The EU AI Act is 144 articles long and comes with multiple annexes. Reading it gives the impression that compliance requires an army of lawyers and a dedicated AI governance team. For large tech companies selling AI systems in the EU, that impression is roughly accurate. For a 20-person company that uses AI tools in its operations, the picture is different.
Here is what the Act actually requires from small businesses, and what you can reasonably set aside.
Does the EU AI Act apply to your small business?
Yes, if:
- Your company is established in the EU, or
- You use AI systems that affect people in the EU
The Act covers deployers, which is the term for companies that use AI systems rather than build them. If you use ChatGPT for customer support, an AI-assisted CRM, AI-powered hiring tools, or any software with meaningful AI functionality, you are a deployer under the Act. Company size is not a threshold.
There is a proportionality principle in the Act: obligations should be proportionate to the risks posed and the size of the company. But the principle does not create an SMB exemption. It affects how you implement obligations, not whether they apply.
What you actually need to do
For most small businesses that use standard AI tools, the obligations reduce to two things:
1. An AI literacy policy
Article 4 requires you to ensure staff who work with AI systems have a sufficient level of AI literacy. The deadline was February 2025. The document this requires is not a compliance manual. It is a straightforward policy that says:
- Which AI tools your company uses
- Which staff roles interact with them
- What those staff need to understand about the tools they use
- Who is responsible for keeping this up to date
A well-written AI literacy policy for a small company can be four to six pages. It does not need external legal drafting if the underlying content is accurate.
2. A risk classification memo
By August 2026, you need to have assessed where each AI system you use sits in the Act’s risk hierarchy. For most small businesses, the conclusion will be: these systems are minimal risk or limited risk, and here is why.
The documentation requirement for minimal-risk systems is low. You need a record that you thought about it and reached a reasoned conclusion. You do not need to produce the same technical documentation required for a high-risk system.
When the obligations get heavier
If your company uses AI in any of these contexts, you are likely dealing with high-risk systems that trigger heavier obligations:
- Hiring: using AI to screen CVs, rank candidates, or score video interviews
- Credit or insurance: using AI to assess financial risk or set pricing
- Education: using AI to evaluate student performance or determine access
- Employee monitoring: using AI for productivity tracking or performance scoring
High-risk AI deployers need a usage policy (defining how the system can be used, who oversees it, and what to do when something goes wrong) on top of the literacy policy and risk classification memo.
What tools typically trigger what obligations
| Tool type | Risk tier | What you need |
|---|---|---|
| AI writing assistant (ChatGPT, Copilot) | Minimal | AI literacy policy |
| AI customer support chatbot | Limited | AI literacy policy + disclosure to users |
| AI-assisted analytics dashboard | Minimal–limited | AI literacy policy |
| AI hiring or CV screening tool | High-risk | Literacy policy + risk memo + usage policy |
| AI performance management tool | High-risk | Literacy policy + risk memo + usage policy |
What you do not need to do (as a deployer)
Several obligations in the Act fall on providers, meaning companies that build and sell AI systems. If you are using AI tools but not developing them:
- You do not need to register your AI use in any EU database
- You do not need to conduct conformity assessments
- You do not need to issue a CE mark or declaration of conformity
- You do not need to maintain technical documentation of the AI model’s architecture
These are provider obligations. Your responsibility as a deployer is to verify that the provider of any high-risk system you use has met their obligations, which in practice means checking they have a CE mark.
The cost of compliance for a small company
The primary cost is time, not money. Producing an AI literacy policy and a risk classification memo requires:
- A clear inventory of which AI tools are in use
- Someone in the organisation who understands how those tools are actually used day to day
- A few hours to write the documents, or a tool that generates a starting draft from your answers
A compliance lawyer should review the final versions before formal adoption. That review typically costs less than an hour of legal time when you come in with a complete draft rather than a blank page.
Get your compliance documents in 30 minutes
Answer 20 questions about your company and AI systems. AIActComply generates all required documents, prefilled with your details, in 11 EU languages. €99 one-time, no subscription.
Check my compliance →The common mistake small businesses make
The most common mistake is waiting. The AI literacy deadline was February 2025. The risk classification deadline is August 2026. Both are approaching or have passed by the time most small businesses start looking into this.
The second most common mistake is over-engineering. Small businesses do not need a 40-page AI governance framework. They need accurate, specific documents that reflect their actual AI use. A generic template that does not mention the real tools in use, or the actual people responsible for oversight, is not compliance.