By Tenzin Langdun

EU AI Act 2026: What SMEs Need to Know Now About AI Compliance

EU AI Act for SMEs in 2026: deadlines from August, risk classes, obligations even for mere users of AI, looming fines, and a practical checklist to get prepared.

EU AI Act, Compliance, AI Governance

Risk pyramid of the EU AI Act with four tiers: Unacceptable, High, Limited, Minimal
The four risk classes of the EU AI Act.

The EU AI Act is the EU's first comprehensive AI regulation. From 2 August 2026, core obligations apply – including for SMEs that only use AI. If you rely on AI in recruiting, accounting, customer service or sales, now is the time to assess risk classes, train your staff and document how you use it.

The most common misconception: "We don't develop AI, so this doesn't concern us." That's not true. The EU AI Act explicitly addresses deployers as well – that is, companies that use finished AI systems in their day-to-day operations.

What is the EU AI Act?

The EU AI Act regulates the use of artificial intelligence based on a risk-based approach: the higher the risk an application poses to people and fundamental rights, the stricter the requirements. The goal is trustworthy AI – with transparency, human oversight and accountability.

Does the EU AI Act apply to SMEs too?

Yes. It affects not only providers and developers, but also mere users of AI. If you use AI, for instance to pre-screen applications, assess creditworthiness or in customer service, you fall under the regulation – with tiered obligations that are, in part, eased for SMEs.

What risk classes are there?

Risk class | Examples | Requirement
Unacceptable | Social scoring, manipulative systems | prohibited
High | Recruiting, creditworthiness, critical infrastructure | strict obligations & documentation
Limited | Chatbots, generated content | transparency and labelling obligation
Minimal | Spam filters, simple recommendations | no special obligations

What obligations do SMEs have as users of AI?

Even those who only operate AI have concrete tasks:

  • Designate trained oversight personnel for the systems in use.
  • Log usage – retain relevant logs for at least six months.
  • Secure input data and document the purpose of use.
  • Create transparency wherever people interact with AI.

What fines are at stake?

For deployers and SMEs, the relevant maximum amounts run up to 15 million euros or 3% of global annual turnover. Reduced fines and simplified evidence requirements are provided for SMEs and start-ups.

Checklist: Prepared in 6 steps

  1. Inventory: Which AI systems do we use – including ones hidden in SaaS tools?
  2. Classification: Which risk class does each use case belong to?
  3. Oversight: Who is responsible and trained?
  4. Documentation: Record purpose, data flows and logging.
  5. Policy: Adopt a lean internal AI policy.
  6. Review: Check regularly – both the law and the systems change.

This diligence aligns with a core principle of good automation: the human stays in the loop. Read more in our articles on AI automation for mid-sized companies and AI agents.

Want to introduce AI in a legally compliant and finance-grade way? Talk to us.

Frequently asked questions

Does the EU AI Act apply to small companies too?
Yes. The EU AI Act applies not only to providers, but also to companies that merely use AI – for example in recruiting, accounting, customer service or sales. SMEs benefit from relief measures such as simplified documentation, but the obligations do not disappear.

When does the EU AI Act take effect?
Core obligations apply from 2 August 2026, particularly around high-risk systems. Some deadlines have recently been adjusted via the so-called Digital Omnibus – companies should check the current status for their specific use case.

What happens if you ignore the EU AI Act?
Violations can get expensive. For deployers and SMEs, the relevant maximum amounts run up to 15 million euros or 3% of global annual turnover – whichever is higher.

Do we need an AI policy in our company?
For most SMEs a lean AI policy makes sense: it defines which systems are used, who oversees them, how usage is logged, and who decides in case of doubt. This creates accountability and reduces risk.