Check my compliance →
AIActComply / Blog / EU AI Act for Small Businesses: What Actually Applies to You

EU AI Act for Small Businesses: What Actually Applies to You

The EU AI Act applies to small businesses too — but the obligations depend on what AI you use and how. This guide cuts through the noise and explains what an SMB actually needs to do.

Published 14 April 2026

The EU AI Act is 144 articles long and comes with multiple annexes. Reading it gives the impression that compliance requires an army of lawyers and a dedicated AI governance team. For large tech companies selling AI systems in the EU, that impression is roughly accurate. For a 20-person company that uses AI tools in its operations, the picture is different.

Here is what the Act actually requires from small businesses, and what you can reasonably set aside.

Does the EU AI Act apply to your small business?

Yes, if:

The Act covers deployers, which is the term for companies that use AI systems rather than build them. If you use ChatGPT for customer support, an AI-assisted CRM, AI-powered hiring tools, or any software with meaningful AI functionality, you are a deployer under the Act. Company size is not a threshold.

There is a proportionality principle in the Act: obligations should be proportionate to the risks posed and the size of the company. But the principle does not create an SMB exemption. It affects how you implement obligations, not whether they apply.

What you actually need to do

For most small businesses that use standard AI tools, the obligations reduce to two things:

1. An AI literacy policy

Article 4 requires you to ensure staff who work with AI systems have a sufficient level of AI literacy. The deadline was February 2025. The document this requires is not a compliance manual. It is a straightforward policy that says:

A well-written AI literacy policy for a small company can be four to six pages. It does not need external legal drafting if the underlying content is accurate.

2. A risk classification memo

By August 2026, you need to have assessed where each AI system you use sits in the Act’s risk hierarchy. For most small businesses, the conclusion will be: these systems are minimal risk or limited risk, and here is why.

The documentation requirement for minimal-risk systems is low. You need a record that you thought about it and reached a reasoned conclusion. You do not need to produce the same technical documentation required for a high-risk system.

When the obligations get heavier

If your company uses AI in any of these contexts, you are likely dealing with high-risk systems that trigger heavier obligations:

High-risk AI deployers need a usage policy (defining how the system can be used, who oversees it, and what to do when something goes wrong) on top of the literacy policy and risk classification memo.

What tools typically trigger what obligations

Tool typeRisk tierWhat you need
AI writing assistant (ChatGPT, Copilot)MinimalAI literacy policy
AI customer support chatbotLimitedAI literacy policy + disclosure to users
AI-assisted analytics dashboardMinimal–limitedAI literacy policy
AI hiring or CV screening toolHigh-riskLiteracy policy + risk memo + usage policy
AI performance management toolHigh-riskLiteracy policy + risk memo + usage policy

What you do not need to do (as a deployer)

Several obligations in the Act fall on providers, meaning companies that build and sell AI systems. If you are using AI tools but not developing them:

These are provider obligations. Your responsibility as a deployer is to verify that the provider of any high-risk system you use has met their obligations, which in practice means checking they have a CE mark.

The cost of compliance for a small company

The primary cost is time, not money. Producing an AI literacy policy and a risk classification memo requires:

A compliance lawyer should review the final versions before formal adoption. That review typically costs less than an hour of legal time when you come in with a complete draft rather than a blank page.

Get your compliance documents in 30 minutes

Answer 20 questions about your company and AI systems. AIActComply generates all required documents, prefilled with your details, in 11 EU languages. €99 one-time, no subscription.

Check my compliance →

The common mistake small businesses make

The most common mistake is waiting. The AI literacy deadline was February 2025. The risk classification deadline is August 2026. Both are approaching or have passed by the time most small businesses start looking into this.

The second most common mistake is over-engineering. Small businesses do not need a 40-page AI governance framework. They need accurate, specific documents that reflect their actual AI use. A generic template that does not mention the real tools in use, or the actual people responsible for oversight, is not compliance.

Ready to get compliant?
Get all your EU AI Act documents in 30 minutes
Answer 20 questions. AIActComply generates your AI Literacy Policy, Risk Classification Memo, Usage Policy, and Transparency Notice — prefilled, in 11 EU languages. €99 one-time.
Start now →