What you actually have to do

The concrete action list, in order, organised by your role and your risk level, with honest effort estimates. For most small businesses that simply use AI tools, this is a short, achievable list, not a compliance programme.

At a glance

Obligations by role and risk level

A quick scanning tool, not the full explanation, which follows below. Most small businesses only need the deployer column, and mostly the minimal and limited rows.

EU AI Act obligations summarised by risk level and role

| Risk level | If you use AI (deployer) | If you build AI (provider) |
| --- | --- | --- |
| Minimal risk | No specific duties beyond general good practice. | No specific duties beyond normal product safety. |
| Limited risk | Keep the vendor's AI disclosure in place; label AI-generated content you publish. | Build in the AI disclosure; for generative AI, mark outputs as machine-readable. |
| High risk | Use per the provider's instructions, keep competent human oversight, monitor and report problems, retain logs for at least six months, and inform the people affected. | Technical documentation and formal conformity assessment (from 2 December 2027, pending publication). |
| Prohibited | Banned outright: do not deploy. | Banned outright: do not build or sell. |

Private-sector deployers have no EU-database registration duty; that one falls on providers of high-risk systems and on public bodies.

Not sure which column is you? Check whether it applies first

If you use AI (most SMEs)

Your two duties, in plain terms

Almost every small business is a deployer. There are really only two things to know, and one of them is already live.

  • AI literacy (Article 4), live since February 2025

    This applies to any AI system your staff use at work, not just high-risk ones. In practice, for a small company, it means a basic working understanding of what the tools can and cannot do (their tendency to make things up, bias, and data-exposure risk), some written or informal internal guidance on appropriate use, and not blindly trusting outputs for consequential decisions. Honestly: there is no dedicated fine mechanism yet, and formal enforcement powers only switch on from 2 August 2026, but the underlying legal duty already exists today.

  • Transparency notices (Article 50), from 2 August 2026

    Your AI vendor, as the provider, has to make sure users know they are dealing with AI and label AI-generated content. Your duty is simply not to strip or hide the disclosure the vendor built into a customer-facing chatbot. And if you publish AI-generated or AI-manipulated image, audio, or video content, the human-facing 'this was AI-generated' notice is on you, as the one putting the content out, not on the AI vendor. This date is confirmed and not delayed.

If you build AI (fewer SMEs)

Mostly not you

Most readers can skip this. If you do build or sell an AI product, here is the shape of it.

  • Minimal and limited-risk products: light duties

    These carry mainly the same transparency rules as deployers, plus, for generative AI systems, a duty to mark outputs so they can be recognised as machine-generated.

  • High-risk products: the heavy duties, and only for a few

    Technical documentation, a formal conformity assessment (an independent check that the system meets the rules), and EU-database registration only apply if your product falls into one of the eight defined high-risk categories. Those obligations do not bite until 2 December 2027 (or 2 August 2028 for AI embedded in already-regulated products), and that delay is pending official publication.

  • General-purpose AI models: a separate track

    If you provide a general-purpose AI model, which is not a typical SME situation, separate duties around documentation, training-data summaries, and a copyright policy have applied since August 2025.

How much effort, honestly

Effort scales with the tier

The work is not evenly spread. For most SMEs it lands in the bottom two tiers, which are genuinely light.

  • Prohibited

    No effort to calculate: these are banned outright, so the answer is simply not to do them.

  • High risk

    A genuine project (documentation, risk management, conformity assessment), but this affects a small minority of SMEs and is not due until 2 December 2027 (pending official publication).

  • Limited risk

    A few hours: write and post a transparency notice, and confirm your vendor tools already disclose AI use.

  • Minimal risk

    Essentially nothing formal beyond general good practice.

Relief for smaller companies

The Act goes easier on you on purpose

Smaller companies get real, concrete breaks. SMEs and start-ups get priority (and often free) access to national regulatory sandboxes, reduced conformity-assessment fees, and a simplified technical-documentation template aimed specifically at small and micro enterprises.

Penalties are scaled too. For a small business, a fine is calculated using the lower of the fixed-euro amount and the percentage-of-turnover figure, the opposite of the rule applied to large companies.

Pending, not yet law

The 2026 Digital Omnibus proposes extending some of this relief (simplified documentation and special consideration when setting penalties) to a new, larger 'small mid-cap' band: up to 750 employees and turnover up to 150 million euros. This is part of the not-yet-published omnibus text, so treat it as proposed, not settled law.

A realistic starting point

Three steps, in order

  1. See your actual list

    Take the Exposure Check to get your real obligations instead of the general ones. About five minutes.

  2. Write a short AI-use note

    Cover which tools staff can use and the basic dos and don'ts. For most small teams this alone substantially covers the AI-literacy duty.

  3. Check your customer-facing AI

    Make sure any chatbot or AI-generated content carries a visible 'you are interacting with AI' or 'this was AI-generated' disclosure before 2 August 2026.

Get your obligations, not the general list.

The Exposure Check turns this general guidance into your personal action list in about five minutes. Free, 12 questions, no account needed.

Frequently asked questions

  • What do I actually need to do right now?

    If you use AI at work, make sure staff have a basic understanding of the tools' limits (the AI-literacy duty, live since February 2025), and plan to check that any customer-facing AI is clearly disclosed before 2 August 2026. For most SMEs, a short internal note and a quick check of your vendor tools cover it.

  • Do I need to appoint someone like a Data Protection Officer, but for AI?

    No. The Act does not require SMEs to appoint an 'AI officer' or an equivalent of a Data Protection Officer. What it expects is that the people using AI understand it and that someone is accountable for sensible use. For a small team that can simply be an owner or a manager.

  • We use a chatbot from a vendor, not one we built ourselves. Who is responsible?

    The vendor, as the provider, is responsible for building in the 'you are talking to AI' disclosure. Your duty as the deployer is not to remove or hide it. If you also publish AI-generated content yourself, disclosing that it is AI-generated is your responsibility.

  • How much will complying with this actually cost us?

    For most small businesses that simply use AI tools, close to nothing beyond a little time: writing a short internal note and checking your tools disclose AI use. Real costs only arise if you build high-risk AI, which affects very few SMEs. For a figure specific to your situation, take the Exposure Check or book a call.

  • What happens if we get something wrong?

    The duties already live, like AI literacy, are real legal obligations, though no fines have been issued for literacy gaps as of mid-2026 and formal enforcement powers only switch on from 2 August 2026. Penalties for SMEs are scaled to the lower of the two figures. Doing a little now is far cheaper than catching up under pressure.

Let's talk

Thirty minutes. Zero commitment.

Tell us what you need and we'll say exactly how we can help. If it isn't a fit, we'll save you the time.

Denise & Ricardo

Sekit team

This page is general information, not legal advice. For an answer specific to your business, take the Exposure Check or book a call.