The EU AI Act Is Here — And SMEs Are Not Exempt
If your company develops, deploys, or imports AI systems that operate within the European Union, the EU AI Act applies to you. This is true whether you have 10 employees or 10,000, and whether you are headquartered in Berlin, Boston, or Bangalore.
The EU AI Act (Regulation 2024/1689) is the world’s first comprehensive AI regulation. It entered into force on August 1, 2024, with obligations phased in over three years. The most significant milestone for most businesses — the enforcement of high-risk AI obligations under Annex III — arrives on August 2, 2026.
That is less than five months away.
For small and medium-sized enterprises, this regulation presents a specific challenge: the obligations are the same, but the resources available to meet them are not.
What Is the EU AI Act?
The EU AI Act establishes a risk-based regulatory framework for artificial intelligence systems. It classifies AI systems into four risk tiers:
- Unacceptable Risk (Prohibited): AI practices banned outright — social scoring, manipulative AI, untargeted facial recognition scraping, emotion recognition in workplaces/schools. Enforceable since February 2, 2025.
- High Risk: AI in employment screening, credit scoring, critical infrastructure, education, law enforcement, migration. Must meet strict compliance requirements. Enforceable from August 2, 2026.
- Limited Risk: Chatbots, emotion recognition, AI-generated content requiring transparency disclosure. Enforceable from August 2, 2025.
- Minimal Risk: No specific obligations — spam filters, recommendation engines, AI search.
You need to know which tier your AI systems fall into before you can determine your obligations.
Key Dates Every SME Must Know
| Date | What Becomes Enforceable |
|---|---|
| February 2, 2025 | Prohibited AI practices (Article 5) — already in effect |
| August 2, 2025 | GPAI obligations, transparency for limited-risk systems |
| August 2, 2026 | High-risk AI obligations under Annex III — main milestone |
| August 2, 2027 | High-risk obligations for AI in regulated products (Annex I) |
What SMEs Specifically Need to Do
Article 62 establishes simplified compliance provisions for SMEs, including regulatory sandboxes and simplified documentation. However, core obligations remain the same:
Step 1: Inventory Your AI Systems
Create a comprehensive registry of every AI system your organization develops, deploys, or uses. Document what each system does, what data it processes, where it is deployed, and who oversees it. Watch for shadow AI — tools employees use without IT approval.
Step 2: Classify Each System by Risk Tier
Map each system against the eight Annex III high-risk categories: (1) Biometrics, (2) Critical infrastructure, (3) Education, (4) Employment, (5) Essential services/credit scoring, (6) Law enforcement, (7) Migration/border control, (8) Justice/democratic processes.
Step 3: Map Your Obligations
For high-risk systems: risk management (Art. 9), data governance (Art. 10), technical documentation (Art. 11), logging (Art. 12), transparency (Art. 13), human oversight (Art. 14), accuracy/robustness (Art. 15), quality management (Art. 17), conformity assessment (Art. 43), post-market monitoring (Art. 72).
Step 4: Generate Compliance Documents
Produce technical documentation per Annex IV, EU Declaration of Conformity, conformity assessment reports, risk assessments, transparency notices, and Fundamental Rights Impact Assessments where applicable.
Step 5: Establish Ongoing Compliance
Articles 9, 12, 17, and 72 mandate continuous compliance — ongoing risk monitoring, logging, quality management, and post-market monitoring with incident reporting.
Common Mistakes SMEs Make
- Waiting too long to start. Compliance preparation takes months, not days.
- Assuming you are too small to be affected. The Act applies based on what your AI does, not company size.
- Not classifying systems at all. Without classification, you cannot know your obligations.
- Over-relying on legal counsel alone. Compliance requires engineering, product, and compliance collaboration.
- Using spreadsheets for tracking. Manual tracking cannot produce the audit evidence regulators expect.
Penalties Are Severe
- Up to EUR 35 million or 7% of global turnover for prohibited practices
- Up to EUR 15 million or 3% of global turnover for high-risk non-compliance
- Up to EUR 7.5 million or 1.5% of global turnover for incorrect information
Proportionate fines apply for SMEs, but 3% of EUR 5 million revenue is still EUR 150,000.
Start Today
The companies that start preparing now will have a defensible compliance posture. Inventory your AI systems. Classify each one. Map your obligations. Build your compliance infrastructure.
Start your compliance interview with AI Comply Help — classify your AI systems and generate compliance documents in a single conversation.
AI Comply Help supports compliance operations and is not a substitute for legal advice.