EU AI Act for SMEs: duties and deadlines
By Johannes Jäger, CEO & Founder
The EU AI Act for SMEs in one sentence: if you use AI, you need to know how risky each system is, train your people to work with AI, and disclose where AI is in play. For most small and mid-sized businesses that is doable, not threatening.
This piece frames the essentials: what the law is, whether it affects you, which deadlines apply and what to do now. Important: this is orientation, not legal advice. For your specific case, talk to a specialist lawyer or your data protection officer.
What is the EU AI Act, in short?
The EU AI Act is the EU's first comprehensive AI regulation. It came into force in August 2024 and applies in stages over several years. At its core is a risk-based approach: the higher the risk an AI application poses to people, the stricter the obligations. Four classes:
- Prohibited practices. Social scoring or manipulative systems, for example. Banned since February 2025.
- High-risk systems. AI in hiring, lending or critical infrastructure, for instance. Strict obligations apply here.
- Limited risk. Chatbots, for example. The main duty here is transparency: people must know they are talking to AI.
- Minimal risk. The large majority of applications, such as back office automation. Barely any extra obligations.
Does the EU AI Act affect my business?
Most likely as a deployer, not a provider. The strict obligations land mainly on providers who develop high-risk AI. If you only use AI, your duties are much lighter: train your people (more on that shortly), be transparent where AI interacts with people, and check whether an application falls into the high-risk class at all.
For the typical small business automating proposals, reporting or customer service, this is usually minimal or limited risk. The panic that sometimes gets spread is unfounded for these cases.
Which deadlines apply?
The most important deadline for almost everyone is already here: since February 2025, the AI literacy obligation applies. If you use AI in your business, you have to make sure your own people have a basic understanding of what the systems can do, where their limits are and how to use them responsibly. The strict high-risk obligations mostly take effect from August 2026, some later still.
What should you actually do now?
Four steps that are enough for most small businesses:
- Take inventory. List which AI tools and automations you run and what for.
- Classify the risk. For each application, judge whether it is minimal, limited or high-risk. When in doubt, get expert advice.
- Train your people. A basic understanding of AI across the team has been mandatory since February 2025 and is worthwhile anyway.
- Stay transparent. Where customers interact with AI, say so. It is simple and it builds trust.
Data protection always belongs in the mix. How AI and GDPR fit together is in is AI GDPR compliant, and the full picture is in our guide to AI automation for SMEs.
For most small businesses, the EU AI Act is no reason to panic, it is a task: know which AI you use, train your people, and stay transparent.
The fines are steep, at the top end up to 35 million euros or 7 percent of global annual revenue for prohibited practices. But that hits extreme cases, not cleanly run back office automation. Not sure which class your applications fall into? Book a free call and we will classify your automations with you. And as a reminder: this is orientation, not legal advice.
Key takeaways
- The EU AI Act is risk-based: the higher the risk, the stricter the obligations.
- Most small businesses are deployers with light duties, not providers of high-risk AI.
- Since February 2025, an AI literacy obligation applies to all AI users, meaning you must train your own people.
- Do now: take an AI inventory, classify the risk, train the team, stay transparent. When in doubt, get expert advice.
Free tools
Find your biggest automation lever in 2 minutes
Frequently asked questions
What does the EU AI Act mean for SMEs?+
For most small and mid-sized businesses it means manageable duties: train your own people to work with AI, be transparent where AI interacts with people, and check whether an application counts as high-risk. The strict requirements land mainly on providers of high-risk AI, not typical users.
When does the EU AI Act apply?+
It came into force in August 2024 and applies in stages. Since February 2025, certain practices are banned and the AI literacy obligation applies. Most obligations for high-risk systems arrive from August 2026, some later.
Is my AI automation high-risk?+
Usually not. Typical back office automation like reporting, proposals or email sorting normally falls under minimal risk. It becomes high-risk with things like hiring, lending or critical infrastructure. When in doubt, have it assessed by an expert.
What is the AI literacy obligation?+
Since February 2025, businesses that use AI must ensure their staff have a basic understanding of the systems they use: what they can do, where the limits are, and how to use them responsibly. Short training sessions cover this.
Does this article replace legal advice?+
No. This is orientation so you understand the broad strokes. For your specific case, especially where a high-risk classification is possible, talk to a specialist IT lawyer or your data protection officer.
What's possible
An AI agent that supports you across the board
Not just an automated workflow. An agent that thinks with you, directs your focus and works for you in the background.
This is exactly the kind of agent we build for you, in code that you own.
Book a free callRead next
Ready to automate the work your team shouldn't be doing?
Book a free call and we'll scope what we can take off your team's plate.
Book a free call