EU AI Act Compliance Checklist for SMEs: Every Deadline That Matters in 2026–2028

Quick answer: Two EU AI Act obligations already apply to SMEs: the Article 5 bans on prohibited AI practices and the Article 4 AI literacy duty, both in force since 2 February 2025. GPAI model obligations have applied since 2 August 2025. Article 50 transparency rules (telling people they're talking to AI, labeling synthetic content) apply from 2 August 2026. After the 2026 Digital Omnibus agreement, high-risk system obligations were deferred: Annex III standalone high-risk systems by 2 December 2027, and Annex I embedded systems by 2 August 2028. Penalties run up to €35 million or 7% of global turnover.

If you're an SME, the good news is that the heaviest obligations were pushed back. The bad news is that the rules most likely to catch you off guard — literacy, prohibitions, transparency — are either already live or land this August. Here's the full checklist, organized by deadline.

Does the EU AI Act Apply to Your Business?

It applies if you:

  • Develop or sell AI systems in the EU (you're a "provider"), or
  • Use AI systems in the course of business in the EU (you're a "deployer"), or
  • Are based outside the EU but your AI system's output is used in the EU.

There's no SME exemption from the rules themselves — only some lighter-touch measures (simplified documentation options, regulatory sandboxes, proportionate fines). A 15-person agency using an AI screening tool on EU job applicants is a deployer with real obligations.

Most SMEs are deployers, not providers. That matters: deployer duties are lighter, but they're not zero.

Checklist 1 — Already in Force (Since 2 February 2025)

Article 5: Prohibited practices

Confirm nothing you use or build does any of the following:

  • Social scoring of individuals
  • Emotion recognition in the workplace or education (narrow safety exceptions aside)
  • Untargeted scraping of facial images for recognition databases
  • Manipulative or exploitative techniques causing significant harm
  • Biometric categorization inferring sensitive traits

These sound exotic until you realize "emotion recognition at work" can describe an off-the-shelf call-center analytics feature or an HR sentiment dashboard. Audit your toolset, not your intentions. Violations here carry the top fine tier: up to €35m or 7% of worldwide turnover.

Article 4: AI literacy

  • Identify everyone who operates or uses AI systems on your behalf
  • Deliver training proportionate to their role and the systems used
  • Keep records: training materials, attendance, attestations

This duty applies to essentially every company using AI in the EU. Full details in our Article 4 AI literacy guide.

Checklist 2 — Since 2 August 2025: GPAI Models

Mostly relevant if you build general-purpose AI models (you probably don't). But if you fine-tune or rebrand a model and place it on the market, get advice — you may inherit provider obligations: technical documentation, copyright policy, training-data summaries.

  • Confirm whether any of your products place a GPAI model on the EU market
  • If yes: documentation, copyright compliance policy, training-content summary

Checklist 3 — By 2 August 2026: Transparency (Article 50)

This is the next live deadline and it touches a lot of SMEs:

  • Chatbots: users must be informed they're interacting with AI (unless obvious)
  • Synthetic content: AI-generated audio, image, video, and text intended to inform the public must be marked in a machine-readable format and/or disclosed
  • Deepfakes: clearly labeled
  • Emotion recognition / biometric categorization systems (where lawful): inform the people exposed to them

Practical translation: if your website has an AI chat widget, add disclosure. If you publish AI-generated marketing imagery or articles at scale, build a labeling step into your workflow now, not in July.


Checklist 4 — By 2 December 2027: Annex III High-Risk Systems (Post-Omnibus)

The May 2026 Digital Omnibus agreement deferred standalone high-risk obligations from August 2026 to 2 December 2027. High-risk Annex III categories that commonly touch SMEs:

| Annex III area | SME example |
|---|---|
| Employment | CV screening, automated interview scoring, promotion/termination support |
| Education | Exam proctoring, admission scoring |
| Essential services | Credit scoring, insurance risk pricing |
| Critical infrastructure | Safety components in utilities management |

If you deploy a high-risk system, by 2 December 2027 you must:

  • Use the system per the provider's instructions
  • Assign trained human oversight
  • Ensure relevant, representative input data (where you control it)
  • Keep logs (minimum six months, where under your control)
  • Inform workers/affected persons where required
  • Conduct a FRIA if you're a body governed by public law or provide certain essential services — see our FRIA guide

If you provide a high-risk system, the list is longer: risk management system, data governance, Annex IV technical documentation, logging, transparency to deployers, human oversight design, accuracy/robustness/cybersecurity, conformity assessment, CE marking, registration.

Not sure which tier your systems fall into? Start with the four risk categories explained.

Checklist 5 — By 2 August 2028: Annex I Embedded Systems

AI that is a safety component of products covered by EU harmonization law (machinery, medical devices, toys, lifts) got deferred to 2 August 2028. If that's you, your compliance path runs through your existing product-safety conformity process — coordinate with your notified body early.

Penalties at a Glance

| Violation | Maximum fine |
|---|---|
| Prohibited practices (Art. 5) | €35m or 7% of global turnover |
| Most other obligations | €15m or 3% |
| Misleading information to authorities | €7.5m or 1% |

For SMEs the lower of the two amounts applies — a proportionality measure, not a free pass.

Your 5-Step Action Plan

  1. Inventory every AI system you use, build, or embed (including AI features inside SaaS tools).
  2. Classify each by risk tier — prohibited, high, limited (transparency), minimal.
  3. Close the live gaps: Article 5 audit, Article 4 training with records.
  4. Prepare for August 2026: chatbot disclosure and content labeling.
  5. Diary the long deadlines: December 2027 (Annex III) and August 2028 (Annex I), and start vendor conversations now — see our AI vendor assessment questionnaire.

FAQ

What EU AI Act rules already apply to small businesses?

Since 2 February 2025: the Article 5 prohibitions and the Article 4 AI literacy duty. GPAI model obligations have applied since 2 August 2025. Article 50 transparency obligations apply from 2 August 2026.

Did the Omnibus delay the whole AI Act?

No. The May 2026 Omnibus agreement deferred the high-risk system obligations — Annex III standalone systems to 2 December 2027 and Annex I embedded systems to 2 August 2028. Prohibitions, literacy, GPAI, and transparency timelines were not pushed back.

Are SMEs exempt from the EU AI Act?

No. SMEs get proportionality measures — simplified documentation options, sandbox access, and fines capped at the lower of the two calculation methods — but the obligations themselves apply.

What should an SME do first?

Build an AI system inventory and classify each system by risk tier. Everything else — which checklist applies, which deadline matters — depends on that classification.



This article is for general information only and is not legal advice. Consult qualified counsel for your specific situation.