Pillar · Published 2026-05-13 · 16 min read

EU AI Act for European SMEs

Regulation (EU) 2024/1689, better known as the EU AI Act, is the first comprehensive, horizontal AI regulation in the world. For knowledge-intensive European SMEs it is both a risk and an opportunity. This guide goes through what you need to know, what you need to do, and when.

Written by Jesper Sachmann, founder of EnterpriseIQ. 27 years of IT leadership from Oracle, Logica and Capgemini, combined with hands-on AI work and a GRC background from Archer.

TL;DR
  • Most of the EU AI Act, including the obligations for the high-risk systems listed in Annex III, applies from 2 August 2026. Prohibited practices and the general-purpose AI rules already apply.
  • Four risk categories: prohibited, high-risk, limited, minimal. Most SMEs have systems across several of them.
  • High-risk systems carry eight obligations (Art. 9-15 and 72): risk management, data quality, documentation, logging, transparency, human oversight, accuracy, post-market monitoring.
  • Fines up to 7 percent of global turnover or EUR 35 million.
  • Start with 3 steps: map AI use, classify against risk categories, write an AI policy.

Why the EU AI Act matters for SMEs

When the regulation was adopted in 2024, media attention focused on the large platforms. But the EU AI Act applies to everyone who develops, deploys or uses AI systems in the EU, including small law firms, accounting firms and IT consultancies across Europe.

Danish AI adoption in SMEs was 14 percent in 2023 (Statistics Denmark), compared to 51 percent among large companies. The picture across the EU is similar: many SMEs are now in the transition between "we have not really used AI" and "we have started to use it seriously". That is the worst place to be when the EU AI Act applies in full.

The EU AI Act is not a technology law. It is a use-case-based risk regulation. That means classification follows what the AI is used for, not which model or vendor is behind it. The same Claude or GPT-4 instance can be minimal risk in one setting and high-risk in another.

Deadlines on the calendar

Date What Status
2024-08-01 Regulation entered into force Passed
2025-02-02 Prohibited practices (Art. 5) apply Passed
2025-08-02 General-purpose AI models (Art. 51-56) apply Passed
2026-08-02 Annex III high-risk systems, Art. 50 transparency duties and most other rules apply Next
2027-08-02 Annex I high-risk systems (AI built into products under EU safety legislation) apply Later

The most important date is 2 August 2026 for Annex III high-risk systems (HR, credit, education and the other categories listed below). That is the deadline that will affect the largest number of SMEs, and the one that requires most preparation.

The four risk categories

Prohibited (Art. 5)

Already in force. These AI uses are prohibited in the EU regardless of who builds them:

  • Subliminal or manipulative techniques that distort behaviour and cause significant harm
  • Exploitation of vulnerability (age, disability, social or economic situation)
  • Social scoring of people
  • Predicting criminal risk based on profiling or personality traits alone
  • Untargeted scraping of facial images from the internet or CCTV to build face databases
  • Emotion recognition in workplaces and education (except for medical or safety reasons)
  • Biometric categorisation to infer race, political opinions, religion, trade union membership, sex life or sexual orientation
  • Real-time remote biometric identification in publicly accessible spaces for law enforcement, with narrow exceptions

For most SMEs, prohibited practices are not a real concern; they mainly hit the large platforms. Two of them can still catch a small firm: emotion recognition in the workplace (for example a call-centre tool that infers whether an agent sounds stressed), and HR tools that sort candidates by "personality profiles" derived from facial or voice data. If you have either, get it assessed before the tool goes live.

High-risk (Annex III + Art. 6)

The main task for most SMEs. If you have AI systems in the following Annex III areas, they fall under high-risk. Art. 6(3) lets a system out again only if it performs a narrow procedural task, improves a decision a human has already made, or detects patterns without replacing the human assessment; that exemption never applies to profiling of people, and you must document why you rely on it.

  • Biometrics and categorisation
  • Critical infrastructure
  • Education and vocational training (exams, admissions)
  • Employment and HR: screening, performance, promotion
  • Access to essential services: credit scoring, healthcare, insurance
  • Law enforcement
  • Migration, asylum, border control
  • Administration of justice and democratic processes

Limited risk (Art. 50)

Transparency requirements from 2 August 2026. This covers:

  • Chatbots and dialogue AI: the user must be told it is AI, unless that is obvious from the context
  • Emotion recognition (where not prohibited): people exposed to it must be informed
  • Biometric categorisation systems: same disclosure duty
  • Deepfakes and synthetic content: providers must mark machine-generated output in a machine-readable way, and deployers must disclose deepfakes

Limited risk is not a heavy burden, but it must be in place. Example: if you run a customer chatbot on your website, it must be clearly disclosed that the user is talking to AI.

Minimal risk

Everything else. No formal requirements, but voluntary codes of conduct are recommended. Typical examples: ChatGPT or Claude for internal text editing, spam filters, inventory forecasting, code assistance like GitHub Copilot, meeting transcription with Krisp.

Eight obligations for high-risk systems

If you have high-risk systems, the EU AI Act (Art. 9-15 and 72) requires the following before 2 August 2026. Strictly, Art. 9-15 bind the provider of the system; if you buy a high-risk tool and use it, you are a deployer with the lighter but real duties of Art. 26 (use it as instructed, assign trained people to oversee it, keep the logs it generates for at least six months, inform affected workers). Providers of Annex III systems must also register them in the EU database (Art. 49). Either way, the following is what an auditor will ask to see:

1. Risk management system (Art. 9)

Establish continuous risk assessment for each high-risk system. Identify, evaluate, mitigate, monitor.

2. Data quality and governance (Art. 10)

Training, validation and test data must be representative and relevant. Bias assessment is required.

3. Technical documentation (Art. 11)

Complete documentation demonstrating compliance, updated on an ongoing basis.

4. Logging (Art. 12)

Automatic event logging over the system's lifetime, at a level that lets you trace how it functioned: which input was processed, by which model version, what it returned, and which decision followed.

5. Transparency (Art. 13)

Users of the system must be able to understand its output. Instructions for use, limitations, performance.

6. Human oversight (Art. 14)

People must be able to understand AI output and override decisions. No rubber-stamping.

7. Accuracy and robustness (Art. 15)

Consistent performance plus resilience to errors and attacks. Measured and documented.

8. Post-market monitoring (Art. 72)

Ongoing monitoring after deployment (Art. 72), plus reporting of serious incidents to the market surveillance authority (Art. 73).
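What the logging duty (Art. 12) and the human-oversight duty (Art. 14) look like in code is easier to see than to describe. The example below is added here and is not code from the article or from any product it mentions. It keeps an append-only decision log for a hypothetical HR screening tool: each record holds a keyed fingerprint of the input (so the CV text itself stays out of the log), the model output and version, the reviewer's decision and, if it differs from the model, the stated reason. Records are chained with SHA-256 so that editing or deleting one is detectable, and the override rate gives a quick rubber-stamping check. Field names, the salt and the sample decisions are assumptions made for the example.

```python
"""Tamper-evident decision log for a high-risk AI system (added example)."""
import hashlib
import json
from datetime import datetime, timezone
from typing import Optional

GENESIS_HASH = "0" * 64  # prev_hash of the first record


def _canonical(obj) -> bytes:
    # Deterministic serialisation so the same record always hashes the same way.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode("utf-8")


def input_fingerprint(payload: dict, salt: bytes) -> str:
    # Keyed hash of the input: the log proves which input was processed
    # without storing the CV, application or message text itself.
    return hashlib.sha256(salt + _canonical(payload)).hexdigest()


class DecisionLog:
    """Append-only, hash-chained log of model outputs and human decisions."""

    def __init__(self, salt: bytes):
        self.salt = salt
        self.records = []

    def append(self, *, system_id: str, model_version: str, input_payload: dict,
               model_output: str, model_score: float, reviewer: str,
               human_decision: str, override_reason: Optional[str] = None) -> dict:
        overridden = human_decision != model_output
        if overridden and not override_reason:
            # Art. 14 in practice: an override is a decision, so it needs a stated reason.
            raise ValueError("override without a reason")
        prev_hash = self.records[-1]["record_hash"] if self.records else GENESIS_HASH
        record = {
            "seq": len(self.records),
            "ts": datetime.now(timezone.utc).isoformat(),
            "system_id": system_id,
            "model_version": model_version,
            "input_fp": input_fingerprint(input_payload, self.salt),
            "model_output": model_output,
            "model_score": model_score,
            "reviewer": reviewer,
            "human_decision": human_decision,
            "overridden": overridden,
            "override_reason": override_reason,
            "prev_hash": prev_hash,
        }
        record["record_hash"] = hashlib.sha256(_canonical(record)).hexdigest()
        self.records.append(record)
        return record

    def verify(self):
        """Return (True, count) if the chain is intact, else (False, first bad index)."""
        prev_hash = GENESIS_HASH
        for i, record in enumerate(self.records):
            body = {k: v for k, v in record.items() if k != "record_hash"}
            if record["seq"] != i or record["prev_hash"] != prev_hash:
                return False, i  # a record was removed or reordered
            if hashlib.sha256(_canonical(body)).hexdigest() != record["record_hash"]:
                return False, i  # a record was edited after the fact
            prev_hash = record["record_hash"]
        return True, len(self.records)

    def override_rate(self) -> float:
        # A long run of decisions with an override rate of 0.0 is the
        # "rubber-stamping" signal an auditor will look for.
        if not self.records:
            return 0.0
        return sum(r["overridden"] for r in self.records) / len(self.records)

    def to_jsonl(self) -> str:
        # One JSON object per line, ready to ship to write-once storage.
        return "\n".join(json.dumps(r, sort_keys=True) for r in self.records)


if __name__ == "__main__":
    log = DecisionLog(salt=b"rotate-me-and-keep-me-out-of-git")  # assumption
    log.append(system_id="hr-screen", model_version="1.2.0",
               input_payload={"candidate": "A", "cv": "..."}, model_output="reject",
               model_score=0.81, reviewer="hr.lead", human_decision="reject")
    log.append(system_id="hr-screen", model_version="1.2.0",
               input_payload={"candidate": "B", "cv": "..."}, model_output="reject",
               model_score=0.77, reviewer="hr.lead", human_decision="invite",
               override_reason="relevant experience not captured by CV keywords")
    print(log.verify(), log.override_rate())
    print(log.to_jsonl())
```

The salt is the one secret in this design: anyone who holds it can confirm whether a given CV was processed, so keep it with the system's other credentials. Ship the JSONL to storage the system itself cannot rewrite (WORM bucket, log sink with retention lock) and run verify() on the stored copy, not on the in-memory one.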

That is a lot. For an SME with 1-3 high-risk systems, we typically see 100-300 hours of internal work over 3-6 months to put it in place, depending on whether you are starting from zero or already have a GRC foundation.

Industry examples

Law firms

Typical AI uses and their classification:

  • Client due diligence and screening that can lead to refusal → high-risk
  • AI-generated legal advice delivered directly to the client → not an Annex III category in itself, but the Art. 50 disclosure duty applies if it is delivered through a chatbot, and the lawyer stays responsible for the advice
  • Document research with Perplexity or Claude → minimal risk
  • Contract review with AI as an assistant → minimal risk (when the lawyer validates)
  • Time tracking with AI-generated descriptions → minimal risk

Accounting firms

  • AML screening with consequences for client engagement → high-risk
  • Risk assessment leading to client rejection → high-risk
  • Automatic invoice classification → minimal risk
  • Audit note drafting → minimal risk
  • Materiality assessment with AI as an assistant → minimal risk (when the auditor validates)

Financial advisers

  • Credit scoring and creditworthiness assessment → high-risk (Annex III exempts only systems used to detect financial fraud)
  • Customer segmentation that affects pricing or offers → high-risk
  • AI-based investment advice to retail customers → high-risk
  • Client report generation → minimal risk

IT services firms

  • Own use: usually minimal risk
  • Ticket prioritisation that affects SLAs → can be high-risk
  • Knowledge base with RAG → minimal risk
  • GitHub Copilot for code → minimal risk
  • If you build or customise AI for clients with high-risk consequences → you may be the provider (Art. 16) and, if you substantially modify a third-party system, you take over its provider obligations (Art. 25)

HR (all industries)

  • Candidate screening → high-risk
  • CV parsing that filters → high-risk
  • Performance evaluation → high-risk
  • Pay adjustment or promotion recommendation → high-risk

Fines and consequences

Type of breach Maximum fine (Art. 99)
Prohibited practices (Art. 5) EUR 35 million or 7% of global turnover, whichever is higher
High-risk and other operator breaches EUR 15 million or 3% of global turnover, whichever is higher
Incorrect, incomplete or misleading information to a regulator EUR 7.5 million or 1.5% of global turnover, whichever is higher

For SMEs, including start-ups, the lower of the two amounts applies (Art. 99(6)), but the rules themselves apply equally. The realistic risk picture is not the maximum fine. It is audit requests, reputational damage and loss of customers who prioritise compliance.

ISO/IEC 42001: when does it make sense?

ISO/IEC 42001 (AI Management System) is a voluntary standard that provides a structured approach to AI governance. It covers many of the EU AI Act requirements, but it is not mandatory for compliance.

ISO 42001 makes sense if you:

  • Sell to public sector or enterprise customers who require it
  • Want certification as a competitive advantage
  • Have multiple high-risk systems and can benefit from scale
  • Build AI as a product and want to signal maturity

ISO 42001 does NOT make sense if you: have 1-2 limited-risk systems, are a small organisation without enterprise sales, or simply want to meet the EU AI Act minimum. For most SMEs, focused EU AI Act compliance is the first path; ISO 42001 can be revisited later.

Three steps you can take this week

Step 1: Map AI use

  • List every AI tool in official use
  • Ask staff which tools they use on personal accounts (shadow IT)
  • Describe each use in 2-3 sentences
  • Note the data sent and whether decisions about people are involved

Step 2: Classify against the EU AI Act

  • Use the four-category model (prohibited, high-risk, limited, minimal)
  • Be conservative when in doubt (pick the higher risk)
  • Have a lawyer or AI adviser validate the classification
  • Note concrete actions for each high-risk system

Step 3: Write a basic AI policy

  • Describe what staff may and may not send to AI
  • Define the approval procedure for new AI tools
  • Name the owner of the AI portfolio (typically IT lead plus DPO)
  • Share it with staff. Without training a policy is worthless

This is not enough to be fully EU AI Act compliant, but it is the foundation. If you have it in place, the rest is a question of how deep you go, not where you start.
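The staff survey in Step 1 only catches what people remember to report. An added example, not from the article, that complements it: scan outbound proxy logs for traffic to AI vendor domains and build the inventory skeleton from observed use, with each row pre-filled with the conservative default from Step 2 (unclassified until someone has looked at it). The log line format, the vendor domain list and the approved-tool list are assumptions made for the example; the sample log lines are constructed.

```python
"""Shadow-AI discovery from proxy logs (added example)."""
import re
from collections import defaultdict

# Constructed proxy log lines in an assumed format:
#   <ISO timestamp> <user> <client ip> <method> <host:port> <bytes sent by client>
SAMPLE_LOG = """\
2026-05-04T09:12:31Z alice 10.0.0.12 CONNECT chatgpt.com:443 18234
2026-05-04T09:13:02Z alice 10.0.0.12 CONNECT api.openai.com:443 2048
2026-05-04T09:40:10Z bob 10.0.0.15 CONNECT claude.ai:443 912877
2026-05-04T10:02:44Z carol 10.0.0.19 CONNECT perplexity.ai:443 4410
2026-05-04T10:05:00Z carol 10.0.0.19 CONNECT www.example.org:443 1200
2026-05-04T10:30:12Z bob 10.0.0.15 CONNECT copilot.microsoft.com:443 3301
this line is malformed and is skipped
"""

# Illustrative vendor domain suffixes; extend from your own SaaS catalogue (assumption).
AI_VENDOR_DOMAINS = {
    "openai.com": "OpenAI",
    "chatgpt.com": "OpenAI",
    "anthropic.com": "Anthropic",
    "claude.ai": "Anthropic",
    "perplexity.ai": "Perplexity",
    "copilot.microsoft.com": "Microsoft Copilot",
    "gemini.google.com": "Google Gemini",
    "mistral.ai": "Mistral",
}

# Tools the organisation has formally approved (assumption for the example).
APPROVED_VENDORS = {"Anthropic"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<user>\S+) (?P<ip>\S+) (?P<method>\S+) "
    r"(?P<host>[^:\s]+):(?P<port>\d+) (?P<bytes>\d+)$"
)


def vendor_for(host: str):
    """Map a hostname to a vendor by longest matching domain suffix, or None."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in AI_VENDOR_DOMAINS:
            return AI_VENDOR_DOMAINS[suffix]
    return None


def parse_log(text: str):
    """Yield parsed events; lines that do not match the format are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        yield {"user": m["user"], "host": m["host"], "bytes": int(m["bytes"])}


def build_inventory(text: str):
    """Aggregate AI vendor traffic per vendor: users, requests, bytes uploaded."""
    agg = defaultdict(lambda: {"users": set(), "requests": 0, "bytes_out": 0})
    for ev in parse_log(text):
        vendor = vendor_for(ev["host"])
        if vendor is None:
            continue
        row = agg[vendor]
        row["users"].add(ev["user"])
        row["requests"] += 1
        row["bytes_out"] += ev["bytes"]  # upload volume: a proxy for data leaving the firm
    return [
        {
            "vendor": vendor,
            "users": sorted(row["users"]),
            "requests": row["requests"],
            "bytes_out": row["bytes_out"],
            "approved": vendor in APPROVED_VENDORS,
            # Step 2 default: nothing is "minimal risk" until a human has classified it.
            "classification": "unclassified",
        }
        for vendor, row in sorted(agg.items())
    ]


def shadow_use(inventory):
    """Rows for vendors nobody approved: the start of the Step 1 conversation with staff."""
    return [row for row in inventory if not row["approved"]]


if __name__ == "__main__":
    inv = build_inventory(SAMPLE_LOG)
    for row in inv:
        print(row)
    print("unapproved vendors:", [r["vendor"] for r in shadow_use(inv)])
```

Suffix matching is deliberate: "copilot.microsoft.com" maps to a vendor while the rest of microsoft.com does not, and the per-vendor upload volume tells you where the "what data is sent" question in Step 1 matters most. Personal accounts on consumer AI sites show up here just as company accounts do, which is the point.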

FAQ

When does the EU AI Act apply in full?

The EU AI Act entered into force on 2024-08-01. Prohibited practices from 2025-02-02. General-purpose AI models from 2025-08-02. Annex III high-risk systems, Art. 50 transparency duties and most other rules from 2026-08-02. Annex I high-risk systems (AI in products under EU safety legislation) from 2027-08-02.

Is my SME covered?

Yes, if you use AI to make or assist decisions about people, or if you provide chatbots or deepfakes to citizens. Most knowledge-intensive European SMEs have at least one limited-risk system in use.

How large are the fines?

Up to 7 percent of global turnover or EUR 35 million for prohibited practices. 3 percent or EUR 15 million for high-risk breaches. Proportionality principle applies for SMEs.

How long does it take to become compliant?

Realistically 3-9 months. Quick Check: 1 day. AI policy: 2-4 weeks. High-risk implementation: 3-6 months. ISO 42001: 6-12 months.

What does it cost?

Quick Check DKK 15,000-25,000. Full Assessment DKK 50,000-90,000. ISO 42001 readiness DKK 80,000-150,000. Internal work 50-200 hours depending on exposure.

Which AI tools are covered?

The EU AI Act regulates based on use case, not technology. ChatGPT for internal text editing is minimal risk. The same ChatGPT for client due diligence is high-risk.

What is an AI policy?

The organisation's written rules for AI use: approved tools, data policy, governance owners, risk tolerance, controls. 3-8 pages, reviewed quarterly, typically owned by IT lead plus DPO.

Where do I start?

Three steps: map AI use (2 weeks), classify against the risk categories (1 week), write a basic AI policy (2-4 weeks). Or order a Quick Check and have it delivered cleanly in 1-2 weeks.

About the author

Jesper Sachmann is the founder of EnterpriseIQ. 27 years of IT leadership from Oracle, Logica and Capgemini, combined with hands-on AI experience and a GRC background from Archer.

AI attribution: This article is AI-assisted, produced with Claude Opus 4.7, human review by Jesper Sachmann. See our AI transparency policy for how we use AI across every deliverable.

Citing this article? Use "EnterpriseIQ: EU AI Act for European SMEs (2026-05-13)" or link to enterpriseiq.dk/en/insights/eu-ai-act-sme-guide.