The EU AI Act and Irish SMEs

The EU AI Act is now in force. Most Irish SMEs are affected as AI users, not providers. Here's what the risk tiers mean and what you're required to do.

The EU AI Act and Irish SMEs: What It Means If You Use AI Tools in Your Business

The EU AI Act entered into force in August 2024 and its obligations are now rolling out in phases. It is the world's first binding, comprehensive legal framework for artificial intelligence — and unlike some EU legislation that primarily affects large multinationals, the AI Act has direct implications for Irish SMEs, even those that have never written a line of AI code.

The reason is simple: most Irish businesses are not building AI systems. They are using them. And the AI Act creates obligations for users — referred to in the legislation as "deployers" — not just for the companies that develop AI.


What the EU AI Act Is

The AI Act classifies AI systems by risk level and applies different obligations at each tier. The higher the risk that an AI system poses to people's rights and safety, the heavier the obligations on those who develop and deploy it.

The Act applies to any organisation that deploys an AI system in the EU — regardless of where the AI provider is based. If your Irish business is using an AI tool that affects people in Ireland, the AI Act is relevant.


The Four Risk Tiers

Unacceptable Risk — Prohibited

These AI practices are now illegal in the EU. They include real-time remote biometric identification in publicly accessible spaces, AI that exploits vulnerabilities of specific groups to cause harm, social scoring systems, and AI that manipulates individuals through subliminal techniques.

For most Irish SMEs, none of this is directly relevant — you are not building these systems.

High Risk — Significant Obligations

High-risk AI covers systems used in specific sectors defined in Annex III. The categories most relevant to Irish SMEs include:

  • Recruitment and HR decisions: AI used to screen CVs, shortlist candidates, assess job applicants, monitor employee performance, or make promotion decisions
  • Credit and financial scoring: AI systems that assess creditworthiness
  • Biometric categorisation: systems that categorise people based on biometric data
  • Access to essential services: AI that determines access to education, training, or essential private services

If your business uses AI for any of these purposes — including via off-the-shelf tools — you are likely deploying a high-risk AI system with significant compliance obligations.

Limited Risk — Transparency Requirements

This tier covers AI systems that interact with humans in ways they might not realise:

  • If you deploy a chatbot on your website, you must ensure users know they are interacting with an AI system, not a human
  • If you use AI-generated content (images, audio, video) in a way that could mislead, you must label it as AI-generated

These are legally binding. An undisclosed AI chatbot on your customer service platform is non-compliant.

Minimal Risk — No Specific Obligations

The vast majority of AI use by Irish SMEs falls here. Using ChatGPT, Microsoft Copilot, or similar tools to draft emails, summarise documents, or generate marketing copy is minimal risk AI use. No mandatory obligations under the AI Act, though responsible use principles apply.


Where Most Irish SMEs Actually Sit

For most Irish SMEs using common AI tools — ChatGPT, Microsoft Copilot, Google Workspace AI features, AI-powered CRM tools, or AI customer service chatbots — you are predominantly in the minimal or limited risk tier.

Your practical obligations are:

  1. Disclose AI chatbots. If you have a chatbot on your website, it must identify itself as an AI. A simple "Powered by AI" or "This is a virtual assistant, not a human" message is sufficient.

  2. Label AI-generated content where required. AI-generated images, audio, and video must be disclosed in contexts where users could be misled.

  3. Know what you are deploying. As a deployer, you are expected to understand the AI systems you use sufficiently to assess their risk.


If You Are Using AI in Recruitment

This is where Irish SMEs most commonly drift into high-risk territory without realising it.

If you are using an AI tool to screen CVs, score applications, or shortlist candidates, you are almost certainly deploying a high-risk AI system. The obligations include:

  • Conducting due diligence on the AI system (your AI provider should provide conformity documentation)
  • Ensuring human oversight — a human must be involved in consequential decisions
  • Maintaining logs of system use
  • Informing candidates that AI is being used in their assessment (this also aligns with GDPR transparency requirements)
  • Providing a means for candidates to seek human review

If you are using a commercial recruitment platform with AI screening built in, contact your vendor and ask what their AI Act compliance position is.


The GDPR Overlap

The AI Act and GDPR overlap significantly where AI processes personal data — which is most of the time.

  • Automated decision-making: GDPR Article 22 already restricts purely automated decisions that significantly affect individuals. The AI Act adds additional requirements for high-risk AI.
  • Data minimisation: AI systems processing large volumes of personal data must still comply with GDPR's data minimisation and purpose limitation principles.
  • Data subject rights: Individuals retain the right to explanation, correction, and challenge under both GDPR and the AI Act.

GDPR compliance does not automatically mean AI Act compliance, but if you are already GDPR-compliant, you have a meaningful head start.


Honest Assessment of Enforcement Timeline

The AI Act is real and binding, but enforcement is phased. The EU AI Office and national competent authorities are still being stood up. Significant enforcement action against SMEs for limited-risk AI use in the near term is unlikely.

That said, prohibited practices and transparency obligations are already in force. High-risk AI obligations are coming quickly. The time to assess your position is now, while you can address gaps without pressure.


Practical First Steps for Irish SMEs

Step 1: Inventory your AI tools. List every AI-powered tool your business uses — including features embedded in Microsoft 365, your CRM, your recruitment platform, your customer service software. Most businesses use more AI than they realise.

Step 2: Classify by risk tier. For each tool, assess whether it falls into high, limited, or minimal risk based on what it is used for.

Step 3: Fix the easy things now. Disclose AI chatbots. Review any AI use in recruitment, HR, or credit decisions.

Step 4: Document your assessment. A defensible position under the AI Act requires evidence that you assessed the risk and made a proportionate response.

Step 5: Keep the inventory current. AI tool adoption is moving fast. Build AI governance into your annual review cycle.


If you want help assessing your AI tools against the Act's requirements, get in touch.


James McGee, CISA, CISSP, CISM, is the founder of Pragmatic Security. He advises Irish SMEs on cybersecurity compliance including NIS2, GDPR, and emerging AI regulation.