
EU AI Act (Reg. EU 2024/1689): What SMEs Must Do Before August 2026 on High-Risk Systems

[Image: Annex III high-risk AI systems — scoring and compliance governance dashboards in an office environment]

On 2 August 2026, Regulation (EU) 2024/1689 becomes fully applicable to AI systems listed in Annex III. If your company uses CV screening software, credit scoring, or employee performance evaluation, you are already a deployer with specific obligations — regardless of who developed the system.

Regulation (EU) 2024/1689, known as the AI Act, has a layered application timeline that many Italian SMEs have misread. This is not a regulation solely for those who develop artificial intelligence: it applies equally to those who use it. And the most operationally significant deadline for most companies is 2 August 2026 — less than two months away.

Companies reaching September without a completed system inventory and technical documentation will have no valid regulatory excuse. The Digital Omnibus — the amendment proposal that would delay some deadlines — has not yet been formally adopted as of this article's publication date.

What Applies from 2 August 2026 (and What Waits Until 2027)

The most common confusion stems from an imprecise reading of Art. 113, which sets out the phased application dates.

From 2 August 2026, full obligations apply to:

  • High-risk AI systems listed in Annex III (Art. 6(2)) — credit scoring, HR, education, biometric identification, justice
  • Transparency obligations towards end users for interactive systems such as chatbots, and for AI-generated content (deepfakes, synthetic images, audio, video) — Art. 50. We cover the transparency angle in depth in AI Act: mandatory transparency from 2 August 2026.

From 2 August 2027, only Art. 6(1) will apply: AI systems integrated as safety components in products subject to harmonised Annex I legislation (medical devices, machinery, vehicles) requiring third-party conformity assessment. This deadline applies to manufacturing product makers, not to service-sector SMEs.

Note on the Digital Omnibus: on 7 May 2026, the European Commission reached a provisional agreement to extend certain deadlines by 16 months (Annex III → 2 December 2027; Annex I → 2 August 2028). The European Parliament plenary vote is scheduled for 20 June 2026. Until formal adoption and publication in the EU Official Journal, the August 2026 dates remain in force. We analysed the simplification package in the AI Act Omnibus package.

Who Falls Under Annex III — Typical Cases for SMEs

Annex III lists eight categories of high-risk AI systems. Those most commonly encountered in Italian SMEs are the following:

Credit and Insurance (Points 5b and 5c)

Software that evaluates the creditworthiness of natural persons for mortgages, leasing, or loans (point 5b). Software that calculates individual insurance risk for life or health policies (point 5c). If you use an external scoring engine integrated into your CRM or banking software, you fall into this category as a deployer.

Recruitment and Personnel Management (Point 4)

Systems for automated CV screening, candidate filtering, performance evaluation, or employee activity monitoring. This category covers the AI modules embedded in many widely used SaaS HR platforms on the Italian market.

Education and Vocational Training (Point 3)

Systems for admissions to educational programmes, skills assessment, or online exam proctoring. Relevant for vocational training bodies, private schools, and e-learning platforms.

Justice and Democratic Processes (Point 8)

Decision-support systems for judicial matters. Rare in general SMEs, but relevant for law firms or consultants using predictive legal analytics tools.

The fundamental operational distinction: the SaaS provider who built the system is the provider; your company that uses it in its operations is the deployer. Both have distinct obligations, and those of the deployer are enforceable from 2 August 2026.

The Operational Calendar — What Is Already in Force and What Falls Due in August

Already Expired

  • 2 February 2025: prohibition of forbidden AI practices (Art. 5) — social scoring, subliminal manipulation, systematic bias based on protected characteristics
  • 2 August 2025: sanctions applicable, GPAI governance (general-purpose AI systems such as large language models)

Deadline 2 August 2026 — Obligations for Annex III Deployers

Deployer obligations are defined in Art. 26 of the Regulation and include:

  • Human oversight: designate a person responsible for supervising the system and ensure they receive adequate training
  • Ongoing monitoring: verify the system performs as indicated by the provider; report anomalies
  • Log retention: retain automatically generated logs for at least 6 months
  • Serious incident reporting: notify competent authorities in the event of serious incidents
  • Information to workers: if the system affects employees, inform them of its use before deployment

The provider (typically the SaaS vendor) must in turn have provided technical documentation, the EU declaration of conformity, and — for Annex III systems — registered the system in the EU database (Art. 49 and Art. 71). As a private deployer, your task is to verify that your vendor has fulfilled these obligations. Private SME deployers are not directly required to register in the EU AI Office database themselves.

What to Do Now — Six Operational Steps

  1. AI system inventory: map every application purchased or in use that might fall under Annex III, including SaaS HR modules, CRM with scoring, and training platforms. The criterion is the function, not the commercial label.
  2. Review contracts with your vendor: the contract must provide for the provider to supply technical documentation and the declaration of conformity. If the vendor cannot deliver this by August 2026, part of the compliance risk falls on you as the deployer.
  3. Appoint the human supervisor: Art. 26 requires formal designation of a responsible person. It is not sufficient to have "someone look at the results" — documented duties and traceable training records are required.
  4. Activate log retention: verify that the system automatically records relevant decisions and that you have access to these logs for at least 6 months.
  5. Inform your workforce: if you use AI in HR, update union and individual notices. Art. 26 requires this explicitly before the system is put into operation.
  6. Update notices for interactive systems: if your company website or customer service uses chatbots, update end-user notices (Art. 50 — obligatory from 2 August 2026).

Sanctions — Art. 99

The Regulation's sanctions are structured on three levels:

Type of infringement                 Absolute ceiling   % of global turnover
Prohibited AI practices (Art. 5)     €35,000,000        7%
High-risk / deployer obligations     €15,000,000        3%
False information to authorities     €7,500,000         1%

For SMEs, the lower of the absolute ceiling and the percentage threshold applies (Art. 99(6)). Concrete examples:

  • SME with €5M turnover: maximum sanction for high-risk infringement = €150,000
  • SME with €10M turnover: maximum sanction = €300,000
  • SME with €20M turnover: maximum sanction = €600,000

At national level, Law 23 September 2025, no. 132 (Italian Official Gazette no. 223, 25/09/2025, in force from 10 October 2025) designated ACN (National Cybersecurity Agency) as the Italian national competent authority for enforcement of the Regulation.


Editorial note: this article will be updated following the European Parliament plenary vote on the Digital Omnibus (scheduled 20 June 2026) to reflect any deadline extensions.