The EU AI Act is the world’s first comprehensive AI regulation, and it came into force in 2024 with a phased implementation schedule. For small businesses using AI tools, the practical question is not whether the Act is a good idea — it is what it actually requires of you, when those requirements kick in, and what the realistic compliance burden looks like for an organisation that is using AI but not building it. The answer is more reassuring than most headlines suggest, but there are specific areas worth understanding.
The Risk-Based Framework
The EU AI Act uses a risk-based framework that assigns different requirements depending on the risk level of the AI application. Unacceptable risk systems — social scoring, real-time biometric surveillance in public spaces — are prohibited entirely. High-risk systems — AI used in employment decisions, credit scoring, educational assessment, critical infrastructure — face the most stringent requirements: conformity assessments, documentation, human oversight, and transparency obligations. Limited risk systems — chatbots, AI-generated content — must disclose that users are interacting with AI. Minimal risk systems — the vast majority of AI applications — have no specific requirements beyond existing law.
What Most Small Businesses Actually Do
Most small businesses using AI fall into the limited risk or minimal risk categories. Writing assistants, customer service chatbots, marketing content generation, productivity tools, data analysis — these are generally minimal risk applications under the Act. The primary obligation for limited risk applications (chatbots, AI-generated content) is transparency: users should know they are interacting with AI, and AI-generated content should be identifiable as such where relevant.
High-risk applications that small businesses might use include: AI-assisted CV screening or hiring decisions, AI used in credit or financial assessments, and AI used in certain educational contexts. If your business uses AI in these areas, the compliance requirements are more significant and worth reviewing with a lawyer familiar with the Act.
EU AI Act: Risk Categories at a Glance
| Risk Level | Examples | Key Requirement |
|---|---|---|
| Unacceptable | Social scoring, mass surveillance | Prohibited |
| High risk | CV screening, credit scoring | Conformity assessment + docs |
| Limited risk | Chatbots, AI-generated content | Transparency / disclosure |
| Minimal risk | Most productivity AI tools | No specific requirements |
The Implementation Timeline
The EU AI Act has a phased implementation. Prohibited practices applied from February 2025. Obligations for general-purpose AI model providers apply from August 2025. High-risk system requirements apply from August 2026. This phased approach means small businesses have time to understand and prepare for the requirements most relevant to their use cases.
Practical Steps for Small Businesses
The practical compliance steps for most small businesses are modest. Audit your AI use cases against the risk category framework — most will be minimal risk, requiring nothing beyond existing obligations. For chatbot deployments, ensure users know they are interacting with AI (most well-configured chatbot platforms do this by default). For any AI used in employment or financial decisions, get legal advice on whether high-risk category requirements apply and what they specifically require.
The EU AI Act’s compliance burden falls primarily on AI system providers (the companies building the AI tools) rather than deployers (businesses using those tools). Your AI tool vendors are responsible for their products’ compliance with the Act; your responsibility is primarily to use those tools in ways consistent with their intended purpose and to implement appropriate human oversight where the Act requires it.
Practical Compliance Steps for Small Businesses
The EU AI Act’s compliance burden falls primarily on AI system providers — the companies that build and sell AI systems — rather than on deployers, which is what most small businesses are. Your obligations as a deployer are significantly lighter than the headlines suggest. For minimal risk applications (most productivity AI, writing assistance, data analysis), there are no specific requirements beyond existing law. For limited risk applications (customer-facing chatbots), you must ensure users know they are interacting with AI — most well-configured chatbot platforms do this by default. For high-risk applications (CV screening, credit scoring), you need to implement human oversight, maintain documentation, and in some cases conduct a conformity assessment.
The practical first step is a simple classification exercise: list your AI use cases and classify each against the risk tiers. Most small businesses will find that 90% or more of their AI use cases fall into the minimal risk category. Address the limited risk cases with disclosure requirements. Flag any high-risk cases for legal review. This exercise takes two to three hours and produces a clear picture of your compliance obligations under the Act.
Documentation Requirements for High-Risk Use Cases
If you use AI in any high-risk context — employment screening, credit assessment, educational evaluation — the Act requires documentation that most businesses do not currently maintain. You need records of: which AI system is used, how it was validated for your use case, what human oversight mechanism is in place, and how decisions can be reviewed and challenged by affected individuals. Building this documentation does not require significant technical infrastructure, but it does require deliberate process design. The human oversight mechanism, in particular, needs to be genuinely functional: not a checkbox confirming that an AI recommendation was technically “reviewed” by a human who always approves it, but an actual process in which the human reviewer applies independent judgment and occasionally overrides the AI.
Preparing for the August 2026 High-Risk Deadline
High-risk system obligations under the EU AI Act fully apply from August 2026. For businesses using AI in employment decisions, financial assessments, or other high-risk contexts, this deadline is relevant. The preparation required is not technically complex for most small businesses: identify the high-risk applications, ensure human oversight is genuinely in place, document the process, and verify that your AI vendors’ products comply with the Act’s requirements for high-risk providers. Most major AI vendors are actively building compliance into their products ahead of this deadline — review your vendors’ AI Act compliance documentation to understand what they are providing and what you need to supplement.
Classifying your AI use cases against the EU AI Act risk tiers this month gives you a clear picture of your compliance obligations and plenty of time to address any gaps before the August 2026 deadline for high-risk systems.
Working With Your AI Vendor on Compliance
For businesses using enterprise AI tools from major providers, the vendor’s compliance programme does significant heavy lifting. Major providers maintain ISO 27001 certification, SOC 2 Type II reports, and published EU AI Act compliance roadmaps. Request these documents from your vendors and include them in your own compliance documentation — they demonstrate that the AI systems you use have been built and operated with appropriate controls, which is relevant to both internal governance and external audits.
When evaluating new AI tools for business use, add compliance credentials to your evaluation criteria alongside capability and cost. A tool that lacks SOC 2 certification, does not offer a DPA (data processing agreement), or has not published its EU AI Act compliance approach represents an additional compliance burden: you cannot rely on the vendor’s programme and must assess the risk yourself. Tools with strong compliance programmes reduce your compliance overhead; those without increase it. Factor this into your evaluation accordingly.
Documentation as Compliance Infrastructure
For businesses with any high-risk AI use cases, compliance documentation is not a one-time exercise — it is an ongoing operational practice. Every change to an AI system used in a high-risk context should be documented: what changed, why, what testing was done before deploying the change, and what human oversight mechanism remains in place. This documentation does not need to be elaborate — a changelog in Notion with one to three sentences per entry is sufficient for most small businesses. The key is consistency: every change documented at the time it is made, rather than reconstructed after the fact when an audit or incident requires it. The habit of contemporaneous documentation is what transforms compliance from a periodic scramble into a manageable ongoing practice.
Building Proportionate AI Governance
AI governance for a small business should be proportionate to its AI risk profile — not modelled on the compliance frameworks of large enterprises with dozens of high-risk AI applications. A small business using AI primarily for content generation, productivity assistance, and basic automation needs a one-page acceptable use policy, a brief annual review of use cases against the risk category framework, and a named point of contact for AI-related questions. This is governance, not bureaucracy. It satisfies the spirit of the Act’s requirements for minimal and limited risk applications, creates a clear internal reference for employees, and establishes the foundation for more rigorous governance if high-risk applications are added in the future.