The EU AI Act entered into force in August 2024. For most SMBs implementing AI for internal operations, the practical obligations are less onerous than the headlines suggest — but they are real, and they apply now for some categories. Here is a grounded summary of what a 50-person business actually needs to think about.
This is not legal advice. For compliance questions that affect specific high-risk use cases, consult a qualified legal practitioner.
The risk-based framework: what tier are you in?
The AI Act classifies AI systems by risk level. Most internal process automation tools used by SMBs fall into one of two categories:
- Minimal risk — AI used for internal process automation (invoice processing, document classification, internal chatbots). No mandatory obligations beyond good practice. This covers the majority of SMB use cases.
- Limited risk — AI systems that interact directly with people (customer-facing chatbots, AI that generates content presented to users). Transparency obligations apply: users must be informed they are interacting with an AI.
High-risk systems (AI used in hiring decisions, credit scoring, employee monitoring) carry significant mandatory obligations and are outside the scope of most first AI projects for SMBs.
What you need to do right now (2025)
The prohibited practices provisions (Article 5) applied from February 2025. These cover AI systems that manipulate people through subliminal techniques, exploit the vulnerabilities of specific groups of people, or enable social scoring. If your planned use case doesn't involve any of those, you are not affected by these provisions.
The GPAI (general-purpose AI model) provisions and codes of practice apply primarily to providers of large AI models, not to businesses deploying them. If you are using an existing AI model (OpenAI, Anthropic, Mistral, or others) for your internal applications, that compliance burden sits with the model provider, not with you.
What you need to prepare for (2026–2027)
High-risk AI system requirements apply from August 2026. If your roadmap includes AI in recruitment, performance evaluation, or credit decisions, you will need a compliance programme in place before deployment. For most SMBs, this means working with your legal team 12–18 months before planned deployment — not now.
Three things worth doing now regardless
Even if you have no immediate compliance obligations, three practices are worth building into your AI implementations from the start:
- Document your AI systems. What the system does, what data it processes, who makes decisions based on its outputs. This takes an hour per system and makes any future compliance process significantly easier.
- Maintain human oversight for consequential decisions. Design your systems so a human is in the loop for any decision that materially affects a person (an employee, a customer, a supplier). This is good practice independent of regulation.
- Use transparency where AI interacts with people. If a customer is interacting with an AI agent, tell them. This is already a mandatory requirement for limited-risk systems and builds trust regardless.
The honest summary
For an SMB implementing AI for invoice processing, support automation, or internal reporting, the EU AI Act does not currently require you to do anything you wouldn't do anyway under reasonable data governance practice. The compliance burden increases significantly if you move into high-risk categories.
The more important obligation for most SMBs is GDPR compliance in how you process the personal data your AI systems touch. That framework is already in force and already applies to most AI use cases.
Do not let regulatory uncertainty be a reason to delay sensible AI implementations. Do let it be a reason to build good documentation habits from the start.