Quick answer: Two EU AI Act obligations already apply to SMEs: the Article 5 bans on prohibited AI practices and the Article 4 AI literacy duty, both in force since 2 February 2025. GPAI model obligations have applied since 2 August 2025. Article 50 transparency rules apply from 2 August 2026. After the 2026 Digital Omnibus agreement, high-risk system obligations were deferred: Annex III standalone high-risk systems by 2 December 2027, and Annex I embedded systems by 2 August 2028. Penalties run up to €35 million or 7% of global turnover.
If you're an SME, the good news is that the heaviest obligations were pushed back. The bad news is that the rules most likely to catch you off guard — literacy, prohibitions, transparency — are either already live or land this August. Here's the full checklist, organized by deadline.
Does the EU AI Act Apply to Your Business?
It applies if you develop or sell AI systems in the EU (provider), use AI systems in the course of business in the EU (deployer), or are based outside the EU but your AI system's output is used in the EU. There's no SME exemption from the rules themselves — only some lighter-touch measures.
Checklist 1 — Already in Force (Since 2 February 2025)
Article 5: Prohibited practices
- [ ] Social scoring of individuals
- [ ] Emotion recognition in the workplace or education (narrow safety exceptions aside)
- [ ] Untargeted scraping of facial images for recognition databases
- [ ] Manipulative or exploitative techniques causing significant harm
- [ ] Biometric categorization inferring sensitive traits
Article 4: AI literacy
- [ ] Identify everyone who operates or uses AI systems on your behalf
- [ ] Deliver training proportionate to their role and the systems used
- [ ] Keep records: training materials, attendance, attestations
Full details in our Article 4 AI literacy guide.
Checklist 2 — Since 2 August 2025: GPAI Models
- [ ] Confirm whether any of your products place a GPAI model on the EU market
- [ ] If yes: documentation, copyright compliance policy, training-content summary
Checklist 3 — By 2 August 2026: Transparency (Article 50)
- [ ] Chatbots: users must be informed they're interacting with AI (unless obvious)
- [ ] Synthetic content: AI-generated audio, image, video, and text intended to inform the public must be marked and/or disclosed
- [ ] Deepfakes: clearly labeled
Want this pre-packaged? The EU AI Act SME Compliance Kit ($149) includes a risk classification guide, obligation checklists per role and deadline, an Annex IV documentation template, a FRIA template, and an Article 4 literacy plan.
Checklist 4 — By 2 December 2027: Annex III High-Risk Systems
High-risk Annex III categories that commonly touch SMEs:
| Annex III area | SME example |
|---|---|
| Employment | CV screening, automated interview scoring |
| Education | Exam proctoring, admission scoring |
| Essential services | Credit scoring, insurance risk pricing |
If you deploy a high-risk system, by 2 December 2027 you must: follow the provider's instructions, assign trained human oversight, keep logs, and in some cases complete a fundamental rights impact assessment. If you provide one: risk management, data governance, Annex IV technical documentation, conformity assessment, CE marking, registration.
Not sure which tier your systems fall into? Start with the four risk categories explained.
Checklist 5 — By 2 August 2028: Annex I Embedded Systems
AI that is a safety component of products covered by EU harmonization law got deferred to 2 August 2028. If that's you, coordinate with your notified body early.
Penalties at a Glance
| Violation | Maximum fine |
|---|---|
| Prohibited practices (Art. 5) | €35m or 7% of global turnover |
| Most other obligations | €15m or 3% |
| Misleading information to authorities | €7.5m or 1% |
Your 5-Step Action Plan
- Inventory every AI system you use, build, or embed.
- Classify each by risk tier — prohibited, high, limited, minimal.
- Close the live gaps: Article 5 audit, Article 4 training with records.
- Prepare for August 2026: chatbot disclosure and content labeling.
- Diary the long deadlines: December 2027 and August 2028, and start vendor conversations now — see our AI vendor assessment questionnaire.
FAQ
What EU AI Act rules already apply to small businesses?
Since 2 February 2025: the Article 5 prohibitions and the Article 4 AI literacy duty. GPAI model obligations since 2 August 2025. Article 50 transparency from 2 August 2026.
Did the Omnibus delay the whole AI Act?
No. The Omnibus deferred the high-risk system obligations — Annex III to 2 December 2027 and Annex I to 2 August 2028. Prohibitions, literacy, GPAI, and transparency timelines were not pushed back.
Don't rebuild this from scratch. The EU AI Act SME Compliance Kit ($149) turns this checklist into working documents. Or get it bundled with policies and governance tools in the Complete AI Compliance Stack ($199).
This article is for general information only and is not legal advice. Consult qualified counsel for your specific situation.