AISO Learn, part of AISO Group
AI Act

The EU AI Act, in plain English.

A working explanation of the law, for the people who actually have to run a business under it. Updated as the regulators update.

What the Act is, and what it is not

The EU AI Act is a regulation, which means it applies directly across all 27 member states without each country having to write its own version. It entered into force on 1 August 2024, and its obligations become applicable in staged phases through 2027.

It is not a ban on AI. It is not a completion record scheme. It is not the GDPR for AI, though it borrows the structure. The cleanest way to read it is as a risk-tiered product-safety law that happens to also impose obligations on the employers and professionals who deploy AI systems.

If you build AI, it applies to you. If you deploy AI in your work, it applies to you. If your staff use a third-party AI tool to do their jobs, the deployer obligations apply to you.

The four risk tiers

The Act sorts AI systems into four tiers, with different rules for each.

  • Prohibited. A short list of use cases the Act bans outright - social scoring by public authorities, real-time biometric identification in public spaces with narrow exceptions, emotion recognition in workplaces and schools, and a few others. Enforceable from 2 February 2025.
  • High-risk. The long list - systems used in credit scoring, hiring, medical devices, critical infrastructure, education decisions, law enforcement, and similar. These carry the heaviest obligations: risk management, data governance, technical documentation, human oversight, accuracy standards, and registration in an EU database.
  • Limited-risk. Systems that interact with humans or generate content - chatbots, deepfake generators, and similar - with transparency obligations (users must be told they are interacting with AI, synthetic media must be labelled).
  • Minimal-risk. Everything else. No specific obligations under the Act, though Article 4 literacy still applies to staff using them.

Most SMB AI use sits in minimal-risk or limited-risk. The traps are the specific use cases - hiring tools, credit decisions, healthcare triage - that jump a general-purpose tool into the high-risk tier the moment you use it that way.

The obligations most SMBs actually face

For the typical European small or mid-sized business using AI at work, three obligation clusters matter.

Article 4 - AI literacy. The short, early-enforcement clause. Staff and contractors dealing with the operation and use of AI systems on your behalf must have a sufficient level of AI literacy. Enforceable since 2 February 2025. Covered in depth on our Article 4 pillar.

Transparency on AI-generated content. If you deploy a chatbot, you have to tell users they are talking to an AI. If you publish synthetic images or video, you have to label them as such. Limited-risk obligations apply regardless of company size.

Vendor due diligence on high-risk tools. If a vendor’s tool is high-risk and you deploy it, you inherit deployer obligations - logging, human oversight, monitoring. A lot of SMBs do not realise this until they read their SaaS contract carefully.

The timeline - what is enforceable when

  • 2 February 2025. Article 4 literacy obligations and the prohibited-practice list are in force.
  • 2 August 2025. Rules for general-purpose AI models (the underlying models like GPT-class systems) are in force.
  • 2 August 2026. High-risk system obligations are in force for most categories.
  • 2 August 2027. High-risk rules for AI embedded in regulated products (medical devices, vehicles) are in force.

The staged rollout means the Act is already real, even though the headline high-risk obligations are still more than a year away.

What “sufficient” actually means

Article 4 uses the word “sufficient” and does not define it. That is the question every employer keeps asking us.

The working answer we use with clients:

  • Staff can describe, in plain language, what the AI system is doing on their behalf.
  • Staff can name the common failure modes for that system - hallucinations, bias, privacy leaks, outdated training data.
  • Staff know when to treat AI output as a draft and when to treat it as finished work.
  • Staff can document the AI-assisted decision after the fact, if asked.

Those four competencies, applied role by role, are what a defensible literacy programme looks like. Generic “AI awareness” training does not clear the bar.

What regulators are starting to ask for

National competent authorities in several member states have begun issuing guidance. The pattern across them is consistent. Expect to be asked for four things:

  1. A written AI literacy policy. What roles, what tools, what training, what cadence.
  2. Training records. Who was trained, on what, by whom, with what materials, when.
  3. Assessment evidence. How you know the training worked - not a quiz score, but a sample of actual work reviewed.
  4. An incident log. When AI use went wrong, what was learned, how the programme was adjusted.

If you cannot produce those four documents today, that is the gap to close before the question is forced by an incident, an audit, or a works council.

Common mistakes

  • Treating it as an IT problem. The obligations are on the employer, not the vendor. Procurement alone does not satisfy Article 4.
  • One-off training. The tools change every quarter. A once-a-year workshop is not a programme.
  • Ignoring contractors and agency staff. “Staff and other people dealing with the operation and use of AI systems on your behalf” is wider than payroll.
  • Over-documenting a vague policy. A short, scoped policy tied to real roles holds up better than a long, generic one.
  • Waiting for full high-risk rules. Article 4 is already enforceable. The deadline has already passed.

Where to start

Three honest starting points.