Most companies don't struggle because the EU AI Act is impossible to understand.
They struggle because they don't know where to start.
If you're an SME, the goal is not to "solve compliance" overnight. The goal is to understand what applies to you and take the next step in a structured way.
This guide breaks that down into a simple process you can actually follow.
Step 1: Map where you use AI
Start with a simple question:
Where are we actually using AI today?
This can include:
- internal tools (e.g. ChatGPT, copilots)
- product features
- automated workflows
- decision support systems
Don't overthink it. Just list your current use cases.
Example:
- Using AI to summarize notes → internal, low impact
- Using AI to rank candidates → external, high impact
The goal is visibility, not perfection.
Step 2: Identify whether people are affected
The next step is understanding impact.
Ask: Does this AI system affect people directly?
This includes:
- hiring decisions
- customer treatment
- access to services
- prioritization or scoring
If the answer is yes, that's where you should focus.
If it's purely internal productivity, the pressure is usually lower.
Step 3: Estimate your risk level
Now you connect your use cases to risk.
At a high level:
- Internal use → often low risk
- Decision-making AI → often higher risk
- Systems affecting people → more regulated
You don't need perfect classification yet. You need a reasonable estimate.
Step 4: Focus only on what applies
This is where many companies go wrong.
They assume they need to comply with everything.
You don't.
Focus on:
- relevant use cases
- realistic risks
- applicable requirements
Ignore the rest for now.
Compliance is about scope, not completeness.
Step 5: Add basic structure and documentation
Once you understand your situation, start putting light structure in place.
This can include:
- documenting how AI is used
- describing decision logic at a high level
- defining internal guidelines
- ensuring basic oversight
You don't need heavy processes early on.
You need clarity and consistency.
Step 6: Review and adjust over time
Compliance is not a one-time task.
As your product evolves, your use of AI will change.
Set a simple rhythm:
- review your AI use periodically
- update your understanding of risk
- adjust where needed
This keeps things manageable.
What this looks like in practice
Two SMEs can take very different paths:
Company A: uses AI internally → minimal effort needed
Company B: uses AI in hiring → needs more structure
Same regulation. Different impact.
That's why a step-by-step approach works better than trying to apply everything at once.
The most common mistake
Most SMEs either:
- ignore the AI Act completely
- overcomplicate it from day one
The better approach is in the middle:
Understand your exposure first, then act.
A faster way to get started
If you don't want to go through this manually, a structured checklist can shortcut the process.
It walks you through:
- where AI is used
- what risk level you're likely in
- what to do next
FAQ
Do SMEs need full compliance programs?
Not usually at the start. Most SMEs should focus on understanding their exposure and acting proportionally.
Is this a legal process or an operational one?
It starts as an operational process. Legal input may come later, but clarity comes first.
How long does compliance take?
The first step can take minutes. Full compliance depends on your use case and risk level.
What is the easiest next step?
Run a structured check based on your actual use of AI.