AImpact

EU AI Act: what an Italian SME actually needs to do in 2025

AI Act explained without legalese. What applies to Italian SMEs, by when, and what fines are at stake. A practical checklist to find out whether your company is at risk.

Published: June 3, 2025

On 2 August 2026 the part of the AI Act that matters most to SMEs comes into force. If your employees use AI at work — or if your software has AI modules for HR, credit, or surveillance — this applies to you too.

You don’t need to hire a lawyer right now. You need to understand which category your use falls into, and what to do based on that.

The 3 categories that affect you

Banned from 2 February 2025. These are already illegal: social scoring, subliminal psychological manipulation, real-time facial recognition in public spaces, systems that infer employee emotions to evaluate them. If you’re doing any of these things, stop.

High risk — August 2026 deadline. Systems that affect significant decisions about people. For an Italian SME the most common cases are: CV screening software with automatic ranking, employee evaluation systems that influence promotions or dismissals, credit scoring on customers or suppliers, AI-powered productivity monitoring. If you use an ATS, an HCM, or a CRM with automatic scoring modules, you probably fall into this category.

Minimal risk — no additional obligations. ChatGPT for writing emails, Copilot for code, spam filters, content recommenders. The vast majority of AI use in business lands here.

There is also limited risk: chatbots that talk to customers. The only obligation is to disclose that the customer is talking to an AI system. An opening message along the lines of “You are talking to an AI assistant” is sufficient — do it now, don’t wait.

What you need to do if you have high-risk systems

The obligations are real but they are not rocket science. By August 2026 you will need:

  • Technical documentation: a description of the system, the data used to train it, performance metrics, and a risk assessment.
  • Genuine human oversight: a CV screening system that makes final decisions without anyone reviewing them is not compliant. There must be a human who can block or override the decision.
  • Audit trail: the system must log decisions so they can be reviewed later.

If the high-risk system is vendor software (it almost always is), ask the vendor: “Does this fall under Annex III of the AI Act? What is your compliance roadmap?” Document the answer in writing. As a deployer you still have obligations of your own, but responsibility is shared.

Penalties in brief

Breach of absolute prohibitions: up to €35 million or 7% of global turnover. Breach of high-risk obligations: up to €15 million or 3%. For SMEs the authorities take company size into account — that is a mitigating factor, not an exemption.

In Italy enforcement will fall to AGID and the Privacy Guarantor. Initial checks will focus on high-risk systems, not on people using Copilot to write emails. But the real risk for an SME comes not only from public fines: it comes from disputes with employees or customers if an automated system made wrong decisions about them.

What to do

  • Take stock: list all AI use in the company, including AI modules inside third-party software (HR, CRM, ERP). “Our management system uses a model to predict churn” is a relevant AI system.
  • Classify each use: use the categories described above. For anything unclear, the official portal is artificialintelligenceact.eu.
  • For high risk, bring in a tech lawyer before end of 2025: you don’t need a €50K project — 4–8 hours of consulting (€800–2,000) is enough to know where you stand and what you’re missing.