Tensoria
AI Strategy By Anas R.

EU AI Act Compliance: A Practical Guide for SMEs (2026)

The EU AI Act entered into force on 1 August 2024. It is the world's first comprehensive legal framework governing artificial intelligence. And contrary to what many SME leaders still believe, it does not apply only to Big Tech or deep-tech startups.

The first obligations became effective in February 2025. A new wave of rules followed in August 2025. By August 2026, the bulk of the regulation will be fully applicable, including the obligations covering high-risk AI systems. For SMEs that use AI day to day - chatbots, automations, internal assistants - the clock is ticking.

The penalties are not symbolic: up to 35 million euros or 7% of global annual turnover. The good news is that for most SMEs, achieving compliance is entirely feasible, provided you approach it methodically. This guide explains what applies to you, what you need to do, and where to start.

What Is the EU AI Act and Why Does It Affect Your Business?

The European Artificial Intelligence Regulation (EU AI Act, Regulation EU 2024/1689) is a legislative text adopted on 13 June 2024 by the European Parliament. It applies to any organization that develops, places on the market, or uses an AI system within the European Union.

The operative word is "uses." You do not need to build AI to be in scope. If your company:

  • Uses a chatbot for customer service or internally
  • Runs AI-based process automation tools
  • Uses AI for recruitment, CV screening, or candidate evaluation
  • Deploys internal AI assistants connected to your company data
  • Uses forecasting, scoring, or recommendation tools

...then the EU AI Act applies to you directly. The CNIL's AI action plan confirms that compliance will be enforced, including for SMEs.

Key distinction

The EU AI Act distinguishes "providers" (those who develop AI) from "deployers" (those who use it). Most SMEs are deployers. The obligations are lighter than for providers, but they are real and enforceable.

The EU AI Act Timeline: What Is Already in Effect?

The EU AI Act does not apply all at once. The legislator built in a phased rollout over three years. Here is the timeline every business leader needs to know:

1. In effect: 2 February 2025 - Prohibited Practices & AI Literacy

Prohibited AI practices (manipulation, social scoring, mass biometric surveillance) are banned. The AI literacy obligation (Article 4) comes into force: your teams must understand the AI tools they work with.

2. In effect: 2 August 2025 - General-Purpose AI Models (GPAI)

Obligations for providers of general-purpose AI models (such as GPT-4, Claude, Mistral) take effect. This primarily concerns model vendors, but also affects SME users in terms of transparency about the tools they rely on.

3. Upcoming (critical): 2 August 2026 - Core Obligations

The major deadline for SMEs. Rules on high-risk AI systems, transparency obligations for deployers, and the national governance framework become fully applicable. This is the date you cannot afford to miss.

4. 2 August 2027 - Legacy AI Systems

High-risk AI systems already on the market before August 2026 must comply with the new requirements. Final compliance deadline.

Already in force

The AI literacy obligation (Article 4) has been in force since February 2025. If your teams are using AI tools without appropriate training, your company is already potentially non-compliant. An AI audit lets you assess the situation quickly.

The 4 AI Risk Levels: Where Does Your Business Stand?

The EU AI Act classifies AI systems into 4 risk categories. This is the core of the regulation: your obligations depend directly on the risk level of each AI use case in your organization.

Risk Level | SME Examples | Obligations
Unacceptable (banned) | Employee social scoring, subliminal manipulation, real-time biometric surveillance | Prohibited. Immediate cessation required.
High risk | AI recruitment/CV screening, credit scoring, automated performance evaluation, product safety | Technical documentation, risk management, human oversight, transparency, registration
Limited risk | Customer chatbot, AI content generator, deepfakes, recommendation systems | Transparency obligation: inform users they are interacting with AI
Minimal risk | Spam filters, AI spell-checkers, internal logistics optimization | No specific obligations (beyond AI literacy)

The reality for most SMEs: your use cases probably fall in the limited risk and minimal risk categories. A chatbot is limited risk (transparency obligation). An internal process automation with no impact on individuals' rights is minimal risk.

However, if you use AI to screen CVs, evaluate employees, or make decisions that affect people, you may be in the high-risk category, which carries substantially heavier obligations.

Concrete EU AI Act Obligations for SMEs

Here is what the EU AI Act actually requires of SMEs as deployers of AI systems:

1. AI literacy (Article 4) - mandatory since February 2025

This is the most cross-cutting obligation and the most commonly overlooked. Every company that uses AI must ensure that the people who interact with AI systems have a sufficient level of understanding of those tools.

In practice, this means:

  • Training employees on the basics of how the AI they use works
  • Explaining the limitations and risks (hallucinations, bias, errors)
  • Adapting training to each person's technical level and role
  • Documenting that this training has been completed

2. Transparency - for limited-risk systems

If your customers or users interact with a chatbot, an AI content generator, or any system where they might think they are talking to a human, you must clearly inform them that they are interacting with an AI.

This is straightforward to implement: a visible notice in the interface is sufficient. In an internal AI assistant or a customer chatbot, a banner reading "You are chatting with an AI assistant" satisfies the obligation.

3. Enhanced obligations - for high-risk systems

If your SME deploys high-risk AI systems, the obligations are significantly more demanding:

Documentation & Traceability

  • Register of AI systems in use
  • Documentation of the risk assessment
  • Retention of usage logs
  • Registration in the EU high-risk AI register

Human Oversight & Control

  • Effective human supervision of AI decisions
  • Ability to intervene and correct in real time
  • Fundamental rights impact assessment
  • Notification to the affected individuals

Checklist: Is Your SME Compliant with the EU AI Act?

Use this grid to assess your situation quickly. Any unchecked item is a priority action point.

  • You have inventoried all AI tools used in your company (including those adopted individually by employees)
  • Each AI use case is classified by risk level (minimal, limited, high, unacceptable)
  • Your employees have received AI literacy training appropriate to their role
  • Users of your chatbots and AI assistants are informed that they are interacting with AI
  • None of your use cases correspond to a practice prohibited by the EU AI Act
  • For high-risk systems: a fundamental rights impact assessment has been completed and documented
  • An AI compliance lead has been designated internally
  • Your contracts with AI vendors include clauses addressing EU AI Act compliance

Fewer than 5 boxes checked? It is time to act. An AI audit lets you map the situation in a matter of days and build a realistic action plan.

6 Steps to Bring Your SME into EU AI Act Compliance

Here is the approach we recommend at Tensoria for our SME and mid-market clients. It is progressive, pragmatic, and calibrated to the resources of a mid-sized organization.

1. Map all your AI use cases

Take a full inventory of every AI system used in your company. This includes the obvious tools (chatbot, assistant) but also the diffuse uses: a sales rep using ChatGPT to draft emails, an accountant using an automated categorization tool, and so on. Our AI audit service covers this mapping in detail.

2. Classify each use case by risk level

For each identified tool, determine its risk category under the EU AI Act criteria. The central question: does this system have a material impact on the rights or opportunities of the people it affects? An information chatbot = limited risk. A CV pre-screening tool = high risk.

3. Roll out AI literacy training

Train all employees who use or interact with AI systems. The depth of training must be appropriate: a business leader needs to understand the strategic and regulatory stakes, while an operational user needs to know the concrete limitations of the tool they use every day.

4. Implement transparency notices

For all limited-risk systems: add disclosure notices to interfaces (chatbots, assistants, AI-generated content). For high-risk systems: document the transparency and notification measures covering the people affected.

5. Document and formalize

Build your compliance file: AI usage register, risk assessments, training records, AI usage policy. This file is your protection in the event of an inspection. It is also a valuable internal governance tool.

6. Establish ongoing governance

Compliance is not a one-shot project. Designate an internal AI lead, schedule quarterly reviews of your AI use cases, and embed EU AI Act assessment into your process for adopting any new AI tool. For a structured approach to measuring the value of this work, see our guide on AI audit methodology and cost.

The Role of an AI Audit in EU AI Act Compliance

An AI audit is the best starting point for approaching EU AI Act compliance with confidence. Why? Because it answers the three foundational questions:

What?

Which AI systems are you actually using (including undeclared shadow AI)?

Where?

Where do those use cases sit on the EU AI Act risk scale?

How?

How do you close the gap between your current state and compliance?

At Tensoria, we conduct AI audits that specifically address the EU AI Act dimension. Within a few days, we deliver a complete picture: inventory of AI use cases, risk classification, compliance gaps identified, and a prioritized action plan with realistic deadlines.

Field observation

Across the audits we have conducted since early 2025, 80% of SMEs underestimate the number of AI systems they use. Usage of ChatGPT, Copilot, or AI assistants by employees - often without management's knowledge - is the single biggest blind spot for compliance.

EU AI Act Penalties: What Does Your SME Actually Risk?

The penalties provided by the EU AI Act are graduated by severity of infringement. Here is the breakdown:

Infringement Type | Maximum Fine | Examples
Prohibited practices | 35M EUR or 7% of global turnover | Use of banned AI (social scoring, manipulation)
Non-compliance with core obligations | 15M EUR or 3% of global turnover | Deploying high-risk AI without documentation or human oversight
Inaccurate information | 7.5M EUR or 1% of global turnover | Providing false information to supervisory authorities

The reassuring point for SMEs: the EU AI Act explicitly states that fines must be proportionate to company size. The ceilings above cover the most serious cases. The regulation also mentions reduced fines for SMEs and startups.

Beyond financial penalties, the risks also include:

  • Reputational risk: a public compliance failure can erode the trust of your customers and partners
  • Commercial risk: large corporates and public entities are starting to require EU AI Act compliance from their suppliers
  • Operational risk: an injunction to cease an AI use case can severely disrupt your business if you depend on it

To anticipate these risks and structure your approach, it is essential to launch AI projects with a clear specification, integrating compliance from the outset.

FAQ: EU AI Act and SMEs

Yes. The EU AI Act applies to all deployers of AI systems, including SMEs that use tools like ChatGPT, chatbots, or AI assistants. Obligations vary by risk level, but the AI literacy requirement (Article 4) applies to every company without exception from February 2025 onward.
Fines can reach 35 million euros or 7% of global turnover for prohibited practices, 15 million or 3% for non-compliance with core obligations, and 7.5 million or 1% for inaccurate information. The EU AI Act does provide for proportionate fines for SMEs and startups.
An AI system is considered high-risk when used in areas such as recruitment and HR management, creditworthiness assessment, product safety, education, or access to essential services. The key question is whether the system has a material impact on the fundamental rights of the people it affects.
Article 4 requires every company using AI to ensure that the people interacting with AI systems have a sufficient level of understanding of those tools. In practice, this means training employees on how the AI they use works, its limitations and risks, adapting training to each person's role and technical level, and documenting that this training has been carried out.
The EU AI Act does not require SMEs to appoint a dedicated AI officer. However, it is strongly recommended to designate an internal point of contact who coordinates AI compliance, maintains the usage register, and liaises with management. This role can be combined with that of DPO or quality manager.
For an SME with limited AI use (chatbot, automations, AI-augmented office tools), expect 4 to 8 weeks for a complete audit and the implementation of the foundations: usage register, risk assessment, literacy training plan, transparency documentation. High-risk systems require longer timelines.

Further Reading

For the full official text, see Regulation (EU) 2024/1689 on EUR-Lex. The European Commission's AI regulatory framework page also provides resources tailored to businesses of all sizes.

Anas Rabhi, Data Scientist & Founder, Tensoria

I am a data scientist specializing in generative AI. I help engineering teams and technical leaders ship production-grade AI systems tailored to their domain. Process automation, internal knowledge assistants, intelligent document processing - I design systems that integrate into existing workflows and deliver measurable results.