The EU AI Act: a plain-English guide for SMBs
The EU AI Act is the world's first broad law on artificial intelligence. This guide explains what it means for a small or medium business that uses AI, without the legalese.
What the EU AI Act is
The EU AI Act (Regulation 2024/1689) is the world's first broad law on artificial intelligence. It entered into force in 2024 and phases in over several years. Rather than regulating AI as one thing, it sorts uses of AI into risk tiers and attaches obligations to each tier.
The higher the risk to people's rights and safety, the heavier the duties. A handful of uses are banned outright, some are high-risk and tightly governed, some need only transparency, and most carry no specific obligation beyond basic AI literacy. The effect is that the law lands lightly on ordinary uses and heavily on the few that can really affect people.
Does it apply to you?
If your organisation operates in the EU and uses AI, the Act most likely applies to you. The key question is your role. A provider builds an AI system or puts it on the market; a deployer uses an AI system in its own activities.
Most SMBs are deployers. Deployer obligations are lighter than provider obligations, but they are real, especially for high-risk uses such as recruitment or credit decisions. The Act can also reach companies outside the EU where their AI's output is used in the EU.
The four risk tiers
The Act's whole structure rests on four tiers, set by what a use could do to people rather than by the tool itself.
Prohibited: a small set of practices banned under Article 5, such as social scoring and certain emotion recognition at work.
High-risk: the Annex III uses, including recruitment, creditworthiness, biometric identification, and access to essential services. These carry the heaviest obligations.
Limited-risk: uses that interact with people or generate content, which trigger transparency duties under Article 50.
Minimal-risk: everything else, where the main expectation is AI literacy under Article 4.
The deadlines that matter
The Act arrives in stages. AI literacy (Article 4) and the prohibitions (Article 5) have applied since 2 February 2025. General-purpose AI obligations apply from 2 August 2025.
The core high-risk obligations apply from 2 December 2027, and certain embedded high-risk systems from 2 August 2028. Both were postponed by the 2026 Digital Omnibus, from 2 August 2026 and 2 August 2027. The date most SMBs meet first is 2 August 2026, when the Article 50 transparency duties apply, so the time before these dates is a runway rather than a grace period.
What a deployer should do
Start with an inventory: list the AI tools you use and what you use each one for. Classify each use into a tier. Then handle the obligations that apply, working the highest-risk ones first.
Everyone needs AI literacy. Customer-facing AI needs transparency disclosures. High-risk uses need human oversight, documentation, risk management, and incident handling. Throughout, keep records you could show an auditor, because being able to show your work is half of compliance.
Penalties
The Act provides for significant fines: up to 35 million euros or 7% of global annual turnover for prohibited practices, and up to 15 million euros or 3% for most other breaches. There is proportionality built in for SMEs and startups, and how any figure applies in practice is for the authorities and qualified counsel.
The more useful framing for a small business is not the headline number but the posture: a current inventory, reviewed classifications, the documents the Act asks for, and an audit trail are what turn a frightening figure into a manageable obligation.
Where to start
The rest of this library breaks each of these pieces down: the risk tiers, the specific articles, and the practical steps to take. Work through the ones relevant to you rather than trying to absorb the whole Act at once.
If you would rather see how the Act lands on your own tools than read about it in the abstract, the free inventory classifies your stack in a few minutes and shows you where you stand.
This guide is general educational information, not legal advice. For how the Act applies to your organisation, classify your systems and consult qualified counsel.
Put it into practice
Classify your AI systems against the Act and generate the documents this guide describes.