A lot of SMB leaders heard “EU AI Act” and assumed it did not apply to them. It is a long law, aimed at big platforms, with a staggered timeline that stretches into 2027. It was easy to park.
It was also wrong. One clause is already enforceable. Several more will land inside 18 months. And the obligations that reach small and mid-sized employers are narrower but sharper than the headlines suggest.
Here is the 10-minute version.
What the Act is
A product-safety-style regulation for AI systems, passed in 2024, directly applicable across all 27 EU member states. It sorts AI systems into four risk tiers and imposes obligations on the providers (the builders) and the deployers (the people who use the systems at work).
Most SMB use sits in the lower tiers. The traps are in the specific use cases - hiring tools, credit decisions, healthcare - that can jump a general-purpose tool into a higher tier the moment it is used that way.
Why SMBs thought they were exempt
Two reasons.
First, the early conversation was dominated by the high-risk tier, which does apply more to large institutions. Small employers read the headlines and assumed “not us.”
Second, SME-specific accommodations exist in narrow parts of the law, which made a general exemption easy to assume. But Article 4 has no size carve-out: the core literacy obligation applies to every employer whose staff use AI at work.
The four things that matter
For the typical EU SMB, four clusters of obligations matter.
Article 4 - AI literacy. Enforceable since 2 February 2025. Your staff and contractors have to have a sufficient level of AI literacy. You have to be able to show it. More on the pillar page.
Transparency on AI-generated content. If you run a customer-facing chatbot, you have to tell users they are talking to AI. If you publish synthetic images or video, you have to label them. Applies regardless of company size.
Vendor obligations on high-risk tools. If a vendor’s tool is classified high-risk and you deploy it, you inherit deployer obligations - logging, human oversight, monitoring. Read your SaaS contracts. Several of them have been quietly updated.
The prohibited list. A short list of uses you cannot do at all - social scoring, real-time biometric identification in public spaces with narrow exceptions, emotion recognition in workplaces and schools, and a few others. Check that none of your tools are drifting into these.
What most SMBs are skipping
Three common gaps.
A written AI literacy policy. Most SMBs do not have one. A short policy tied to the actual tools your team uses is the cheapest audit-readiness artefact.
An inventory of AI in use. Shadow AI is real - staff using personal ChatGPT accounts on company work. You cannot write a literacy programme without knowing where the tool is being used.
Evidence that training worked. Quiz scores do not count. A sample of real work, reviewed against clear criteria, does.
The timeline - what is enforceable when
- Already in force (2 February 2025): Article 4 literacy, prohibited practices.
- 2 August 2025: Rules for general-purpose AI models.
- 2 August 2026: High-risk system obligations for most categories.
- 2 August 2027: High-risk rules embedded in regulated products.
Article 4 is the one on your desk now. The rest are planning horizons.
What to do this quarter
Four moves, in order, that most SMBs can make inside a quarter without a consultant.
- Inventory your AI use. A one-page list - tool, what it does, who uses it, for what task. Update it quarterly.
- Write a one-page acceptable-use policy. Short is fine. What is allowed, what is not, who to ask if unsure.
- Assign an owner. One named person responsible for the literacy programme. Not as a side project.
- Schedule the first literacy session. Role-specific, tied to real work, with an assessment built in.
Everything else is nice-to-have.
The honest read
The EU AI Act is not a crisis for most SMBs. It is an administrative obligation that has quietly become real, and the cost of ignoring it is much higher than the cost of closing it - especially the literacy piece, which is inexpensive if you do it early and expensive if you do it under audit pressure.