The EU AI Act for Irish SMEs: what changes for the software you use

Dark Oak · 7 min read

If you’re running a 30-person ecommerce business in Sligo and you use a chatbot on your support page, the EU AI Act applies to you — but probably not in the way the headlines suggested. The same goes for the manufacturer using an internal copilot to summarise supplier emails, or the accountancy firm running OCR on receipts. The Act is real, it’s in force, and the calendar matters. But for most of the AI work we see Irish SMEs actually doing, the obligations are lighter than the noise around the law would have you believe.

We’ve had this conversation enough times with clients over the last six months that it seemed worth writing down. What follows is the explainer we’d give an SME owner over a coffee: what the law is, what tier your tools probably fall into, what the dates are, and three things worth doing this quarter. We’re an engineering studio, not a law firm, so where the answer is “talk to a solicitor”, we’ll say so plainly.

What the EU AI Act actually is

The EU AI Act is the first broad horizontal law on artificial intelligence anywhere in the world. It entered into force on 1 August 2024 and applies across all EU member states, including Ireland. Rather than regulating every AI system the same way, it sorts them into four risk tiers and assigns obligations based on how risky the use case is. The tougher rules apply to systems that can meaningfully affect people’s safety, livelihood or fundamental rights. The lighter rules apply to everything else. The Act doesn’t all switch on at once — it phases in between February 2025 and August 2027.

The four risk tiers, briefly

The whole law hangs off this classification, so it’s worth getting straight. In one sentence each:

  • Prohibited — banned outright. Things like government-run social scoring, certain manipulative biometric techniques, untargeted scraping of facial images to build recognition databases, and a handful of other practices the EU considers incompatible with fundamental rights.
  • High-risk — heavily regulated but allowed. CV screening and other employment decisions, biometric identification, AI used in critical infrastructure, credit scoring, certain medical and educational uses. Significant compliance work attached.
  • Limited-risk — allowed with transparency obligations. Chatbots, deepfakes, emotion recognition systems, AI-generated content. The headline duty is that users should know they’re interacting with AI or looking at AI-generated material.
  • Minimal-risk — no specific obligations under the Act. This covers the large majority of everyday AI uses: spam filters, recommendation engines, document classifiers, the AI features baked into your CRM.

Most SME use cases we see fall into limited or minimal. High-risk is a real category that catches some SMEs, but it’s narrower than people assume.

What this means for the AI most SMEs actually use

It helps to walk through the common patterns one by one.

Customer-facing chatbots and voice agents

These are limited-risk. The main obligation is transparency: a user interacting with your chatbot or AI voice agent needs to know they’re talking to an AI, not a person. In practice this is a short disclosure line in the chat window, or a sentence at the start of a voice call. You don’t need a conformity assessment, you don’t need a notified body, you don’t need a risk management system. Just be honest with your users about what they’re talking to. That’s mostly it.

Document-processing and extraction agents

If you’re running an agent that reads PDFs, extracts fields from invoices, classifies documents, or pulls data out of contracts for a human to review — these are typically minimal-risk. The line moves if your agent starts making automated decisions about people (for example, automatically rejecting applications or claims without a human in the loop). At that point you may be in high-risk territory and you’ll want legal advice. For straightforward “read this document, give me the fields, a human takes the decision” workflows, you’re not picking up new obligations under the AI Act.

Internal copilot tools for staff

A summariser for internal emails, a code copilot for your developers, a tool that drafts first-pass responses for support agents to review — these are minimal-risk in most cases. They sit inside your organisation, a human reviews the output, and they’re not making decisions about people’s rights or access to services. The Act doesn’t really change anything for you here. Your existing GDPR obligations around staff data, training data, and what the tool can see still apply, but that’s not new.

AI-assisted hiring and CV screening

This one’s different. AI systems used in employment decisions — sifting CVs, scoring candidates, ranking applicants — are explicitly listed in the Act as high-risk. The obligations are real: a documented risk management system, data governance procedures, technical documentation, logging, human oversight, transparency to candidates, registration in an EU database, and a conformity assessment before you put the system on the market or into service. Some of these obligations sit with the provider of the system, some with you as the deployer, and the split isn’t always intuitive. If you use one of these tools, or you’re thinking about building one, get proper legal advice now — not from us. The 2 August 2026 deadline sounds far away but the compliance work isn’t trivial.

GPAI models you build on

If you’re building on top of a general-purpose AI model — Mistral, the OpenAI API, Anthropic’s Claude, an open-weights model — most of the model-level obligations fall on the model provider, not on you. The provider has to document training, publish summaries of training data, manage systemic risks if their model is big enough, and so on. You’re a “deployer” in the Act’s language, and your duties depend on what you do with the model. If you wrap it into a customer-facing chatbot, your limited-risk transparency duty applies. If you wrap it into a CV screener, you’ve built a high-risk system and the heavy duties apply. The model underneath doesn’t change your tier — your use case does.

Key dates to put in your calendar

The Act phases in. The dates that matter for most SMEs:

  • 2 February 2025: prohibited AI rules applicable. Already in force as of writing. If you were doing anything in the prohibited tier, it needed to stop.
  • 2 August 2025: GPAI model obligations applicable. Mostly the model providers’ problem, but worth knowing.
  • 2 August 2026: most high-risk system obligations applicable. This is the big one if you’re in the hiring-AI or similar high-risk space.
  • 2 August 2027: remaining high-risk obligations applicable, covering certain categories embedded in regulated products.

Three things any SME should do this quarter

You don’t need a compliance programme to make sensible progress. Three concrete steps:

  • Make an inventory of the AI tools your business actually uses. Include the obvious ones — your chatbot, any agents you’ve built — but also the AI features tucked inside the SaaS you already pay for. Your CRM, your helpdesk, your email tool, your accounting software probably all have AI features now. Write them down. For each, note who interacts with it and what decisions, if any, it influences.
  • Add a clear disclosure to any customer-facing chatbot or voice agent. One sentence is fine. “You’re chatting with our AI assistant — type ‘agent’ at any time to speak to a person” does the job. This is cheap, fast, and gets you ahead of the limited-risk transparency duty.
  • If you use AI for hiring decisions, talk to a lawyer — not us — now. The 2026 deadline arrives faster than people expect, and the documentation requirements are not the kind of thing you want to start in July 2026.

A practical note on EU data

The AI Act, GDPR and the EU’s broader data-sovereignty push all overlap. None of them on their own forces you to use EU-hosted AI models, but in combination they make EU residency a sensible default for a lot of SME work — particularly anything touching personal data, customer conversations, or regulated sectors. Where we build agents for clients, we default to EU-hosted open-weights models for routine traffic where the quality is good enough, and to frontier APIs with EU data residency options for the rest. It keeps the data-flow story simple, it tends to satisfy procurement at larger customers, and it doesn’t usually cost more.

Where to go from here

We’re not lawyers, and nothing above is legal advice for your specific situation — particularly if you’re in the high-risk tier. What we can do is help you with the engineering side: walk through the inventory step, look at what your existing tools and agents actually do, and figure out which tier each one sits in. That’s usually a short, useful conversation, and it’s the first thing we do on a Readiness Sprint anyway. If that would help, get in touch and we’ll book a discovery call.