1. Who This Guide Is For
This guide is written for small and medium-sized businesses that use, build, or sell AI systems and need to understand what the EU AI Act requires of them. It covers businesses with fewer than 250 employees, whether established in the EU or outside it with EU customers.
The guide does not assume legal training. It does assume you are running a real business with real AI tools and need to know what the law requires, when it requires it, and what happens if you do not comply.
One preliminary point matters above all others: the EU AI Act applies to you whether you built the AI or bought it. Using a third-party AI tool in your business makes you a deployer under the Act. Building AI and selling it makes you a provider. Both roles carry legal obligations that are already in force.
2. Key Definitions
Understanding the Act starts with understanding its terminology. The definitions below come directly from Article 3 of Regulation (EU) 2024/1689.
| Term | What it means | Where it matters |
|---|---|---|
| AI system | A machine-based system that generates outputs such as predictions, recommendations, decisions, or content from inputs, operating with varying degrees of autonomy | Determines whether the Act applies at all |
| Provider | A business that develops an AI system and places it on the market or puts it into service under its own name | Carries the heaviest obligations |
| Deployer | A business that uses an AI system in a professional context under its own authority | Carries significant obligations if the system is high-risk |
| Authorised representative | An EU-established entity mandated in writing by a non-EU provider to act on its behalf | Required for non-EU businesses selling AI into the EU |
| Importer | An EU-established business that places on the EU market an AI system bearing the name of a non-EU business | Carries pre-market verification obligations |
| Distributor | A business that makes an AI system available on the EU market without being the provider or importer | Carries lighter obligations unless it modifies the system |
| High-risk AI system | An AI system listed in Annex III of the Act or forming a safety component of a product in Annex I | Triggers the Act’s strictest requirements |
| GPAI model | A general-purpose AI model capable of performing a wide range of distinct tasks | Subject to a separate set of obligations from August 2025 |
| Operator | Collective term for providers, deployers, authorised representatives, importers, and distributors | Used when obligations apply across roles |
3. Does the EU AI Act Apply to Your Business?
The Act applies to your business if any of the following are true.
- You develop AI systems or AI-powered products and place them on the EU market or put them into service, regardless of where your business is established.
- You use AI systems in your business operations in a professional context, including tools procured from third-party vendors.
- You import or distribute AI systems in the EU supply chain.
- Your AI system affects people located in the EU, even if your business is based in Canada, the United States, the United Kingdom, or any other country outside the EU.
The table below helps you make an initial determination.
| Your situation | Act applies? | Your likely role |
|---|---|---|
| You built an AI product and sell it to EU customers | Yes | Provider |
| You use ChatGPT, Copilot, or similar tools in your business | Yes | Deployer |
| You use AI for hiring, performance reviews, or HR decisions | Yes | Deployer (high-risk) |
| You resell a third-party AI tool without modification | Yes | Distributor |
| You import an AI system from a non-EU vendor into the EU | Yes | Importer |
| You use AI-powered consumer apps for personal use only | No | Not in scope |
| You are a researcher using AI for scientific research with no market placement | Likely no | Subject to limited provisions only |
If your business is established outside the EU and you sell AI products to EU customers, you are within scope and must appoint an EU-established Authorised Representative if your system is high-risk or you provide a GPAI model.
4. The Four Risk Tiers in the EU AI Act
The Act classifies AI systems into four risk tiers. Your compliance obligations depend entirely on which tier applies to your AI system.
| Risk tier | Description | Consequence |
|---|---|---|
| Unacceptable risk | AI that poses a clear threat to fundamental rights, human dignity, or safety | Prohibited outright. Operating these systems is unlawful from February 2025 |
| High risk | AI used in one of eight sensitive domains listed in Annex III, or forming a safety component of an Annex I regulated product | Full compliance obligations including conformity assessment, technical documentation, registration, and human oversight |
| Limited risk | AI with specific transparency risks, such as chatbots or deepfake generators | Disclosure and transparency obligations only |
| Minimal or no risk | All other AI systems | No mandatory obligations under the Act |
Most small businesses fall into one of three categories: they use AI tools that are minimal or limited risk and face only transparency obligations; they use AI in an Annex III context such as hiring or credit decisions and face significant deployer obligations; or they build AI products and are providers with the full compliance burden.
The risk tier is determined by what the AI system does and how it is used, not by how sophisticated the underlying technology is.
5. High-Risk AI: The Eight Domains
If your business uses or builds AI in any of the following eight domains, you are operating in the high-risk tier. This table sets out the domains and the most common small business scenarios within each.
| Domain | High-risk use cases | Common SME examples |
|---|---|---|
| Biometric identification and categorisation | Remote biometric identification, emotion recognition, biometric categorisation by sensitive attributes | Security companies, access control systems |
| Critical infrastructure | AI managing electricity, water, heating, transport, or digital infrastructure | Energy management SaaS, smart building platforms |
| Education and vocational training | Systems determining access to education, assessing students, monitoring during exams | EdTech platforms, online assessment tools |
| Employment and workers' management | CV screening, interview assessment, performance monitoring, task allocation, termination decisions | HR software companies, recruitment platforms |
| Access to essential private and public services | Credit scoring, insurance risk assessment, emergency services dispatch, public benefit eligibility | Fintech lenders, insurance tech platforms |
| Law enforcement | Risk assessment of individuals, crime analytics, polygraph-type tools | Not typical for SMEs |
| Migration, asylum, and border control | Risk assessment of applicants, document verification | Not typical for SMEs |
| Administration of justice | AI assisting courts in fact-finding or applying law | LegalTech platforms serving courts |
If your product or use case falls within any of these categories, stop treating compliance as a future problem. The obligations for deployers of high-risk systems are already partially in force, and full enforcement applies from August 2026.
6. Your Obligations by Role
If You Are a Provider
A provider is any business that develops an AI system and places it on the market or puts it into service under its own name. If you build AI software and sell or licence it to others, you are a provider.
| Obligation | Applies to | Deadline |
|---|---|---|
| AI literacy for staff (Article 4) | All providers | February 2025 |
| Technical documentation (Annex IV) | High-risk AI providers | August 2026 |
| Quality management system (Article 17) | High-risk AI providers | August 2026 |
| Conformity assessment (Article 43) | High-risk AI providers | Before market placement |
| CE marking (Article 48) | High-risk AI providers | Before market placement |
| EU Declaration of Conformity (Article 47) | High-risk AI providers | Before market placement |
| EU database registration (Article 49) | High-risk AI providers | Before market placement |
| Post-market monitoring (Article 72) | High-risk AI providers | Ongoing from market placement |
| Serious incident reporting (Article 73) | High-risk AI providers | Within 15 days of becoming aware |
| Appoint Authorised Representative | Non-EU high-risk AI providers | Before August 2026 |
| GPAI technical documentation | GPAI model providers | August 2025 |
| GPAI copyright transparency | GPAI model providers | August 2025 |
If You Are a Deployer
A deployer is any business that uses an AI system in a professional context under its own authority. If your business uses any AI tool, you are a deployer.
| Obligation | Applies to | Deadline |
|---|---|---|
| AI literacy for staff (Article 4) | All deployers | February 2025 |
| Follow provider instructions | Deployers of high-risk AI | August 2026 |
| Implement human oversight measures (Article 26) | Deployers of high-risk AI | August 2026 |
| Fundamental Rights Impact Assessment (Article 27) | Deployers of Annex III high-risk AI | August 2026 |
| Retain operational logs for 6 months (Article 26) | Deployers of high-risk AI | August 2026 |
| Inform affected individuals (Article 26) | Deployers of high-risk AI | August 2026 |
| Report serious incidents (Article 26) | Deployers of high-risk AI | Ongoing |
When a Deployer Becomes a Provider
If you modify a high-risk AI system, place it on the market under your own name, or use it for a purpose outside the provider’s instructions that creates a new high-risk use, the Act treats you as a provider. The full provider compliance burden then applies.
7. What Is Already Enforceable
The most common misunderstanding about the AI Act is that it applies from 2026 or 2027. Three sets of obligations have been enforceable since 2025.
| Obligation | Enforceable since | What it requires |
|---|---|---|
| Prohibited AI practices (Article 5) | 2 February 2025 | Eight categories of AI are banned outright |
| AI literacy (Article 4) | 2 February 2025 | Staff using or operating AI must have sufficient understanding of the systems they use |
| GPAI model obligations (Articles 51-56) | 2 August 2025 | Technical documentation, copyright transparency, systemic risk assessment |
| Authorised Representative for GPAI | 2 August 2025 | Non-EU GPAI providers must have an EU representative |
The AI literacy obligation deserves particular attention for small businesses. Article 4 requires every provider and deployer to ensure that staff dealing with AI systems have a sufficient level of AI literacy, taking into account their technical background, training, and the context of use. This is not a training aspiration. It is a legal obligation that applies now, to every business using AI professionally, regardless of the risk tier of the systems in use.
8. Prohibited Practices: What You Cannot Do
The following AI practices are banned outright under Article 5 of the Act. If your business operates any of these systems, it is already in breach.
| Prohibited practice | What it covers |
|---|---|
| Subliminal manipulation | AI that uses techniques below conscious perception to influence behaviour harmfully |
| Exploitation of vulnerabilities | AI targeting individuals based on age, disability, or social or economic circumstances to distort behaviour |
| Social scoring by public authorities | AI that evaluates individuals based on social behaviour or personal characteristics for public authority decisions |
| Real-time biometric surveillance | AI enabling real-time remote biometric identification in public spaces for law enforcement, with narrow exceptions |
| Biometric categorisation by sensitive attributes | AI inferring race, political opinion, religion, trade union membership, or sexual orientation from biometric data |
| Emotion recognition in work and education | AI inferring the emotional states of individuals in workplaces or educational settings |
| Untargeted facial scraping | AI building facial recognition databases by scraping the internet or CCTV footage without targeting |
| Predictive criminal profiling | AI making risk assessments of individuals based solely on profiling to predict criminal behaviour |
Small businesses are not exempt from these prohibitions. A recruitment tool that uses emotion recognition during video interviews, or a retail platform that categorises customers by inferred emotional state, is already operating an unlawful AI system.
9. The SME Protections in the AI Act
The Act contains specific provisions designed to reduce the compliance burden on small businesses. These do not remove obligations but they do affect how obligations are applied and what financial exposure looks like.
| Protection | What it provides | Legal basis |
|---|---|---|
| Reduced fines | For SMEs and start-ups, fines are capped at the applicable percentage or the fixed amount, whichever is lower | Article 99(6) |
| Priority access to regulatory sandboxes | National authorities must give priority access to SMEs and start-ups in AI regulatory sandboxes | Article 57(3) |
| Free sandbox access | SMEs participating in regulatory sandboxes should not bear fees for participation | Article 57 |
| Simplified technical documentation | The Commission may adopt implementing acts specifying simplified technical documentation requirements for SMEs | Article 11(3) |
| Dedicated support channels | National competent authorities must provide guidance and support specifically directed at SMEs | Article 96 |
| Proportionate conformity assessment | Conformity assessment procedures take into account the size of the provider, including SME status | Article 43 |
The regulatory sandbox provisions are particularly relevant for small businesses building AI products. A sandbox allows you to develop and test AI systems in a controlled environment under regulatory supervision, with reduced compliance obligations during the testing phase. As of May 2026, several EU member states have operational AI sandboxes accepting applications from SMEs.
10. Non-EU Small Businesses Selling to EU Customers
If your business is established outside the EU but your AI systems affect people in the EU, the Act applies to you on the same basis as it applies to EU businesses. The obligation to appoint an Authorised Representative is the most immediate practical consequence.
| Situation | Requirement | Deadline |
|---|---|---|
| Non-EU provider of GPAI model | Appoint EU-established Authorised Representative | 2 August 2025 |
| Non-EU provider of high-risk AI system | Appoint EU-established Authorised Representative | 2 August 2026 |
| Non-EU business using AI tools internally with no EU market placement | No Authorised Representative required | Not applicable |
The Authorised Representative must be established in the EU. A UK-based representative does not qualify post-Brexit. The representative accepts a written mandate and takes on direct regulatory obligations, including holding technical documentation for 10 years, cooperating with authorities, and terminating the mandate and notifying regulators if the provider breaches the Act.
Non-EU small businesses should treat Authorised Representative appointment not as a filing exercise but as a substantive compliance appointment. The representative will be the first point of contact for any regulatory investigation in the EU.
11. Practical Compliance Steps for Small Businesses
The following sequence gives small businesses a structured path to compliance without building a legal team from scratch.
Step 1: Inventory your AI systems
List every AI tool your business uses or has built. Include internally developed systems, vendor-supplied tools, and any AI features embedded in software you use. For each, record the name, the vendor or developer, the business function it supports, and who uses it.
Step 2: Determine your role for each system
For each AI system, determine whether your business is the provider, deployer, importer, or distributor. Use the questionnaire in Section 12 of this guide.
Step 3: Classify each system by risk tier
For each system, determine whether it falls into unacceptable, high, limited, or minimal risk. Cross-reference the Annex III domains in Section 5. If the system is used in an Annex III context, classify it as high-risk regardless of how the vendor describes it.
Step 4: Address AI literacy now
The AI literacy obligation under Article 4 is already in force. Ensure that every member of staff who uses or operates an AI system understands what it does, what risk category it falls into, and what the business’s obligations are as deployer or provider. Document this training.
Step 5: Check for prohibited practices
Review your AI inventory against the prohibited practices in Section 8. If any system falls into a prohibited category, discontinue its use.
Step 6: Map your obligations by role and risk tier
Using the tables in Section 6, identify every obligation that applies to your business. Assign responsibility for each obligation to a named person in your organisation.
Step 7: Prioritise high-risk obligations
If any of your systems are high-risk, begin the conformity assessment, technical documentation, and quality management system work now. These take months. August 2026 is not sufficient lead time if you begin in 2026.
Step 8: Appoint an Authorised Representative if required
If your business is established outside the EU and places high-risk AI systems or GPAI models on the EU market, identify and appoint an Authorised Representative before the applicable deadline.
12. Role Determination Questionnaire
Work through the questions below to determine your role under the Act. Stop when you reach a confirmed answer. You may hold more than one role.
Q1. Did your business develop the AI system and does it operate under your name or trademark?
Yes: You are a provider. If the system is high-risk, full provider obligations apply. If it is a GPAI model, GPAI obligations apply.
No: Proceed to Q2.
Q2. Did your business take a third-party AI system, substantially modify it, and deploy it under your own name?
Yes: You are a provider of the modified system. The Q1 outcome applies to you.
No: Proceed to Q3.
Q3. Does your business use an AI system in a professional context, including vendor-supplied tools?
Yes: You are a deployer. Proceed to Q4.
No: Proceed to Q5.
Q4. Is the AI system used in any of these contexts: hiring, performance management, credit decisions, medical diagnosis, education access, law enforcement, critical infrastructure, or migration?
Yes: You are a deployer of a high-risk AI system. Article 26 obligations apply, including human oversight, FRIA, log retention, and staff notification.
No: You are a deployer of a lower-risk system. Transparency obligations may apply if the system is a chatbot, deepfake tool, or emotion recognition system.
Q5. Is your business EU-established and do you place on the EU market an AI system under a non-EU vendor’s name?
Yes: You are an importer. Pre-market verification obligations under Article 23 apply.
No: Proceed to Q6.
Q6. Does your business make an AI system available on the EU market without being the provider or importer?
Yes: You are a distributor. Verification obligations under Article 24 apply. If you modify the system or place it under your own name, you become a provider.
No: The Act may not apply to your business in a capacity requiring active compliance obligations. Revisit this assessment whenever you adopt a new AI tool or change how you use an existing one.
13. Frequently Asked Questions
We are a small business with ten employees. Does the EU AI Act really apply to us?
Yes. The Act does not set a minimum employee or revenue threshold for applicability. Size affects the level of fines and your access to regulatory sandboxes, but it does not remove your obligations. If you use AI professionally or build AI products, you are in scope.
We use AI tools from major vendors like Microsoft or Google. Are we not covered by their compliance?
No. Vendor compliance covers the provider’s obligations. As a deployer, you carry independent obligations under Article 26, including human oversight, impact assessments, and log retention if the system is high-risk. A vendor’s EU compliance documentation does not satisfy your obligations as deployer.
We are a Canadian company with EU customers. Which rules apply to us?
The same rules that apply to EU-established businesses, with the addition of the Authorised Representative requirement. If you provide a GPAI model to EU customers, you needed an EU Authorised Representative from 2 August 2025. If you provide a high-risk AI system, you need one from 2 August 2026.
What is the AI literacy obligation and how do we meet it?
Article 4 requires you to ensure that staff who deal with AI systems have a sufficient level of understanding of those systems, assessed against their technical background and the context of use. In practice, this means staff using or overseeing AI tools should be able to explain what the system does, what its risk classification is, and what your business’s obligations are. Document the training you provide and update it when you adopt new AI tools.
We use an AI hiring tool from a vendor who says it is compliant. Are we protected?
Vendor compliance does not transfer to you as deployer. If the hiring tool falls within Annex III (employment and workers' management), you must independently conduct a Fundamental Rights Impact Assessment, implement human oversight, retain operational logs for six months, and inform candidates that an AI system is being used. The vendor's compliance covers their provider obligations. Yours remain yours.
What happens if we do not comply?
Administrative fines for breaching provider, deployer, importer, or Authorised Representative obligations reach up to EUR 15,000,000 or 3% of worldwide annual turnover, whichever is higher. For SMEs, fines are capped at the lower of the applicable percentage or fixed amount. Beyond fines, authorities can require you to withdraw AI systems from the EU market, which for a small business dependent on EU revenue is a more serious consequence than any fixed penalty.
Our AI system is not on the prohibited list and not in Annex III. Do we have any obligations?
Yes. The AI literacy obligation under Article 4 applies to all providers and deployers regardless of risk tier. If your system interacts with end users, transparency obligations under Article 50 may apply. If your system generates content or images, labelling requirements may apply. Minimal or no risk does not mean zero obligations.
We built our product on top of a foundation model. Are we a provider?
Yes. If you integrate a foundation model into a product that you place on the market or put into service under your own name, the Act treats you as the provider of that product. Your obligations depend on what the product does. If it falls within an Annex III domain, you are a provider of a high-risk AI system.
Can we use a regulatory sandbox to test our product before committing to full compliance?
Yes. The Act requires member states to establish AI regulatory sandboxes, and national authorities must give priority access to SMEs and start-ups. A sandbox allows you to develop and test your AI system under regulatory supervision with a reduced compliance burden during the testing period. Contact the national competent authority in the member state where you intend to establish or operate for current sandbox availability.
The Digital Omnibus proposes changes to the Act. Should we wait for those before starting compliance work?
No. The Digital Omnibus proposals are under negotiation as of May 2026 and have not been adopted. Even if they are adopted in a form that adjusts the August 2026 high-risk AI timeline, obligations already in force (prohibited practices, AI literacy, GPAI obligations) will not be affected. The work required to comply with August 2026 obligations takes months. Waiting for regulatory certainty before beginning is not a sound approach.
This guide reflects the text of Regulation (EU) 2024/1689 as published in the Official Journal on 12 July 2024 and applicable guidance issued by the European AI Office through May 2026. It is published by Grecta for general informational purposes and does not constitute legal advice. Businesses should obtain advice specific to their products, operations, and markets.