What is the EU AI Act?
The EU AI Act is a European regulation that sets rules for how AI systems are developed, sold, and used.
What makes it different from many other regulations is that it is based on risk. The higher the potential impact on people's safety, rights, or opportunities, the stricter the requirements become.
That means not every company faces the same obligations. A team using AI internally for light productivity work is in a very different position from a company using AI in hiring, credit decisions, healthcare, or other sensitive contexts.
The practical question is not just what AI tool you use. It is how that tool affects people and decisions.
Do you need to comply with the EU AI Act?
In many cases, yes.
A lot of smaller companies assume the AI Act is mainly aimed at big tech or large enterprises. That is a mistake. SMEs and startups can absolutely fall within scope.
If your business:
- uses AI in hiring or screening
- makes decisions that affect customers or employees
- offers AI features inside a software product
- automates recommendations or judgments
- relies on generative AI in customer-facing workflows
…then the AI Act may already be relevant.
The easiest way to find out is not to guess. It is to run a structured check based on how your business actually uses AI.
EU AI Act risk classification, explained simply
The regulation groups AI systems into different risk levels.
At a high level, these are:
- Unacceptable risk — not allowed at all
- High risk — strict requirements
- Limited risk — mainly transparency
- Minimal risk — very few obligations
What matters is that risk classification depends on context.
The same underlying technology can be low risk in one situation and much more heavily regulated in another. Using a generative AI tool internally for brainstorming is not the same as using AI to filter job applicants or influence access to essential services.
A practical AI Act checklist for SMEs
Most companies do not need to start with a giant compliance project.
They need to answer a few practical questions first:
- Where are we using AI today?
- Does any of it affect people in a meaningful way?
- Are we building, selling, or simply using these systems?
- Which obligations are actually relevant to us?
That is why a checklist-based approach works so well. It gives you a structured way to assess exposure without turning the whole thing into a legal research project.
When does the EU AI Act apply?
The rollout happens in stages, which means enforcement does not arrive all at once.
That does not mean companies should wait. It means there is a window right now to understand your position before obligations become more pressing.
For most SMEs, that is the smart move. Get clarity early, focus on what applies, and avoid scrambling later. Check the EU AI Act timeline for key dates.
What happens if you ignore it?
There are potential fines and legal consequences, but for many growing companies the more immediate problem is uncertainty.
When you do not know whether the regulation applies, product decisions slow down. Customer conversations get harder. Internal teams work without clear boundaries. And future compliance becomes more expensive than it needed to be.
A lot of the value comes from understanding your exposure early.
How to approach compliance without overcomplicating it
This does not need to begin as a legal project.
A practical first step looks more like this:
- identify where AI is used
- understand whether it affects people or decisions
- estimate the level of risk
- focus only on what applies
- document as you go
That is a much more realistic path for SMEs than trying to solve everything at once.
Key EU AI Act dates companies should track
The AI Act entered into force in August 2024, but the obligations apply in phases. That matters because preparation windows are different depending on the type of obligation.
- 2 February 2025: prohibited AI practices started applying.
- 2 August 2025: several governance and general-purpose AI obligations began applying.
- 2 August 2026: many core high-risk AI obligations are scheduled to apply under the original framework.
- 2027–2028: later dates may matter for certain high-risk systems, regulated products, and potential Omnibus changes.
For SMEs, the practical message is simple: do not wait for the final enforcement date before mapping systems. The useful work now is system inventory, role analysis, risk classification, documentation and basic governance ownership.
Provider, deployer, importer and distributor roles
The AI Act does not only ask whether you use AI. It asks what role your company plays in relation to an AI system.
A provider develops or places an AI system on the market under its own name. A deployer uses an AI system in a professional context. Importers and distributors can also have obligations where systems are made available in the EU market.
This distinction is critical for software companies. If your SaaS product includes an AI feature, you may be closer to a provider role than a company simply using AI internally. If your team uses a third-party AI tool to support internal work, you may mainly be a deployer. The same company can also have different roles for different systems.
How the AI Act connects to GDPR
GDPR and the AI Act often apply together, but they answer different questions. GDPR focuses on personal data. The AI Act focuses on AI system risk, system use and impact on people.
If an AI hiring system processes candidate data, GDPR is relevant because personal data is processed. The AI Act may also be relevant because the system affects access to employment. That means GDPR compliance is not automatically AI Act compliance.
For a structured comparison, read EU AI Act vs GDPR.
Common SME examples
Here are typical patterns where SMEs should pause and assess:
- HR and recruitment: CV screening, candidate ranking, interview scoring or employee evaluation can create high-risk exposure.
- SaaS products: AI recommendations, automated scoring, decision support or customer-facing chatbots can create transparency or risk-management obligations.
- Financial services: creditworthiness, fraud scoring, eligibility assessment or risk ranking may require closer review.
- Customer support: chatbots and generated content may trigger transparency obligations, especially where users may not know they are interacting with AI.
- Internal productivity: drafting, summarising and brainstorming are often lower pressure, but GDPR and confidentiality still matter if sensitive data is entered.
What documentation should SMEs start with?
A practical documentation set does not need to be complex at first. Start with an AI system inventory, a short description of each system, who owns it internally, what data it uses, who is affected, whether a human reviews outputs, and whether the system influences decisions.
For potentially higher-risk systems, add more detail: intended purpose, limitations, oversight process, logging, incident handling, vendor information, and the basis for your risk classification. This creates a defensible internal record even before a full compliance programme exists.
Where to go next
Use this guide as the hub. If you need applicability first, read "Do I need to comply with the EU AI Act?" For concrete steps, use the AI Act compliance checklist. For examples, see EU AI Act examples. If you build software, read EU AI Act for SaaS companies. If deadlines are your concern, check the EU AI Act timeline and the Omnibus update.
Start with a free AI Act compliance check
If you want a faster answer, start with the compliance check.
It is a simple way to understand whether the AI Act may apply to your business, where your risk may sit, and what to look at next.