AIFAIS Logo
AI Privacy & Security

EU AI Act: What Does It Mean for SMEs?

Quick answer

The EU AI Act is the world's first comprehensive AI legislation. The law classifies AI systems based on risk and takes effect in phases between 2025 and 2027. For SMEs, this means you must assess which category your AI applications fall into.

What is the EU AI Act? 7 key facts

The EU AI Act is the world's first comprehensive AI legislation. Here are the key facts:

  • 1. Adopted by the European Parliament in 2024, taking effect in phases between 2025-2027
  • 2. Regulates the AI system itself, not just data (unlike the GDPR)
  • 3. Applies to all organizations that develop or use AI systems in the EU
  • 4. Risk-based approach: the higher the risk, the stricter the requirements
  • 5. Fines up to 35 million euros or 7% of global annual revenue
  • 6. Specific alleviations for SMEs, including regulatory sandboxes
  • 7. Start inventorying now to prevent surprises when enforcement begins

The 4 risk categories of the AI Act

The AI Act works with a pyramid of four risk levels. Each category has its own obligations:

  • 1. Unacceptable risk (PROHIBITED): social scoring by governments, manipulative AI, real-time biometric identification in public spaces
  • 2. High risk (STRICT REQUIREMENTS): AI for HR selection, credit assessment, education, biometrics, critical infrastructure, and law enforcement
  • 3. Limited risk (TRANSPARENCY): chatbots and deepfake generators. Users must know they are communicating with AI
  • 4. Minimal risk (NO OBLIGATIONS): spam filters, AI recommendation systems, AI games. Good news: most SME applications fall here
  • High risk is the category that deserves the most attention for SMEs
  • The complete list of high-risk applications is in Annex III of the regulation
  • When in doubt about classification: have an assessment conducted

9 obligations for SME businesses

The AI Act contains specific provisions for SMEs. These are your obligations:

  • 1. Access to regulatory sandboxes to test AI systems in a controlled environment
  • 2. Simplified conformity assessment procedures for small businesses
  • 3. As a user of high-risk AI: use the system according to the provider's instructions
  • 4. Ensure human oversight in high-risk decisions
  • 5. Retain relevant logs of high-risk AI systems
  • 6. As a developer: set up a quality management system
  • 7. As a developer: maintain technical documentation and have systems assessed
  • 8. Train employees in AI literacy (mandatory for high-risk systems)
  • 9. Document your AI use in an AI register

Timeline: 4 crucial deadlines

The AI Act is being implemented in phases. Mark these dates:

  • 1. February 2025: prohibitions on unacceptable risk AI systems are in effect
  • 2. August 2025: rules for general-purpose AI models (GPT, Claude, Gemini) take effect
  • 3. August 2026: full enforcement of high-risk provisions begins
  • 4. August 2027: all provisions are fully in effect
  • Enforcement by the Dutch DPA and sector-specific supervisory authorities
  • Fines vary: up to 35M/7% (prohibited), 15M/3% (other), 7.5M/1.5% (incorrect info)
  • Companies that start compliance now have a competitive advantage

5 practical steps to prepare

Start preparing today. Follow these steps:

  • 1. Conduct an AI inventory: which AI systems does your organization use?
  • 2. Classify each system according to the four risk categories
  • 3. Start an AI register with per system: provider, purpose, risk classification, and measures
  • 4. Train employees in AI literacy and compliance awareness
  • 5. Plan a compliance roadmap toward enforcement deadlines
  • AIFAIS offers a structured AI Act assessment that shows you exactly where you stand
  • Average preparation time for SMEs: 3-6 months

Frequently Asked Questions about EU AI Act: What Does It Mean for SMEs?

Related Articles

AI Privacy & Security

GDPR and AI: What You Need to Know

GDPR sets strict requirements for the use of personal data in AI systems. Organizations must be transparent about automated decision-making, have a lawful basis for data processing, and respect data subject rights.

Lees meerAI Privacy & Security

Data Ownership in AI Implementation

Data ownership in AI revolves around three layers: the input data you provide, the training data the model is built on, and the outputs the model generates. Clear contractual agreements with your AI provider are essential.

Lees meer

Questions about AI for your business?

Our experts are ready to help. Start with a free consultation and discover what AI can do for your business.

Free ConsultationView Services
Free intake
Live within 8 weeks
ROI guarantee
EU AI Act: What Does It Mean for SMEs? | AIFAIS