EU Regulation · source: EUR-Lex

Does the AI Act apply to my SME if I use AI but don't develop it?

In short: yes. Regulation (EU) 2024/1689 also applies to those who use AI in their professional activity — you are a deployer. It is directly applicable in Italy without transposition; prohibitions (Art. 5) and AI literacy (Art. 4) are already operative. Below, the facts verified on EUR-Lex, then our reading.

The facts · fields 1–10

What the official source says.

Verified on EUR-Lex

01 · Name

Regulation (EU) 2024/1689 — "AI Act"

Regulation (EU) 2024/1689 of the European Parliament and of the Council of 13 June 2024, laying down harmonised rules on artificial intelligence and amending a number of regulations and directives (Artificial Intelligence Act). Common acronym: AI Act (or AI Regulation).

Official title · EUR-Lex ELI Reg. (EU) 2024/1689

02 · Type of source

European Union regulation

An EU legislative act of general application, adopted by the European Parliament and the Council under the ordinary legislative procedure.

EUR-Lex ELI Reg. (EU) 2024/1689

03 · Nature

Binding and directly applicable

As an EU regulation (Art. 288 TFEU) it is binding in its entirety and directly applicable in every Member State, without any need for national transposition. It is not soft law: it establishes legal obligations and a system of penalties.

Art. 288 TFEU · text of the Regulation on EUR-Lex

04 · Subject matter

A harmonised, risk-based framework

It establishes rules for the placing on the market, putting into service and use of AI systems in the EU, following a risk-based approach: unacceptable risk → prohibited; high risk → stringent obligations; limited risk → transparency obligations; minimal risk → unrestricted. It includes specific rules for general-purpose AI models (GPAI).

EUR-Lex ELI Reg. (EU) 2024/1689

05 · Who it applies to

Providers, deployers, importers, distributors

Principal personal scope: providers, deployers (professional users), importers and distributors of AI systems, as well as product manufacturers.

Territorial scope is extraterritorial: it also applies to entities established outside the EU where the AI system is placed on the EU market or where the output produced is used within the Union.

Art. 2 (scope of application) · EUR-Lex

06 · Key dates

Staggered application (Art. 113)

  1. Prohibited practices (Art. 5) and AI literacy (Art. 4) apply.

  2. Rules on GPAI models and governance apply.

  3. Obligations for stand-alone high-risk systems (Annex III) apply.

  4. Obligations for high-risk systems embedded in regulated products (Annex I) apply.

Note: the original text of Art. 113 set 2 August 2026 (Annex III) and 2 August 2027 (Annex I). The "Digital Omnibus" simplification package replaced those deadlines with fixed, postponed dates (2 Dec 2027 / 2 Aug 2028), no longer conditional on the availability of harmonised standards.

Source: Council of the EU, press release of 29 June 2026 (final green light to the "Digital Omnibus" package; European Parliament endorsement of 16 June 2026) · Regulation (EU) 2024/1689, Art. 113 (original text).

07 · Competent authorities

AI Office and AI Board at EU level; national authorities per State

At EU level: the European AI Office (AI Office) within the European Commission (supervision of GPAI) and the European Artificial Intelligence Board (AI Board).

At national level: each Member State designates its own national competent authorities (notifying authority + market surveillance authority). For Italy the designation is carried out by Law 132/2025 (AgID and ACN — see dedicated brief).

Chapter VII — Governance · EUR-Lex

08 · Status

In force since 1 August 2024, in partial and staggered application

In force (Reg. EU 2024/1689, since 1 August 2024). The application timeline was amended by the "Digital Omnibus" package, adopted definitively by the European Parliament (16 June 2026) and the Council of the EU (29 June 2026); as of the date of this record, publication in the OJEU and entry into force of the amendments are being completed (verify publication). The high-risk application dates shown above (2 Dec 2027 / 2 Aug 2028) are those of the current timeline.

Art. 113 (as amended by the "Digital Omnibus") · EUR-Lex

09 · Relationship with other rules

It coordinates with Law 132/2025, the GDPR and ISO/IEC 42001

  • ↔ Law 132/2025 (Italy): the national law adds to the AI Act, it does not replace it; it designates the Act's national authorities and adapts the domestic legal order.
  • ↔ GDPR (Reg. EU 2016/679): the AI Act applies without prejudice to the GDPR; the processing of personal data remains governed by data protection law, which operates in parallel.
  • ↔ ISO/IEC 42001: voluntary standard (AI Management System). It is not law, but it can support the demonstration of compliance and the internal governance required by the AI Act.

Interface clauses (GDPR) · text of the Regulation on EUR-Lex

10 · Official source

EUR-Lex — ELI identifier

Primary source to be cited: EUR-Lex, ELI identifier reg/2024/1689. Published in the OJEU, L series of 12 July 2024.

Open the official source on EUR-Lex

Primary source · EUR-Lex (official ELI)

NomotecnIA reading · interpretation, not source

Fields 11–12 · own synthesis

Our reading for an SME.

Synthesis

  • The AI Act is a directly effective regulation: an Italian SME is required to comply with it even without any national transposing act.
  • The operational question is not "do I develop AI?" but "what role do I have, and in which risk class does the system I use fall?". Most SMEs are deployers, not providers: the heaviest obligations (high risk) fall mainly on providers, but the deployer still has its own duties.
  • The first deadlines are already operative: prohibitions (Art. 5) and AI literacy (Art. 4) from 2 February 2025. AI literacy is a cross-cutting obligation that is often underestimated.
  • The critical juncture for high-risk is now 2 December 2027 (Annex III); for AI embedded in products, 2 August 2028.
  • The extraterritorial scope (output used in the EU) makes the Regulation relevant also for non-EU providers in the SME's value chain.

Practical obligations for a deployer / SME

  1. Map the AI systems used in the company and classify their risk (prohibited / high / limited / minimal).
  2. Check the prohibitions (Art. 5): immediately rule out prohibited uses (e.g. social scoring, emotion recognition in the workplace in the prohibited cases).
  3. AI literacy (Art. 4): ensure an adequate level of competence among the staff who use the AI systems — documented training.
  4. For the high-risk systems where you are a deployer: use the system in accordance with the provider's instructions, ensure human oversight, keep the logs, inform the workers concerned.
  5. Transparency (limited risk, applicable from 2 August 2026 — Art. 50): inform users when they are interacting with an AI (e.g. a chatbot) and label synthetic/deepfake content.
  6. Put in place internal governance and a register of AI systems; consider voluntary adoption of ISO/IEC 42001 as a readiness framework.

Positioning note (NomotecnIA): NomotecnIA provides guidance and readiness support towards compliance. NomotecnIA is not a notified body and does not issue AI Act conformity certifications.

Meta · fields 13–15

Revision, disclaimer and source

Last revision · 2026-07-06

Disclaimer

This content is for general informational and guidance purposes only; it does not constitute legal advice or an attestation of conformity. For any assessment, the official source (EUR-Lex) always prevails. NomotecnIA is not a notified body.

  • #AIAct
  • #EURegulation
  • #ArtificialIntelligence
  • #RiskBased
  • #GPAI
  • #Compliance
  • #GDPR
  • #ISO42001
  • #SME

Official source · EUR-Lex

From the rule to your business

Which AI Act obligations actually apply to you?

The AI Entry Assessment maps your systems, identifies the risk class and the obligations that follow, and hands you back a prioritised roadmap.