truck8.ai

The EU AI Act for SMEs: What You Need to Know

The AI Act is not just for tech companies and multinationals — as an SME that uses AI tools, you are already subject to new obligations.

Tom Mekenkamp · 8 min read

What Is the AI Act?

The AI Act (officially: EU Regulation 2024/1689) is the first comprehensive European law regulating the use of artificial intelligence. The regulation entered into force on 1 August 2024 and — like the GDPR — applies directly in all EU member states without requiring national transposition.

Its aim is twofold: to protect citizens from high-risk AI applications, while leaving room for innovation through a clear and predictable framework. To achieve this, the legislator chose a risk-based approach: the higher the potential risk, the heavier the obligations.

The AI Act takes effect in phases. Not all obligations apply immediately — some are already active, while others will become binding during 2025, 2026, and 2027. That makes it straightforward to look at what is already in play and what is coming, step by step.

Disclaimer: this article provides an informational overview and does not constitute legal advice. For guidance on how the AI Act applies to your specific situation, consult a lawyer or compliance specialist.

The Risk-Based Approach: Four Tiers

The AI Act classifies AI systems into four risk categories. Which category applies determines which obligations you face. Here is a concise overview.

Prohibited AI Practices

Certain AI applications are outright banned in the EU — systems that pose an unacceptable threat to fundamental rights or human dignity.

  • Social scoring systems operated by public authorities based on behaviour.
  • Real-time remote biometric identification in publicly accessible spaces (with narrow exceptions for law enforcement).
  • AI that manipulates behaviour subconsciously or exploits vulnerable groups.
  • Untargeted scraping of facial images to build recognition databases.

High-Risk AI Systems

High-risk systems are permitted, but carry heavy requirements: conformity assessment, registration in an EU database, technical documentation, a risk-management system, and mandatory human oversight. This applies to AI used in sectors such as medical devices, biometric identification, critical infrastructure, education, and HR.

  • Recruitment screening and CV evaluation via AI.
  • AI systems used in credit scoring or insurance underwriting.
  • AI in courts, border control, or policing.
  • Medical diagnosis or treatment support systems.

Limited Risk: Transparency Obligations

AI systems in this tier face lighter obligations, primarily around transparency. Users must know they are interacting with AI.

  • Chatbots and virtual assistants: disclose that the user is talking to AI.
  • Deepfake images or videos: label them as AI-generated.
  • Emotion-recognition systems: inform the people concerned.

Minimal Risk

The vast majority of AI applications fall here: spam filters, AI-powered search, product recommendations, grammar tools. No specific AI Act obligations apply, though other laws (GDPR, sector regulation) continue to apply.

What Is Already in Effect — and What Is Coming?

The AI Act has a phased implementation schedule. Here is the timeline at a glance.

Since February 2025: Prohibited Practices and AI Literacy

From February 2025, the prohibited AI practices are enforceable. Anyone using or offering a banned application risks a sanction. At the same time, Article 4 of the AI Act already applies: the AI-literacy obligation.

Article 4 requires organisations — both providers and deployers of AI systems — to ensure that staff who work with AI have sufficient knowledge and skills to understand AI systems and use them responsibly. The law does not prescribe a specific certificate, but 'adequate AI literacy' must be demonstrable. An internal AI policy backed by training is the practical way to meet this requirement.

2025–2026: High-Risk Obligations and General-Purpose AI Models

During 2025 and 2026, the obligations for providers of high-risk AI systems and general-purpose AI models (GPAI — such as large language models) come into force. For most SMEs acting as deployers (users), the direct obligations are limited — but you do need to know whether the systems you procure are compliant.

2027: Fully in Force

From 2027 the AI Act is fully in force, including extended obligations for high-risk AI systems covered by the Machinery Regulation. The transition periods are designed to give businesses time to grow into compliance — not an excuse to do nothing, but also no reason to panic.

What Does the AI Act Mean in Practice for Your SME?

I often hear directors assume the AI Act only applies to tech companies or large platforms. That is a misconception. The AI Act applies to everyone who provides or uses AI systems in the EU — including an SME that uses ChatGPT, Copilot, or an AI recruitment tool.

The good news: most SMEs are deployers (users) of AI systems, not providers (developers). That means a lighter regime. And most tools you use day-to-day — text generators, AI-powered search, email assistants — fall into the limited or minimal risk categories. The heavy high-risk obligations rarely apply directly to most SMEs.

What does apply:

  • Prohibited practices: check whether you use AI anywhere for social scoring, manipulative systems, or real-time biometric identification. Probably not — but be certain.
  • AI-literacy obligation (Art. 4): ensure staff who work with AI understand the basics. This is already in force.
  • Transparency for chatbots: if you have an AI chatbot on your website, this must be visible to users.
  • High-risk check: do you use AI for recruitment screening, credit assessment, or medical support? Stricter requirements apply — potentially handled via the provider who carries out the conformity assessment.
  • Supplier check: if you procure high-risk AI, the provider must supply conformity documentation. Ask for it.

A Practical Action Plan to Become Compliant

You do not need to have everything in order all at once. Here is a workable sequence I recommend.

  • Step 1 — Take stock of your AI use: which tools are in use, by whom, and for what purposes? This gives you an AI inventory that also serves as the foundation for your AI policy.
  • Step 2 — Determine the risk category for each application: use the four tiers as your guide. Most tools are minimal or limited risk. Note the exceptions.
  • Step 3 — Address AI literacy: Article 4 is already in force. Run an awareness session, put an internal AI policy in place, and designate a point of contact.
  • Step 4 — Check suppliers for high-risk AI: ask your AI vendors whether their systems are classified as high-risk and what conformity documentation is available.
  • Step 5 — Draft an AI policy: document which tools are approved, how personal data is handled, and how human oversight is organised. Align this with your GDPR policy.
  • Step 6 — Schedule an annual review: the AI Act evolves and implementing acts will follow. Set a recurring moment each year to test your compliance.

Common Misconceptions About the AI Act

Quite a few misunderstandings are circulating about the AI Act. The ones I encounter most often:

  • "The AI Act only kicks in a few years from now." Incorrect: the prohibited practices and the AI-literacy obligation have been in force since February 2025.
  • "We don't build AI ourselves, so it doesn't affect us." Incorrect: the law also applies to deployers — companies that use AI systems built by third parties.
  • "Only tech companies need to do something." Incorrect: the AI Act cuts across every sector. An HR system, a credit check tool, or an AI chatbot on your website can already bring you into scope.
  • "We'll wait for our supplier to sort it out." Partly true for conformity documentation — but the AI-literacy obligation and the ban on prohibited practices rest with you as the user.
  • "Fines are only for large companies." The AI Act sets graduated fines based on the infringement, not exclusively on company size — though regulators are likely to enforce proportionately.
  • "Using ChatGPT is high risk." No: a text generator is minimal or limited risk. High risk is context-dependent — it is about the purpose for which you deploy AI, not the tool itself.

Key takeaways

  • The AI Act (EU 2024/1689) entered into force in August 2024 and is being phased in through to 2027.
  • Prohibited AI practices and the AI-literacy obligation (Art. 4) have been in force since February 2025.
  • Most SMEs are deployers of limited or minimal risk AI — the heavy high-risk obligations rarely apply to them directly.
  • The AI-literacy obligation is already in force: make sure staff who work with AI understand the basics.
  • Start with an AI inventory, determine the risk category of your applications, and put an internal AI policy in place.

Written by

Tom Mekenkamp

AI consultant & founder of truck8.ai

15+ years leading transformations at AB-InBev, Royal BAM and beyond — now building AI products and helping SMEs implement AI.

Tackle Your AI Strategy and Governance Together?

In the boardroom workshop, we spend one day building a concrete AI strategy for your organisation — including the conditions, roles, and first steps for working AI governance aligned with the AI Act.
