EU AI Act Compliance Checklist for SMBs (August 2026)
A practical, step-by-step checklist covering every EU AI Act obligation relevant to small and medium businesses — from prohibited practices to AI literacy. Work through each section in order.
Key Deadlines
Step 1: Determine If You Are Affected
The EU AI Act applies if your company is a provider or deployer of AI systems that are placed on the EU market or otherwise affect EU residents. This is true regardless of where your company is headquartered.
[ ] Your company is based in the EU or EEA
[ ] Your company is outside the EU but sells to EU customers
[ ] Your company is outside the EU but its AI outputs affect EU residents (even indirectly)
[ ] Your staff use AI tools (ChatGPT, Copilot, Gemini, AI-powered SaaS, etc.) in their work
    If yes, you are a deployer and the Article 4 AI literacy obligation applies to you.
[ ] Your company develops, fine-tunes, or markets AI systems to others
    If yes, you are a provider and additional obligations apply.
Outcome: If any of the above apply, continue with the checklist. If none apply, the EU AI Act does not currently affect you — but monitor for changes.
Step 2: Prohibited Practices Check (Article 5)
Before anything else: check whether any AI system you operate or plan to operate falls into a prohibited category. These are banned outright — no compliance programme can make them legal.
[ ] You do NOT use AI that performs real-time remote biometric identification in publicly accessible spaces
    Narrow law-enforcement exceptions exist; seek legal advice if you think one applies.
[ ] You do NOT use AI that detects emotions in workplaces or educational institutions
    This includes workplace productivity sentiment detection and student emotion monitoring.
[ ] You do NOT use AI that categorises individuals by race, ethnicity, political opinions, religious beliefs, or sexual orientation from biometric data
[ ] You do NOT use AI that exploits psychological vulnerabilities or uses subconscious manipulation to alter behaviour
[ ] You do NOT use AI to create social scoring systems (government or private entities assigning scores that determine access to services)
[ ] You do NOT use AI to predict individual criminal behaviour based solely on profiling
Outcome: If you ticked all of the above, you are clear of prohibited practices. If there is any item you could not tick, stop and take immediate legal advice — continued use risks fines of up to €35 million or 7% of global annual turnover.
Step 3: Classify Your AI Systems
For each AI system you operate, determine its risk level. Use our free classifier tool or follow these questions.
[ ] You have created a list of all AI systems your business uses or provides
    Include embedded AI features in SaaS tools (e.g. AI-powered recruitment screening in your HR platform).
[ ] For each system, you have identified whether it operates in an Annex III domain: employment, education, financial access, healthcare, law enforcement, border control, public services, or critical infrastructure
    If yes to any, that system is high-risk.
[ ] For each system, you have identified whether it performs biometric processing (not just basic face unlock)
[ ] For each system that interacts with users, you have checked whether it clearly identifies itself as AI
    If not, a transparency obligation applies.
[ ] For each system that generates content depicting real people, you have checked whether labelling is in place
    Deepfakes and synthetic voices of real people require disclosure labelling.
Outcome: Document the risk classification of each system. Keep this record for at least 10 years for high-risk systems.
Step 4: High-Risk AI System Compliance (if applicable)
If you identified any high-risk AI systems in Step 3, these additional obligations apply. If all your systems are minimal or limited risk, skip to Step 5.
[ ] You have implemented a risk management process covering identification, evaluation, and mitigation of foreseeable risks
    Must cover the entire AI lifecycle, from design to decommissioning.
[ ] Technical documentation is prepared and maintained (provider obligation)
    Includes a description of the system, training data, performance metrics, and known limitations.
[ ] Automatic logging of system operation is enabled with a sufficient retention period
    Deployers must retain logs for at least 6 months; longer for some categories.
[ ] Human oversight mechanisms are implemented for all high-risk system outputs
    Humans must be able to understand, monitor, and override the AI's output.
[ ] A conformity assessment has been conducted or obtained from the provider
[ ] The system has been registered in the EU AI database (deployers of high-risk AI must register)
    The database is publicly accessible at the EU level.
[ ] A fundamental rights impact assessment has been conducted (deployers in public services, financial access, and employment)
Outcome: High-risk compliance requires meaningful investment in documentation and process. If you are using a third-party high-risk AI tool, ask your provider for their compliance documentation.
Step 5: Transparency Obligations (Article 50)
These obligations apply to any AI system that directly interacts with people or generates content — regardless of risk level.
[ ] Any AI chatbot or virtual assistant clearly discloses to users that they are interacting with AI
    The disclosure must be clear and timely — ideally at the start of the interaction.
[ ] AI-generated or AI-modified images, video, or audio depicting real, identifiable people are labelled as AI-generated
    The C2PA standard is an acceptable technical labelling method.
[ ] Where users express a desire to interact with a human, this preference is not overridden without their consent
[ ] AI-generated content used for commercial communication or advertising is labelled
    This includes AI-generated social media posts published by your business.
Outcome: Transparency obligations are low-cost to implement. Most can be addressed with a clear disclosure message in your product or content.
Step 6: Article 4 AI Literacy
This applies to ALL companies using AI tools — regardless of risk level. It has been in force since February 2, 2025.
[ ] You have created an inventory of AI tools used by your staff
[ ] You have written a brief AI usage policy for your organisation
    Covers acceptable use, data handling rules, and who to contact with concerns.
[ ] Staff who operate or rely on AI outputs have completed AI literacy training
    Minimum: what AI is, how your tools work, risks and limitations, privacy rules.
[ ] You keep a record of who completed training and when
    An email confirmation, LMS record, or sign-in sheet all count.
[ ] New employees complete AI literacy training before working with AI tools
[ ] Training content is reviewed and updated at least annually
Outcome: AI literacy is the most universally applicable obligation. If you have done nothing else, start here.
Summary: Your Minimum Viable Compliance
For most SMBs that use AI tools but do not build high-risk systems, the most important actions are:
1. Check that you are not using any prohibited AI practices (Step 2)
2. Create a list of the AI tools your business uses
3. Write a short AI usage policy
4. Deliver Article 4 AI literacy training to staff who use AI, and keep records
5. If your AI systems interact with users, ensure they identify themselves as AI
6. If you use any AI in employment, education, or financial decisions — seek legal advice about high-risk obligations
Official Resources
EU AI Act official text: full text with article-level navigation and compliance tools
EU AI Act Compliance Checker: official interactive tool for basic AI system classification
EU AI Service Desk: free guidance from the European Commission for classification questions
IAPP EU AI Act Resource Centre: in-depth analysis and practitioner guidance
Classify Your AI System in 5 Minutes
Our free tool walks through your specific situation and tells you exactly which obligations apply.