What Is the EU AI Act and Why Does It Matter for SMBs?
If you've followed AI-related news in recent months, you've almost certainly come across the term EU AI Act. But what does it actually mean? And more importantly: how does it affect your business?
In this article, we explain the European Union's regulation on artificial intelligence in plain language, cover the most important deadlines, and outline what you need to pay attention to as an SMB.
What Is the EU AI Act?
The EU AI Act (officially: the European Parliament and Council regulation on artificial intelligence) is the world's first comprehensive, legally binding AI regulation. Its goal is to ensure that the development and use of AI systems is safe, transparent, and respectful of fundamental rights.
The regulation doesn't only apply to big tech companies. It covers every organization that develops, distributes, or uses AI systems within the European Union. This means that if your company uses ChatGPT, an AI-powered customer service chatbot, automatic invoice processing, or any other AI tool, the regulation applies to you too.
Why Was This Regulation Created?
In the EU, the use of AI tools has exploded in recent years, but regulation hasn't kept pace with the technology. The regulation serves three main goals:
- Safety: AI systems should not cause harm to people or violate their fundamental rights
- Transparency: people should know when they're interacting with AI and how algorithms make decisions
- Innovation: the regulation should provide a predictable framework within which businesses can safely develop and use AI
The point is not that the EU wants to ban AI. Quite the opposite: it wants to create a framework in which artificial intelligence can be used safely and responsibly.
The EU AI Act Timeline
The regulation doesn't take effect all at once. The rules become mandatory gradually, in several phases:
- August 2024: official adoption of the regulation
- February 2, 2025: entry into force; the ban on prohibited AI practices is immediately applicable, and the AI literacy obligation also applies from this date
- August 2, 2025: rules for general-purpose AI models (GPAI, e.g., GPT, Claude, Gemini) become applicable
- August 2, 2026: the full set of rules for high-risk AI systems becomes applicable
This means the ban on prohibited practices and the AI literacy obligation are already in effect. The detailed requirements for high-risk systems will be applicable from August 2026.
These are not future plans but already active or imminent obligations. If you use AI in your company, pay attention to these dates.
Risk Categories: The Core Logic of the AI Act
The regulation takes a risk-based approach. This means the strictness of rules for AI systems depends on how much risk the given system poses to people's rights and safety.
There are four main categories:
| Risk level | Description | Examples | Regulation |
|---|---|---|---|
| Unacceptable | Violates fundamental rights, prohibited | Social scoring, manipulative AI, real-time mass facial recognition | Complete ban |
| High risk | Significant impact on people's lives | AI-based recruitment systems, credit scoring, biometric identification | Strict requirements, auditing, registration |
| Limited risk | Transparency obligation | Chatbots, deepfake generators, emotion recognition systems | Disclosure obligation (people must know they're communicating with AI) |
| Minimal risk | Low risk | Spam filters, AI-based spell checkers, search engine recommendations | No specific obligations (but AI literacy applies at all levels) |
What Does This Mean for SMBs?
If you have a 10-100 person company, you probably think: "This surely only applies to large corporations." Well, not quite.
What You Must Know
1. The AI literacy obligation applies to you too
Article 4 of the EU AI Act requires every organization that uses AI systems to ensure that its staff has an adequate level of AI literacy. This isn't optional -- it's a legal obligation applicable from February 2, 2025.
We wrote about what this means in practice in a separate article.
2. If you use AI, you need to know what risk category it falls into
Even if you only use ChatGPT or Copilot for internal tasks, you need to be aware of what type of AI system you're using and what risk level it falls under. This is the foundation for future compliance.
3. The "deployer" category is key
The regulation distinguishes between AI providers and AI deployers (users). Most SMBs fall into the deployer category. This comes with fewer obligations than being a provider, but it doesn't mean exemption.
Specific To-Dos for SMBs
- Create an AI inventory: list what AI tools your company uses (ChatGPT, Copilot, AI-based CRM, automatic translator, etc.)
- Assess risk levels: check which tool falls into which category
- Start an AI literacy program: ensure your staff understands what the AI tools they use actually do
- Document: record what AI systems you use, for what purpose, and how
The regulation is being phased in, and for minimal-risk systems (e.g., internal ChatGPT use for writing), there are currently few specific obligations. But the AI literacy requirement applies to every organization, so it's worth starting there.
What Happens If You Don't Comply?
The regulation prescribes serious sanctions for non-compliance:
- Violation of prohibited AI practices: up to 35 million EUR or 7% of annual turnover
- Violation of high-risk system rules: up to 15 million EUR or 3% of annual turnover
- Other violations: up to 7.5 million EUR or 1.5% of annual turnover
While the regulation states that sanctions must be proportionate and must consider the size of the business, SMBs are not exempt from fines.
Provisions for SMBs
There is good news too. The regulation specifically takes into account the situation of small and medium-sized enterprises:
- National authorities must provide regulatory sandboxes where SMBs can test their AI systems under favorable conditions
- Certain administrative burdens are reduced for smaller organizations
- The AI Office is preparing supplementary materials and guides specifically targeted at SMBs
Summary
The EU AI Act is not something from the future -- it's present reality. The ban on prohibited practices and the AI literacy obligation are already in force. If you use AI in your business and haven't dealt with the regulation yet, it's time to start.
The most important things you can do today:
- Create an inventory of your AI tools
- Familiarize yourself with the risk categories
- Start an AI literacy program for your team
You don't have to do it alone. Compliance isn't just a legal question but also a business opportunity: those who prepare early gain a competitive advantage.