Compliance

EU AI Act Compliance Checklist for SMBs

The EU AI Act affects any business serving EU customers. Here's what SMBs need to know about classification, compliance, and the (newly postponed) high-risk system deadlines.

Peter KwidzinskiPeter Kwidzinski
||6 min read
Editorial photograph: tall European-style stone government building columns at night, lit by a single amber sodium-vapor street lamp
Share:

Update (June 2026): Annex III postponed. This article was originally published in January 2026 when the working assumption was an August 2026 enforcement date for high-risk AI systems. On May 7, 2026, the EU Council and Parliament reached a provisional agreement (the "Digital Omnibus") postponing Annex III high-risk system obligations to December 2, 2027 and Annex I system obligations to August 2028. General-purpose AI model obligations (Article 53) that took effect in August 2025 are unchanged. The strategic message of this post is unchanged — preparation still takes 6–12 months — but the deadline you're racing has shifted. We've updated key references inline. Original publication date preserved for transparency.

The EU AI Act is the world's first comprehensive AI regulation, and it doesn't care where your company is headquartered. If your AI systems affect EU citizens, you're in scope.

For SMBs, this creates both risk and opportunity. The risk is obvious—fines up to €35 million or 7% of global revenue. The opportunity? Getting compliant before your competitors positions you as the trustworthy choice for EU customers.

Here's what you need to know.

Does the EU AI Act Apply to You?

Short answer: Probably yes, if you have any EU customers or employees.

The EU AI Act applies to:

  • AI systems deployed in the EU (regardless of where the provider is based)
  • AI systems whose outputs are used in the EU
  • Providers, deployers, importers, and distributors in the AI value chain

This means:

  • A US company using AI to screen job applicants who may be EU citizens? In scope.
  • A UK fintech using AI for credit decisions for EU customers? In scope.
  • A Canadian manufacturer using AI in products sold in the EU? In scope.

The only way you're clearly out of scope is if you have zero EU touchpoints—no EU customers, employees, partners, or supply chain connections.

The Risk Classification System

The EU AI Act categorizes AI systems by risk level. Your compliance obligations depend on where your AI falls.

Prohibited AI (Banned)

Deadline: February 2025 (Already in effect)

These AI applications are completely banned:

  • Social scoring systems
  • Real-time biometric identification in public spaces (with limited exceptions)
  • AI that exploits vulnerabilities of specific groups
  • Subliminal manipulation techniques

High-Risk AI

Deadline: December 2, 2027 (Annex III, postponed from August 2026 per Digital Omnibus)

AI systems requiring full compliance, including conformity assessments, documentation, and human oversight:

DomainExamples
Employment & HRAI recruitment, performance evaluation, task allocation
Credit & FinanceCredit scoring, loan decisions, insurance pricing
EducationStudent assessment, admissions decisions
Critical InfrastructureAI managing utilities, transportation
Law EnforcementRisk assessment, evidence analysis

SMB implication: If you use AI in hiring, lending, or customer risk assessment, you likely have high-risk obligations.

Limited Risk AI

Deadline: August 2025 (Transparency rules)

AI systems requiring transparency but not full compliance:

  • Chatbots (must disclose AI nature)
  • Emotion recognition systems
  • Deepfake generation
  • AI-generated content

Minimal Risk AI

No specific requirements

Most AI applications fall here:

  • Spam filters
  • Inventory optimization
  • Content recommendations
  • AI-assisted writing (internal use)

The SMB Compliance Checklist

Phase 1: Discovery (Do This Now)

  • Inventory all AI systems in your organization
  • Map data flows for each AI system
  • Identify third-party AI in your supply chain

Phase 2: Classification (By Q1 2026)

  • Classify each AI system by risk level
  • Identify prohibited practices
  • Flag high-risk systems for full compliance

Phase 3: Governance (By Q2 2026)

  • Establish AI governance structure
  • Develop AI policies
  • Implement human oversight

Phase 4: Technical Compliance (By Q3 2027)

For high-risk systems:

  • Conduct conformity assessments
  • Implement quality management systems
  • Create technical documentation
  • Establish monitoring procedures

Phase 5: Ongoing (December 2027 and Beyond)

  • Monitor continuously
  • Maintain documentation
  • Train regularly

Key Deadlines

DateWhat Happens
Feb 2025Prohibited AI practices banned (in effect)
Aug 2025General-purpose AI model rules apply (Article 53, in effect)
Feb 2026Colorado AI Act effective — nearest live US deadline
Dec 2, 2027Annex III high-risk system requirements (postponed from Aug 2026 per Digital Omnibus, provisional agreement May 7, 2026)
Aug 2028Annex I embedded AI in regulated products (postponed from Aug 2027)

The SMB Advantage

Large enterprises are struggling with EU AI Act compliance because they have thousands of AI systems, complex governance structures, and slow-moving compliance processes.

SMBs can move faster:

  • Smaller AI footprint means faster inventory
  • Simpler governance structures mean faster decision-making
  • Direct customer relationships mean you can explain changes clearly

Organizations that achieve compliance early can use it as a competitive differentiator.

Common SMB Mistakes

Mistake 1: "We're not in the EU, so it doesn't apply" Wrong. If your AI affects EU citizens, you're in scope.

Mistake 2: "We don't use AI" You probably do. Check your CRM, HR software, marketing tools, and customer service platforms.

Mistake 3: "Our vendors handle compliance" The EU AI Act creates obligations for deployers, not just providers. You can't outsource responsibility.

Mistake 4: "We'll figure it out when enforcement starts" December 2, 2027 is not the time to start. Compliance takes 6-12 months to implement properly — and Colorado AI Act effective February 2026 is the nearer live deadline for many US-based SMBs.

The Cost of Non-Compliance

Violation TypeMaximum Fine
Prohibited AI practices€35M or 7% of global revenue
High-risk system violations€15M or 3% of global revenue
Documentation failures€7.5M or 1.5% of global revenue

For SMBs, these aren't just theoretical. A €7.5 million fine would end most small businesses.

Getting Started

The EU AI Act is complex, but compliance is achievable for SMBs willing to start now.

Immediate actions:

  1. Take our AI Risk Assessment to identify your AI footprint
  2. Block time in Q1 to complete discovery and classification
  3. Consider professional help for high-risk systems

If you need expert help: Our AI Risk Sprint (with EU AI Act focus) provides comprehensive compliance evaluation including AI classification, gap analysis, and complete remediation roadmap.

Contact us to discuss your compliance needs.


The clock is ticking. December 2, 2027 — and Colorado's February 2026 effective date before it — will arrive faster than you expect.

Share:
#eu-ai-act#compliance#regulation#smb
Peter Kwidzinski

Peter Kwidzinski

Founder, Shadow AI Labs

20+ years architecting platform security at semiconductor leaders Intel and AMD, reaching Fellow — the top rung of the technical ladder. Deep work in confidential computing and hardware attestation. Founded Shadow AI Labs to help SMBs navigate AI security and governance challenges.

Related Articles

Get AI Security Insights

Weekly insights on Shadow AI risks, compliance updates, and governance best practices. No spam, unsubscribe anytime.

We respect your privacy. Read our Privacy Policy.