Does the AI Act apply to my SME if I use AI but don't develop it?
In short: yes. Regulation (EU) 2024/1689 also applies to those who use AI in their professional activity — you are a deployer. It is directly applicable in Italy without transposition; prohibitions (Art. 5) and AI literacy (Art. 4) are already operative. Below, the facts verified on EUR-Lex, then our reading.
The facts · fields 1–10
What the official source says.
01 · Name
Regulation (EU) 2024/1689 — "AI Act"
Regulation (EU) 2024/1689 of the European Parliament and of the Council of 13 June 2024, laying down harmonised rules on artificial intelligence and amending a number of regulations and directives (Artificial Intelligence Act). Common acronym: AI Act (or AI Regulation).
Official title · EUR-Lex ELI Reg. (EU) 2024/1689
02 · Type of source
European Union regulation
An EU legislative act of general application, adopted by the European Parliament and the Council under the ordinary legislative procedure.
EUR-Lex ELI Reg. (EU) 2024/1689
03 · Nature
Binding and directly applicable
As an EU regulation (Art. 288 TFEU) it is binding in its entirety and directly applicable in every Member State, without any need for national transposition. It is not soft law: it establishes legal obligations and a system of penalties.
Art. 288 TFEU · text of the Regulation on EUR-Lex
04 · Subject matter
A harmonised, risk-based framework
It establishes rules for the placing on the market, putting into service and use of AI systems in the EU, following a risk-based approach: unacceptable risk → prohibited; high risk → stringent obligations; limited risk → transparency obligations; minimal risk → unrestricted. It includes specific rules for general-purpose AI models (GPAI).
EUR-Lex ELI Reg. (EU) 2024/1689
05 · Who it applies to
Providers, deployers, importers, distributors
Principal personal scope: providers, deployers (professional users), importers and distributors of AI systems, as well as product manufacturers.
Territorial scope is extraterritorial: it also applies to entities established outside the EU where the AI system is placed on the EU market or where the output produced is used within the Union.
Art. 2 (scope of application) · EUR-Lex
06 · Key dates
Staggered application (Art. 113)
-
Prohibited practices (Art. 5) and AI literacy (Art. 4) apply.
-
Rules on GPAI models and governance apply.
-
Obligations for stand-alone high-risk systems (Annex III) apply.
-
Obligations for high-risk systems embedded in regulated products (Annex I) apply.
Note: the original text of Art. 113 set 2 August 2026 (Annex III) and 2 August 2027 (Annex I). The "Digital Omnibus" simplification package replaced those deadlines with fixed, postponed dates (2 Dec 2027 / 2 Aug 2028), no longer conditional on the availability of harmonised standards.
Source: Council of the EU, press release of 29 June 2026 (final green light to the "Digital Omnibus" package; European Parliament endorsement of 16 June 2026) · Regulation (EU) 2024/1689, Art. 113 (original text).
07 · Competent authorities
AI Office and AI Board at EU level; national authorities per State
At EU level: the European AI Office (AI Office) within the European Commission (supervision of GPAI) and the European Artificial Intelligence Board (AI Board).
At national level: each Member State designates its own national competent authorities (notifying authority + market surveillance authority). For Italy the designation is carried out by Law 132/2025 (AgID and ACN — see dedicated brief).
Chapter VII — Governance · EUR-Lex
08 · Status
In force since 1 August 2024, in partial and staggered application
In force (Reg. EU 2024/1689, since 1 August 2024). The application timeline was amended by the "Digital Omnibus" package, adopted definitively by the European Parliament (16 June 2026) and the Council of the EU (29 June 2026); as of the date of this record, publication in the OJEU and entry into force of the amendments are being completed (verify publication). The high-risk application dates shown above (2 Dec 2027 / 2 Aug 2028) are those of the current timeline.
Art. 113 (as amended by the "Digital Omnibus") · EUR-Lex
09 · Relationship with other rules
It coordinates with Law 132/2025, the GDPR and ISO/IEC 42001
- ↔ Law 132/2025 (Italy): the national law adds to the AI Act, it does not replace it; it designates the Act's national authorities and adapts the domestic legal order.
- ↔ GDPR (Reg. EU 2016/679): the AI Act applies without prejudice to the GDPR; the processing of personal data remains governed by data protection law, which operates in parallel.
- ↔ ISO/IEC 42001: voluntary standard (AI Management System). It is not law, but it can support the demonstration of compliance and the internal governance required by the AI Act.
Interface clauses (GDPR) · text of the Regulation on EUR-Lex
10 · Official source
EUR-Lex — ELI identifier
Primary source to be cited: EUR-Lex, ELI identifier reg/2024/1689. Published in the OJEU, L series of 12 July 2024.
Open the official source on EUR-Lex
Primary source · EUR-Lex (official ELI)
Fields 11–12 · own synthesis
Our reading for an SME.
Synthesis
- The AI Act is a directly effective regulation: an Italian SME is required to comply with it even without any national transposing act.
- The operational question is not "do I develop AI?" but "what role do I have, and in which risk class does the system I use fall?". Most SMEs are deployers, not providers: the heaviest obligations (high risk) fall mainly on providers, but the deployer still has its own duties.
- The first deadlines are already operative: prohibitions (Art. 5) and AI literacy (Art. 4) from 2 February 2025. AI literacy is a cross-cutting obligation that is often underestimated.
- The critical juncture for high-risk is now 2 December 2027 (Annex III); for AI embedded in products, 2 August 2028.
- The extraterritorial scope (output used in the EU) makes the Regulation relevant also for non-EU providers in the SME's value chain.
Practical obligations for a deployer / SME
- Map the AI systems used in the company and classify their risk (prohibited / high / limited / minimal).
- Check the prohibitions (Art. 5): immediately rule out prohibited uses (e.g. social scoring, emotion recognition in the workplace in the prohibited cases).
- AI literacy (Art. 4): ensure an adequate level of competence among the staff who use the AI systems — documented training.
- For the high-risk systems where you are a deployer: use the system in accordance with the provider's instructions, ensure human oversight, keep the logs, inform the workers concerned.
- Transparency (limited risk, applicable from 2 August 2026 — Art. 50): inform users when they are interacting with an AI (e.g. a chatbot) and label synthetic/deepfake content.
- Put in place internal governance and a register of AI systems; consider voluntary adoption of ISO/IEC 42001 as a readiness framework.
Positioning note (NomotecnIA): NomotecnIA provides guidance and readiness support towards compliance. NomotecnIA is not a notified body and does not issue AI Act conformity certifications.
From the rule to your business
Which AI Act obligations actually apply to you?
The AI Entry Assessment maps your systems, identifies the risk class and the obligations that follow, and hands you back a prioritised roadmap.