AI compliance

EU AI Act for SMEs: what you actually need to do

The EU AI Act phases in through 2025 and 2026. This is the practical guide for SMEs using or deploying AI tools, not a regulatory summary.

TL;DR
  • The EU AI Act entered into force in August 2024 and phases in across 2025 and 2026. Prohibitions on unacceptable-risk AI applied from February 2025. High-risk AI obligations fully apply from August 2026.
  • Most SMEs using commercial AI tools (ChatGPT, Copilot, AI writing assistants) are deployers, not providers. Deployers have lighter obligations than providers but still need an acceptable use policy, user notification, and a complaints process.
  • High-risk AI (systems influencing hiring, credit scoring, biometric identification, critical infrastructure) carries the heaviest obligations. Most SMEs do not build or deploy high-risk AI today, but any new AI workflow should be assessed against the risk tier criteria.
  • General-Purpose AI (GPAI) obligations apply to the model providers (OpenAI, Google, Mistral, etc.), not to companies using those models via API. SMEs using GPAI model APIs inherit the safety information from the provider but must still apply their own use-case risk assessment.
  • See how we build AI automation workflows for European SMEs with compliance guardrails from the start.
The phased timeline

What became mandatory when under the EU AI Act.

The EU AI Act (Regulation 2024/1689) entered into force on 1 August 2024. It does not apply all at once. The implementation is staggered to give businesses time to assess their AI systems and prepare documentation.

**February 2025:** Prohibitions on unacceptable-risk AI systems took effect. These include AI that manipulates behaviour subconsciously, exploits vulnerable groups, uses social scoring by public authorities, and certain real-time biometric surveillance. If your organisation was using any of these, the obligation to stop was immediate.

**August 2025:** Rules for General-Purpose AI (GPAI) model providers came into force. These apply to companies building and releasing foundation models (the Anthropics, Googles, and Mistral AIs of the world), not to businesses using those models. Most SMEs are not affected by this batch directly.

**August 2026:** Full obligations for high-risk AI systems apply. This is the deadline that matters most for SMEs that have built or are building AI systems that fall into the high-risk categories (recruitment, credit, education, biometrics, critical infrastructure, product safety).

High-risk AI systems already on the market before August 2026 have a grace period until August 2027 (or 2030 for certain regulated products) before they must be updated to full compliance.

Risk tiers

The four risk levels and what they require.

This table simplifies a complex regulation for orientation. Legal and technical assessment of specific systems is required before relying on a risk classification.
| Risk tier | Examples | Key obligations |
|---|---|---|
| Unacceptable (prohibited) | Social scoring by public bodies, subliminal manipulation, real-time mass biometric surveillance in public spaces | Fully prohibited. No legal use permitted as of February 2025. |
| High risk | CV screening tools, credit scoring for loans, biometric identification, AI in safety-critical machinery, educational assessment tools | Conformity assessment, technical documentation, human oversight mechanisms, logging and auditability, registration in EU database before deployment. |
| Limited risk (specific transparency obligations) | Chatbots, AI-generated content, emotion recognition systems | Users must be informed they are interacting with an AI. AI-generated content must be labelled as such. Deepfake content must be disclosed. |
| Minimal risk | AI spam filters, AI-assisted document drafting, recommendation systems on personal devices | No specific obligations under the Act. Voluntary codes of conduct encouraged. |
| General-Purpose AI (GPAI) models | GPT-4, Gemini, Claude, Llama, Mistral | Obligations fall on model providers, not API users. Providers must publish technical documentation, comply with copyright law, and (for systemic-risk models) conduct adversarial testing. |
What SMEs need to do

Practical steps by AI use case type.

01

Audit your current AI tools and classify them

Start with a simple inventory: list every AI tool your team uses, including embedded AI features in SaaS tools (Copilot in Microsoft 365, AI assist in Notion, etc.). For each, determine whether you are acting as a provider (you built or deployed it), a deployer (you use it in a professional context), or an end user. Classify the use case against the four risk tiers. Most commercial tools will be minimal or limited risk. High-risk triggers are specific; check the Annex III list in the regulation.

02

For limited-risk AI: add user notifications

If you deploy a chatbot, AI-generated content, or an emotion recognition interface, users must be informed they are interacting with AI. This is not a complex legal process: a clear label or disclosure at the start of an AI interaction is the practical requirement. For AI-generated written content published publicly, a disclosure is also required under the Act. Build this into your content workflow and product UI now, before enforcement begins.

03

For high-risk AI: start documentation now

If your product or workflow falls into a high-risk category (recruitment screening, credit assessment, biometric identification), the full documentation requirement applies from August 2026. That includes a technical file covering system design, training data, performance testing, and human oversight mechanisms. Starting documentation now is far cheaper than reconstructing it from scratch under a deadline. If you are evaluating high-risk AI tools from vendors, check whether the vendor will provide conformity assessment documentation.

04

Write and publish an acceptable use policy

Deployers of AI systems must have internal governance in place. An acceptable use policy for AI tools is the baseline: it defines which tools are approved, for what purposes, what data may be entered into them (and what may not), and who is responsible for reviewing AI outputs before they affect real decisions. This is also the foundation for GDPR compliance when AI tools process personal data.

Common questions

What SMEs ask when they first encounter the EU AI Act.

We use ChatGPT and GitHub Copilot. Does the EU AI Act apply to us?

Probably at the minimal or limited risk level. Using a GPAI model via API or a commercial subscription does not make you a provider under the Act. You are a deployer or end user. Your obligations are lighter: for consumer-facing AI features, notify users they are interacting with AI. For internal tools processing personal data, ensure your GDPR basis for using those tools is in order. Neither ChatGPT nor Copilot is a high-risk system for typical SME use cases (document drafting, coding assistance, summarisation).

We built a CV screening tool. When do we need to comply?

CV screening and candidate ranking tools are explicitly listed in Annex III as high-risk AI systems. Full obligations apply from August 2026. If your tool was already on the market before that date, you have until August 2027. The obligations include a conformity assessment, technical documentation of the training data and performance testing, a human review step in the recruitment process, and registration in the EU database before the system is deployed commercially.

What is GPAI and does it affect what we build with LLMs?

General-Purpose AI (GPAI) refers to foundation models (the large language models themselves) rather than the applications built on top of them. The GPAI obligations in the Act fall on model providers (Anthropic, OpenAI, Google, Mistral, Meta) not on companies using their APIs. If you build a customer service chatbot using the OpenAI API, you are a deployer of a limited-risk AI system, not a GPAI provider. However, you still need to ensure the system is transparent to users and that any personal data sent to the API is covered by a GDPR-compliant DPA with the API provider.

Are there exemptions for small companies?

The AI Act includes some lighter-touch provisions for SMEs (micro, small, and medium enterprises as defined in EU law), particularly around technical documentation formats and access to testing infrastructure. However, these are procedural accommodations, not exemptions from the substance of the law. If your AI system falls into a high-risk category, the high-risk obligations apply regardless of your company size.

What are the penalties for non-compliance?

Fines under the EU AI Act are among the highest in EU digital regulation. Violations of prohibited AI rules: up to €35 million or 7% of global annual turnover, whichever is higher. Violations of high-risk AI obligations: up to €15 million or 3% of turnover. Providing incorrect information to authorities: up to €7.5 million or 1.5% of turnover. For SMEs, the Act specifies proportionate penalties, but the direction is clear: the EU is treating AI safety seriously.

How we approach AI compliance

Guardrails built in from the design phase, not retrofitted at audit time.

When we build AI automation workflows for European clients, compliance is part of the architecture from day one. That means a use-case risk assessment before build, GDPR DPAs in place before personal data flows to any LLM API, user notifications designed into the product UI, and a human review step for any output that affects a real decision. **See how we approach AI automation for European SMEs with compliance as a default, not an afterthought.**

For organisations that already have AI systems deployed and need to assess their EU AI Act exposure, we run structured assessments: inventory of AI systems in use, risk tier classification against Annex III, gap analysis against the applicable obligations, and a remediation plan with timelines. The output gives you a clear view of your compliance position before enforcement begins.
