The EU AI Act for Small Business: What 5–50 Person Companies Need to Know in 2026

Updated 19 May 2026. The EU AI Omnibus political agreement of 7 May 2026 deferred the high-risk deadline from 2 August 2026 to 2 December 2027. Article 4 AI Literacy has been in force since February 2026.

If you run a small business in Europe and use AI tools — ChatGPT for drafting, Copilot in Word, an AI feature in your CRM — the EU AI Act applies to you. From 2 December 2027, high-risk AI obligations are enforceable, with fines up to €35 million or 7% of global turnover. Article 4 AI Literacy applies today. The good news: SMB compliance is far simpler than the enterprise GRC industry would suggest.

Who counts as a deployer?

The EU AI Act defines a deployer (Article 3(4)) as any natural or legal person using an AI system under their own authority for a professional purpose. A two-person accountancy practice using Vic.ai is a deployer. A 30-person marketing agency using Midjourney is a deployer. A solo founder using ChatGPT for outreach is a deployer. The threshold is not about size — it is about use.

The five documents every SMB deployer needs

Under the proportionality principle the Commission has consistently applied, SMBs need five documents — far less than the 40-page enterprise binders.

1. AI Acceptable Use Policy (AUP)

A 2–4 page policy telling your team which AI tools are approved, for which purposes, with which data. This satisfies Article 4 AI literacy duties and prevents shadow AI.

2. AI Register

A spreadsheet listing every AI system in use, with vendor, purpose, data categories, risk classification, and internal owner. For a typical SMB, 10–30 rows is enough.

3. DPIA + FRIA

Required only for high-risk AI use. The Data Protection Impact Assessment (GDPR Article 35) and Fundamental Rights Impact Assessment (AI Act Article 27) are combined into one document.

4. Disclosure Notices

Standard wording for chatbots, AI-generated marketing, AI in hiring, AI transcription. Article 50 obligations are highly visible to customers — get the wording right and consistent.

5. Vendor Log

A tracker showing every AI vendor you use, with signed Data Processing Agreement, hosting region, and training-data status. This is the single document a regulator will ask for first.

When obligations apply (post-Omnibus)

  • 2 February 2026 — Article 4 AI literacy duty already in force.
  • 2 August 2025 — General Purpose AI provider duties applied.
  • 2 December 2026 — Specific nudifier-app prohibition.
  • 2 December 2027 — High-risk AI deployer duties (Annex III) apply. Most SMB compliance work targets this date.
  • August 2028 — Annex I prohibited practices full application.

The shortest path to compliance

If you have 5–50 employees and your AI use is limited to common tools, you can be compliance-ready in 48 hours. Ready AI Act delivers your full personalised pack as a done-for-you service: order online, fill in our 15-question intake, receive your reviewed documentation pack within 48 hours. See packages — from €299.
