EU AI Act
A European law about how AI can be built and used, in force since August 2024 and phasing in through 2028. If you run a small business, your duties are almost certainly modest and manageable. Here is what it is, who it affects, and what to actually do.
What it is
The EU AI Act is a single European regulation that governs how AI systems can be built, sold and used across the EU. Because it is a regulation and not a directive, it applies directly in every member state, with no separate national laws needed to bring it in.
It sorts AI by how risky the use is, not by the technology itself. Most everyday tools carry light duties or none, a small number of sensitive uses carry real obligations, and a short list is banned outright. The heavier the potential impact on people, the heavier the rules.
If it helps, think of how the GDPR worked for personal data: one EU-wide, risk-based framework that also reaches companies outside the EU when they serve people inside it. The AI Act follows the same logic for AI.
Who it affects
If your company builds or sells an AI product, or simply uses AI tools at work, you are almost certainly in scope in some way. That includes ChatGPT or Copilot on your team's laptops, an AI feature inside a vendor's tool, or a hiring or support tool with AI under the hood.
It applies regardless of where your company is based. If you have customers or users in the EU, the Act can reach you even with no EU office. What changes from business to business is not whether it applies, but how much it asks of you.
The four risk levels
The Act sorts AI into four levels. Most day-to-day tools sit in the bottom two. The top two are narrow and mostly do not apply to small businesses.
Answer 12 short questions and get an instant, plain-language read on your exposure, your obligations, and your single biggest gap. Free, about five minutes, no account needed.
What you have to do
If your team uses AI at work, you must make sure they have a basic working understanding of what the tools can and cannot do. This has been a live duty since February 2025, and for a small team a short internal guidance note usually covers it.
From August 2026, if you run a customer-facing chatbot or publish AI-generated content, you have to make that clear to the people who see it. Often this just means not hiding a disclosure your vendor already provides.
Formal risk management, technical documentation and independent checks apply only to the small number of businesses building high-risk AI products, and not until December 2027.
For most small businesses that simply use AI tools, this is a short, achievable list, not a compliance programme.
Where things stand
Parts of the Act are already in force and enforceable today, including the banned practices and the rules for general-purpose AI models. One major piece, the timeline for high-risk AI, is being pushed back by an EU reform package known as the Digital Omnibus, which the EU Parliament and Council confirmed in June 2026, with only formal publication still pending.
We keep this page current as the picture changes. For exact dates and the full status of the reform, the key dates page is the source of truth.
Keeping it in proportion
The Act deliberately goes easier on smaller companies. EU law builds in simplified documentation templates, reduced fees, and priority access to regulatory sandboxes for SMEs and start-ups.
Penalties are scaled too. For a small business, a fine is calculated using the lower of the fixed-euro amount or the percentage-of-turnover figure, the opposite of the rule applied to large companies.
The goal is not to convince you this is nothing. It is to show you it is knowable and doable. Start by finding out where you stand.
Almost certainly, in some capacity. If your team uses AI tools at work, or you build or sell anything with AI in it, and you have customers or users in the EU, the Act applies. For most small businesses that only use AI tools, the duties are light. The Exposure Check tells you exactly which ones apply to you.
The duties that are already live, like AI literacy, are real legal obligations even though no fines have been issued for them so far. The bigger near-term item for most SMEs is the transparency duties from August 2026, and for a few, the high-risk rules later. Doing a little now, like a short internal AI-use note, is far cheaper than catching up under pressure.
The shape is similar: one EU-wide, risk-based law that also reaches companies outside the EU serving people inside it. But the AI Act is about how AI systems are built and used, not about personal data as such, and its duties scale with how risky the use is.
It can. The Act reaches you if you place an AI system on the EU market, or if the output of your AI is used by people in the EU, wherever your company is based. A UK or US company with EU customers is often in scope. If you have no EU link at all, treat this as good practice rather than a legal duty.
For a small business that simply uses AI tools, the core steps are a matter of hours: write a short internal AI-use note and check that any customer-facing AI is clearly labelled. Building high-risk AI is a bigger project, but that affects very few SMEs. The Exposure Check gives you a realistic, personal list.
This page is general information, not legal advice. For an answer specific to your business, take the Exposure Check or book a call.