
EU AI Act Obligations for SMEs: What You Need to Track and When

AI Act, Compliance, SME

Your marketing team uses ChatGPT for content. HR runs candidates through a screening tool. Customer service has a chatbot. And accounting is experimenting with automated invoice processing.

Sound familiar? Then your business falls under the EU AI Act.

Many SME owners assume the AI Act only applies to tech companies that build AI. That is not true. The law distinguishes between providers (the builders) and deployers (the users). Most SMEs are deployers. And deployers have their own obligations. Real, concrete obligations.

This article explains what those obligations are, when they kick in, and what you can do about it starting today.

What is the EU AI Act?

The EU AI Act (Regulation (EU) 2024/1689) is the world's first comprehensive AI law. It entered into force on 1 August 2024 and governs AI systems based on risk: the higher the risk of an AI application, the stricter the requirements.

The law categorizes AI systems into four tiers:

  • Unacceptable risk: banned outright (e.g., social scoring, workplace emotion recognition)
  • High risk: strict requirements for both providers and deployers (e.g., AI in recruitment, credit scoring, biometric identification)
  • Limited risk: transparency obligations (e.g., chatbots, deepfakes)
  • Minimal risk: no specific requirements (e.g., spam filters, recommendation algorithms in internal tools)

When do the obligations kick in?

The AI Act does not take effect all at once. Here is the timeline:

| When | What |
|---|---|
| 2 February 2025 | Ban on unacceptable-risk AI systems (Article 5) and the AI literacy obligation for providers and deployers (Article 4) |
| 2 August 2025 | Rules for general-purpose AI (GPAI) models, the governance structure, and the penalty regime |
| 2 August 2026 | Most remaining obligations, including those for the high-risk systems listed in Annex III (recruitment, credit scoring, biometrics) and the transparency obligations for chatbots and deepfakes |
| 2 August 2027 | Obligations for high-risk AI built into products that already fall under EU product safety legislation (Annex I) |

This means you cannot wait until 2027. The prohibitions and the AI literacy obligation have applied since February 2025, and the deployer obligations for high-risk systems (Article 26) apply from August 2026.

Who needs to do what? Provider vs. deployer

This is where it gets real for SMEs. The AI Act places the heaviest obligations on providers, the companies that develop and market AI systems. But deployers (the organizations that put those systems to use) carry responsibilities too.

As a deployer, you need to:

  • Use AI systems according to the provider's instructions. Sounds simple, but it means you need to actually read and keep the documentation.
  • Ensure human oversight. For high-risk systems you must assign oversight to people who have the competence, training and authority to intervene, and you cannot blindly trust the output.
  • Keep the logs. For high-risk systems, you must retain the logs the system generates automatically, for at least six months unless other law requires longer, so decisions can be reviewed after the fact. Where the input data is under your control, you must also make sure it is relevant and sufficiently representative for the system's intended purpose.
  • Be transparent with affected individuals. People subject to decisions made with a high-risk system must be told that AI played a role, workers must be informed before a high-risk system is used in the workplace, and anyone talking to a chatbot must be told they are interacting with AI.
  • Check the EU database. Article 49 requires providers of high-risk AI systems, and deployers that are public authorities or act on their behalf, to register in the EU database. A private SME that only deploys a high-risk system does not register itself, but should verify that its provider has.

None of these are abstract legal theory. They are practical steps that change how you run your business day to day.

The AI system register: your new baseline document

Just as the GDPR requires a processing register, the AI Act points toward an AI system register. There is no prescribed standard format yet, but practice makes clear what belongs in it:

  • Name and description of the AI system
  • Vendor and any conformity declaration
  • Risk classification (unacceptable, high, limited, minimal)
  • Purpose of use within your organization
  • What data the system processes (link to your processing register)
  • Human oversight: who reviews the output?
  • Data processing agreement and other contractual arrangements

Article 49 of the AI Act requires providers of high-risk AI systems, and deployers that are public authorities or act on their behalf, to register in a public EU database. A private SME that merely deploys a high-risk system does not register itself, but it should check that its provider has, and note the registration in its own overview. And even if you do not use high-risk systems at all, an internal register is essential. It is your evidence that you handle AI responsibly. During an audit, a complaint, or a data breach, you want that overview ready to go.

The connection with GDPR and NIS2

The AI Act does not exist in isolation. Many AI systems process personal data, which means GDPR obligations apply in full. Think about:

  • Updating data processing agreements for AI vendors
  • Conducting a Data Protection Impact Assessment (DPIA) when AI systems make automated decisions
  • Treating GDPR compliance as the foundation on which you build AI Act compliance

And if your organization falls under the NIS2 directive, AI systems also touch your cybersecurity obligations. An AI tool with access to business-critical systems or data is a third-party service in your supply chain and belongs in your supply-chain risk assessment like any other vendor: what data leaves your environment, what access the tool has, and what happens when it is compromised or unavailable.

Practical checklist: 7 steps you can take now

You do not need to wait until the full AI Act is enforced. You can take these steps today:

1. Inventory every AI tool in your organization
Walk through each department: marketing, HR, finance, customer service, IT. Ask: which tools use AI or machine learning? Think broader than ChatGPT. Your CRM with lead scoring, your accounting software with automated categorization, your ATS with CV screening: they all count.

2. Classify by risk
Use the four categories from the AI Act. Most SME tools fall into "limited" or "minimal" risk. But HR screening tools, credit assessments, or biometric systems are likely high-risk: recruitment, creditworthiness assessment of natural persons and biometric identification are listed explicitly in Annex III. Be honest in your assessment.

3. Check your vendors
Ask your AI vendors whether they have, or plan to provide, an EU declaration of conformity. Do they have documentation on the intended use? Are there known limitations? For a high-risk system, also ask whether the provider has registered it in the EU database. This is similar to how you check processing agreements under the GDPR.

4. Update your data processing agreements
Your existing DPAs likely do not cover AI-specific requirements. Think about provisions for training data (is your data used to train the vendor's models?), output ownership, and transparency obligations. Have your DPAs reviewed and updated.

5. Establish human oversight
For each AI system, determine who is responsible for reviewing its output, and make sure that person has the competence and the authority to override it. Particularly for systems that make decisions about people (customers, employees, applicants), someone must check the output before it becomes final.

6. Train your team
Awareness is half of compliance, and since 2 February 2025 it is also a legal obligation: Article 4 requires deployers to ensure a sufficient level of AI literacy among the staff who operate AI systems. Make sure your team knows which AI tools they can use, how to use them, and where the boundaries are. This does not need to be a three-day training program. A clear internal policy document and a quarterly update will do.

7. Build your AI register
Start with a simple overview: tool, vendor, purpose, risk classification, responsible person. That is your starting point. Refine it as enforcement gets more concrete and you gain more insight into your AI landscape.

Do not wait for enforcement to begin

The temptation is understandable: "We will deal with it when we have to." But the businesses that map their AI landscape now will not have to scramble later. Just as with the GDPR: starting early means less stress and lower costs.

ComplianceHive helps you set up and maintain your AI system register, alongside your existing GDPR and NIS2 administration. Everything in one overview, so when an audit comes you are not searching but showing.

Start today. Inventory your AI tools. Classify them. Document them. That is not bureaucracy. That is control over your business.

