Legal and ethical considerations

EU AI Act: The Definitive Compliance Pillar Guide for SMEs and Developers

[2026-06-19] Author: Ing. Calogero Bono

Are you developing an AI application? Even if you are an SME, the EU AI Act applies to you. Many companies ignore their obligations and risk fines up to 7% of global annual turnover. We at Meteora Web have been following the regulation since its proposal – and we have already helped clients classify their systems, draft the required documentation, and implement transparency measures. In this guide you will find everything you need: from risk classification to deadlines, from practical obligations to penalties. No abstract theory – only what you need to become compliant.

What is the EU AI Act and why it matters to you

The EU AI Act is the world's first comprehensive regulation on artificial intelligence. It adopts a risk-based approach: the higher the risk to fundamental rights, safety, or health, the stricter the obligations. It applies to anyone placing AI systems on the European market – including developers, integrators, and SMEs.

The regulation is already partially in force (e.g., transparency provisions), while obligations for high-risk systems will be phased in. Deadlines are approaching, but with a structured approach you can adapt without excessive investment.

We, at Meteora Web, always think in terms of costs and returns. Ignoring the AI Act can be extremely expensive in fines and reputational damage. Investing in compliance builds trust and can become a competitive advantage.


AI system classification: where does yours fit?

The core concept is a four-tier risk classification:

  • Unacceptable risk – prohibited practices: behavioral manipulation, social scoring, real-time biometric surveillance (with exceptions). If your system falls here, you cannot market it.
  • High risk – systems subject to strict obligations: those listed in Annex III (HR, education, credit, access to essential services, law enforcement, migration, justice, etc.).
  • Limited risk – transparency obligations: chatbots, deepfakes, AI-generated content. You must inform users they are interacting with AI.
  • Minimal risk – no specific obligations: video games, spam filters, non-sensitive applications. However, if your system is used in a high-risk context, classification may change.

Practical example: An AI recruitment tool is considered high risk. You must document its functioning, ensure human oversight, and keep logs. We have assisted companies using AI for resume screening – the first step is always a thorough use-case mapping.

How to classify your system in 3 steps

  1. Identify the main purpose of the system (e.g., "generate text", "evaluate candidates", "recommend products").
  2. Check if it falls under any category of Annex III (high risk) or prohibited practices.
  3. If not, assess whether it is limited risk (interaction, content generation) or minimal.

When in doubt, consult the official AI Act text and the European Commission's guidance. We also offer quick classification audits.


Obligations for high-risk AI systems

If your system is high risk, you must comply with several requirements before placing it on the market:

  • Risk management system – identify, analyze, and mitigate risks to fundamental rights and safety.
  • Data governance – training data must be relevant, representative, and free from bias (as far as possible).
  • Detailed technical documentation – description, architecture, performance metrics, decision logic.
  • Automatic logging – track system operations during runtime.
  • Transparency and information – provide users with clear information about AI usage.
  • Human oversight – ensure a human operator can intervene and override.
  • Robustness, accuracy, and cybersecurity – the system must be resilient to errors and attacks.

These requirements demand technical and organizational skills. We, at Meteora Web, have implemented AI systems in HR and customer service: we always start with a concrete risk analysis, not abstract checklists.


Transparency and AI-generated content (Art. 50)

Article 50 requires labeling of AI-generated or manipulated content, including deepfakes and chatbots. If you use a model like GPT, Claude, or Llama to produce text, images, audio, or video intended for the public, you must disclose the artificial nature.

How to implement it? Methods vary: digital watermarks, metadata in files, explicit statements in the interface. For a chatbot, a simple note "You are talking to an AI assistant" suffices. For generated images, add an EXIF tag or a visible overlay. Example HTTP headers for an API returning AI content:

X-AI-Generated: true
X-AI-Model: gpt-4o
X-AI-Modified: 2026-03-15T10:00:00Z

It doesn't need to be complex. The key is that users are not deceived. When we integrated an AI text generator into a proprietary platform, we added a badge "AI-generated" and a link to the model documentation. Clients appreciated the honesty.
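The two labeling methods above (response headers and metadata inside the file) worked through in Python, as an added example that is not part of the original article or of Meteora Web's code. It builds the three headers exactly as shown, adds a small `is_labeled` gate that a test suite or outbound middleware can use so an unlabeled AI response never ships, and, instead of EXIF (which needs a third-party library), writes the disclosure into PNG `tEXt` chunks using only the standard library; the 1x1 PNG, the keyword names `AI-Generated`/`AI-Model` and the function names are constructed for this example.

```python
import struct
import zlib
from datetime import datetime, timezone

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def ai_content_headers(model: str, modified_at: datetime) -> dict:
    """Build the three transparency headers shown in the article.
    Naive datetimes are treated as UTC; aware ones are converted to UTC."""
    if modified_at.tzinfo is None:
        modified_at = modified_at.replace(tzinfo=timezone.utc)
    stamp = modified_at.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return {"X-AI-Generated": "true", "X-AI-Model": model, "X-AI-Modified": stamp}


def example_headers() -> dict:
    """The exact header set from the article, built from its values."""
    return ai_content_headers("gpt-4o", datetime(2026, 3, 15, 10, 0, tzinfo=timezone.utc))


def is_labeled(headers: dict) -> bool:
    """Gate for tests or outbound middleware: True only if the response is
    disclosed as AI-generated and names the model. HTTP header names are
    case-insensitive, so the comparison is done on lower-cased names."""
    lower = {k.lower(): v for k, v in headers.items()}
    generated = lower.get("x-ai-generated", "").strip().lower() == "true"
    model_named = bool(lower.get("x-ai-model", "").strip())
    return generated and model_named


def _chunk(chunk_type: bytes, data: bytes) -> bytes:
    # PNG chunk layout: big-endian length, 4-byte type, data, CRC32 over type+data
    crc = zlib.crc32(chunk_type + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + chunk_type + data + struct.pack(">I", crc)


def make_sample_png() -> bytes:
    """Constructed sample input: a valid 1x1 8-bit grayscale PNG."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)  # w, h, depth, gray, defaults
    scanline = b"\x00\x00"  # filter type 0 followed by a single pixel
    return (PNG_SIGNATURE + _chunk(b"IHDR", ihdr)
            + _chunk(b"IDAT", zlib.compress(scanline)) + _chunk(b"IEND", b""))


def iter_chunks(png: bytes):
    """Walk the chunks of a PNG, verifying the signature and every CRC.
    A CRC mismatch means the file was corrupted or edited after labeling."""
    if not png.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIGNATURE)
    while pos + 12 <= len(png):
        (length,) = struct.unpack(">I", png[pos:pos + 4])
        if pos + 12 + length > len(png):
            raise ValueError("truncated chunk")
        ctype = png[pos + 4:pos + 8]
        data = png[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", png[pos + 8 + length:pos + 12 + length])
        if zlib.crc32(ctype + data) & 0xFFFFFFFF != crc:
            raise ValueError(f"CRC mismatch in {ctype!r} chunk")
        yield ctype, data
        pos += 12 + length


def add_text_chunks(png: bytes, fields: dict) -> bytes:
    """Return a copy of the PNG with one tEXt chunk per field inserted right
    after IHDR (IHDR must stay first and IEND last; tEXt may sit in between)."""
    out = bytearray(PNG_SIGNATURE)
    for ctype, data in iter_chunks(png):
        out += _chunk(ctype, data)
        if ctype == b"IHDR":
            for key, value in fields.items():
                # tEXt payload: Latin-1 keyword, NUL separator, Latin-1 text
                payload = key.encode("latin-1") + b"\x00" + value.encode("latin-1")
                out += _chunk(b"tEXt", payload)
    return bytes(out)


def read_text_chunks(png: bytes) -> dict:
    """Extract keyword/value pairs from every tEXt chunk in the file."""
    found = {}
    for ctype, data in iter_chunks(png):
        if ctype == b"tEXt":
            key, _, value = data.partition(b"\x00")
            found[key.decode("latin-1")] = value.decode("latin-1")
    return found


if __name__ == "__main__":
    headers = example_headers()
    print(headers, "labeled:", is_labeled(headers))
    labeled = add_text_chunks(make_sample_png(), {"AI-Generated": "true", "AI-Model": "gpt-4o"})
    print(read_text_chunks(labeled))
```

Two caveats belong with this. File metadata is easy to lose: re-encoding or uploading to a platform that strips chunks removes the label, which is why the article pairs it with a visible overlay. And the CRC only catches corruption; it is not proof of origin, so if you need the label itself to be tamper-evident you would sign the file, which is outside this example.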

GPAI – General Purpose AI (foundational models)

Models like GPT-4, Claude, Llama, or Stable Diffusion are classified as General Purpose AI (GPAI). They must provide a model card, respect copyright in training, and implement safety measures. If you fine-tune a pre-trained model as a developer, you share responsibility with the provider: you must ensure your downstream system is compliant.


In practice, if you integrate APIs from OpenAI or Anthropic, verify that the provider supplies necessary information (model card, transparency policy) and you add Art. 50 labels. We recommend keeping a version log and configuration details of all models used.

Penalties and economic risks

Penalties for violating the AI Act are severe: up to €35 million or 7% of global annual turnover (for prohibited practices), €15 million or 3% for other violations, €7.5 million or 1.5% for incorrect information. SMEs may face reduced fines, but reputational damage can be devastating.

We come from accounting: budgets, balance sheets, VAT calculations. We know what a 7% fine means for a company with slim margins. Investing a few thousand euros in compliance is far better than risking closure. National authorities (in Italy, the Data Protection Authority and digital revenues agency) are already gearing up for controls.

Interaction with GDPR and other regulations

The AI Act does not replace GDPR – they overlap. For example, a high-risk AI system processing personal data must comply with both. The Data Protection Impact Assessment (DPIA) is often required by both. The AI Act also introduces "impact on fundamental rights" assessments beyond privacy.


If you handle sensitive data, also consider the Data Governance Act and Digital Services Act. We have experience in cybersecurity and compliance: a joint AI Act + GDPR audit is the most efficient way to avoid duplication.

What to do now – operational checklist for SMEs and developers

  • Classify your AI system – use the risk matrix and Annex III. When in doubt, consult an expert.
  • Document everything – create a repository with system description, data used, logic, security measures.
  • Implement transparency – add labels, metadata, declarations for AI content.
  • Train your team – everyone needs to understand AI compliance (developers, marketing, legal).
  • Plan periodic reviews – the regulation requires continuous updates and monitoring.

The AI Act is not a barrier: it is an opportunity to build trust with your users and differentiate from competitors who ignore the rules. We, at Meteora Web, are ready to support you from initial assessment to implementation. If you want a personalised consultation, let's talk.

Ing. Calogero Bono


Computer Engineer, co-founder of Meteora Web. Expert in software architecture, cybersecurity and the development of scalable systems.