AI responsibly. It has already been mandatory since February 2025.

How do I know if one of my AI systems is high-risk?

The most common cases for an SME are recruiting software (screening and evaluating CVs) and creditworthiness assessment systems. If a tool makes or supports decisions affecting people's rights in these areas, it's very likely high-risk. Formal classification still needs to be done case by case.

Where should I start to get compliant?

With the inventory and classification of every AI system already in use, including the informal ones employees rely on (Shadow AI). From that snapshot come the gap analysis, corrective actions, and training plan. Waiting until summer 2026 is risky: a full process takes several months.

Don't leave AI Act compliance until the last minute. Talk to us: we'll analyze your systems, classify them by risk, and build the roadmap to August 2, 2026 together, training included.