
Do Small Companies Have to Comply With the EU AI Act?

AI Comply HQ Team, 12 min read

The Short Answer: Probably Yes, but Maybe Not the Way You Think

We hear this one almost every week. "We are a five-person start-up. The EU AI Act is aimed at Big Tech, not us." We understand the instinct. It is also one of the most expensive assumptions you can make in 2026.

Here is what the headlines miss. The EU AI Act does not care how many people you employ or how much revenue you book. It is a risk-based law, not a size-based one. Your obligations come down to two questions: what your AI system does, and what role you play around it. A two-person team running an AI hiring tool can carry far more obligations than a 2,000-person company whose only AI is a spam filter.

So "are we too small to be covered?" is the wrong question. The right one is "what does our AI actually do, and are we the provider, the deployer, or both?" Answer that, and your obligations fall into place.

You can get that answer in about 90 seconds. Run the free EU AI Act risk check and you will see your role, your likely risk tier, and the obligations that follow. No signup needed to see your result.

Check your risk level free (90 seconds)

Why "Small" Does Not Get You Off the Hook

The Act sorts every AI system into one of four risk tiers: unacceptable, high, limited, and minimal. The obligations attach to the tier, not to your payroll.

Two more things decide your duties, and neither one is your size.

Your role. If you build an AI system and put it on the market or into service under your own name, you are a provider, and you carry the heaviest set of obligations. If you use an AI system in the course of your business, you are a deployer, with a lighter but real set of duties. Plenty of small companies are both at once: you fine-tune a model and ship it inside your product (provider), and you also run a third-party chatbot internally (deployer).

Where the output lands. The Act reaches beyond EU borders. Under Article 2, it applies to providers that place a system on the EU market, to deployers established in the EU, and to providers and deployers based anywhere in the world when the output of their system is used in the EU. A US start-up with EU users is in scope. So is a UK consultancy whose AI report lands on a client's desk in Berlin.

Headcount is not on that list. Neither is turnover.

Three Duties That Apply No Matter How Small You Are

Even if your AI turns out to be minimal-risk, three obligations can still reach you. Two of them are already enforceable today.

1. You cannot use a banned AI practice (Article 5). Eight practices are flat-out prohibited, including social scoring, manipulative subliminal techniques, and most real-time biometric identification in public spaces. There is no SME carve-out and no grace period left. These rules went live on 2 February 2025.

2. Your team needs AI literacy (Article 4). Every provider and deployer must make sure the people building or operating AI on their behalf have a sufficient level of AI literacy. This one surprises small teams constantly, because it has nothing to do with risk tier and everything to do with training your staff. It also went live on 2 February 2025.

3. If you run a chatbot or generative AI, you owe transparency (Article 50). Users have to be told when they are talking to a machine, and AI-generated images, audio, video, and text have to be marked as artificial. Most small SaaS products ship a chatbot, so this is probably you. The transparency rules apply from 2 August 2026.

Notice the pattern. The duties that catch small companies first are not the heavy high-risk ones. They are the everyday ones that feel too basic to regulate.

The High-Risk Triggers That Catch Small Companies

Before you assume your AI is low-stakes, hold it up against the high-risk list. Annex III names the uses the EU treats as high-risk no matter who runs them, and several are common in small businesses:

  • Hiring and HR: CV screening, candidate ranking, or tools that shape promotions and task allocation.
  • Credit and insurance: scoring someone's creditworthiness or setting risk-based pricing for individuals.
  • Education: software that grades exams, scores assignments, or weighs admissions.
  • Essential services: AI that helps decide access to public benefits or essential private services.
  • Biometrics: identifying or categorising people from biometric data.

If your AI touches any of these, it is most likely high-risk, and the size of your team does not change that. The full obligations apply, softened by the SME relief we cover below. Not sure where your system sits? The risk check settles it in about 90 seconds.

So When Are You Actually Off the Hook?

Here is the genuinely good news. A lot of small-company AI lands in the minimal-risk tier, where the Act asks for nothing mandatory. A recommendation widget on your store, an AI writing assistant your marketing team uses, an analytics model that forecasts churn: most of this carries no formal obligations at all, beyond the three baseline duties above.

The catch is that you have to confirm it. Guessing wrong is the part that costs money.

The penalties are sized to get a boardroom's attention. A prohibited-practice breach can reach €35 million or 7% of global annual turnover. Most other obligations top out at €15 million or 3%. There is real mercy built in for smaller players, which we cover below, but the headline numbers are why "we assumed we were fine" is not a defence anyone wants to test.

And fines are not the only cost. EU enterprise buyers increasingly ask for AI Act compliance during vendor reviews and procurement. For a small B2B company, a missing answer is not only a legal risk, it is a stalled deal. Show your classification and documentation, and compliance becomes a reason buyers pick you over a competitor who shrugs.

This is exactly what the risk check is for. It walks you through the same classification logic an auditor would, and tells you which tier each of your systems falls into before a regulator does.

Find your risk tier in 90 seconds

The Relief the Act Buries in the Fine Print

Most scare-pieces stop at the fines. That always frustrates us, because they skip the best part: the Act was deliberately written to go easier on small companies. The EU did not want compliance costs to crush start-ups, so it wrote in concrete relief for SMEs and microenterprises.

First, the definitions, so you know which bucket you are in (from EU Recommendation 2003/361):

  • Microenterprise: fewer than 10 staff and up to €2 million in turnover or balance sheet total.
  • Small enterprise: fewer than 50 staff and up to €10 million.
  • Medium enterprise: fewer than 250 staff and up to €50 million in turnover.

If you fit one of those, here is what the Act actually gives you:

If you qualify as | The Act gives you | Where it lives
Any SME or start-up | Simplified technical documentation. The Commission must publish a reduced Annex IV form built for small and microenterprises. | Article 11(1)
Any SME or start-up | Conformity-assessment fees reduced in proportion to your size, development stage, and market. | Article 62
Any SME or start-up | Priority access to regulatory sandboxes, plus dedicated awareness and training channels. | Articles 57 to 62
Any provider | A quality management system scaled to the size of your organisation, not a one-size-fits-all burden. | Article 17(2)
Microenterprise | The right to meet certain quality-management obligations in a simplified way. | Article 63
Any SME or start-up | Fines capped at the lower of the percentage or the fixed amount, not the higher of the two. | Article 99(6)

That last row matters more than it looks. For a large company, a fine is the higher of "X million euros" or "Y% of turnover." For an SME, the Act flips it to the lower of the two. The deterrent stays, but it is scaled so a single mistake will not end a small business.

None of this relief is automatic, though. You only benefit once you know your classification and your role, which loops back to the same first step.

Your Next 90 Seconds

Let us make this concrete. Whether you are a solo founder with one AI feature or a 40-person team with a handful of models, the path is the same:

  1. Find out where you stand. Take the free risk check. In about 90 seconds you will know your role, your risk tier per system, and the specific obligations that attach.
  2. Close the gaps. AI Comply HQ runs a guided, plain-language interview that maps your answers to the exact Articles and Annexes, flags what is missing, and drafts your documentation for you. A compliance consultant typically charges €10,000 or more for the scoping alone, and the full engagement runs for months. The same first pass takes a small team an afternoon, our plans start at $97 a month, and the risk check itself is free.
  3. Stay ready. Your compliance status, deadlines, and any regulatory changes live in one dashboard, so the August 2026 deadline arrives as a non-event.

The deadline for high-risk obligations is 2 August 2026. A delay to parts of the high-risk regime has been proposed in the EU's Digital Omnibus package, but it is not law yet, so the only safe plan is to be ready for August. The prohibited-practice and AI-literacy duties, remember, are already in force.

Start your free 7-day trial

Frequently Asked Questions

Does the EU AI Act apply to companies outside the EU? Yes, more often than founders expect. Article 2 pulls in providers and deployers based anywhere in the world when their AI system's output is used in the EU. If you have EU customers or your AI's results reach people in the EU, location does not save you.

We only use AI tools, we do not build them. Are we still covered? Probably. Using a third-party AI system in your business makes you a deployer, and deployers have their own duties: human oversight, transparency to affected people, and AI literacy for staff, for a start. The obligations are lighter than a provider's, but they are not zero. If your product is built on a general-purpose model such as GPT or Claude, you are a deployer of that model, and those deployer duties apply to how you use it.

Is there a revenue or headcount threshold below which we are exempt? No. The Act has no "you are too small to comply" line. Size affects the relief you receive (simplified documentation, lower fee caps, the lower-of fine rule), not whether the law applies to you.

What happens if we just wait and see? Two of your likely obligations, the Article 5 prohibitions and the Article 4 AI-literacy duty, have been enforceable since February 2025. Waiting on those is already late. For high-risk systems, every month closer to August 2026 is a month less to remediate.

How do we find our risk tier without paying a consultant? Take the free risk check. It runs the same classification logic an auditor would, returns your tier and role, and points you to the obligations that follow, at no cost and with no signup to see your result.

For the full picture, see our EU AI Act FAQ, our guide to risk classification, the breakdown of prohibited practices, the full list of compliance deadlines, and our guide to EU AI Act fines and penalties.

Update: Where the Digital Omnibus Stands (June 12, 2026)

A quick note before you act on any date in this article. The Digital Omnibus is a simplification package the European Commission proposed on November 19, 2025. It would amend several EU digital laws at once, and for the AI Act it proposes two big changes: the high-risk obligations would apply later (December 2, 2027 for the stand-alone high-risk systems listed in Annex III, and August 2, 2028 for high-risk AI embedded in regulated products), and a number of requirements would be simplified along the way.

Here is the part that matters: none of this is law yet. The European Parliament and the Council reached a provisional agreement on May 7, 2026, and formal adoption is expected, but until the final text is adopted and published, nothing changes. The dates and obligations described in this article are the ones in force today. And the rules that already apply, like the prohibited practices and the AI literacy duty, stay exactly where they are no matter what happens to the Omnibus.

We are watching this closely. The moment the Omnibus is adopted, amended, or rejected, we will update this article to reflect the new EU AI compliance dates. Check back, or run the free 90-second risk check to see your obligations under the rules as they stand right now.

Ready to assess your EU AI Act compliance?

Start a guided compliance interview, get your AI system's risk classification, and generate an audit-ready report.

Start Your Free 7-Day Trial

Not ready to sign up? Take the free 90-second risk check →