    EU AI Act for SMEs — What Actually Matters (and What Doesn't)

    AI Act Navigator provides guidance and does not replace legal advice.

    If you run an SME, you've probably had one of two reactions to the EU AI Act: "This doesn't apply to us" or "This is going to be a nightmare."

    Both reactions are understandable. And in most cases, both are slightly off.

    I've sat with enough founders over the past couple of years — across SaaS, fintech, even fairly traditional industries — to see the same pattern repeat. The regulation itself isn't the real problem. It's the lack of clarity around what it actually means in practice.

    What the EU AI Act actually means for SMEs

    The EU AI Act for SMEs isn't a separate version of the regulation. You're playing by the same rules as everyone else.

    But — and this is the part people often miss — your actual workload depends almost entirely on how you use AI, not how big your company is.

    At its core, the EU AI Act is trying to do something quite simple: match regulatory requirements to risk.

    If you haven't looked at the broader picture yet, it's worth starting with the EU AI Act guide. Without that context, everything else tends to feel more complicated than it really is.

    What most SMEs think (and where it starts to go wrong)

    In most companies I've worked with, the thinking tends to fall into one of two camps.

    First group: "We're too small — surely this is aimed at big tech?"

    Second group: "We use AI in a few places… this is going to require a full compliance team, isn't it?"

    Neither is quite right.

    I remember working with a mid-sized SaaS company last year — about 40 people, fairly typical setup. They had a couple of AI features: a recommendation engine and some automated customer responses.

    Their assumption? High risk, heavy compliance, lots of overhead. In reality, once we mapped their use cases properly, most of what they were doing fell into limited risk. The actual work required was far lighter than they expected — mainly around transparency and some basic documentation.

    We stripped it down, built a simple internal process, and they were done in a couple of weeks. That's usually how this plays out when you approach it properly.

    The bit that actually matters: AI risk classification

    Everything in the EU AI Act comes back to one thing: AI risk classification.

    Every system sits somewhere on this spectrum:

    • Minimal risk
    • Limited risk
    • High risk
    • Unacceptable risk

    And your obligations scale accordingly. Not your company size. Not your revenue. Not how "advanced" your AI feels. Just the risk profile.

    If you're unsure where you land, the AI risk classification guide is the place to start. Once that's clear, most of the confusion disappears.

    Do SMEs actually need to comply?

    Short answer: sometimes yes, sometimes no.

    You'll likely need to think seriously about AI Act compliance if you:

    • Build AI systems (you're a provider)
    • Use AI in decision-making contexts (you're a deployer)
    • Sell into the EU market

    If you're just experimenting internally, or using off-the-shelf tools in low-risk ways, your obligations may be minimal.

    If you're not sure where you stand, check if you need to comply — it tends to clear things up quite quickly.

    What compliance actually looks like in a real SME

    This is usually where things start to get a bit messy — because people imagine something far heavier than what's actually required.

    In practice, for most SMEs I've worked with, compliance looks more like this:

    • You document how your AI system works — not in a 50-page legal document, but in a way your own team can understand.
    • You identify where the risks are — particularly if your system affects users, decisions, or outcomes in a meaningful way.
    • You put in place some basic governance — who owns this, how it's monitored, what happens if something goes wrong.

    And if you're in a higher-risk category, you go a bit deeper. That's it.

    It's not trivial, but it's also not the kind of thing that should bring your roadmap to a halt.

    A practical way to approach the EU AI Act

    If I had to reduce this to something actionable — the way I usually explain it to founders — it would be this:

    1. Map where AI actually shows up in your product or operations. Not "we use AI", but where, how, and why.
    2. Check whether the EU AI Act applies to those use cases. Don't guess — verify it.
    3. Classify each system by risk. This is the step that drives everything else.
    4. Focus only on the obligations that apply to your category. Ignore the rest — you don't get points for over-compliance.
    5. Put some lightweight processes in place, and revisit things as your product evolves.

    If you want a more structured version of that, the AI Act compliance checklist is a good place to start.

    Where SMEs usually get stuck

    Not because they're careless — but because the information out there isn't particularly helpful.

    Most guidance is either too abstract, too legal, or tries to cover every possible scenario — which leaves SMEs in a slightly awkward position.

    I've seen teams spend weeks overthinking this — building processes they don't need, documenting things no one will ever read — simply because they didn't have a clear starting point.

    And I've seen the opposite as well — companies ignoring it entirely until it becomes urgent, usually when a partner or customer asks questions.

    Neither approach is ideal.

    The strategic view

    The companies that handle the EU AI Act well don't treat it as a compliance exercise. They treat it as operational clarity.

    • They understand how their systems work.
    • They know where the risks are.
    • They've built simple processes that scale with them.

    Which means when regulation comes in — whether it's the AI Act or something else — they're already most of the way there.

    Final thought

    For SMEs, the EU AI Act isn't about doing everything. It's about doing the right things, based on your actual risk.

    Once that clicks, the whole thing becomes far more manageable — and, in some cases, even useful.

    FAQ

    Do SMEs need to comply with the EU AI Act?

    Sometimes yes, sometimes no. It depends on how you use AI — not how big your company is.

    What is considered high-risk AI?

    High-risk AI includes systems used in hiring, credit scoring, critical infrastructure, and other decision-making contexts.

    Is the EU AI Act already in force?

    The regulation is being phased in over time, with different requirements taking effect at different stages.

    What's the best first step for an SME?

    Map where AI shows up in your product or operations, then classify each system by risk.

    ActNavigator provides preliminary compliance guidance based on the EU AI Act (Regulation 2024/1689) and publicly available regulatory frameworks. Assessments are based solely on user-provided answers and do not constitute legal advice, legal opinion, or a guarantee of regulatory compliance.

    The EU AI Act is subject to ongoing implementation and potential amendment. Organizations remain solely responsible for their regulatory obligations. ActNavigator accepts no liability for decisions made on the basis of this assessment. For a formal review, consult a qualified legal professional.

    Some content and outputs in this service may be generated or assisted by artificial intelligence. While we strive to ensure accuracy and relevance, the information provided should not be considered legal advice.

    © 2026 actNavigator. All rights reserved.