Independent Consultant | Cybersecurity Architect & vCISO

Currently fully booked. New engagements onboard from early 2027.Join the 2027 waitlist

EU AI Act · Compliance · SME Security · AI Regulation · AI Security

The EU AI Act for Small Companies: What You Actually Have to Do

Petr Pospíšil
5 min read
The EU AI Act for Small Companies: What You Actually Have to Do

SME takeaway

Most small companies use AI. Very few build it. That distinction decides almost everything.

If your company uses tools like ChatGPT, Copilot, or an AI feature inside software you already pay for, your duties under the EU AI Act are lighter than the headlines suggest - but they are not zero.

You run a small company. You use AI the way everyone now does: drafting emails, summarising documents, writing a bit of code, answering customers faster. Then you read that the EU AI Act carries fines in the millions, and you wonder whether you have a problem.

For most small companies, the honest answer is: a small, manageable one. This post is the starter version - what the law asks of a company that uses AI, in plain terms, with nothing you do not need.

First question: are you a user or a maker?

The Act treats two roles very differently.

  • A provider builds or substantially modifies an AI system and puts it on the market. Heavy obligations live here.
  • A deployer uses an AI system under its own authority, in the course of business. This is almost every SME.

If you bought the AI, or it came bundled inside software you already use, you are a deployer. The provider (OpenAI, Microsoft, your software vendor) carries the heavy compliance load. Your job is narrower: use the tool responsibly and know where the lines are.

That single distinction removes most of the fear. You are not expected to document a model you did not build.

What actually applies to a small company that uses AI

Four things. None of them require a legal department.

1. Do not use banned AI

A short list of AI practices is prohibited outright across the EU, and has been since February 2025. The ones a normal workplace could stumble into:

  • Emotion recognition of employees at work (outside narrow safety or medical cases).
  • Social scoring of people based on behaviour or characteristics.
  • Manipulative or deceptive systems that push people into decisions they would not otherwise make.

If a vendor pitches you “AI that reads your staff’s mood from their webcam,” that is not a productivity feature. That is a legal problem. Walk away.

2. Make sure your people have basic AI literacy

This is the requirement most small companies miss, and it already applies. The Act expects any company using AI to ensure the staff who operate it have a sufficient level of AI literacy - enough understanding to use it sensibly and spot when it goes wrong.

For many SMEs, this does not need to become a big training project. It is a short, honest internal briefing: what the tools can and cannot do, that AI confidently invents facts, that you do not paste customer data or secrets into a public chatbot, and who to ask when unsure. Write it down. That note is your evidence.

3. Be honest that it is AI

If you put a chatbot in front of customers, people should be able to tell they are talking to a machine. If you publish AI-generated images, audio, or video that could pass for real, it should be labelled. The rule is simple: do not let AI quietly impersonate a human or pass synthetic content off as genuine. These transparency duties apply from 2 August 2026. Some technical marking and watermarking obligations have transitional timing, especially for systems already placed on the market before that date.

4. If you ever deploy a high-risk system, follow the instructions

Some AI counts as high-risk - systems used for hiring, access to education, credit, essential services, and similar decisions that affect people’s lives. The heaviest obligations live here, and they fall mainly on the provider. Their timeline has also slipped: a 2026 reform package (the “Digital Omnibus”, approved by the European Parliament on 16 June 2026, with formal Council adoption still required before it takes effect) pushes the full high-risk rules back to 2027 and 2028, so they are not in force yet. As a deployer, your part stays practical: use the system as instructed, keep a human in the loop, retain the logs it produces, and monitor that it behaves. Most small companies will never deploy one. If you think you might, that is the moment to get advice.

The Act decides what is illegal. It does not decide what is safe. An AI tool can sit far below the high-risk line and still leak data, follow a poisoned instruction, or take an action it should not. Prompt injection, data leakage, and unsafe tool use are business risks whether or not a regulator is watching.

The bigger day-to-day exposure for most SMEs is not the model - it is unmanaged use of it. I wrote about that in Shadow AI: the risk is secrecy, not AI itself. And if you are putting an AI feature in front of customers, testing how it behaves under attack is worth more than any policy document.

Your starter checklist

Six steps for a small company

  • List every AI tool your team actually uses
  • Check none of them fall in the banned list
  • Give staff a one-page AI literacy briefing
  • Label customer-facing chatbots and AI content
  • Set a simple rule on what data never goes in
  • Name one person who owns AI questions

That is a morning of work, not a project. Do it once, keep the note, and you are ahead of most companies your size.

The verdict

If your small company uses AI rather than builds it, the EU AI Act is mostly common sense written into law: do not use the banned stuff, make sure your people know what they are doing, be honest that it is AI, and keep an eye on the systems that matter. Start with an inventory this week - everything else follows from knowing what you actually run.

Sources

Found this useful?

Join the 2027 waitlist

I work with organisations across Europe on NIS2 compliance, penetration testing, and security strategy. I'm currently fully booked and onboarding new engagements from early 2027 - join the waitlist and I'll be in touch as slots open.