The smallness paradox, seen from Pescara #
I work at a small-to-medium tech company in Pescara. We’re about a dozen people, not fifty, not two hundred. We build software for different clients, from public administration to SaaS platforms, and the thing that has always kept us afloat is a kind of obsession with solidity. Thought-through architectures, code that holds up, systems that don’t crumble when someone feeds them real data, real money, real decisions.
And yet, in recent months, I’ve found myself thinking something a bit bitter: this is a brutal time to have ideas. Not because creativity is lacking—quite the opposite. The problem is that creativity often comes with a feeling of powerlessness.
The “someone already did it” syndrome #
It happens like this, with an almost comical regularity.
Monday morning, brainstorming. Someone throws out an idea. We get fired up, we start imagining how to do it properly, what the right architecture would be, where the risks are, how we’d sell it without lying to ourselves.
Then Wednesday evening arrives. A scroll on LinkedIn, or on Hacker News, and there it is: the announcement. Google, Microsoft, OpenAI, or a startup that just got funded with numbers we only ever see in rounds talked about on podcasts, has just launched the same thing. Or something close enough that, in the market’s eyes, our idea becomes a late clone.
It’s not even a “they copied us” thing. It’s more banal and more depressing: they have scale. And in this historical phase, scale seems to matter more than anything.
I often wonder whether we’re entering an era in which real innovation becomes almost a luxury reserved for those who can afford to fail fast and in public.
When they don’t beat you because they’re better, but because they’re faster #
Up to here, it would already be frustrating. But there’s another level, harder to swallow.
Because they don’t always beat you to market with a better product. Sometimes they beat you with something mediocre, shipped quickly, with minimal tests and an almost arrogant confidence that the brand will hold up anyway.
“Vibe coding,” which until recently seemed like a game for indie hackers, has entered enterprises. And I’m not talking about the junior who uses Copilot to write a component. I’m talking about entire teams generating huge chunks of an application with prompts, doing a couple of quick checks, and then pushing everything to production.
In recent months I’ve seen platforms with vulnerabilities that give you chills. XSS you can catch in five minutes, APIs without rate limiting, payment flows without idempotency, personal data handling that would probably make anyone who’s ever been a serious DPO turn pale.
And yet they’re there. On the market. With users. With revenue.
The implicit message, which hits you even if you don’t want to hear it, is this: quality doesn’t matter, speed matters.
And if quality doesn’t matter, then we small players—who build our reputation and often our survival on quality—what room do we have?
The Brussels epiphany (that I didn’t expect) #
Here comes the part that, until a couple of years ago, I never would have thought I’d write.
For a long time I looked at European regulation with annoyance. GDPR in 2018 felt like a boulder: lots of effort for those who were already working well, while the big players kept doing whatever they wanted and, at most, paid fines that were pocket change to them.
But then I started looking at the picture that’s forming now. And I had a strange, almost counterintuitive feeling: maybe Brussels is one of the few weapons we have left.
Not because “bureaucracy is beautiful,” obviously. But because what’s taking shape isn’t an isolated regulation. It’s an integrated regulatory ecosystem that changes the yardstick by which competition happens.
If Europe is 80% SMEs, and if it wants those SMEs to survive in the AI era, then it has to do one simple and extremely hard thing: prevent size from being the only competitive advantage.
And, for better or worse, that’s exactly what it’s trying to do.
Seven laws, one direction #
I’m listing them, yes, but with a specific idea: don’t read them as “seven obligations.” Try to read them as an industrial strategy.
AI Act, the great leveler upward #
The AI Act has been in force since 1 August 2024, with progressive application. Bans from February 2025, obligations for high-risk systems from August 2026.
The interesting thing is that it doesn’t say “don’t do AI.” It says “do it well.” It classifies systems by risk, and where the risk is high it asks for things that, honestly, should be normal: risk management, data quality, human oversight, documentation, transparency.
For an SME that already works in an orderly way, compliance is often a manageable delta. Not free, sure. But manageable.
For those who put a critical system into production built in three weeks without really knowing what it does, it becomes an abyss. You have to rethink processes, governance, architecture. You have to slow down.
And that’s where the AI Act becomes, paradoxically, pro-SME. Not because it protects small players just because they’re small, but because it rewards those who already have a “let’s do it properly” culture.
There’s also a point I care a lot about regarding general-purpose models: transparency and documentation obligations for providers, especially for models with systemic risk. Translated: if I build a product on a foundational model, I have more right to know limits, risks, and boundaries. Today you often only figure it out by reading papers and corporate posts.
Cyber Resilience Act, the end of “it works, don’t touch it” #
The CRA has been in force since 10 December 2024. Reporting obligations from September 2026, full application from December 2027.
Here the music really changes: if you put a product with digital elements on the European market, you’re responsible for security across the lifecycle. Security updates for at least five years, documented vulnerability handling, fast reporting, and above all an SBOM.
An SBOM, without any romanticism, is an inventory: knowing what’s inside your software, including dependencies. When a critical CVE comes out, you don’t have to do archaeology. You know.
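As an added example (not code from the post or from any project it mentions), a small Python check that does the lookup this paragraph describes: it reads a constructed CycloneDX-style SBOM and reports the components whose version falls inside a constructed advisory’s affected range. The SBOM contents and the advisory IDs are made up for illustration, not real packages-in-use or real CVEs.

```python
import json
import re
# Constructed SBOM in CycloneDX JSON shape; made-up contents, not a real project.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "components": [
    {"name": "lodash", "version": "4.17.20", "purl": "pkg:npm/lodash@4.17.20"},
    {"name": "express", "version": "4.18.2", "purl": "pkg:npm/express@4.18.2"},
    {"name": "requests", "version": "2.31.0", "purl": "pkg:pypi/requests@2.31.0"},
    {"name": "lodash", "version": "1.0.0", "purl": "pkg:pypi/lodash@1.0.0"}
  ]
}
"""

# Constructed advisories (placeholder IDs, not real CVEs); the affected range is
# [introduced, fixed) within one package ecosystem.
ADVISORIES = [
    {"id": "EXAMPLE-0001", "ecosystem": "npm", "package": "lodash",
     "introduced": "0", "fixed": "4.17.21"},
    {"id": "EXAMPLE-0002", "ecosystem": "pypi", "package": "requests",
     "introduced": "2.3.0", "fixed": "2.32.0"},
]

def parse_version(v):
    """'4.17.20' -> (4, 17, 20); a pre-release part such as '3rc1' counts as 3."""
    parts = []
    for p in v.split("."):
        m = re.match(r"\d+", p)
        parts.append(int(m.group()) if m else 0)
    return tuple(parts)

def in_range(version, introduced, fixed):
    """True when introduced <= version < fixed, compared as numeric tuples."""
    return parse_version(introduced) <= parse_version(version) < parse_version(fixed)

def ecosystem_of(component):
    """Ecosystem from the purl: 'pkg:npm/lodash@4.17.20' -> 'npm'."""
    purl = component.get("purl", "")
    return purl[4:].split("/", 1)[0] if purl.startswith("pkg:") else None

def affected_components(sbom_json, advisories):
    """[(advisory_id, name, version)] for every SBOM component in an affected range.
    Matching on ecosystem + name keeps a same-named package elsewhere from matching."""
    comps = json.loads(sbom_json).get("components", [])
    return [(adv["id"], c["name"], c["version"])
            for c in comps for adv in advisories
            if adv["ecosystem"] == ecosystem_of(c) and adv["package"] == c["name"]
            and in_range(c["version"], adv["introduced"], adv["fixed"])]
```

Calling `affected_components(SBOM_JSON, ADVISORIES)` flags the npm lodash and the pypi requests entries, while the same-named pypi lodash is left alone because the ecosystem differs.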
And you know who’s often already set up like this? SMEs with modern stacks, decent pipelines, tracked dependencies.
Who suffers instead? Huge organizations with years of technical debt, untouchable legacy applications, components frozen in 2016, and nobody who really has the map of the territory.
The CRA makes maintenance no longer an “if there’s time left” thing, but a duty. And suddenly the obsessive attention to updates stops being a personal fixation and becomes a competitive posture.
Product Liability Directive, software is no longer untouchable #
The new PLD was adopted in 2024 and member states must transpose it by December 2026.
Here I’ll admit I’m a bit scared. Because it extends defective product liability to software as well. And in some cases it introduces mechanisms like the reversal of the burden of proof: if there’s a plausible link between defect and damage, the producer must prove that the product was not defective.
Now, imagine a company that shipped a financial app without serious tests, without code review, without documentation. If damage happens, how do they prove it?
An SME that works with CI, automated tests, traceable reviews, documented architectural decisions, a changelog and release notes, ends up with something valuable it hadn’t called that: a defensive file.
The PLD, in practice, turns process quality into a legal shield.
European Accessibility Act, the web isn’t only for people who see well #
The EAA already applies from 28 June 2025.
Accessibility means WCAG 2.1 AA as a reference: semantics, contrast, keyboard, screen reader, text alternatives. Not the “pretty page,” the page that’s usable even by people with disabilities.
Those who have always treated accessibility as a requirement start ahead. Those who built gorgeous interfaces that are unusable with a screen reader have to run.
And here there’s a very concrete opportunity: accessibility becomes a service. Audits, remediation, accessible design systems. There’s also the exemption for micro-enterprises, which is an interesting detail: you can be small enough not to be obligated in certain cases, but competent enough to help others.
NIS2, cybersecurity is no longer optional #
NIS2 was supposed to be transposed by October 2024, and in Italy the transposition has arrived. Application is progressive.
The part that hits SMEs isn’t just “are you in scope or not.” It’s the supply chain effect. If your customer is subject to NIS2, they’ll ask you for guarantees. Procedures. Incident response. Measures.
Security becomes a commercial prerequisite. If you can’t demonstrate a serious posture, you don’t work with certain customers. Period.
And here too, those who invested earlier, maybe with effort and without glory, find themselves ahead.
Data Act, the data generated is yours too #
The Data Act has been in force since 11 January 2024 and applies from 12 September 2025.
The concept, put simply, is this: data generated by the use of a connected product must be accessible to the user and, on request, shareable with third parties.
For those who live off lock-in, it’s a shock. For SMEs it can be a huge opening: if data must be portable, someone has to build the infrastructures, the APIs, the connectors, the formats.
It’s almost an anti-lock-in law. And many SMEs, plainly, never had the strength to do aggressive lock-in. Now that “lack” can become an advantage.
DMA and DSA, gatekeepers with different rules #
The DMA has been fully applicable since March 2024, the DSA since February 2024.
Here the point is political but very concrete: gatekeepers can no longer play with the same impunity as before. Interoperability, bans on self-preferencing, more transparency.
Is it enough? Probably not. I expect loopholes, creative interpretations, very well-paid lawyers.
But it changes a principle: being big doesn’t automatically give you the right to cheat.
Taken together, it’s not compliance: it’s a change of metric #
If I look at these laws as a whole, I see a pretty clear message.
In the European market, the idea is that the winner is the one who does things well.
Well means: transparent and supervised AI, maintained and secure software, real accountability when you cause harm, accessibility as a requirement, cybersecurity as a daily practice, less locked-in data, more controlled dominant platforms.
And, almost unintentionally, this direction values some typical traits of serious SMEs: attention to detail, closeness to the customer, more up-to-date stacks, less untouchable legacy, fewer incentives to “ship it and we’ll see.”
But reality isn’t all sunshine #
It would be dishonest to say compliance is free. It costs time, it costs money, it costs focus. And in a medium (or small) company every hour spent on documentation and processes is an hour not spent on product.
There’s also a real risk: that compliance becomes, once again, an advantage for big players, the ones who can afford legal departments and governance platforms.
But here, maybe, Europe has understood a point: proportionality. Many laws differentiate by risk and size. And then there’s another path, which seems very concrete to me: turning compliance into a service.
If you truly understand the CRA, AI Act, NIS2 and EAA, not just as “checkboxes” but as technical implications, you can sell that understanding. SBOMs, audits, hardening, AI governance, accessibility assessments. Compliance stops being only a cost and becomes a market skill.
What I’d do Monday morning, for real #
I don’t want to close with the moral. I’d rather close with practical things, because maybe that’s where SMEs can help each other.
We’re trying to build a single internal framework, not seven separate processes. We have to—we’re small. And this time being small is an advantage, because we can’t afford silos. The documentation needed for the CRA also helps with the PLD. The SBOM is needed for the CRA, but it also becomes a useful base for NIS2-style requests. The AI Act’s risk-based logic fits well with the GDPR approach.
We’re also trying to treat compliance as a product, not just as an obligation. If a customer has to adapt, someone has to guide them. And if you guide them well, you’re not selling “bureaucracy.” You’re selling risk reduction, operational continuity, reputation.
Then there’s training. Not the kind made of slides only. Training to understand the why behind the rules, because if you understand the why, you need the checklist less. You reason better when the weird case arrives, the one that isn’t written anywhere.
And finally the network. Shared templates, processes, lessons learned. Compliance isn’t a zero-sum game. If your ecosystem is more solid, so are you.
Maybe this is the point: we don’t have to apologize for being small #
I have no illusions. Big tech will invest in compliance, they’ll find ways to adapt, they’ll lobby, they’ll look for favorable interpretations.
But something has changed: Europe is saying that, in its market, speed without responsibility is no longer a superpower.
And for those who, like us, have always built with care not out of virtue but out of necessity, that’s a strange and beautiful piece of news. Maybe we don’t have to become bigger. Maybe we just have to keep doing things with attention and responsibility.
Only now, finally, there’s someone trying to make that choice count.