The EU AI Act is no longer a distant prospect. Since February 2025, certain prohibited practices have been punishable, and the AI literacy obligation has applied from that same date. For many SME owners this comes as a sudden wake-up call: you are not prepared, and it turns out you are not alone.
This article gives you a clear overview of what the EU AI Act means, which deadlines you need to know, and above all: what you need to do now to become compliant without turning your business upside down.
What is the EU AI Act (and why should you care)?
The EU AI Act is the first legislation in the world that genuinely regulates artificial intelligence. It is not a handful of guidelines or recommendations. It is binding law, with fines of up to 35 million euros or 7% of your global annual turnover (whichever is higher).
The core idea is clever: the law takes a risk-based approach with four tiers, namely prohibited AI systems, high-risk AI, limited-risk AI, and low-risk AI. Each tier has its own requirements. For SMEs, the key point is this: you do not have to get everything perfect right away, but you do have to be able to demonstrate that you take it seriously.
That evidence is called AI Governance. It is a system that records which AI systems you use, what risks they carry, and how you manage them. Not just to impress regulators (although that helps too), but because your awareness of risk needs to be sharp for the sake of your own business.
The timeline: which rules apply when?
The EU AI Act rolls out in phases. It is essential to have this clear in your mind:
February 2025 – Prohibited practices already in force
This is active now. Certain AI practices are no longer permitted with immediate effect:
- Social scoring systems (AI that gives citizens a 'score' based on their behaviour)
- Real-time biometric identification in public spaces (barring very specific exceptions)
- AI that deliberately exploits minors
- Predictive policing based on personal data
For most SMEs this is not a direct threat, unless you are actively involved in surveillance or public services. Even so, you need to be aware of it and able to prove that you do not use any of these systems.
February 2025 – AI literacy required (Article 4)
Alongside the prohibited practices, the obligation around AI literacy also took effect. Organisations must train their staff in AI risks. Employees need to understand what AI can and cannot do, what biases it may have, and how to deploy it responsibly. This is less technical than you might expect. It is about awareness and a basic level of knowledge.
August 2025 – Penalty rules in force
From August 2025, national regulators can actually impose fines. This date also marks the start of the obligations for providers of general-purpose AI models (think of the companies behind ChatGPT and similar services). The point that matters for SMEs: the enforcement infrastructure is now up and running.
August 2026 – Full compliance
This is the first major deadline. By this date you must have:
- An AI Register (which AI systems do you use, and why?)
- Risk assessments for high-risk systems
- Documentation in order
- Audit trails and logs you can show
- Privacy Impact Assessments where needed
Misconceptions: 'it doesn't apply to me'
There are two big misunderstandings I run into with a lot of SMEs:
Misconception 1: "We don't use AI, so it doesn't apply to us"
This is almost never true. The odds are very high that you and your team do use AI, you just don't call it that. ChatGPT, Copilot, Google Gemini in your Gmail, LinkedIn's recruiter tools, email filters, fraud detection in your payment system. They are all AI systems. The EU AI Act covers those systems too, even when they come from third parties (as the deployer, you then share responsibility).
Misconception 2: "This is regulation for Big Tech"
Partly true. Large companies feel the pressure first. But the law applies to SMEs as well. The upside? SMEs can move far faster. You do not need to set up years of bureaucratic processes. A 12-week AI Governance programme is realistic for an SME; for enterprises it takes years.
What should you, as an SME owner, do NOW?
Three practical steps:
Step 1: Inventory (now to next week)
List every AI system your business uses. A spreadsheet is fine. ChatGPT used by your sales team? Write it down. LinkedIn Recruiter? That too. A chatbot on your website? That as well. The inventory does not have to be perfect, but it does need to be complete enough.
Step 2: Risk classification (weeks 2 to 3)
For each tool: what risks does it carry? High risk (impact on safety, equality, autonomy), limited risk (transparency required), or low risk? For most SME tools: low to limited. But you need to be able to substantiate it.
Step 3: Start on policy (months 1 to 2)
Write a simple AI Governance policy. Which tools are we allowed to use? Who approves them? How do we handle data? Who owns it? This does not need to be 100 pages. Two to five pages is enough for many SMEs.
Why starting now beats waiting
Companies that start now have a competitive advantage:
- Faster innovation: governance gives you control, and control gives you the freedom to roll out new AI more quickly
- Less panic: you are not caught in the August 2026 rush alongside a thousand others
- Better employee buy-in: your team understands why you do AI governance, not because they have to, but because it makes for safer ways of working
- Insight into your data: governance forces you to know your data assets well, which also helps with other compliance (GDPR, NIS2)
The FAQ for SMEs
Q: Do I have to replace all my tools?
A: No. Most tools are already compliant or can be made compliant with minor adjustments. You do not suddenly need to drop ChatGPT, you only need to establish that you use it responsibly.
Q: Won't this cost millions?
A: Not for an SME. AI Governance is expensive when you approach it like an enterprise (lots of compliance people, lots of processes). Set up efficiently, it costs a small business a few thousand euros; for mid-sized businesses, up to a few tens of thousands. Not free, but absolutely doable.
Q: What if I do nothing at all?
A: You risk enforcement after August 2026. That may begin with warnings, but it can escalate to fines. Worse still: your business carries AI risks without being aware of them. That leads to data breaches, bias incidents, or reputational damage. Governance protects you not only legally, but operationally too.
Summary
The EU AI Act is no longer something for next year. It is active, it applies to you, and you have until August 2026 to be compliance-ready. That sounds like plenty of time, but it goes by fast. Companies that start now have the edge: less haste, a better understanding of their AI landscape, and a culture that benefits safely from AI.
Start small: take stock of your AI, classify the risks, write a simple policy. That is enough for the first phase. And from there you move from chaos to control.
FlowBaas