Why you cannot ignore this
There is a genre of EU regulation that is easy to put off. The AI Act does not belong to it. Unlike GDPR — which came and went without most small businesses noticing more than a cookie banner — the AI Act affects how you do your work, not just how you store data.
It is about which AI systems you are allowed to use, for what purpose, with what documentation. It is about liability when AI makes decisions that affect people. And it is about a timeline that is already in motion — parts of the law have been in effect since February 2025.
The good news: for most Swedish SMEs, the risk is manageable if you understand your risk classification. The bad news: most SMEs have no idea what risk classification applies to them.
Four risk levels — which one are you?
The AI Act divides AI systems into four categories based on potential harm. The category determines what requirements are imposed.
Unacceptable risk — prohibited
Systems that manipulate behavior without consent, social scoring of citizens, real-time biometric mass surveillance. Illegal from February 2025. Does not affect Swedish SMEs under normal circumstances.
High risk — strictly regulated
This is where it starts to become relevant. High-risk AI includes systems used for: recruitment and selection of employees, credit decisions, access to education, administrative decisions on social benefits, medical diagnostics, and biometric identification.
If your company uses AI to screen job applications — even if you only use a general tool like ChatGPT for it — you are affected by the high-risk rules. They require documentation, human oversight, and risk assessment before deployment.
Limited risk — transparency requirements
Chatbots and AI-generated content. The requirement is simple: you must tell the user that they are interacting with AI. Applies if you have a customer service bot or publish AI-generated material without labeling it.
Minimal risk — no requirements
Spam filters, AI recommendations, most internal productivity tools. This is where most of what the Swedish SME actually does with AI falls. Writing texts, summarizing meetings, generating ideas, analyzing data internally. No specific requirements beyond existing legislation.
Most SMEs operate in the minimal-risk zone. But a single high-risk application — such as AI-assisted selection during recruitment — changes the entire situation.
The timeline — what applies when?
Feb 2025 — Ban on unacceptable-risk AI takes effect
Aug 2025 — Requirements for GPAI providers (General Purpose AI — ChatGPT, Claude)
Feb 2026 — High-risk rules for financial services, recruitment, etc.
Aug 2026 — All high-risk requirements in effect (full regulations)
2027 — Exemptions for existing high-risk systems expire
Where we are now (May 2026) is the period between the GPAI requirements and the full high-risk rules. Since autumn 2025, OpenAI, Anthropic, and Google have been required to meet specific requirements for transparency, safety assessment, and incident reporting — these are the problems of the large providers, not yours. But in August 2026, the rules for all high-risk applications take effect regardless of who built the system.
What the GPAI rules actually mean for you
GPAI stands for General Purpose AI — meaning ChatGPT, Claude, Gemini and similar models. The providers of these systems now have documentation requirements, requirements to test for systemic risks, and requirements to report serious incidents.
As a user of these systems, you have limited responsibility, but it is not zero. The law distinguishes between providers, distributors, and deployers. If you build a product on top of a GPAI system — a chatbot, an analysis tool, an automated decision-making process — you are a deployer and have your own obligations.
If you only use Claude to write texts internally, you are neither a provider, distributor, nor a deployer in the sense of the law. You are an end-user. Your responsibility is not to use AI for prohibited purposes — and that's it.
Concrete cases — are you affected?
Case 1: You use ChatGPT internally to write texts
Risk level: Minimal
Requirements: No specific AI Act requirements
Recommendation: Proceed, but document which AI tools you use
Case 2: You have a customer service chatbot on your website
Risk level: Limited
Requirements: Clearly inform that it is AI, not a human
Recommendation: Add "You are chatting with our AI assistant" in the chat window
Case 3: You use AI to screen job applications
Risk level: HIGH
Requirements: Impact assessment, human oversight, documentation, candidate information
Recommendation: Stop until you have compliance processes in place
Case 4: You run AI analysis of creditworthiness for B2B customers
Risk level: HIGH (financial services)
Requirements: Documentation, human review of every decision, logs
Recommendation: Legal advice + AI system documentation required
Five things to do now — regardless of size
1. Conduct an AI inventory
List all AI tools you use, what they are used for and by whom. It doesn't need to be a complex report. An Excel file is enough. Inventory → classification → gap analysis. That is the sequence.
2. Identify if you deploy high-risk AI
The high-risk list is in Annex III of the law (available on EUR-Lex in all EU languages including Swedish). Cross-reference it against your inventory. If you find a match: seek legal advice before Aug 2026 — not after.
3. Label AI-generated content
If you publish AI-generated content — on the website, in marketing, in reports — start labeling it. It is not a requirement for internal use, but transparency obligations are coming for external communication.
4. Add an AI policy to the employee handbook
It does not need to be complex. Three points are enough for most: which tools are approved, what data may not be fed into external AI services (customer data, confidential information), and who is responsible for checking AI-generated output.
5. Stay updated
The AI Act is being implemented by the Swedish Authority for Privacy Protection (IMY) in Sweden. Follow them. The EU AI Office publishes ongoing guidelines. The rules are still being fine-tuned — do not wait for the perfect version of the law, but keep an eye on official channels for new guidance.
The big picture
The AI Act is not a threat to AI adoption. It is a framework that distinguishes between responsible and irresponsible use. The companies that win from this are those that build an internal process for AI governance early — not because authorities require it, but because it builds trust with customers and partners.
Swedish SMEs have historically handled GDPR well. The AI Act is more complex, but the principles are the same: understand what you do with the technology, document it, and have a human who takes responsibility. It's not rocket science. It's decent business practice.
Compliance is not the goal — responsible AI use is the goal. Compliance is the proof.
If you need help conducting an AI inventory or building an internal AI policy for your company — that is exactly the type of work I do with Swedish SMEs. Contact me directly.