Quick answer

The EU AI Act applies to SMEs and startups, but with built-in relief: fines are capped at the lower of the fixed amount or turnover percentage, SMEs get priority free access to regulatory sandboxes, and simplified technical documentation forms are provided. A lean compliance programme is realistic for most small companies.

Updated June 2026 · MmowW AI Compliance

EU AI Act for SMEs and Startups: A Practical Compliance Guide

Does the EU AI Act Apply to Small Companies?

Yes. Regulation (EU) 2024/1689 contains no size exemption. A two-person startup providing a high-risk AI system has the same core obligations as a multinational providing the same system. What the law does instead is proportionality: it adjusts penalties, fees, and documentation burdens for small and medium-sized enterprises, including startups, and instructs member states to support them. SME status follows the standard EU definition: fewer than 250 employees and either annual turnover up to 50 million euros or a balance sheet total up to 43 million euros, with micro and small enterprises being smaller subsets. The honest summary for a small business: you are in scope, but the law was written with your constraints in mind, and most small companies face far lighter duties than the headlines suggest.

What Relief Does the Act Give SMEs?

Relief measure | What it means in practice
--- | ---
Capped fines | For SMEs and startups, each fine is capped at whichever is lower of the fixed amount and the turnover percentage, the reverse of the rule for large companies
Regulatory sandboxes | Priority and free-of-charge access to national AI regulatory sandboxes, where you can develop and test under supervisory guidance
Simplified documentation | The Commission provides a simplified technical documentation form that micro and small enterprises may use for high-risk systems
Proportionate fees | Conformity assessment fees must take SME size and market position into account
Training and channels | Member states must organise awareness and training tailored to SMEs and provide dedicated communication channels
Standardisation voice | SME interests must be represented in the standard-setting process that defines the technical detail of compliance

Step 1: Work Out How Exposed You Actually Are

Most SMEs are deployers of off-the-shelf AI, not providers, and most of what they deploy is minimal or limited risk. Run a quick triage. If you only use AI for content drafting, translation, summarisation, coding assistance, or analytics on your own operations, your obligations are essentially AI literacy plus transparency where content reaches the public. If you use AI on people (screening candidates, evaluating staff, scoring customers for credit), you are deploying high-risk AI and have a real but bounded checklist. If you build and sell an AI product, your exposure depends entirely on its intended purpose: a scheduling assistant is a different universe from a CV-ranking tool. The expensive mistake is not knowing which group you are in.

Step 2: The Lean Compliance Programme for Deployers

A small company deploying AI can usually get compliant with a focused effort. Create a one-page inventory of AI tools in use; include the AI features inside your CRM, helpdesk, and HR software, which staff often forget. Classify each tool against the prohibited list and the high-risk categories. For high-risk tools, request the instructions for use from the vendor, name a trained person responsible for oversight, switch on and retain logs for at least six months, and prepare the required notices to workers and affected individuals. For chatbots and generated content, add disclosure. Document the AI literacy training you give staff, even if it is a half-day internal session. For a typical ten-person company this is days of work, not months, and the documents double as sales assets when larger customers ask about your AI governance.

Step 3: The Startup Provider Path

If you are building an AI product, classification drives everything, so settle it before you scale. If your product's intended purpose lands in Annex III, plan for the full provider stack: risk management system, data governance, technical documentation, logging, human oversight design, accuracy and robustness testing, quality management system, conformity assessment, CE marking, and registration in the EU database. Three startup-specific tactics help. First, define intended purpose narrowly and honestly in your documentation, because intended purpose, not technical capability, determines classification. Second, use the sandbox: supervised testing produces documented evidence of compliance work and direct regulator contact, which investors and enterprise buyers increasingly value. Third, use the simplified documentation form if you qualify as a micro or small enterprise, and build documentation as you develop rather than retrofitting it before launch.

How Big Is the Fine Risk Really?

The headline numbers (35 million euros or 7 percent for prohibited practices, 15 million euros or 3 percent for most breaches, 7.5 million euros or 1 percent for misleading authorities) are caps, not fixed tariffs. Authorities must weigh the nature and duration of the breach, its consequences, cooperation, and whether the operator is an SME. For SMEs the cap itself drops to the lower of the two amounts. The realistic near-term risk for a small business is less a headline fine and more an order to stop using or selling a system, which can be commercially worse. That is another argument for getting classification right early: forced withdrawal of a flagship product is the scenario to avoid.

Budgeting and Sequencing for Small Teams

Spread the work. Before August 2026, deployers should finish inventory, classification, vendor document collection, oversight assignment, and staff training; providers of high-risk systems should be deep into documentation and conformity preparation well before the date. Keep one named owner for AI compliance, even part-time, because diffuse responsibility is how deadlines slip. Reuse what you have: GDPR records of processing, security policies, and vendor management processes all feed directly into AI Act work. And resist over-engineering. The Act does not ask a five-person company for an enterprise governance department; it asks for honest classification, basic controls, and evidence that you took the law seriously.

Where SMEs Can Get Help

Each member state must establish at least one AI regulatory sandbox, and several operate already, with SMEs enjoying priority access. National authorities are required to provide SME-specific guidance and channels. The European Commission's AI Office publishes guidelines, templates, and the simplified documentation form. Industry associations and chambers of commerce in several countries run AI Act clinics for members. The support landscape is genuinely tilted toward smaller players; the companies that struggle are usually the ones that never looked.

Reuse Your GDPR Work Instead of Starting Fresh

Small companies that survived GDPR already own most of the raw material for AI Act compliance. The record of processing activities is the natural seed for the AI inventory: any processing entry that mentions automation, profiling, or third-party analytics tools points at a candidate AI system. Existing data protection impact assessments cover much of the ground a fundamental rights impact assessment needs, and the Act explicitly lets deployers build on a DPIA rather than duplicate it. Vendor due diligence questionnaires extend naturally with the four AI questions: classification, instructions for use, logging, and incident handling. Even staff privacy training sessions can absorb the AI literacy module rather than scheduling something separate. Treating the AI Act as an extension of an existing compliance habit, rather than a new discipline, typically cuts the effort for a small deployer by half.

Questions Every SME Should Ask Its AI Vendors

Because most SME exposure flows through purchased tools, vendor answers do much of your compliance work. Ask each vendor: how do you classify this system under the EU AI Act, and what is the reasoning? Can you share the instructions for use and, for high-risk systems, evidence of conformity assessment and database registration? How are logs generated, where are they stored, and can we retain them for at least six months? Will you notify us of serious incidents and substantial modifications? What happens to our obligations if we configure the tool for a new purpose? A vendor that answers crisply is carrying its share of the load. A vendor that cannot answer is transferring risk to you, and that belongs in your renewal decision alongside price and features.

Turning Compliance into a Sales Advantage

For startups selling into Europe, AI Act readiness is becoming a procurement gate rather than a nice-to-have. Enterprise buyers now circulate AI questionnaires the way they circulated security questionnaires five years ago, and a small vendor that can hand over a classification memo, instructions for use, and a clear incident process moves through procurement weeks faster than one that improvises. The same is true upstream: investors performing due diligence on AI startups increasingly ask how the product is classified and what the August 2026 exposure is, because an unplanned conformity assessment is a material cost and timeline risk. A modest, well-documented compliance posture therefore pays for itself twice, once in avoided enforcement risk and once in shortened sales cycles, which is a better return than most marketing spend a company of the same size could buy.


This article is for informational purposes only and does not constitute legal advice. Regulatory requirements change frequently — verify current rules with official sources. Built by Sawai Gyoseishoshi Office, Hiroshima, Japan.