The EU AI Act is an EU regulation that sets rules for artificial intelligence based on how much risk a specific use poses to people's safety or rights, rather than regulating AI as a technology category. It applies to Irish businesses as either a provider, an organisation that builds or sells an AI system, or a deployer, an organisation that uses one, and most Irish SMEs are deployers.
The EU AI Act (Regulation (EU) 2024/1689) is already partly in force, and it already applies to your business if you use AI in any professional capacity, whether or not you built the tool yourself.[1] Many Irish SME owners have heard the phrase without ever getting a straight answer to the two questions that actually matter: are you a provider or a deployer, and which of the Act's four risk levels covers what you are doing. This article answers both, in plain English, without assuming any legal background.
Do you know which of the AI tools your team already uses would count as high risk under the Act? An AI Readiness Scan starts by answering exactly that, for your business specifically.
What is the EU AI Act, in plain terms?
The EU AI Act is the European Union's law on artificial intelligence, and it works by sorting specific uses of AI into four risk levels rather than regulating AI as a single category of technology.[1]
The Act entered into force on 1 August 2024, with 2 August 2024 as the baseline from which the phased application timetable is calculated.[1] It does not try to regulate every possible use of AI with the same rulebook. Instead, it asks one question about each specific use: how much risk does this pose to a person's safety, health, or fundamental rights? The answer determines which, if any, obligations apply.
This matters because it means the Act does not automatically require anything of a business just because that business uses AI. A spam filter, an AI-powered scheduling tool, or a generative AI assistant used to draft emails will typically fall into the lowest risk category, with no extra legal obligations at all. A tool used to screen job applicants or decide who gets a loan sits in a much higher risk category, with real obligations attached. The rest of this article walks through how to tell the difference for your own business.
In summary
The EU AI Act does not regulate AI in general. It regulates specific uses of AI according to risk, so the first question for any tool in your business is not "is this AI" but "what is this specific use of AI actually doing, and to whom."
Is my business a provider or a deployer under the EU AI Act?
Most Irish SMEs are deployers under the EU AI Act, meaning they use AI systems that someone else built, rather than providers, who build or sell the AI system itself.[2]
The EU AI Office's own example is the clearest one: a company that develops a CV screening tool is a provider. A business, such as a recruitment agency or an HR department, that buys and uses that tool to screen candidates is a deployer.[2] If your business uses Microsoft Copilot, a customer service chatbot, or any AI feature built into software you did not build yourselves, you are a deployer for that tool. Being a deployer does not mean you are exempt from the Act. It means a different, generally lighter, set of obligations applies to you than would apply to the company that built the tool, and those obligations depend on which risk level the tool falls into, covered in the next section.
There are two exemptions worth knowing. AI developed and put into service solely for scientific research and development, or for development activities prior to market release, is not covered. Note that real-world condition testing is explicitly not covered by this exemption: a live pilot deployment with actual customers or employees falls within the Act's scope. Neither is AI built exclusively for military, defence, or national security purposes.[2] Outside those two situations, if your business is using AI in professional activity in the EU, the Act applies to you in some form, even if that form turns out to be no additional obligation at all because the use is low risk.
The obligations that actually apply to a deployer look quite different depending on whether the AI stays inside your business or reaches your customers directly. See how those obligations differ between internal and customer-facing use for the practical breakdown.
In summary
If you did not build the AI tool yourself, you are almost certainly a deployer, not a provider. That is the normal position for an Irish SME, and it is not a loophole. It is simply a different set of obligations than the company that built the tool carries.
What are the four risk levels under the EU AI Act?
The EU AI Act sorts AI uses into four risk levels: unacceptable, high, limited or transparency risk, and minimal or no risk, with obligations that get lighter as the risk gets lower.[1]
Unacceptable risk covers eight practices banned outright since 2 February 2025: manipulative or deceptive AI, exploiting vulnerabilities linked to age, disability, or financial hardship, social scoring, predicting the likelihood someone will commit a crime based on profiling alone, scraping the internet or CCTV footage to build facial recognition databases, emotion recognition in workplaces or schools, biometric categorisation to infer characteristics such as race or religion, and real-time remote biometric identification by law enforcement in public spaces.[1] Very few Irish SMEs will come near these, but a marketing or sales chatbot configured to manipulate customers into decisions against their own interests could stray into this category, so it is worth ruling out deliberately rather than assuming.
The Digital Omnibus on AI, adopted in June 2026, adds two further prohibitions: AI systems used to generate or manipulate non-consensual intimate imagery, and AI systems that produce child sexual abuse material. These apply from 2 December 2026, bringing the total number of prohibited practices to ten once the Omnibus enters into force.
High risk covers specific listed uses under Annex III of the Act, including AI used in recruitment and CV screening, credit scoring, and access to education or essential public services.[1] Certain uses of AI in insurance that amount to evaluating creditworthiness or access to essential services may also fall under Annex III, but this requires a case-by-case assessment. These carry the heaviest obligations: risk management, human oversight, and detailed technical documentation. Bodies governed by public law, or private entities providing public services, must also complete a Fundamental Rights Impact Assessment under Article 27. Most private-sector SME deployers are not subject to this requirement. The Digital Omnibus on AI, formally adopted by the European Parliament on 16 June 2026 and by the Council on 29 June 2026, moved the compliance date for Annex III high-risk systems from 2 August 2026 to 2 December 2027.
Limited or transparency risk covers situations where someone needs to know they are dealing with AI. If your business runs a chatbot on its website, there are specific rules on what you need to disclose to customers, and those rules take effect 2 August 2026.
Minimal or no risk is where most everyday business AI use sits. AI-assisted spam filters, scheduling tools, and general productivity features carry no extra obligations under the Act at all.[1]
In summary
Ruling out the top two risk tiers for your own AI use, in a single afternoon, tells you almost everything you need to know about whether the EU AI Act requires anything further from your business right now.
What is already in force, and what changed in 2026?
Several EU AI Act obligations are already in force today, while the obligations most people associate with "the deadline" will not apply until December 2027.[1]
It helps to separate what is already law from what is still coming. The eight prohibited practices have applied since 2 February 2025. So has Article 4, which originally required any business using AI to ensure staff have a sufficient level of AI literacy for the tools they use. The Digital Omnibus on AI, formally adopted in June 2026, updated this to a softer effort obligation: providers and deployers must take measures to support the development of AI literacy among staff, proportionate to roles and context. The requirement to do something demonstrable about staff AI literacy has not been removed.[1] Neither of these obligations waited for a single "go live" date.
What changed in 2026 was narrower than headlines suggested. The Digital Omnibus on AI, a package of amendments to the Act, was formally adopted by the European Parliament on 16 June 2026 and by the Council on 29 June 2026. It awaits publication in the Official Journal, after which it enters into force. The main effect was to move the compliance date for Annex III high-risk systems from 2 August 2026 to 2 December 2027, giving businesses more time to prepare for the heaviest obligations.[1] It did not touch the prohibited practices already in force. The chatbot disclosure obligation under Article 50(1) also remains at 2 August 2026. For the full breakdown of exactly which obligations apply on which date for your sector, see the December 2027 deadline for high-risk systems.
If your business is not using AI in a high-risk category, the December 2027 shift changes very little for you in practice. What has not moved, and does apply to you now, is the requirement to make sure your staff understand the AI tools they are using.
In summary
The 2026 news was about the timeline for high-risk systems, not a general pause on the Act. If your business has not addressed staff AI literacy under Article 4, that obligation has already applied for well over a year.
Who enforces the EU AI Act in Ireland?
Ireland enforces the EU AI Act through 15 existing sectoral regulators rather than a single new AI authority, so which body oversees your business depends on your sector.[3]
Ireland chose a distributed model of implementation, building on regulators that already exist rather than creating one AI mega-regulator. The 15 designated National Competent Authorities include the Central Bank of Ireland, the Data Protection Commission, the Workplace Relations Commission, the Health and Safety Authority, and the Competition and Consumer Protection Commission, among others.[3] A financial services firm's AI use is most likely to draw attention from the Central Bank of Ireland; financial services firms face extra documentation requirements as a result. A business whose AI use touches customer personal data, which covers most AI tools in most SMEs, has the Data Protection Commission as a live regulator regardless of sector.
The AI Office of Ireland becomes operational on 1 August 2026, established under the Regulation of Artificial Intelligence Bill 2026, which is currently progressing through the Oireachtas. It will not replace the sectoral regulators. Its job is to coordinate them, act as a single point of contact for AI Act queries, and host Ireland's AI regulatory sandbox.[3] From 1 August 2026, the AI Office is the primary coordination point for queries that do not fall under a specific sectoral regulator.
In summary
There is no single Irish AI regulator to write to. Start with whichever existing regulator already oversees your sector, and assume the Data Protection Commission has an interest too if your AI use touches customer data.
What should an Irish SME do first?
The first practical step is a short internal audit: list every AI tool in use across the business, then classify each one as provider or deployer, and against which of the four risk levels described above.[3]
This does not need to be a formal compliance exercise to start with. A single page listing every AI tool your team uses, who uses it, and what it is used for, gives you the raw material to check against the four risk levels covered above. Most of what you find will land in the minimal risk category and need nothing further. Anything that touches recruitment, credit, insurance, or access to services deserves a closer look against the high-risk criteria.
It is also worth knowing that the Act treats SMEs differently in one specific, useful way: penalties scale with turnover, and for every penalty band, SMEs are assessed at the lower of the two possible thresholds rather than the higher.[3] This is not a reason to delay. It is a reason to treat this as manageable rather than as a fire to put out this afternoon.
Once you know which tools are provider versus deployer, and which risk level applies to each, you know exactly which of the Act's specific obligations to focus on, and which of them you can safely set aside for now.
In summary
A one-page AI tool inventory, honestly filled in, is worth more than an hour spent reading the regulation itself. It tells you exactly which parts of the Act are relevant to your business and which are not.
If you are not sure whether any of your AI tools would count as high risk, or what that would mean in practice, an AI Readiness Scan is where that gets worked out, specifically for your business rather than in the abstract.
