If you've come across the EU AI Act recently, there's a good chance your first reaction was something along the lines of: "Right… another regulation we need to deal with."
Fair enough. Most founders I speak to don't struggle because the EU AI Act is inherently complex — they struggle because no one explains it in a way that connects to how a company actually operates.
So let's strip it back.
What the EU AI Act actually is
At its core, the EU AI Act is a regulatory framework designed to govern how AI systems are developed, deployed, and used within the EU.
That's the formal definition. In practice, it's much simpler than that:
It's a system for managing risk in AI.
Not all AI is treated the same. The regulation is built around a straightforward idea:
- Low-risk AI → minimal requirements
- High-risk AI → stricter obligations
Everything else flows from that.
If you want the full overview, the EU AI Act guide is a good place to start.
Why the EU introduced it
Let's be honest for a moment. AI has moved faster than most companies — and regulators — expected.
And while a lot of it is harmless (or even useful), some use cases carry real consequences:
- Hiring decisions
- Credit scoring
- Access to services
- Surveillance
The EU AI Act is essentially trying to answer one question: what happens when AI makes decisions that affect people?
How the EU AI Act actually works
This is where things start to get a bit clearer. Instead of regulating "AI" as a whole, the EU AI Act breaks systems into categories based on risk.
1. Minimal risk
Most AI falls into this category. Examples: internal tools, basic automation, low-impact AI features.
Requirements: almost none.
2. Limited risk
This includes things like chatbots, AI-generated content, and user-facing tools.
Requirements: mainly transparency.
3. High risk
This is where things become more serious. Examples: hiring systems, credit scoring, medical AI, critical infrastructure.
Requirements include documentation, risk management, monitoring, and governance.
4. Unacceptable risk
Some use cases are simply banned, such as certain types of surveillance and manipulative AI systems.
If you're unsure where your systems land, the AI risk classification guide walks you through it.
Why this matters for SMEs
One of the biggest misconceptions is that the EU AI Act is mainly aimed at large tech companies. It isn't.
It applies just as much to SMEs — but the impact depends entirely on what you're building or using.
I worked with a small SaaS company recently — fewer than 20 people — who assumed the regulation would be overwhelming. In reality, once we mapped their use cases, they were almost entirely in minimal and limited risk categories.
What did they actually need to do?
- Add a bit of transparency
- Document a few things
- Assign ownership internally
That was it. No major disruption. No heavy compliance burden. That's far more typical than most people expect.
What the EU AI Act is NOT
This is worth clarifying, because there's a lot of confusion. The EU AI Act is not:
- A blanket ban on AI
- A requirement to document everything
- A one-size-fits-all compliance system
And it's definitely not something that applies equally to every company.
So how should you think about it?
In most companies I've worked with, the ones that handle this well think about it in a very practical way. Not as a legal problem — but as a question of:
"Where are we using AI, and what risk does it carry?"
Once that's clear, everything else becomes manageable.
Where most companies get stuck
Companies get stuck not because they're careless, but because the information out there isn't particularly helpful.
I've seen teams over-engineer compliance processes they don't need — or ignore it entirely until it becomes urgent. Usually because they don't have a clear starting point.
A practical way to approach the EU AI Act
If you want to make this actionable, here's what I'd suggest:
- Identify where AI actually shows up in your business.
- Work out whether the EU AI Act applies to those use cases — check if you need to comply.
- Classify each system by risk.
- Focus only on the obligations that apply to your category.
If you want a structured way to go through that process, the AI Act compliance checklist is useful.
Final thought
The EU AI Act isn't really about controlling AI. It's about making sure it's used responsibly — particularly when it affects people in meaningful ways.
For most SMEs, that doesn't mean doing everything. It means understanding your systems well enough to do the right things.
Related AI Act Tools
- EU AI Act guide: understand the full regulation
- AI risk classification: find your risk category
- Do I need to comply?: check your applicability
- AI Act compliance checklist: practical execution steps
- EU AI Act for SMEs: practical SME guidance