Compliance · AI Act

EU AI Act: what really changes for your SME

Regulation (EU) 2024/1689 affects nearly every company that uses artificial intelligence tools, not just those that develop it. Here you'll find concrete answers on obligations, deadlines and first steps — no alarmism, no jargon.

32 answers

What is the EU AI Act, in plain terms?

The AI Act (Regulation (EU) 2024/1689) is the first European law regulating how artificial intelligence can be developed and used. It entered into force on 1 August 2024 and applies gradually through 2027.

The underlying logic is simple: the more a system can affect people's rights or safety, the more rules it must follow. Some uses are banned outright, others are high-risk and heavily controlled, while most everyday uses (like a writing assistant) carry only minimal obligations.

GiBSeS — Understanding which tier your tools fall into is the starting point of every assessment we do with SMEs.

Does the AI Act apply to my small business too?

Yes, the AI Act makes no exception for size: it applies to anyone who develops, distributes, or simply uses AI systems in a professional activity, including SMEs and freelancers. What matters isn't your revenue, but how you use AI.

The good news is that obligations are proportionate to risk: if you use AI for everyday tasks, the requirements are light. The regulation also includes specific support measures for SMEs and start-ups, such as regulatory sandboxes and calibrated penalties.

GiBSeS — The real work is telling apart what actually applies to you from what doesn't — that's exactly the kind of practical filter we start with.

What's the difference between an AI provider and a deployer?

The provider is whoever develops an AI system or places it on the market under their own name or trademark. The deployer is whoever uses an AI system under their own authority in a professional activity.

Almost all SMEs are deployers, not providers: if you use ChatGPT, Copilot, a CRM with AI features, or an automated recruiting tool, you're a deployer. The heaviest obligations (technical documentation, conformity assessments) fall mainly on providers; deployers have lighter obligations, but not none — especially if they use high-risk systems.

GiBSeS — Knowing whether you're a provider or a deployer for each tool completely changes the list of requirements — it's one of the first things we clarify together.

If our company only uses ChatGPT or Copilot, are we still involved?

Yes, but probably only lightly. By using these tools you're an AI deployer, so you fall within the scope of the regulation. In most cases this is limited- or minimal-risk AI, with obligations mostly around transparency and common sense.

The requirement that almost certainly applies to you is AI literacy for staff (Art. 4): anyone using these tools must have an adequate understanding of how they work, their limitations, and their risks (e.g., confidential data entered into prompts, hallucinations, bias).

GiBSeS — Even the most "harmless" use of a chatbot needs to be framed properly: we help you put in writing exactly what's enough and what isn't.

Am I legally required to train my employees on AI?

Partly, yes. Article 4 of the AI Act, applicable since 2 February 2025, requires providers and deployers to ensure a "sufficient" level of AI literacy among the staff who use these systems. It's a real obligation, but a flexible one.

Note: the law does NOT require a formal certified course or a specific certificate. It asks for a level that is adequate and proportionate to the role, experience, and type of AI used. In practice: people need to know what they're using, along with its risks and limitations. It's advisable to document what you've done (an internal training log, materials, sessions held) so you can demonstrate it in case of checks.

GiBSeS — A proportionate, well-documented literacy plan with no waste is one of the typical deliverables of our AI Act Academy path.

How do I prove I've met the AI training obligation?

There's no official form or mandatory certification. The proof is built internally: keep track of who was trained, on what, when, and with what content. A simple training log, with materials and dates, is already a solid basis.

The goal isn't bureaucracy for its own sake, but being able to show an authority that you acted seriously and proportionately. For a small company, a documented internal session plus a written AI usage policy can be enough.

GiBSeS — Setting up this log in a way that's light but defensible is something we can help you do in a few hours.

What risk levels does the AI Act define?

The AI Act classifies systems into four levels:

1. Unacceptable risk: prohibited practices (Art. 5), not permitted under any circumstances.

2. High risk: heavily regulated systems (e.g., personnel selection, credit, medical devices, critical infrastructure), with strict obligations.

3. Limited risk: obligations mainly around transparency (e.g., telling the user they're talking to a chatbot, labelling generated content).

4. Minimal risk: the vast majority of common uses, with no specific obligations beyond common sense and literacy.

GiBSeS — Correctly placing each tool in the right tier avoids both fines and unnecessary paperwork — it's at the heart of the diagnosis we carry out.

Which uses of AI are banned by the AI Act?

Article 5 lists the practices considered unacceptable risk, banned across the EU since 2 February 2025. These include: subliminal or manipulative techniques that cause harm, exploitation of the vulnerabilities of at-risk people, social scoring (of citizens), certain forms of emotion recognition in the workplace and in schools, untargeted scraping of facial images to build facial recognition databases, and real-time remote biometric identification in public spaces except for very limited exceptions.

For the average SME these bans are rarely an issue, but they're worth knowing before adopting HR analytics tools, "smart" video surveillance, or aggressive behavioural marketing.

GiBSeS — Checking that no tool under evaluation comes close to a banned practice is a quick but essential check we always include.

What does it mean for an AI system to be "high-risk"?

High-risk systems are those listed in the regulation that can significantly affect safety or fundamental rights. Examples include AI used to select or evaluate candidates and employees, to decide on access to credit, in healthcare, in education, or in managing critical infrastructure.

If you use a high-risk system as a deployer, you have concrete obligations: use it according to its instructions, ensure human oversight, monitor its operation, keep logs, and inform affected workers. The stricter rules on these systems become fully applicable from 2 August 2026 (and from 2027 for certain regulated products).

GiBSeS — A recruiting or AI scoring tool can turn you into a high-risk deployer without you realising it — it's a case we check carefully.

Do I have to tell customers when content is AI-generated?

In many cases, yes. Article 50 introduces transparency obligations: anyone generating audio, image, video or text content with AI (including deepfakes) must make it recognisable and label it as artificial. Chatbots, too, must make it clear to the user that they're interacting with a machine, not a person.

For an SME this means, in practice: flagging when a marketing image or video is AI-generated, and clearly indicating when a virtual assistant isn't human. These are reasonable obligations, often solved with a label or a note.

GiBSeS — Translating these obligations into a few operational rules for marketing and customer care is a quick fix we can set up with you.

What penalties do I risk if I don't comply with the AI Act?

Penalties are significant and scale with severity. For prohibited practices (Art. 5), fines can reach up to EUR 35 million or 7% of worldwide annual turnover, whichever is higher. For breaches of other obligations, the cap is up to EUR 15 million or 3% of turnover; for providing incorrect information to authorities, up to EUR 7.5 million or 1%.

Important for SMEs: for small and medium-sized enterprises and start-ups, the lower amount between the fixed figure and the percentage applies, not the higher one. Penalties are enforced by the national authorities of each Member State, with operational oversight starting from 2 August 2026.

GiBSeS — Risk needs to be sized to your actual situation, not to alarmist headlines: part of our job is giving you an honest measure of your exposure.

Who enforces the AI Act, and from when?

Oversight and enforcement are entrusted to the competent national authorities designated by each Member State, coordinated at European level by the Commission's AI Office. There's no single European "AI police": who checks on you varies from country to country.

The enforcement powers of national authorities become operational from 2 August 2026. However, some obligations are already in force before then (bans and literacy from 2 February 2025), so "not being checked yet" doesn't mean "not being obligated yet".

GiBSeS — Knowing which authority has jurisdiction over your location and your markets is part of the initial mapping we prepare.

What are the AI Act's key dates and deadlines?

The key milestones are:

- 1 August 2024: the regulation enters into force.

- 2 February 2025: bans on unacceptable-risk practices (Art. 5) and the AI literacy obligation (Art. 4) apply.

- 2 August 2025: rules on general-purpose AI (GPAI) models and governance apply.

- 2 August 2026: most obligations apply, including for many high-risk systems, and authorities gain full enforcement powers.

- 2 August 2027: obligations for AI embedded in products already subject to other regulations.

GiBSeS — Building a small internal calendar with only the deadlines that actually apply to you avoids last-minute scrambles — it's a concrete output of our assessment.

Where do I actually start to get compliant?

The first step isn't buying software or taking courses: it's building an inventory. List which AI tools you actually use (including the ones "hidden" inside your CRM, management software, or marketing tools), for what purposes, and with what data.

Then, for each one: establish whether you're a provider or a deployer, which risk level it falls into, and which obligations follow from that. At that point, three practical actions remain for most SMEs: train staff (Art. 4), write a usage policy for AI tools, and sort out transparency towards customers and users where needed.

GiBSeS — This reasoned inventory is exactly the first step we take together: half a day well spent that avoids both fines and unnecessary expense.

Do I really need a consultant, or can I do it myself?

For an SME with simple AI uses, a lot can be done in-house: an inventory of tools, a usage policy, and a documented training session cover a good part of the obligations. You don't necessarily need a major project.

External support is most useful when there are potentially high-risk tools involved (HR, credit, healthcare), when the data being processed is sensitive, or when you simply want the certainty of not having missed anything without spending days on it. The right goal is proportionality: do enough, not more.

GiBSeS — That's exactly how we work: we give you an independent diagnosis and tell you honestly what you can handle on your own and what you can't.

How much does it cost to bring an SME into compliance with the AI Act?

There's no fixed fee: it depends on how many tools you use and what risk level they reach. For most small businesses, with limited- or minimal-risk uses, compliance is mainly organisational (inventory, policy, training) and has contained costs, often more in internal time than in money.

Costs only rise if you move into high-risk territory, where structured documentation, human oversight, and monitoring are needed. The opposite risk is the one to avoid: spending too much on requirements that don't apply to you, scared into it by oversized consulting engagements.

GiBSeS — Sizing the spend to the real risk, without inflating it, is a guiding principle of our approach: economic discipline first.

Does the AI Act replace the GDPR on privacy?

No, they're two distinct, complementary sets of rules. The GDPR regulates the processing of personal data; the AI Act regulates artificial intelligence systems based on risk. An AI system that processes personal data must comply with both.

In practice: if you use AI on customer or employee data, GDPR rules (legal basis, privacy notice, security) still apply, and the AI Act's obligations are added on top. The two assessments need to be done together, not as alternatives.

GiBSeS — Making AI Act and GDPR compliance work together without duplicating effort is part of how we set up the analysis for SMEs.

Does the AI Act also apply to companies outside the EU, such as in Switzerland?

The AI Act has extraterritorial reach: it also applies to providers and deployers established outside the EU if the output of the AI system is used within the Union, or if you place AI systems on the European market. So a Swiss or non-EU company serving customers or users in the EU can fall within its scope.

If you operate only towards non-EU markets, the AI Act itself might not apply, but it's often still worth aligning with it as a reference standard, because European customers and partners tend to expect it.

GiBSeS — For businesses with customers in Switzerland, Italy and the EU, we assess case by case where the regulation actually bites and where it's worth aligning by choice.

With all these obligations, is it still worth adopting AI?

Yes, but with a method. The AI Act doesn't ban AI: it asks you to use it consciously and in proportion to its risk. The right answer is neither giving up on it nor adopting everything regardless, but deciding case by case whether and where an AI tool delivers a real benefit relative to its risks and costs.

Many AI projects fail not because of the regulation, but because they were adopted as a trend, without a clear problem to solve. AI should be introduced after a risk/benefit analysis, like any other business technology or investment.

GiBSeS — This is at the heart of our independent approach: we don't sell AI, we help you decide where it's actually needed and where it isn't, backed by data.

How do I avoid getting locked into a single AI vendor while becoming compliant?

AI Act compliance doesn't force you to pick a specific vendor. If anything, it's the right occasion to set things up in a neutral way: documenting what each tool does, with what data and what safeguards, makes it easier to switch it tomorrow without being locked in.

Watch out for "all-in-one" solutions that promise compliance but tie you to a single platform: real compliance is a process you own, not a vendor's product. Keep ownership of your data, your policies, and your documentation.

GiBSeS — Vendor independence and anti-lock-in are principles we build every recommendation on: compliance stays yours, not the vendor's.

My company has no registered office or permanent establishment in the EU: does the AI Act still apply?

Yes. Regulation (EU) 2024/1689 (AI Act) has a deliberately extraterritorial scope. It applies to providers who place AI systems on the EU market or put them into service, regardless of where they are established, and even to providers and deployers located outside the EU when the output produced by the AI system is used within the Union.

In practice, what matters isn't where your company is based, but whether your AI systems (or their results) reach European customers and users. If the answer is yes, you're within the scope of the regulation.

GiBSeS — GiBSeS helps non-EU companies understand if and how the AI Act affects them, before it becomes an obstacle to entering the European market.

Do I have to appoint a representative in Europe to sell my AI systems?

It depends on the type of system. If you're a non-EU provider of a high-risk AI system, the AI Act requires you to appoint, through a written mandate, an authorised representative established in the Union before making the system available on the EU market. The same obligation applies to non-EU providers of general-purpose AI (GPAI) models.

The authorised representative is the point of contact for European authorities, keeps the technical documentation, and cooperates with checks. For limited- or minimal-risk systems this specific obligation doesn't apply, but the other applicable requirements still do.

GiBSeS — GiBSeS can guide you on the role of the authorised representative and the leanest way to cover it without weighing down your structure.

I'm a US/Asian AI SaaS provider with customers in the EU: what do I actually need to do?

The first step is to classify your system under the AI Act: prohibited practice, high risk, limited risk (with transparency obligations only), or minimal risk. Most general-purpose AI SaaS falls into limited or minimal risk, but certain use cases (e.g., personnel selection, credit, biometrics, safety components) trigger high-risk status.

If you turn out to be the provider of a high-risk system, you'll need to prepare technical documentation, a risk management system, human oversight, event logging, CE marking, and an authorised representative in the EU. If you're limited-risk, the main obligations are transparency towards the user. In all cases, correctly mapping your EU customers and the flow of your outputs is what determines your real duties.

GiBSeS — GiBSeS supports non-EU SaaS providers in classifying risk and preparing the minimum needed to serve European customers in compliance.

My AI system runs entirely outside the EU, but the results are used by European customers: am I still involved?

Yes. One of the AI Act's key criteria is exactly this: the regulation also applies to providers and deployers established in a third country when the output produced by the AI system is used within the European Union. It doesn't matter whether the software is hosted or run in the EU.

This means a model trained and run, for example, in the US or Asia, whose results feed decisions or services aimed at European users, falls within scope. What matters is the destination and use of the outputs, not the geography of the servers.

GiBSeS — GiBSeS helps trace where the outputs of your systems actually end up and which EU obligations that triggers.

Who is actually responsible before EU authorities: me as the provider, the importer, or the European distributor?

The AI Act distributes distinct responsibilities along the chain. The provider (whoever develops the system and places it on the market under their own name or trademark) carries the heaviest obligations: conformity, technical documentation, CE marking. The EU importer must verify that the non-EU provider has carried out the conformity assessment, drawn up the documentation, and appointed the authorised representative, refusing to place the system on the market if anything is missing.

The distributor must check for the presence of marking and documentation before making the system available. Watch out, though: an importer or distributor who makes substantial modifications or markets the system under their own trademark can be reclassified as a provider, taking on all its obligations. Responsibility doesn't automatically shift downstream.

GiBSeS — GiBSeS helps you clearly define roles and responsibilities with your EU partners, so you don't end up saddled with unexpected obligations.

What is CE marking for AI, and do I really need it to access the European market?

CE marking certifies that a product complies with the applicable EU requirements. For AI systems classified as high-risk, the AI Act requires the provider to complete the conformity assessment, draw up the EU declaration of conformity, and affix the CE marking before placing the system on the market or putting it into service within the Union.

For limited- or minimal-risk systems, CE marking for AI Act purposes isn't required: in those cases, transparency obligations matter most. Understanding which category your product falls into is therefore the step that decides whether this requirement applies to you or not.

GiBSeS — GiBSeS guides you in understanding whether your system requires CE marking and in preparing the technical documentation that supports it.

What do I actually risk if I'm not compliant: fines, market withdrawal, product blocks?

The consequences come in two forms. On the market side, national supervisory authorities can impose corrective measures, withdraw or recall the system from the EU market, and ban it from being made available: in practice, your product gets shut out of European customers.

On the penalty side, the AI Act provides for fines of up to EUR 35 million or 7% of total worldwide annual turnover for prohibited practices, up to EUR 15 million or 3% for breaches of other obligations, and up to EUR 7.5 million or 1% for inaccurate information provided to authorities (the higher of the two amounts applies). For a non-EU company, the most immediate risk is often precisely the loss of market access.

GiBSeS — GiBSeS helps you prevent these scenarios, securing compliance before it turns into a commercial block.

I provide a general-purpose AI model (GPAI/foundation model): do I have additional obligations as a non-EU company?

Yes. The AI Act introduces a specific regime for general-purpose AI models. GPAI providers must prepare technical documentation, provide information to downstream providers who integrate the model, adopt a policy on copyright compliance, and publish a summary of the data used for training. For models with systemic risk, enhanced obligations are added (evaluations, risk mitigation, cybersecurity, incident reporting).

In addition, GPAI providers established outside the EU must appoint an authorised representative in the Union. GPAI rules are among the first to become applicable in the regulation's timeline.

GiBSeS — GiBSeS supports non-EU providers of general-purpose models in mapping GPAI obligations and setting up the required documentation upstream.

In practice, can I still sell into the EU, or does the AI Act risk cutting me out of the market?

You can keep selling: the AI Act doesn't close the market to non-EU providers, but it makes access conditional on complying with risk-based rules. The vast majority of AI systems fall into minimal or limited risk, with modest obligations; only a few well-defined use cases are high-risk or prohibited.

The key is arriving prepared: knowing your risk category, putting in place the right requirements (neither too many nor too few), and, where needed, having a representative in the EU. Non-EU companies that organise themselves in good time turn compliance into a competitive advantage over those who arrive unprepared.

GiBSeS — GiBSeS helps you set up EU market access pragmatically, without tying you down more than necessary.

From when do I need to be compliant? What deadlines apply to me?

The AI Act entered into force on 1 August 2024 and applies in stages. The bans on prohibited AI practices have applied since 2 February 2025. Obligations for general-purpose AI (GPAI) models have applied since 2 August 2025.

Most obligations on high-risk systems become applicable from 2 August 2026, while for certain high-risk systems embedded in products already subject to other regulations the deadline is 2 August 2027. For a non-EU company, it's worth working backwards from these dates, since preparing technical documentation, a conformity assessment, and an authorised representative takes months.

GiBSeS — GiBSeS helps you build a compliance roadmap aligned with these deadlines, so you arrive ready for the EU market.

Where do I actually start to become compliant and access the EU market?

The starting point is an inventory of your AI systems and their classification under the AI Act (prohibited, high risk, limited risk, minimal risk), cross-referenced with the use cases aimed at European customers or users. This mapping defines exactly which obligations apply to you and avoids both gaps and unnecessary requirements.

From there, the operational steps follow: preparing technical documentation where required, clarifying roles along the chain (provider, importer, distributor), assessing whether to appoint an authorised representative in the EU, and setting up transparency obligations. It's better to start from a targeted gap analysis than from generic compliance.

GiBSeS — GiBSeS starts from exactly this gap analysis to bring you to the EU market in compliance, with the right amount of effort and no unnecessary constraints.

I offer a chatbot or generate synthetic content (deepfakes, AI images) for EU users: what transparency obligations do I have?

The AI Act sets transparency obligations for certain systems that interact with people or generate content. AI systems intended to interact directly with natural persons (such as chatbots) must inform the user that they're communicating with artificial intelligence, except in obvious cases. Providers of systems that generate synthetic text, image, audio or video content must ensure that such outputs are marked as artificially generated or manipulated in a machine-readable format.

Those who deploy systems that produce deepfakes must also disclose that the content has been artificially generated or altered. These obligations also apply to non-EU providers whose systems or outputs reach users within the Union.

GiBSeS — GiBSeS helps you implement transparency obligations and content marking in a way that's compliant for a European audience.

This content is informational and does not constitute legal advice.

Let's take stock of your AI Act situation

In a focused session, we map out which AI tools you actually use, what risk level they fall into, and which obligations concretely apply to you — separating what's needed from what's waste. An independent analysis, proportionate to your SME, with no AI sold for its own sake.

Book an AI Act diagnosis