Skip to content
easyAI
Products▼
  • AI Foundation Audit
  • AI ROI Calculator
  • GDPR Accountability Snapshot
Insights
  • Products
    • AI Foundation Audit
  • Free Tools
    • AI ROI Calculator
    • GDPR Accountability Snapshot
  • Insights
  1. Home
  2. Insights
  3. EU AI Act Compliance for SMEs: The Documentation Guide

EU AI Act Compliance for SMEs: The Documentation Guide

A deployer-first EU AI Act compliance guide for SMEs: the five-step path, the nine-document pack, and the corrected post-Omnibus 2026 timeline.

EU AI Act Compliance for SMEs: The Documentation Guide
Methodology by Daniela Piskackova — Co-founder & AI Audit Lead·Published July 13, 2026

Ask ten small-business owners whether the EU AI Act applies to them and nine will say "that is for the tech giants." It is not. If your company uses AI — a support chatbot, a CV-screening tool, a sales-call summariser — the Act treats you as a deployer, and deployers carry obligations of their own. This guide is the deployer-first path through them: who is in scope, the five steps to compliant, which documents prove it, and the corrected timeline after the Digital Omnibus.

Quick Answer. The EU AI Act applies to SMEs that use AI — as "deployers" — not only to those that build it. EU AI Act compliance for an SME is five steps: inventory every AI system, classify each by risk, apply the matching obligations, produce the documentation, and train staff. For most SME systems the work is transparency and records, not a conformity assessment.

Last updated: 13 July 2026 · Verified against Regulation (EU) 2024/1689 as amended by the Digital Omnibus (adopted and signed; awaiting Official Journal publication).

Summary

EU AI Act for SMEs — a documentation pack, not a panic
│
├─ You are a deployer, and you are in scope
│   ├─ Use AI at work (chatbots, HR, scoring)? The Act reaches you
│   ├─ Non-EU too — selling into the EU pulls you in
│   └─ Company size is no defence; duties scale by risk, not headcount
│
├─ Five steps to compliant
│   ├─ Inventory → classify → obligations → documents → training
│   ├─ Most SME AI is limited-risk — transparency, not conformity
│   └─ Nine editable documents carry the whole paper trail
│
└─ The clock, corrected after the Omnibus
    ├─ Live now — Art. 5 bans, Art. 4 literacy, penalties applicable
    ├─ 2 Aug 2026 — Art. 50 transparency, NOT delayed
    └─ 2 Dec 2027 — high-risk (Annex III), delayed by the Omnibus

Who does the EU AI Act actually apply to?

The Act splits the world into roles. A provider builds or supplies an AI system; a deployer uses one under its own authority. The obligations differ, and most small and medium-sized companies are deployers — they buy AI, they do not build it. When you switch on a support chatbot, screen CVs with an assistant, or run a credit or fraud score from a vendor tool, you are deploying AI and the Act reaches you [1].

Two facts surprise most owners. First, company size is not a defence. The Regulation classifies systems by use and risk, not by headcount or turnover; a forty-person firm running a CV screener carries the same deployer duties for that system as a multinational [1]. Second, the Act is extraterritorial. A US, UK or Swiss company placing an AI system on the EU market, or whose system's output is used in the EU, is in scope even without an EU office [1]. Selling into the single market brings the rules with the sale.

What SMEs mostly do not need to worry about is the heaviest tier. The Act reserves its most demanding obligations — conformity assessment, technical documentation, registration — for high-risk systems and their providers. The everyday SME toolkit (chatbots, drafting aids, meeting summarisers, general software with AI features) is usually limited-risk or minimal-risk, where the duty is transparency and good record-keeping [2]. Classification, not panic, is the first job.

Take a ninety-person wholesaler running three AI tools: a website chatbot, a CV-screening assistant in HR, and a tool that drafts supplier emails. All three make the firm a deployer. Two of them — the chatbot and the email drafter — are limited or minimal risk, so they need transparency and records. The CV screener, used to filter candidates, is the one to look at hard, because employment screening is a high-risk context. Same company, same afternoon, three different obligation sets — which is exactly why the work starts with a list, not an assumption.

What does "deployer-first" compliance mean?

Because the SME is nearly always the deployer, the practical duties are a short, specific list rather than the full provider regime:

  • Transparency (Article 50). Tell people when they are interacting with an AI system, and label AI-generated or manipulated content such as synthetic media. These rules apply across risk tiers and are among the first to bite [1].
  • AI literacy (Article 4). Ensure staff who use or oversee AI have a level of understanding proportionate to their role. This duty has applied since 2 February 2025 and is easy to miss [1].
  • Human oversight and correct use (for high-risk deployers). Use the system as instructed, keep a competent human able to intervene, and keep logs. This bites only if you deploy a high-risk system, but when it does, it stays with you [1].
  • Vendor due diligence. The provider's paperwork does not become yours automatically. Keeping the model card, terms and any conformity information on file is how you show you chose and use the tool responsibly.

The recurring theme is that a vendor contract does not transfer the deployer's job. Buying an enterprise tier covers what the provider must do; it does not classify your use case, write your policy, train your people, or produce your transparency notices.

The five-step compliance path for an SME

Compliance is less a legal exam than a sequence. For a deployer, it runs from a list of systems to a folder of evidence.

The five-step EU AI Act path for SME deployersA deployer lists every AI system, classifies each by role and risk tier, applies the matching obligations, generates the nine-document pack, trains staff under Article 4, and ends with an evidence pack.

Prohibited

High-risk

Limited / minimal

Every AI system
your company uses

1 · Inventory
list each system

2 · Classify
role & risk tier

Stop — do not deploy
Art. 5

3 · Obligations
full duties + FRIA

3 · Obligations
transparency, Art. 50

4 · Documents
the nine-part pack

5 · Training
Art. 4 AI literacy

Evidence pack ready
register · policy · notices

From every AI system you use to an evidence pack, in five steps — inventory, classify, obligations, documents, training.

In words, the path runs like this:

  1. Inventory. List every AI system in use, including the ones nobody formally approved — the AI features baked into your office suite, browser extensions, and niche SaaS modules. If you have never done this, our companion guide on how to build your AI register in about 90 minutes is the fastest way to a first draft.
  2. Classify. For each system, decide the role (you are almost always the deployer) and the risk tier — prohibited, high-risk, limited-risk or minimal-risk — from how the system is actually used. This step decides everything that follows.
  3. Obligations. Read off the duties for each tier. Prohibited use stops. High-risk use triggers the full set, including a fundamental rights impact assessment. Limited and minimal risk resolve to transparency and records.
  4. Documents. Produce the written evidence — register, policy, notices, training materials — that shows the first three steps were done.
  5. Training. Run the Article 4 AI-literacy programme and keep the training records, so the duty that has been live since February 2025 is actually met.

Nothing here requires a law degree. It requires that the work is done once, written down, and kept current.

How do I classify a system's risk tier?

Classification is the hinge of the whole process, and the Act uses four tiers.

  • Prohibited (Article 5). A short list of banned uses — social scoring, certain biometric practices, manipulative systems that exploit vulnerabilities. If a use falls here there is no compliant version; it stops. Few SME tools land in this tier, but it is worth checking against the list [1].
  • High-risk (Annex III and Annex I). Systems used in sensitive contexts such as employment and worker management, access to essential services, or creditworthiness assessment. A CV-screening tool used to filter candidates is the classic SME example. High-risk use carries the full obligation set, including a fundamental rights impact assessment for many deployers [1].
  • Limited-risk. Systems that interact with people or generate content — chatbots, AI writing aids, synthetic media. The duty here is transparency under Article 50: tell people they are dealing with AI, and label AI-generated content [1].
  • Minimal-risk. Everything else — spam filters, AI features buried in ordinary software. No specific obligations beyond good practice, though the Article 4 AI-literacy duty still covers the staff who use them.

The tier follows the use, not the vendor's label. The same large-language-model assistant is minimal-risk when it drafts marketing copy and high-risk when it scores job applicants. That is why classification is done per system and per use case, and why it is written down: a regulator or a customer will ask how you reached each verdict. Work through your inventory one row at a time, record the tier and the reason, and the remaining obligations read off almost mechanically.

What is the EU AI Act timeline after the Digital Omnibus?

This is where most published advice is now wrong. A large share of ranking content still says high-risk obligations land on 2 August 2026 — the pre-Omnibus date. The Digital Omnibus amendment changed that. It is adopted and signed and awaiting Official Journal publication (Council gave its final green light on 29 June 2026; the act was signed on 8 July 2026, under procedure 2025/0359(COD)) [5][6]. Here is the corrected schedule.

DateWhat applies
2 Feb 2025Article 5 prohibitions + Article 4 AI-literacy duty (already in force)
2 Aug 2025GPAI obligations + Article 99 penalties applicable since this date
2 Aug 2026Article 50 transparency + enforcement machinery — NOT delayed
2 Dec 2026legacy Article 50(2) branch + NCII/CSAM prohibited-practice additions
2 Aug 2027national regulatory sandboxes operational
2 Dec 2027Annex III high-risk obligations (delayed by the Omnibus from 2 Aug 2026)
2 Aug 2028Annex I high-risk obligations

The single most misread point: the Omnibus delayed only the Annex III high-risk regime, from 2 August 2026 to 2 December 2027 [5]. It did not delay Article 50 transparency, and it did not delay the enforcement machinery — both still start on 2 August 2026 [3]. Article 5 bans and Article 4 AI literacy have been live since February 2025, and penalties have been applicable since 2 August 2025 [1][3]. So "we have until 2027" is only true for the high-risk tier that most SMEs do not touch. The transparency and literacy duties an SME actually carries are here now.

What documentation does the EU AI Act require?

Compliance is proven on paper. For a limited-risk SME deployer, a complete evidence set is a small, specific pack of living documents — not a binder of legal theory. The free EU AI Act Documentation tool generates exactly this pack, editable and tailored to the systems you describe. Here is what each part is for.

DocumentFormatWhat it is for
Documentation GuidePDFThe plain-language map of your obligations and how the other documents fit together.
EU AI Act ReportPDFYour systems classified by role and risk, with the obligations and dates that apply to each.
AI systems registerXLSXThe living inventory: each system, vendor, use case, data, risk tier and owner.
Internal AI use policyDOCXThe house rules for staff — what is allowed, what is banned, who signs off.
AI literacy programmeDOCXThe Article 4 training content, scaled to roles from all-staff to AI owners.
Training-record templateDOCXProof the training happened — who was trained, on what, and when.
Vendor checklistDOCXThe due-diligence questions to ask each AI supplier and keep on file.
AI transparency noticesDOCXReady wording to tell users they are dealing with AI, per Article 50.
Roadmap one-pagerPDFThe dated action list — what to do before each deadline that applies to you.

Free checkers tell you if the AI Act concerns you. This tool generates the actual documents — a complete pack, tailored to your systems, in your language, free.

Generate your own EU AI Act report + document pack — free, in ~20 minutes: https://aiprioritymap.com/en/tools/eu-ai-act

How do EU AI Act fines work for SMEs?

Penalties are real, and they have been applicable since 2 August 2025 [1][3]. Article 99 sets three tiers by the seriousness of the breach.

BreachMaximum fine
Prohibited practices (Article 5)€35 million or 7% of total worldwide annual turnover
Most other breaches (e.g. provider or deployer obligations)€15 million or 3% of turnover
Supplying incorrect, incomplete or misleading information€7.5 million or 1% of turnover

For each tier the figure is the higher of the fixed amount or the percentage — except for one rule that matters enormously to smaller firms. For SMEs and start-ups, the fine is the lower of the two figures [1]. A small company is measured against whichever of the fixed sum or the percentage is smaller, not the larger. It is a genuine proportionality carve-out, and it is little known. The way to stay well clear of any tier is the same: an honest inventory, a correct classification, and the documents that show both.

How does the AI Act sit alongside GDPR and your other duties?

The AI Act does not replace your existing obligations; it sits on top of them. If your AI processes personal data — and most HR, support and marketing AI does — the GDPR still applies in full, and the two regimes overlap in practice. A useful way to see how the pieces fit is our cornerstone on how the AI Act sits alongside GDPR and UK data rules, which maps the shared spine of register, oversight and record-keeping.

Be clear about the boundary, though: the AI Act is its own regime. It does not, by itself, deliver GDPR compliance, a NIS2 cybersecurity posture, or a data protection impact assessment. Treat the documentation pack in this guide as the AI-Act layer, and keep your GDPR and security work as their own tracks that it plugs into.

What this guide and the free tool are — and are not

Honesty is part of the method. The free EU AI Act Documentation tool is a genuine head start: a ~20-minute wizard that classifies each system you describe and generates a complete, editable pack, with no trial, no locked pages and no sales call — only an email address for delivery.

It is deliberately not several things. It is not legal advice. It is not an audit or a certification, and it does not perform a conformity assessment or produce CE marking for high-risk systems — that is provider-side work with an independent element. It does not register anyone in the EU database, and it does not cover GDPR or NIS2. Where a system sits on a borderline — a tool that might or might not be high-risk — it is flagged as uncertain, with professional review recommended rather than a false all-clear. A document pack you can defend starts from an honest classification, and honest sometimes means "get a specialist to look."

What to do before 2 August 2026

You do not need a project office. You need to do the five steps once and keep them current. Concretely, before 2 August 2026:

  • Inventory and classify every AI system now, so you know which tier each falls in.
  • Publish transparency notices on customer-facing AI, ready for Article 50 [1].
  • Run the Article 4 literacy training and keep the records — this duty is already overdue if you have not [1].
  • File your vendor and policy documents, so the paper trail exists before anyone asks for it.
  • Diarise the high-risk date of 2 December 2027 only if classification actually put a system in Annex III.

The deadlines that touch an ordinary SME are the ones already here — transparency, literacy, penalties — not the high-risk tier the headlines fixate on. Get the pack in place, and the next questionnaire from a customer or regulator is a file you attach, not a fire drill.

For an SME, the EU AI Act is a documentation exercise, not an engineering project: inventory your AI, classify it, apply the matching obligations, and keep the evidence current. Most systems are limited-risk, so the work is transparency and records.

Generate your own EU AI Act report + document pack — free, in ~20 minutes: https://aiprioritymap.com/en/tools/eu-ai-act

Related insights

  • How to Build an AI Register in About 90 Minutes — the fastest way to complete step one, the inventory that drives every later step.
  • AI Governance from Day One: GDPR and the EU AI Act — how the AI Act sits alongside GDPR and existing data rules for SMEs.

Last updated: July 2026. Version 1.0.

Frequently Asked Questions

Does the EU AI Act apply to small businesses?+
Yes. It applies by role and risk, not company size. If your SME uses AI — a chatbot, a CV screener, a scoring tool — you are a deployer with duties: transparency under Article 50 and AI-literacy training under Article 4. Most SME systems are limited-risk, so the work is records, not certification.
What documentation does the EU AI Act require from an SME?+
For a limited-risk deployer: an AI register, an internal AI use policy, an AI-literacy programme with training records, transparency notices for customer-facing AI, and vendor records. High-risk deployers add a fundamental rights impact assessment. The aim is a written, current paper trail.
What is a deployer under the EU AI Act?+
A deployer is any organisation that uses an AI system in its work, as opposed to a provider, which builds or supplies one. Buying ChatGPT, Copilot or an HR tool makes you a deployer. Deployer duties, such as human oversight and transparency, stay with you and are not transferred by contract.
Did the Digital Omnibus delay the EU AI Act for 2026?+
Only in part. The Digital Omnibus moved the Annex III high-risk obligations from 2 August 2026 to 2 December 2027. It did not move the Article 50 transparency rules or enforcement, which still apply from 2 August 2026. Article 5 bans, Article 4 literacy and penalties have applied since 2025.
How much are EU AI Act fines for a small business?+
Article 99 sets three tiers: up to €35M or 7% of global turnover for prohibited practices, up to €15M or 3% for most other breaches, and up to €7.5M or 1% for supplying incorrect information. For SMEs and start-ups the fine is the lower of the fixed sum or the percentage, whichever is smaller.
Does my SME need a conformity assessment for its AI?+
Usually not. A conformity assessment applies to high-risk systems and is mostly the provider's job. Most SME tools — chatbots, drafting aids, software with AI features — are limited or minimal risk. Classify first; if none is high-risk, you owe transparency and records, not an assessment.
Is the free EU AI Act Documentation tool a substitute for legal advice?+
No. It generates an editable documentation pack tailored to the systems you describe, so you start from drafts, not a blank page. It is not legal advice, an audit, a certification or a conformity assessment, and it does not register you in the EU database. Borderline systems are flagged for review.

Sources

  1. 1.Regulation (EU) 2024/1689 — Artificial Intelligence Act (consolidated text, CELEX 32024R1689) — European Parliament and Council of the European Union · 2024↗
  2. 2.Regulatory framework on AI — European Commission · 2024↗
  3. 3.Timeline for the implementation of the EU AI Act — European Commission — AI Act Service Desk · 2026↗
  4. 4.AI Act — Frequently Asked Questions — European Commission — AI Act Service Desk · 2026↗
  5. 5.Artificial intelligence: Council gives final green light to simplify and streamline rules (29 June 2026) — Council of the European Union · 2026↗
  6. 6.Digital Omnibus on AI — proposal COM(2025) 836 (CELEX 52025PC0836) — European Commission · 2025↗
  7. 7.European AI Office — European Commission · 2024↗
  8. 8.EU AI Act: first regulation on artificial intelligence — European Parliament · 2024↗

Want this run on your business?

AI Foundation Audit — a structured assessment of your AI footprint: integration risks, governance gaps, ROI opportunities. Delivered as a comprehensive report you can act on.

Start your audit →

You receive your Executive Report and Implementation Brief — tailored to your business and delivered immediately.

AI by the math. No deck, no meetings. No call. Just click.

PRODUCTS
  • AI Foundation Audit
  • All products
COMPANY
  • About
  • Contact
  • info [at] easy-audit [dot] ai
LEGAL
  • Terms of Service
  • Privacy Policy
  • AI Transparency
  • Cookie Policy
  • Complaints

© 2026 easyAI · All rights reserved. · easyAI is operated by DDN Consulting s.r.o., based in the EU.

Inspired by ISO/IEC 42001 + NIST AI RMF + EU AI Act principles. easyAI is not a certification body. Our methodology is inspired by ISO 42001 and NIST AI RMF principles; we do not provide formal certification or conformity audits.

easyAI