EU AI Act for Small Businesses and SMEs: What Actually Applies to You
Most EU AI Act analysis targets large enterprises. This guide covers what small businesses and SMEs actually need to do — which obligations apply, which exemptions exist, and what the real compliance burden looks like.
Key Takeaways
The EU AI Act categorises AI by risk: prohibited (banned), high-risk (strict obligations), limited-risk (transparency requirements), and minimal-risk (no mandatory requirements). Most SME AI use falls into limited-risk or minimal-risk.
High-risk AI covers Annex III use cases: AI in hiring, credit scoring, education, critical infrastructure, and law enforcement. Using ChatGPT for marketing is not high-risk. Using AI to screen job applications is.
From August 2026, all EU businesses must ensure chatbots disclose they are AI, AI-generated images and video are labelled, and emotion recognition AI is disclosed to users.
SMEs benefit from specific support provisions: reduced conformity assessment fees, simplified documentation requirements, priority access to regulatory sandboxes, and dedicated SME guidance from the European AI Office.
The EU AI Act does not replace GDPR — they operate in parallel. For any AI that processes personal data, full GDPR obligations remain in force.
SMEs with high-risk AI use cases (hiring tools, credit scoring, educational assessment) need to be building compliance infrastructure now — Annex III high-risk obligations apply from August 2026 under current law (an AI Omnibus proposal from May 2026 may push this to December 2027, pending formal adoption).
"For informational purposes only. This article does not constitute legal, regulatory, financial or professional advice. Consult a qualified specialist for specific advice."
Does the EU AI Act apply to small businesses?
Yes — size does not determine whether the EU AI Act applies to your business. The Act applies to any provider or deployer of AI systems that places systems on the EU market or puts them into service within the EU, regardless of company size. The AI Act explicitly mentions SMEs 38 times and includes a range of measures designed to reduce compliance costs for smaller businesses — but it does not exempt them from substantive obligations.
What the Act does distinguish is role. Whether you are a provider (you develop an AI system or have one developed and place it on the market under your name or brand) or a deployer (you use an AI system in a professional context) determines what you must do. Most SMEs are deployers — they use AI tools built by others. Deployer obligations are significantly lighter than provider obligations, but they are real, enforceable, and already partly in force.
What is already in force for SMEs
The AI Act came into force on 1 August 2024 and applies in phases. Two obligations that apply to all organisations — including SMEs — are already in effect.
Article 4 — AI literacy (since 2 February 2025). Every organisation that uses AI systems must ensure that staff who work with AI have a sufficient level of AI literacy. This means understanding how the AI tools they use work, what their limitations and risks are, and how to oversee them appropriately. There is no prescribed training format — awareness sessions, written guidance, and practical onboarding are all valid — but compliance must be demonstrable. If a supervisory authority asks how you have implemented Article 4, you need documentation showing what you did, for whom, and when.
Prohibited practices (since 2 February 2025). Eight categories of AI use are banned outright. Most SMEs do not use these, but the prohibition worth checking for smaller businesses is emotion recognition in workplaces and educational institutions. If you use video interview tools that analyse facial expressions or voice tone to assess candidates, that system is prohibited under the AI Act. Other prohibited practices include subliminal manipulation, social scoring by public authorities, and real-time mass biometric identification in public spaces.
Under the Omnibus agreement reached on 7 May 2026, a new prohibition on AI systems that generate non-consensual intimate imagery will apply from 2 December 2026.
The Omnibus simplification — what changed for SMEs
On 7 May 2026, the European Parliament and Council reached a political agreement on the AI Omnibus (Omnibus VII), a package of amendments designed to simplify AI Act implementation. The Omnibus introduces two significant changes relevant to SMEs:
Extended timeline for high-risk AI obligations. Under the original Act, full obligations for high-risk AI systems listed in Annex III (employment tools, credit scoring, biometrics, essential services, and others) were due to apply on 2 August 2026. The Omnibus extends this to December 2027 for standalone Annex III systems. This gives SMEs additional time to prepare, but does not change what they must eventually do.
SME protections extended to mid-caps. The simplified compliance framework previously available only to SMEs (under 250 employees, under €50m turnover) is now extended to small mid-cap companies — businesses with up to 750 employees and up to €150m in annual revenue. Benefits include simplified technical documentation templates, reduced administrative fees, regulatory sandbox access free of charge, and proportionally capped fines.
The Omnibus is pending formal adoption, expected before August 2026, but organisations should plan against the simplified deadlines it introduces.
The August 2026 deadline — what SMEs deploying AI must do
For SMEs using AI systems that fall into Annex III high-risk categories — which includes automated CV screening, employee performance assessment tools, credit scoring systems, and AI in education — the full deployer obligations will apply. Under the Omnibus, the deadline for standalone Annex III systems is December 2027; for AI embedded in products covered by existing EU product safety regulation (such as machinery), the deadline is August 2028.
As a deployer of a high-risk AI system, an SME must: use the system in accordance with the provider's instructions; assign a human to oversee the system and be capable of intervening; ensure input data is relevant and appropriate; keep the automatically generated logs for the legally required period; inform the provider and authorities immediately if a risk or serious incident is identified; and conduct a Fundamental Rights Impact Assessment (FRIA) where the system is used in a public-facing context that significantly affects individuals.
The transparency obligation under Article 50 — requiring disclosure to users that they are interacting with an AI system — applies from 2 August 2026. Under the Omnibus, AI-generated content watermarking applies from 2 December 2026.
Practical compliance steps for SMEs — prioritised
Step 1: Build your AI inventory. List every AI tool your business uses — including SaaS tools, plugins, CRM features, and any employee use of tools like ChatGPT or Copilot. Note what each tool is used for and who uses it. The European Commission's free AI Act Compliance Checker for SMEs (available via the AI Office's Single Information Platform) can help assess each tool's risk level.
Step 2: Document your Article 4 compliance. Record what AI literacy training or awareness activities you have provided, when, and to whom. This is already overdue if not yet done — the obligation has been in force since February 2025.
Step 3: Check for prohibited practices. Review your AI tools against the eight prohibited categories. The highest-risk area for SMEs is AI-powered video interview analysis (emotion recognition). If you use such tools, they must be discontinued.
Step 4: Classify your AI systems by risk. Most AI tools used in SMEs — spam filters, productivity assistants, content recommendations — are minimal risk with no specific obligations beyond Article 4. If any tools fall into Annex III categories (hiring, credit, benefits, essential services), begin preparing for deployer obligations ahead of the December 2027 deadline.
Step 5: Review vendor contracts. Your AI vendors have obligations as providers. Ensure contracts include commitments to provide instructions for use, technical documentation on request, and notification of significant issues. Ask vendors whether their systems have been classified under the EU AI Act risk framework.
Primary sources: EU AI Act — European Commission · EU AI Act Explorer