If you run a small business in the EU and you use ChatGPT, Claude, an AI chatbot on your website, or an automated CV-screening tool, the EU AI Act applies to you. That sentence panics most owners we speak to — and almost always unnecessarily. The vast majority of SMBs fall into the lowest risk tiers, where compliance is essentially a paperwork exercise plus a few sensible internal practices. The problem is that the law is long, the official guidance is dense, and the headlines tend to focus on fines big enough to wipe out a small business overnight.
This guide cuts through the noise. We will walk through what the EU AI Act actually requires for a typical small business, the deadlines you genuinely need to track, and a practical checklist you can complete this week without hiring a lawyer. None of this is legal advice — if you build or sell an AI product, you should still talk to a specialist — but for the 95% of SMBs that simply use AI tools, this is the playbook.
What the EU AI Act actually is (and why it matters)
The EU AI Act is the world's first comprehensive regulation of artificial intelligence. It became law in August 2024, with provisions phasing in gradually through 2027. Like the GDPR before it, it applies to any business that operates in the EU, sells to EU customers, or processes data on EU residents — even if your company is registered elsewhere. UK, US, and other non-EU SMBs that sell into the European market are very much in scope.
The Act takes a risk-based approach. Rather than treating all AI the same, it sorts AI systems into four tiers based on the potential for harm. The tier you fall into determines what you need to do — from doing nothing extra (most SMB use cases) to extensive documentation, audits, and registration (a small minority of high-risk applications). Understanding which tier you are in is the single most important compliance step.
The fines are real. They scale with the severity of the breach: up to €35 million or 7% of global annual turnover for prohibited AI use, up to €15 million or 3% for high-risk system breaches, and up to €7.5 million or 1% for supplying incorrect information to regulators. SMBs and start-ups get the lower of the two figures, which is meant to be proportionate — but a 1% turnover fine on a €500,000-revenue business is still €5,000 you would much rather not pay.
The four risk tiers, in plain English
Tier 1: Unacceptable risk — banned outright
This is a short list of practices the EU has decided are simply not allowed. Examples include social scoring of citizens, real-time biometric identification in public spaces (with narrow law-enforcement exceptions), AI that exploits vulnerabilities of specific groups, and emotion recognition in workplaces or schools. Almost no SMB is doing any of this. If you run a marketing agency, an accounting firm, an e-commerce shop, or a consultancy, you can safely tick this tier off.
Tier 2: High-risk — heavy obligations
High-risk AI is software used in domains where mistakes can harm people materially. The list includes AI used in hiring decisions, credit scoring, education admissions, critical infrastructure, medical devices, and law enforcement. If you build or operate AI in any of these areas, you face the heaviest obligations: risk management systems, data governance, technical documentation, human oversight, accuracy and cybersecurity standards, registration in an EU database, and post-market monitoring.
Crucially, this can pull in SMBs by surprise. If you run a recruitment business and use an AI tool to rank or screen CVs, that is a high-risk use case — even though you are just buying a SaaS tool from a vendor. You become the "deployer" of a high-risk system, and you inherit a meaningful share of obligations: maintaining logs, ensuring human oversight, informing affected candidates, and being able to explain decisions.
Tier 3: Limited risk — transparency obligations
This is where most SMB-facing AI lives. Chatbots, AI-generated content, deepfakes, and emotion-recognition systems all fall here. The obligation is essentially honesty: tell users when they are interacting with AI, label AI-generated images and audio, and disclose deepfakes. If you have a chatbot on your website or use AI to generate marketing copy, this tier applies.
Tier 4: Minimal risk — no specific obligations
Spam filters, AI-enabled video games, basic recommendation engines, and most internal productivity uses of AI sit here. The Act imposes no new obligations beyond existing law. Voluntary codes of conduct are encouraged but not required.
What this means for a typical SMB
Let's translate the tiers into the AI uses we actually see in small businesses every day.
Using ChatGPT, Claude, or Gemini for drafting, research, or analysis. Minimal risk. No specific Act obligations. Your existing duties under GDPR still apply — do not paste personal data into consumer-tier tools without checking the data-processing terms first.
Running an AI chatbot on your website or in your support inbox. Limited risk. You must disclose that users are interacting with an AI. A short line in your chat window or an opening message such as "You're chatting with our AI assistant — type 'human' any time to reach a person" satisfies this.
Generating marketing images, voice-overs, or video with AI. Limited risk. You should label AI-generated content where it could be mistaken for real. A small "AI-generated" caption on synthetic imagery, or a note in the description, is good practice and increasingly an explicit requirement.
Automating CV screening, interview scoring, or hiring rankings. High-risk. This is the single most common way SMBs accidentally end up in the heavy-obligation tier. If you cannot live without an AI screening tool, choose a vendor that explicitly documents their EU AI Act compliance, keep human review in the loop for every shortlisting decision, and inform candidates that AI is part of the process.
Using AI for credit scoring, insurance underwriting, or loan decisions. High-risk. The same logic applies: vendor compliance, human oversight, candidate or customer notification, and documentation.
Internal productivity tools (meeting summarisers, code assistants, email drafters). Minimal or limited risk depending on use. As long as you are not generating outputs presented as if they were human-authored to external parties without disclosure, you are usually fine.
The deadlines that actually matter in 2026
The Act phases in across roughly three years. As of April 2026, three milestones already apply, and a fourth is on the immediate horizon.
2 February 2025 — Prohibited practices. Already in force. The bans on social scoring, manipulative AI, and the other unacceptable-risk practices are live. Compliance for SMBs simply means: do not do these things.
2 August 2025 — General-purpose AI rules. Already in force. These obligations sit primarily with the foundation model providers (OpenAI, Anthropic, Google, Mistral and so on), not their downstream users. As an SMB, your role is to keep using reputable providers and check their terms when they update.
2 August 2026 — The big one. The bulk of the Act's obligations — including transparency duties for limited-risk systems and most high-risk obligations — come into force. This is the deadline to plan against. By August 2026, your chatbot disclosures should be live, your AI-generated content should be labelled, and any high-risk use cases should have a documented compliance approach.
2 August 2027 — Full enforcement. Remaining provisions, including high-risk AI embedded in products already regulated under EU product safety law, become enforceable. Most SMBs will not be affected here; those that are will already know.
Not sure where AI fits in your business?
Take our free 3-minute AI Readiness Quiz to see which tier you are in, where you stand on AI maturity, and what to focus on next.
Take the Free Quiz →A practical SMB compliance checklist
Here is a checklist most SMBs can complete in a single afternoon. It will not turn you into a regulated AI provider — it will simply put you in the position of being able to demonstrate, if asked, that you took the law seriously and acted on it.
- List every AI tool you use. Include consumer-tier tools your team uses informally. Include features quietly powered by AI inside your existing software (CRM, email platform, design tools). You cannot manage what you have not listed.
- Tag each tool with a risk tier. Use the four-tier framework above. Most rows will be minimal or limited risk. Flag anything in hiring, credit, education, or critical infrastructure as high-risk and treat it separately.
- Add an AI disclosure on customer-facing chat. A single sentence on your chatbot welcome message and in your privacy notice is enough. Make sure customers can ask for a human.
- Label AI-generated content. Add a small "AI-generated" or "Generated with AI assistance" tag on synthetic images, voice-overs, and video that could be mistaken for real recordings. Disclose AI-assisted text in newsletters or blog posts where transparency adds trust.
- Update your privacy notice. Briefly explain which AI tools you use, what data flows to them, and the legal basis. This also clears up GDPR overlap that often causes more practical pain than the AI Act itself.
- Train your team in 30 minutes. Three rules: never paste customer personal data, financial data, or confidential strategy into consumer-tier AI tools; always disclose AI use externally where required; flag anything that looks like a high-risk use case to a designated owner.
- Pick an internal AI owner. Even a part-time owner is enough — someone who keeps the tool list up to date, watches for new high-risk use cases, and acts as the contact point if a vendor or regulator gets in touch.
If you complete those seven steps, you will be in better shape than the majority of SMBs we audit. The Act is far less dramatic for a typical small business than the headlines suggest — but it does reward proactive owners who do the basics on time.
Common AI Act mistakes SMBs are making in 2026
Treating it as a problem only big tech needs to worry about. The Act applies to deployers, not just developers. If you use a high-risk AI tool, the obligations partially follow you, regardless of business size.
Assuming GDPR compliance equals AI Act compliance. They overlap, but they are different regimes. GDPR is about personal data; the AI Act is about how AI systems behave. You can be GDPR-compliant and still breach AI Act transparency rules — or vice versa.
Hiding AI use from customers in the hope they will not notice. Customers usually do not mind AI. They mind being deceived. The transparency obligations exist to prevent the second, and they line up neatly with what good marketing already calls for: be honest, build trust, do not pretend a chatbot is a person named Sarah.
Buying a "compliance platform" before doing the basics. SaaS vendors are racing to sell AI Act compliance tooling. For a small business, almost none of it is necessary. A short tool inventory, a chatbot disclosure, a content label, and a trained team will get you 90% of the way there. Spend on tooling only if a specific obligation justifies it.
The EU AI Act is not designed to punish small businesses that use AI thoughtfully. It is designed to push everyone toward the kind of transparency and oversight that should already be a competitive advantage in 2026.
Treat compliance as a trust-building exercise, not a tax. Customers, employees, and partners increasingly want to know how AI is showing up in the products and services they buy. The owners who can answer that question clearly — with a short list of tools, a few simple disclosures, and a named human in charge — will win more business than they lose.
How this fits into your wider AI strategy
Compliance is the floor, not the ceiling. The same audit that gets you AI Act-ready also produces the raw material for a real AI strategy: a clear picture of where AI shows up in your business, where it is delivering value, and where it is creating quiet risk. That is also the starting point for prioritising your next investments — which is why we recommend pairing this checklist with a structured AI implementation plan.
If you have not yet mapped how AI fits into your wider business, our guides on building an AI strategy for a small business, the AI readiness assessment for SMBs, and the most common AI mistakes small businesses make are good companions to this one. Compliance, strategy, and execution work best when they are designed together.
Build your full AI strategy — not just the compliance bit
Our AI Integration Roadmap gives you a step-by-step plan that connects compliance, strategy, and execution — so you can move fast without tripping over the Act.
Take the Free Quiz → View Products →