SMB & Startup Guide

EU AI Act for Small and Medium Businesses: What You Actually Need to Do

Most guidance on the EU AI Act is written for enterprise legal teams. This guide is written for a business owner or ops lead at a company with 5–250 employees. It covers what the Act actually requires of SMBs, which SME-specific provisions reduce your burden, and the fastest compliant path to August 2, 2026.

10 min read · Updated June 2026 · Not legal advice

The Short Answer

Most SMBs: 3 things
AI literacy training, prohibited practices check, chatbot disclosure if applicable. Light, inexpensive, achievable in a day.
HR/credit AI users: more work
AI in hiring or credit decisions is high-risk with real documentation obligations. Start here if this applies to you.
Fines are proportional
Article 99(6) requires authorities to scale fines to SMB turnover and financial position. But compliance is still legally required.

Does the EU AI Act Apply to My Business?

The EU AI Act applies to your business if:

  • Your business is based in the EU, or
  • You have customers or users in the EU, or
  • You build or deploy AI systems whose outputs are used within the EU

UK businesses: this applies to you

Post-Brexit, the UK is not in the EU — but the EU AI Act has extraterritorial reach. If you sell to EU customers or deploy AI that processes data about EU residents, you are in scope. The UK is developing separate AI regulation that is lighter-touch, but it does not protect you from EU AI Act obligations for EU-facing operations.

The 5 Things Every SMB Must Do

Regardless of what AI you use, these five obligations apply to all businesses within scope. Steps 1–4 are the minimum for a business using only off-the-shelf tools.

01. Check for prohibited practices

Already in force (Feb 2025)

Eight categories of AI have been banned outright since February 2025. The ones most likely to catch SMBs are emotion recognition at work or school, and subliminal manipulation tools. Run through the prohibited practices list and confirm you're not doing any of them.

See the prohibited practices guide

02. Build an AI inventory

Do this first

List every AI tool and system your business uses or has deployed. For each one, note: what it does, who uses it, what decisions it influences, and whether it processes data about individuals. This takes 1–2 hours and is the foundation for everything else.

Use the compliance checklist

03. Run each system through the classifier

Takes 5 minutes per system

Once you have your inventory, use the classifier to determine whether each system is prohibited, high-risk, limited risk, or minimal risk. This tells you exactly what compliance work is required for each one.

Open the risk classifier

04. Implement AI literacy training (Article 4)

In force since Feb 2025

Mandatory for all businesses with staff who use or oversee AI. "Sufficient AI literacy" means your employees understand what AI is, its limitations, how to spot errors, and when to escalate decisions to a human. Document that the training happened — the documentation is what matters for enforcement.

See the Article 4 AI literacy guide

05. Add transparency disclosures where required

Applies August 2, 2026

If you have a customer-facing chatbot or AI assistant, it must identify itself as an AI at the start of every interaction. If you generate synthetic media (AI-generated images or video of real people), label it. Both obligations apply from August 2, 2026.

See the transparency requirements guide

Your Compliance Path: 3 SMB Scenarios

Find the scenario that best describes your business. Each has a different compliance burden — most SMBs are in Scenario A.

Scenario A: You use off-the-shelf AI tools

Time: 2–4 hours · Cost: £0
Examples: ChatGPT, Copilot, Gemini, Grammarly, Canva AI, Notion AI, HubSpot AI
  • AI literacy training for staff who use the tools (Article 4)
  • Confirm none of your use cases are in the prohibited category
  • No registration, no technical documentation, no conformity assessment

This is the most common SMB situation. If you use ChatGPT for drafting emails, Canva AI for graphics, or Copilot for productivity — you are a minimal-risk deployer. Your obligations are light: train your staff on what AI is and how to use it responsibly, and you're done. Use the classifier to confirm.

Scenario B: You've built a customer-facing AI feature

Time: 4–8 hours · Cost: £0–£500
Examples: A chatbot on your website, an AI assistant in your app, a product that uses an LLM API
  • AI literacy training (Article 4)
  • Chatbot disclosure: tell users they are interacting with an AI (Article 50)
  • If generating content about real people, label it as AI-generated (Article 50)
  • If your system makes consequential decisions (credit, hiring, safety), it may be high-risk; check Scenario C

If you have deployed a chatbot or built a feature using an LLM API (OpenAI, Anthropic, Google, etc.), you are a deployer under the EU AI Act. Your primary obligation is transparency: the chatbot must identify itself as an AI. This is simple to implement — one line of text at the start of every conversation. The bigger question is what the system actually does: if it makes decisions affecting individuals' rights, you may be in high-risk territory.

Scenario C: You use AI in HR, credit, or access-to-services decisions

Time: 40–100 hours · Cost: £2,000–£15,000+
Examples: CV/résumé screening, job applicant scoring, creditworthiness assessment, benefits allocation, performance evaluation
  • AI literacy training (Article 4)
  • Risk management system documented (Article 9)
  • Technical documentation prepared (Article 11, Annex IV)
  • Fundamental rights impact assessment (Article 27, deployers)
  • Human oversight mechanism in place (Article 14)
  • Registration in EU AI database (for providers only, Article 49)
  • Inform affected individuals (Article 26)

AI used in hiring, promotion, performance management, or credit decisions is listed in Annex III as high-risk. The obligations are real: you need documented risk management, technical records, a fundamental rights impact assessment, and human oversight for every significant AI-assisted decision. If you didn't build the system yourself, your obligations as a deployer are somewhat lighter than a provider's — but they are still mandatory and enforceable from August 2, 2026.

SME-Specific Provisions in the Act

The EU AI Act includes three provisions specifically designed to reduce the burden on SMBs and startups. These do not remove compliance obligations — they provide proportionality on fines, access to support, and regulatory testing environments.

Article 99(6)

Proportional fines for SMEs and startups

When calculating fines, national competent authorities must consider the financial and economic viability of SMEs and startups. This means fines for small businesses are assessed against their actual turnover and financial situation, not the same absolute cap applied to multinationals.

This provision reduces the fine amount — it does not exempt SMBs from compliance obligations. A small business that is actually non-compliant can still be fined; the proportionality rule only affects the ceiling.

Articles 57–63

Regulatory sandboxes

EU member states must establish AI regulatory sandboxes — controlled environments where SMBs and startups can develop, test, and validate AI systems before market launch, with direct guidance from the national authority. Startups and SMBs are explicitly prioritised for sandbox access.

If you are building an innovative AI system and are uncertain about your obligations, the sandbox is designed exactly for this. Apply to your national authority (e.g. the UK ICO's equivalent under DSIT, the German BNetzA, or France's CNIL).

Article 55

Additional sandbox support for SMEs

Market surveillance authorities must offer SMEs specific support and channels to raise questions and seek guidance on how to comply with the Act. Authorities are expected to publish simplified guidance targeted at SMBs and provide helplines.

In practice, this is not yet fully implemented across all member states. Watch your national authority's website for SME-specific guidance. The European AI Office publishes guidance that applies across the EU.

What's Already In Force vs August 2026

Already enforceable now
  • AI literacy (Article 4) — since February 2025
  • All 8 prohibited practices (Article 5) — since February 2025
  • GPAI model provider obligations — since August 2025

Applies from August 2, 2026
  • High-risk AI system obligations (bulk of Annex III)
  • Transparency requirements — chatbot disclosure, deepfake labelling
  • Deployer obligations including FRIA
  • Fundamental rights impact assessments

How Common SMB AI Tools Are Classified

Quick reference for the tools most SMBs are already using. These classifications are general guidance — always run your specific use case through the classifier to confirm.

Tool / Use Case | Typical Classification | Main Obligation
ChatGPT / Gemini for internal drafting | Minimal risk | AI literacy training only
Microsoft Copilot for productivity | Minimal risk | AI literacy training only
Canva / Adobe Firefly for image creation | Minimal risk | AI literacy training only
Website chatbot (customer service) | Limited risk | AI disclosure to users (Article 50)
AI-generated marketing videos | Limited risk | AI-generated label if depicting real people
LLM API integration in your product | Limited risk (usually) | AI disclosure + check use case
CV / résumé screening AI tool | High risk (Annex III) | Full high-risk deployer obligations
AI performance monitoring of staff | High risk (Annex III) | Full high-risk deployer obligations
AI credit scoring / loan decisions | High risk (Annex III) | Full high-risk deployer obligations
Emotion recognition at work | Prohibited (Article 5) | Must not use — banned since Feb 2025

Always verify your specific use case with the risk classifier — these classifications are general and your actual implementation may place you in a different category.

Frequently Asked Questions

My business is tiny — under 10 employees. Do I really need to worry about the EU AI Act?

Size does not determine whether the Act applies. What matters is whether you use AI that falls within the Act's scope — particularly any AI that processes data about EU residents or affects their rights. Most very small businesses using standard productivity tools (ChatGPT, Copilot) only need to satisfy the AI literacy requirement (Article 4), which is low-effort. The key obligation is to know what you're using and check it isn't in a prohibited or high-risk category.

I'm a UK business post-Brexit. Does the EU AI Act apply to me?

Yes, if you have customers in the EU or if your AI systems affect EU residents. The EU AI Act has extraterritorial scope — it applies to AI providers and deployers outside the EU if the outputs of their AI systems are used within the EU. A UK business selling to French, German, or Italian customers whose products or services involve AI must comply. The UK is developing its own AI regulation separately (a lighter-touch, principles-based approach), but it does not insulate you from EU AI Act obligations for EU-facing activities.

We use a third-party AI tool (like HubSpot with AI features). Are we the deployer?

Yes, in most cases. When you use an AI-powered product built by another company, you are a deployer. Your obligations depend on the risk level of the underlying AI system. For most productivity and marketing AI, you are minimal or limited risk — your obligation is AI literacy training and confirming the system is not prohibited. If the vendor's AI system is high-risk (e.g. an AI hiring tool), you as the deployer have specific obligations including conducting a fundamental rights impact assessment.

We use an AI tool for CV screening and hiring decisions. What exactly do we need to do?

AI used in employment recruitment and worker management is explicitly listed in Annex III as high-risk. As a deployer, your obligations include: (1) conducting a fundamental rights impact assessment; (2) implementing human oversight — a human must be able to review and override AI-assisted decisions; (3) informing affected individuals that AI is used in the process; (4) maintaining logs of system use; (5) documenting that you have verified the system from your provider meets its obligations. This is the most compliance-intensive category for SMBs. If the August 2 deadline is approaching, deprioritise other AI work and focus here first.

What happens if we're not compliant by August 2, 2026?

National authorities can investigate, require you to bring systems into compliance, or impose fines. For SMBs, fines are proportional to turnover (Article 99(6)), but even proportional fines are significant — a €15M/3% tier violation, scaled to a small business with €2M turnover, is €60,000. More likely in the near term: the first enforcement actions will target larger companies or egregious cases, not every small business simultaneously. That said, the deadline is real, the obligation is legal, and the cost of being non-compliant grows as enforcement ramps up. Starting now is far cheaper than scrambling post-deadline.

I only use AI internally — no customer-facing AI. Do the same rules apply?

Internal-use AI is generally treated the same under the Act if it falls into a regulated category. AI used to make decisions about your own employees (performance monitoring, absence management, internal scoring) is covered by the high-risk category for "employment, workers management and access to self-employment." If you use an AI tool purely for internal productivity (drafting documents, summarising meetings, generating code) with no consequential decisions about people, you are likely minimal risk — AI literacy training and a prohibited practices check are your main obligations.

Know Your Obligations in 5 Minutes

Use the free risk classifier to get a specific classification and action list for each AI system your business uses. No signup, no legal jargon.
