EU AI Act / Obligations
The concrete action list, in order, organised by your role and your risk level, with honest effort estimates. For most small businesses that simply use AI tools, this is a short, achievable list, not a compliance programme.
At a glance
A quick scanning tool, not the full explanation, which follows below. Most small businesses only need the deployer column, and mostly the minimal and limited rows.
| Risk level | If you use AI (deployer) | If you build AI (provider) |
|---|---|---|
| Minimal risk | No specific duties beyond general good practice. | No specific duties beyond normal product safety. |
| Limited risk | Keep the vendor's AI disclosure in place; label AI-generated content you publish. | Build in the AI disclosure; for generative AI, mark outputs in a machine-readable way as machine-generated. |
| High risk | Use per the provider's instructions, keep competent human oversight, monitor and report problems, retain logs for at least six months, and inform the people affected. | Technical documentation and formal conformity assessment (from 2 December 2027, pending publication). |
| Prohibited | Banned outright: do not deploy. | Banned outright: do not build or sell. |
Private-sector deployers have no EU-database registration duty; that one falls on providers of high-risk systems and on public bodies.
Not sure which column is you? Check whether it applies first.
If you use AI (most SMEs)
Almost every small business is a deployer. There are really only two things to know, and one of them is already live.
The AI-literacy duty applies to any AI system your staff use at work, not just high-risk ones. In practice, for a small company, it means a basic working understanding of what the tools can and cannot do (their tendency to make things up, bias, and data-exposure risk), some written or informal internal guidance on appropriate use, and not blindly trusting outputs for consequential decisions. Honestly: there is no dedicated fine mechanism yet, and formal enforcement powers only switch on from 2 August 2026, but the underlying legal duty already exists today.
Your AI vendor, as the provider, has to make sure users know they are dealing with AI and label AI-generated content. Your job is not to strip or hide the disclosure the vendor built into a customer-facing chatbot. And if you publish AI-generated or AI-manipulated image, audio, or video content, the human-facing 'this was AI-generated' notice is on you, as the one putting the content out, not on the AI vendor. This date is confirmed and not delayed.
If you build AI (fewer SMEs)
Mostly not you
Most readers can skip this. If you do build or sell an AI product, here is the shape of it.
These carry mainly the same transparency rules as deployers, plus, for generative AI systems, a duty to mark outputs so they can be recognised as machine-generated.
Technical documentation, a formal conformity assessment (an independent check that the system meets the rules), and EU-database registration only apply if your product is one of the eight defined high-risk categories. Those obligations do not bite until 2 December 2027 (or 2 August 2028 for AI embedded in already-regulated products), and that delay is pending official publication.
If you provide a general-purpose AI model, which is not a typical SME situation, separate duties around documentation, training-data summaries, and a copyright policy have applied since August 2025.
How much effort, honestly
The work is not evenly spread. For most SMEs it lands in the bottom two tiers, which are genuinely light.
Relief for smaller companies
Smaller companies get real, concrete breaks. SMEs and start-ups get priority (and often free) access to national regulatory sandboxes, reduced conformity-assessment fees, and a simplified technical-documentation template aimed specifically at small and micro enterprises.
Penalties are scaled too. For a small business, a fine is calculated using the lower of the fixed-euro amount or the percentage-of-turnover figure, the opposite of the rule applied to large companies.
The 2026 Digital Omnibus proposes extending some of this relief (simplified documentation and special consideration when setting penalties) to a new, larger 'small mid-cap' band: up to 750 employees and turnover up to 150 million euros. This is part of the not-yet-published omnibus text, so treat it as proposed, not settled law.
A realistic starting point
Take the Exposure Check to get your real obligations instead of the general ones. About five minutes.
Cover which tools staff can use and the basic dos and don'ts. For most small teams this alone substantially covers the AI-literacy duty.
Make sure any chatbot or AI-generated content carries a visible 'you are interacting with AI' or 'this was AI-generated' disclosure before 2 August 2026.
The Exposure Check turns this general guidance into your personal action list in about five minutes. Free, 12 questions, no account needed.
If you use AI at work, make sure staff have a basic understanding of the tools' limits (the AI-literacy duty, live since February 2025), and plan to check that any customer-facing AI is clearly disclosed before 2 August 2026. For most SMEs, a short internal note and a quick check of your vendor tools covers it.
No. The Act does not require SMEs to appoint an 'AI officer' or an equivalent of a Data Protection Officer. What it expects is that the people using AI understand it and that someone is accountable for sensible use. For a small team that can simply be an owner or a manager.
The vendor, as the provider, is responsible for building in the 'you are talking to AI' disclosure. Your duty as the deployer is not to remove or hide it. If you also publish AI-generated content yourself, disclosing that it is AI-generated is your responsibility.
For most small businesses that simply use AI tools, close to nothing beyond a little time: writing a short internal note and checking your tools disclose AI use. Real costs only arise if you build high-risk AI, which affects very few SMEs. For a figure specific to your situation, take the Exposure Check or book a call.
The duties already live, like AI literacy, are real legal obligations, though no fines have been issued for literacy gaps as of mid-2026 and formal enforcement powers only switch on from 2 August 2026. Penalties for SMEs are scaled to the lower of the two figures. Doing a little now is far cheaper than catching up under pressure.
This page is general information, not legal advice. For an answer specific to your business, take the Exposure Check or book a call.