Redergo

EU AI Act: what really changes for those developing or using AI software


The EU AI Act (Regulation EU 2024/1689) classifies AI systems into 4 risk levels: unacceptable (banned), high risk (heavy obligations), limited (transparency) and minimal (no obligations). Key deadline: 2 August 2026 for full application. Covers AI builders (providers) and professional users (deployers).

A date worth marking on the calendar

2 August 2026. From that day, Regulation (EU) 2024/1689, known as the EU AI Act, will be in full application. It's not an announcement, it's not a draft: it's a law already in force, with a roadmap of progressive deadlines, most of which have already passed.

The problem is that most Italian companies, especially SMEs, are still approaching this regulation as if it were for big tech companies. It's not. The Regulation also applies to those who use AI systems in a professional context, not just those who develop them. Anyone using a predictive CRM, a chatbot or HR software with automated functions is already subject to the regulation.

Let's clarify what has already happened, what takes effect in a few months and what it means concretely for those developing AI software or using it in business.

What's already in force (and many don't know)

The AI Act didn't arrive all at once. The first critical deadline was 2 February 2025, when the absolute ban on AI systems with unacceptable risk kicked in, such as social scoring, subliminal manipulation and mass biometric surveillance. The second deadline, 2 August 2025, concerned obligations for general-purpose AI (GPAI) models, which apply directly to those using LLMs like GPT, Claude or Gemini in production.

There's also an obligation that passed almost unnoticed: the AI Act requires that all employees using AI systems have an AI literacy level proportionate to their role. It's not an advanced technical course, it's an awareness obligation. Those who haven't done anything on this front yet are already late.

The point is these obligations are not theoretical. They are already active.

[Figure: EU AI Act deadlines timeline (2024, 2026, 2027), progressive obligations]

The distinction everyone must understand: provider vs deployer

This is perhaps the most important thing to internalise, and also the one that causes the most confusion.

The AI Act mainly distinguishes between providers and deployers, that is, those who develop the AI system and place it on the market under their own responsibility, and those who use it. On paper the distinction seems clear, but in concrete application the boundary between the two figures is often hard to identify.

For a software house like ours, the distinction is anything but academic. An agency or software house that develops a virtual assistant for a client, using an existing model's API and adding code, interface and branding, is in the eyes of the Regulation no longer a simple AI user: it's a provider, with much heavier obligations than someone using ChatGPT as an operational tool.

In practice: if you integrate an AI model into a product you then deliver to a client, you're probably a provider. If you use AI tools internally to work better, you're a deployer. Beware though: if you customise a model via fine-tuning for a specific use case, you can be considered a provider even if you didn't develop the base model.

And for deployers? Obligations are lighter but concrete: human oversight, staff training, risk management and transparency toward end users. It's not an exemption, it's a different perimeter.

The four risk levels: where do you fit

The AI Act classifies systems into four categories. The risk level determines which obligations apply, and here the difference is substantial.

Systems with unacceptable risk have been banned since February 2025: behavioural manipulation, government social scoring, real-time biometrics in public spaces. No adjustment is possible; you simply can't do them.

High-risk systems are those used in sensitive sectors: HR selection, credit, education systems, safety components. For companies using them, the operational deadline is 2 August 2026, when full obligations kick in: technical documentation, conformity assessment, registration in the European database and post-market monitoring.

Systems with limited risk, like chatbots that must declare they are AI, mainly have transparency obligations. Those with minimal risk, like spam filters or generic content recommendation systems, have no specific obligations.

The practical question every company should ask now: which category does the AI software I develop or use fall into?

[Figure: EU AI Act risk levels pyramid, AI system categories]

What kicks in August 2026 and what comes next

From August 2026, all AI Act provisions become fully applicable. Anyone developing or using AI systems in their processes must comply with all obligations, with sanctions up to 35 million euros or 7% of annual global turnover.

Sanctions follow a precise three-tier logic:

  • Violating bans (unacceptable-risk systems): up to 35 million euros or 7% of global turnover
  • Violating obligations for high-risk systems: up to 15 million or 3% of turnover
  • False information to authorities: up to 7.5 million or 1% of turnover

For SMEs, the lower amount always applies. But financial penalties aren't the worst risk. Authorities can order suspension or withdrawal from the market of the non-compliant system, with operational impacts potentially more serious than the fine itself.

The roadmap doesn't stop in August 2026. On 2 August 2027 Article 6(1) becomes applicable, with related classification rules for high-risk AI systems acting as safety components of products already regulated. For models on the market before August 2025, providers have until 2027 to comply.

What to do now, concretely

No need to panic, but you need to move. Three practical actions we recommend to anyone developing or using software with AI components:

  1. Map your AI systems in use or in development. Identify what you use internally and what you deliver to clients. For each, ask: which risk category does it fall into? Am I a provider or a deployer?
  2. Review contracts with vendors and clients. Many current SaaS contracts don't clarify provider/deployer roles. Before August 2026 is the time to align them. Who is responsible for what, in case of dispute?
  3. Start an internal AI literacy plan. Not a 40-hour course, but basic awareness of what's used and why. It's already mandatory, not optional.

At Redergo we're already integrating these assessments into projects with AI components, from design phase to technical documentation delivered to the client. If you're developing or evaluating a system with AI functions and want to understand where you stand regarding the regulation, tell us about your project.

Frequently asked questions

Does it also apply to those who use AI but don't develop it?

Yes. Anyone using AI systems in a professional context is a 'deployer' and has obligations: human oversight, staff training, transparency toward end users, risk management. They are less heavy than a provider's, but they exist.

Which AI systems are high risk?

Those used in critical sectors: HR selection, credit assessment, education systems (exam grading), critical infrastructure management, law enforcement applications, medical devices.

What does non-compliance cost?

Sanctions up to 35 million € or 7% global turnover for violating bans, 15 million or 3% for violating obligations on high-risk systems. Plus possible market suspension or withdrawal of the non-compliant system.
