Using AI vs Deploying It: What Irish SMEs Must Know

AI Readiness Scan · AI Policy and Governance

Using AI vs Deploying It: What Irish SMEs Must Know

EU AI Act deployer obligations depend on who your AI affects, not where it runs. Here is what Irish SMEs need to know about risk levels and the deadlines that apply.

Eileen Weadick, PhD

Founder, Clear Gate Systems • 29 Jun 2026 • 8 min read

Using AI vs Deploying It: What Irish SMEs Must Know

Under the EU AI Act, the risk level of using AI in your business depends not on whether the AI is internal or customer-facing, but on whether it makes decisions about identifiable people. Using AI to draft emails or summarise reports carries minimal EU AI Act obligations. Deploying AI to screen job applicants, assess creditworthiness, or monitor employee performance triggers full deployer obligations under Article 26 of the EU AI Act (Regulation 2024/1689). Following the Digital Omnibus agreement of May 2026, these obligations now apply from 2 December 2027 for most Annex III high-risk categories.

Most Irish SME owners have heard the phrase "EU AI Act" and assumed it mainly applies to companies that build AI. That assumption is wrong, and it is the most common reason businesses are underprepared. The EU AI Act creates a specific category of regulated business called a "deployer," and if your business uses AI tools built by anyone else, you are almost certainly a deployer with real legal obligations. The good news is that those obligations are proportionate to the risk your AI uses actually create. Understanding where the lines are drawn is the practical work. If you are not sure which category your current AI uses fall into, an AI readiness assessment is the fastest way to find out.


What makes a business a "deployer" under the EU AI Act?

A deployer, under Article 3 of the EU AI Act, is any entity that uses an AI system under its own authority in the course of a professional activity. In plain terms: if your business uses an AI tool (any AI tool, regardless of who built it), your business is a deployer.

The EU AI Act draws a sharp line between providers and deployers. Providers are the companies that develop AI systems and place them on the market: OpenAI, Microsoft, a recruitment technology vendor, an insurance pricing platform. Providers carry the heaviest obligations: technical documentation, conformity assessments, registration in EU databases. Most Irish SMEs are not providers. They buy or license AI tools and use them. That makes them deployers.

Being a deployer does not mean you have no obligations. It means your obligations are proportionate to the risk the specific AI use creates. Article 26 of the EU AI Act sets out exactly what those obligations are for high-risk deployments. Article 50 adds transparency requirements for AI tools that interact directly with people. Article 50 applies from 2 August 2026. Article 26 obligations for most Annex III high-risk categories apply later, from 2 December 2027, following the Digital Omnibus agreement reached in May 2026.

In summary

If your business uses an AI tool built by someone else, you are a deployer under the EU AI Act. Deployer obligations under Article 26 apply from 2 December 2027 for most high-risk categories, regardless of company size.

Why is the "internal vs customer-facing" question the wrong one to ask?

The intuitive way to think about this is: internal AI stays inside the business, so the risk is lower; customer-facing AI touches outsiders, so the risk is higher. That logic is understandable, but it does not match how the EU AI Act works.

The EU AI Act is built around a risk-based approach. The question it asks is not "where does the AI run?" but "what does the AI decide, and who is affected by that decision?" An AI tool that analyses and scores job applicants is classified as high-risk under Annex III of the EU AI Act, regardless of the fact that it runs inside your HR department and never touches a customer. An AI chatbot that answers customer queries on your website may carry only the lighter transparency requirements under Article 50, because it is not making consequential decisions about those customers.

This distinction is significant. An SME that runs its recruitment process through an AI screening tool is a deployer of a high-risk AI system. An SME that has put a simple FAQ chatbot on its website is a deployer with Article 50 transparency obligations. These are very different levels of regulatory exposure, and the difference has nothing to do with whether the AI is facing inward or outward.

The August 2026 EU AI Act obligations for Irish SMEs cover both of these categories, and understanding which applies to your business is the starting point for proportionate preparation.

In summary

The risk level is not determined by where the AI runs. It is determined by what the AI decides and who is affected. An internal recruitment AI carries heavier obligations than a customer-facing FAQ chatbot.

Which AI uses trigger the full Article 26 obligations?

Annex III of the EU AI Act lists the categories of AI systems that are classified as high-risk. The categories most relevant to Irish SMEs are:

Employment and recruitment AI

Point 4(a) of Annex III covers AI systems used for recruiting or selecting people, including tools that place targeted job advertisements, analyse and filter job applications, or evaluate candidates. If your business uses any AI tool that ranks, scores, filters, or screens job applicants, that tool is a high-risk AI system under the EU AI Act and you are a deployer subject to Article 26.

Point 4(b) covers AI systems used to make decisions affecting terms of employment, promotion or termination, task allocation based on individual behaviour, and performance monitoring. AI tools that assess employee performance, flag attendance patterns, or recommend promotion decisions fall into this category.

Credit, insurance, and financial AI

Point 5(b) covers AI systems used to evaluate the creditworthiness of individuals or establish a credit score, with the exception of fraud detection. If your business uses AI to assess whether a customer qualifies for credit or what credit terms they receive, this is a high-risk deployment.

Point 5(c) covers AI used for risk assessment and pricing in life and health insurance. Insurance brokers, advisers, or underwriters who use AI pricing tools are deployers of high-risk AI systems.

For any of these uses, the full obligations under Article 26 apply. If you are using AI in any of these categories, you should also review whether a fundamental rights impact assessment is required in addition to the data protection impact assessment.

In summary

The high-risk categories most relevant to Irish SMEs are recruitment AI, performance management AI, credit scoring, and insurance pricing AI. If your business uses tools in any of these areas, Article 26 obligations apply from December 2027.

What does Article 26 actually require you to do?

Article 26 of the EU AI Act sets out six substantive obligations for deployers of high-risk AI systems. In plain English, they are:

1. Follow the instructions for use. You must use the AI system in the way the provider intended, within the scope of the instructions they have given you. You cannot configure a recruitment AI to score candidates on criteria the provider's documentation says the system was not designed for.

2. Assign genuine human oversight. Under Article 26(2), you must assign oversight to specific people who have the necessary competence, training, and authority to actually intervene. "Someone checked it" is not sufficient. The oversight must be real and documented.

3. Ensure your input data is fit for purpose. Where you control the data that goes into the AI system, you are responsible for making sure it is relevant and representative of the intended purpose.

4. Monitor, log, and report. You must monitor the system's operation, keep records of any serious incidents, and report them to the provider and to the relevant market surveillance authority. Under Article 26(6), you must retain the logs automatically generated by the system for at least six months.

5. Inform your workers. Under Article 26(7), before deploying a high-risk AI system in the workplace, you must inform workers' representatives and the affected workers that they will be subject to the system. This applies to performance monitoring AI, attendance tracking AI, and any other system that affects workers' day-to-day experience.

6. Carry out a GDPR data protection impact assessment (DPIA). Under Article 26(9), where applicable, you must use the information provided by the AI system's provider to carry out a DPIA under Article 35 of the GDPR. In Ireland, the DPC is the relevant supervisory authority for data protection matters related to AI deployments. The Digital Omnibus agreement of May 2026 pushed back the application date for most Annex III high-risk deployer obligations under Article 26 to 2 December 2027. See the full EU AI Act Omnibus breakdown for what changed and what did not.

In summary

Article 26 requires deployers to do six things: follow instructions for use, assign competent human oversight, ensure data quality, monitor and report incidents, keep six months of logs, and carry out a GDPR DPIA where applicable.

What extra layer applies when AI talks directly to your customers?

Even where an AI system does not fall under Annex III, there is a separate and lighter set of obligations if the AI interacts directly with people.

Under Article 50(1) of the EU AI Act, AI systems designed to interact directly with people must inform those people that they are talking to an AI, unless it is obvious from context. This obligation sits with the provider of the AI system. If your business uses a commercial chatbot platform, the platform provider is responsible for ensuring disclosure is built into the system. If your business has built or directly configured a chatbot using an AI API, your business is acting as the provider and Article 50(1) applies to you.

Either way, from 2 August 2026, any AI chatbot or virtual assistant interacting with your customers must include a clear disclosure before or at the first point of interaction. If you are using a commercial chatbot platform, verify with your vendor that their system already includes the required disclosure. If it does not, you need to resolve that before August 2026. There is a separate article covering what you need to tell customers when they are talking to an AI on your website in more detail.

The practical picture, then, is this: most SMEs that use AI at all will have at least one EU AI Act obligation to prepare for. Article 50 transparency obligations apply first, from 2 August 2026. The full Article 26 deployer regime for high-risk AI follows later, from 2 December 2027. The question is which of these applies to your business, and when you need to be ready.

In summary

If your business has a chatbot on its website, Article 50 transparency obligations apply from 2 August 2026. Users must be told they are interacting with AI, before or at the start of the interaction.

What should an Irish SME do to prepare?

The practical preparation is not complicated, but it does require deliberate action. Three steps cover the essentials, whichever deadline applies to you.

Step 1: Build an AI inventory. List every AI tool your business uses, including tools embedded in platforms you already use (AI features in HR software, CRM platforms, accounting tools, recruitment systems). Note what each tool does and who it affects.

Step 2: Check each use against Annex III. For each tool in your inventory, check whether the use case matches any of the Annex III categories: recruitment screening, performance monitoring, creditworthiness, insurance pricing. If it does, you are a deployer of a high-risk AI system and Article 26 applies.

Step 3: Check for customer-facing AI. For any AI tool that interacts directly with customers or other external parties, Article 50 transparency obligations apply. Make sure those interactions include a clear disclosure that the user is talking to AI.

If you have identified high-risk AI uses, the next step is building the Article 26 compliance architecture: human oversight documentation, log-keeping processes, worker notification procedures, and a DPIA. You have until December 2027 to have this in place, which is enough time to build it properly rather than assemble it under pressure. An AI Readiness Scan maps every tool your business uses against the EU AI Act risk categories and tells you exactly what you need to do, and by when. Contact Clear Gate Systems to book one.


This article is for informational purposes only and does not constitute legal advice.

�����������

FAQ

People also ask

What are EU AI Act deployer obligations for small businesses?
Under Article 26 of the EU AI Act, deployers of high-risk AI systems must: use the system according to the provider's instructions; assign competent people to carry out genuine human oversight; ensure input data is fit for purpose; monitor the system and report serious incidents; retain system logs for at least six months; inform affected workers before deploying workplace AI; and carry out a GDPR data protection impact assessment where applicable. Following the Digital Omnibus agreement of May 2026, these obligations apply from 2 December 2027 for most Annex III high-risk categories, regardless of company size.
What is the difference between a provider and a deployer under the EU AI Act?
A provider, under Article 3 of the EU AI Act, is the entity that develops an AI system and places it on the market. A deployer is any entity that uses an AI system under its own authority in a professional context. Most Irish SMEs are deployers: they buy or license AI tools from providers such as OpenAI, Microsoft, or a recruitment technology vendor, and use those tools in their business. Providers carry the heaviest obligations including conformity assessments and EU database registration. Deployers carry proportionate obligations under Article 26 for high-risk uses and transparency obligations under Article 50 for AI that interacts directly with people.
Which AI systems are classified as high-risk under the EU AI Act?
Annex III of the EU AI Act lists the high-risk AI system categories. The categories most relevant to Irish SMEs are: AI used for recruiting or selecting job applicants (point 4a); AI used to make decisions affecting employment terms, promotion, termination, or performance monitoring (point 4b); AI used to evaluate creditworthiness or establish credit scores (point 5b); and AI used for risk assessment or pricing in life and health insurance (point 5c). The full Annex III list also covers AI used in critical infrastructure, education, essential public services, law enforcement, migration, and justice.
Does the EU AI Act apply if I am just using someone else's AI tool?
Yes. Using an AI system built by someone else makes your business a deployer under Article 3 of the EU AI Act. Deployers have real legal obligations under Article 26 if the AI falls into the Annex III high-risk categories. The provider carries their own, heavier set of obligations, but those do not replace yours. If your business uses an AI recruitment platform, an AI performance monitoring system, or an AI credit-scoring tool, Article 26 obligations apply to your business from 2 December 2027, following the Digital Omnibus agreement of May 2026.
What is Article 26 of the EU AI Act?
Article 26 is the core deployer obligations article of the EU AI Act. It sets out what businesses that deploy high-risk AI systems must do: follow the provider's instructions for use; assign genuine and documented human oversight; ensure data quality; monitor operation and report incidents; keep system logs for at least six months; inform workers before deploying workplace AI; and carry out a GDPR data protection impact assessment where applicable. Following the Digital Omnibus agreement of May 2026, Article 26 applies from 2 December 2027 to most deployers of high-risk AI systems as defined in Annex III of the EU AI Act.
Do I need a data protection impact assessment for AI?
Under Article 26(9) of the EU AI Act, deployers of high-risk AI systems must carry out a data protection impact assessment under Article 35 of the GDPR where applicable. A DPIA is required when processing is likely to result in high risk to the rights and freedoms of natural persons, and high-risk AI systems under Annex III typically meet this threshold. In Ireland, the Data Protection Commission is the relevant supervisory authority. If your business deploys AI in recruitment, performance monitoring, creditworthiness assessment, or insurance pricing, a DPIA is likely required.

Clear Gate Systems provides technical governance architecture. This article is for informational purposes only and does not constitute legal advice. Clients requiring legal interpretation of the EU AI Act or other regulation should engage a qualified legal practitioner.