The EU AI Act is now in force, the compliance-services market has gone into overdrive, and Irish SMEs are getting quoted €15,000 to €40,000 for readiness assessments. Most of these quotes are wrong-shaped for the businesses receiving them. This is the honest version of what the Act actually means if you run a small or mid-sized Irish company in 2026.
The Act sorts AI systems into four risk tiers. **Unacceptable risk**, social scoring, real-time biometric ID in public spaces, exploitative manipulation, is banned. Irrelevant to almost every Irish SME. **High-risk** covers AI used for employment screening, credit and insurance decisions, education access, critical infrastructure, and a handful of other defined categories. If you don't build software that makes those decisions, this tier is also irrelevant to you as a *user* of AI. **Limited risk** covers chatbots and AI-generated content, you must disclose that users are interacting with AI. **Minimal risk** is everything else, and it's where the vast majority of SME AI use sits today.
The mistake we see most often is buying high-risk readiness work when you're actually a limited-risk user. Using Claude or ChatGPT to draft documents, summarise emails, or help with code? That's minimal risk on your end. The model providers (Anthropic, OpenAI, Microsoft, Google) carry the general-purpose AI obligations under the Act, not you. Your obligations are: know what you're using, document why, and make sure the staff using it know what not to paste into it.
The actually-useful readiness work for an Irish SME in 2026 is small and concrete. **One**, write a one-page AI use register, what tools, what data they touch, who owns each. **Two**, designate a single person who owns the acceptable-use policy, even if it's a part-time job for the COO. **Three**, set up a 15-minute vendor due-diligence check for any new AI tool before it lands in production. **Four**, train your team on what *not* to paste, client data, regulated financial data, anything covered by an NDA. That's the package. It costs internal time, not a five-figure invoice.
Where the Act will get more demanding is if you start building AI features into your own product, particularly for any of the high-risk categories. At that point you need genuine compliance work, conformity assessments, technical documentation, and post-market monitoring. That's not the shape of work an SME makes the call on lightly. If you're approaching that line, we'd rather have a thirty-minute conversation about whether you actually need to cross it than sell you something you don't.
The takeaway: Irish SMEs in 2026 should treat the AI Act the way they treat GDPR, seriously, but proportionally to what they actually do. Don't pay €15,000 to be told you're minimal-risk. Don't ignore the limited-risk disclosure obligations if you've shipped a chatbot. And if you're not sure which side of the line you're on, an honest second opinion is cheaper than the assessment you're being quoted for.
