
Small Business Guide to EU AI Act Compliance in 2026

If you are a small business in the EU using AI, here is what you actually need to do by August 2026 — without hiring a compliance team.


Quick answer

Most small businesses in the EU do not operate high-risk AI systems themselves — they use AI as a deployer (e.g. an HR tool with automated CV screening, a customer-service chatbot, or a credit-scoring SaaS). Your compliance load is a fraction of what providers carry, but it is not zero. This guide covers the four things a small EU business must do before 2 August 2026.

Are you a provider or a deployer?

You are a deployer if you use an AI system under a third party's name and branding. You are a provider if you develop or place an AI system on the market. Most small businesses are deployers. The obligations are very different.

Four things every small EU business must do

1. AI system inventory (low cost)

List every AI system in use: HR tools, marketing analytics, chatbots, CRM scoring, accounting automation. For each, record: vendor, use case, who is affected (employees, customers, applicants), and whether any automated decisions are made.

2. Risk-tier each system

Most SME uses are limited risk (chatbots, content generation — transparency obligations only) or minimal risk (spam filters, game AI — no obligations). If you use AI for recruitment, employee management, credit scoring, or essential services, you may be using a high-risk system and have deployer obligations (Article 29).

3. Deployer obligations for high-risk AI

  • Use the system in accordance with instructions for use
  • Ensure human oversight is carried out by a qualified person
  • Ensure input data is relevant and representative
  • Monitor operation and inform the provider of incidents
  • Keep automatic logs for 6 months (or as required by law)
  • Inform affected workers before deployment (Article 26(7))
  • Complete a fundamental rights impact assessment (FRIA) if you are a public body or provide essential services

4. Vendor diligence

Ask vendors for their EU Declaration of Conformity, CE marking, and instructions for use. Serious vendors have these. If a vendor does not have them by Q3 2026, it is not compliant, and that is a red flag for you too.

What small businesses don't need to do

  • Build a full quality management system (QMS); that is the provider's job
  • Produce Annex IV technical documentation
  • Register systems in the EU database (provider job)
  • Conduct conformity assessments

SME support under the AI Act

Article 62 explicitly requires the Commission and Member States to provide support to SMEs and startups — priority access to regulatory sandboxes, reduced fees for notified body services, and awareness-raising activities. Check with your national authority for the specific programmes available in your country.

Cost of non-compliance

Fines for SMEs and startups are calculated on a sliding scale (Article 99(6)), with the lower of the percentage or fixed amount applied. But fines are not the only risk: reputational damage and contract loss (enterprise customers will demand AI Act evidence from vendors of any size) are often bigger.
