EU AI Act for SMEs & Startups

The EU AI Act applies if you place an AI system on the EU market, put it into service in the EU, or the system's output is used in the EU — regardless of where you are based. If you only develop AI for internal use, for export outside the EU, or for purely personal non-professional use, you may fall outside scope entirely. Check Art. 2 carefully.

Six categories of AI are banned outright under Art. 5 from February 2, 2025. These include social scoring by public authorities, real-time remote biometric identification in public spaces (with narrow exceptions), systems that exploit vulnerabilities of persons, and subliminal manipulation techniques. If your system does any of these, you must cease development or deployment immediately.

Most SME AI systems will be minimal-risk (chatbots, recommendation engines, spam filters) with no mandatory obligations. High-risk systems are listed in Annex III: HR tools, credit scoring, CV-sorting, medical device software, educational assessment, biometric categorisation. If you supply a general-purpose AI model (GPAI), separate rules apply from August 2025.

Under Art. 9(7), your risk management system must be proportionate to the size of your organisation and the nature and scale of risk. Art. 16(h) explicitly permits SMEs to use simplified technical documentation formats. You do not need the same volume of documentation as a large enterprise — but you must still have a risk management system, technical documentation, data governance practices, and logging.

The majority of high-risk AI systems in Annex III can be self-assessed under Art. 43(2) — you do not need to engage an expensive third-party notified body. Exceptions exist for remote biometric identification systems and a narrow set of Annex III systems where third-party assessment is mandatory. Prepare your technical documentation and EU declaration of conformity in-house.

Art. 57 requires Member States to establish at least one regulatory sandbox, with priority access for SMEs and startups. These sandboxes allow you to develop, test, and validate your AI system in a controlled environment before market placement, with reduced regulatory risk. Sandbox participation is free. The EU AI Office also publishes templates, guidance, and standardisation inputs.

If your high-risk AI system is a standalone product or embedded in a product (e.g. a medical device app, safety component), it must carry CE marking. The CE marking signals conformity with the EU AI Act and any other applicable regulations (MDR, Machinery Regulation, etc.). You affix CE marking after completing your conformity assessment and issuing an EU declaration of conformity.

Art. 72 requires providers of high-risk AI systems to operate a post-market monitoring plan. For SMEs, this does not have to be a complex system — it means tracking performance, collecting user feedback, logging incidents, and reviewing the system against your initial risk assessment at reasonable intervals. If something goes wrong, serious incidents must be reported to national market surveillance authorities.

If you are deploying an AI system built by someone else (e.g. a SaaS HR tool, a credit scoring API), you are a 'deployer' under Art. 3(4). You still have obligations: conduct a fundamental rights impact assessment for certain high-risk deployments, ensure human oversight, report serious incidents, and ensure staff using the system have adequate AI literacy. Check your supplier contracts for provider obligations passed down to you.

If your AI system is minimal-risk — the majority of consumer and B2B AI tools — no mandatory obligations apply. You may voluntarily adopt codes of conduct under Art. 95, which can improve trust with customers and enterprise buyers. The EU AI Office is developing voluntary commitments around transparency, bias testing, and environmental impact. Voluntary compliance is a competitive advantage.