Compliance Guide

    Do I Need to Comply with the EU AI Act?

    AI Act Navigator provides guidance and does not replace legal advice.

    If you've landed on this question, you're already ahead of most companies. Because what usually happens is the opposite.

    Teams either assume "this probably doesn't apply to us" — or they panic slightly and think they need to sort EU AI Act compliance immediately. Let's be honest: both reactions are common, and neither is particularly helpful.

    The short answer

    You need to comply with the EU AI Act if:

    • You build AI systems (you're a provider)
    • You use AI systems in your operations (you're a deployer)
    • You sell AI systems into the EU market

    If none of those apply — you're probably out of scope. But most SMEs fall somewhere in the middle, which is where things start to get a bit messy.

    Why this question is harder than it looks

    The mistake most companies make is trying to answer this as a yes/no question. It's not.

    The EU AI Act doesn't work like "you are compliant" or "you are not compliant". Instead, it works like: your obligations depend on how you use AI.

    That's a very different model. And it's why two companies of the same size, in the same industry, can have completely different compliance requirements.

    If you want the full context, it's worth stepping back and reading the EU AI Act guide first. Without that, this question tends to feel more complicated than it really is.

    The two things that actually determine if you need to comply

    In practice, this comes down to two things.

    1. Your role

    Under the EU AI Act, you're typically one of the following:

    • Provider → you build or place AI systems on the market
    • Deployer → you use AI systems in your business
    • Importer / distributor → you bring AI into the EU market

    Most SMEs are deployers. Some are providers. A few are both. And your responsibilities differ depending on which role you're in.

    2. Your AI risk level

    This is the part that matters most. Every AI system is classified based on risk:

    • Minimal risk
    • Limited risk
    • High risk
    • Unacceptable risk

    And your compliance obligations scale accordingly. Not your company size. Not your funding. Just the risk profile.

    If you haven't worked this out yet, the AI risk classification guide is the place to start. Because without it, you're essentially guessing.

    A quick way to sanity-check your situation

    In most companies I've worked with, you can get a surprisingly clear answer just by walking through a few questions:

    • Are we building our own AI system?
    • Are we using AI to make decisions that affect people?
    • Would something breaking here actually matter?

    If the answers are mostly "no", you're likely in minimal or limited risk territory.

    If the answers are "yes" — particularly around decision-making (hiring, credit, access) — then you're likely moving into high-risk AI. That's where compliance becomes more structured.

    A real example

    I worked with a company recently — about 30 people, B2B SaaS — who were convinced they needed full EU AI Act compliance.

    They were using AI-generated summaries, a basic recommendation engine, and some internal automation. Their assumption was: "We use AI → we must comply fully."

    When we broke it down properly: no high-risk use cases, no critical decision-making, mostly internal tooling.

    They still needed to think about transparency and documentation — but nowhere near the level they expected. A few targeted changes, a bit of structure, and they were in a good place.

    That's far more typical than most people realise.

    So… do you actually need to comply?

    Here's the honest answer:

    • Yes — if you use or build AI in ways covered by the regulation
    • But the level of compliance depends entirely on your risk level

    For many SMEs, that means some obligations — but not a full compliance burden. The problem is that most guidance doesn't make that distinction clearly enough.

    What to do next

    If you want to move from "uncertain" to "clear", here's what I'd suggest:

    1. Start by mapping where AI actually shows up in your business.
    2. Then check whether the EU AI Act applies to those use cases.
    3. From there, classify your systems by risk — this is the step that matters most.
    4. Finally, focus only on the obligations that apply to your category.

    If you want a structured way to go through that process, the AI Act compliance checklist helps.

    Where companies usually get this wrong

    Not because they're careless — but because the information out there is confusing.

    I've seen teams overcomplicate things and slow themselves down — or ignore it entirely until it becomes urgent. Both tend to create more work later.

    The better approach is usually somewhere in the middle — clear, structured, and proportionate to your risk.

    Final thought

    The EU AI Act isn't trying to catch SMEs out. It's trying to ensure that AI systems are used responsibly — especially where they affect people.

    Once you look at it through that lens, the question shifts from "do we need to comply?" to: what level of responsibility do we actually have?

    And that's a much more useful question.

    FAQ

    Do all SMEs need to comply with the EU AI Act?

    Not automatically. It depends on how you use AI — not how big your company is.

    What if we only use off-the-shelf AI tools?

    You may still have obligations as a deployer, especially if those tools affect decisions about people.

    Does internal AI use count?

    It can — but internal productivity use is typically lower risk than customer-facing or decision-making use.

    What's the quickest way to check?

    Map your AI use cases, classify them by risk, and focus on the obligations that actually apply.

    ActNavigator provides preliminary compliance guidance based on the EU AI Act (Regulation 2024/1689) and publicly available regulatory frameworks. Assessments are based solely on user-provided answers and do not constitute legal advice, legal opinion, or a guarantee of regulatory compliance.

    The EU AI Act is subject to ongoing implementation and potential amendment. Organizations remain solely responsible for their regulatory obligations. ActNavigator accepts no liability for decisions made on the basis of this assessment. For a formal review, consult a qualified legal professional.

    Some content and outputs in this service may be generated or assisted by artificial intelligence. While we strive to ensure accuracy and relevance, the information provided should not be considered legal advice.
