Does the EU AI Act apply to SMEs?

Yes. The EU AI Act applies by role and use case, not by company size. An SME that provides or deploys AI systems affecting people in the EU can have obligations under Regulation (EU) 2024/1689.

What should an SME do first for EU AI Act compliance?

Start with an AI inventory, classify each use case by risk tier, identify any Annex III high-risk use, assign owners, train staff under Article 4, and keep evidence for vendor instructions, oversight and decisions.

What is the main AI Act deadline for SMEs?

Article 4 AI literacy obligations have applied since February 2, 2025. Most high-risk AI obligations for Annex III systems apply from August 2, 2026.

Are SMEs only responsible if they build AI systems?

No. SMEs that use AI systems under their authority are deployers. Deployers have obligations such as using systems according to instructions, ensuring human oversight, monitoring operation and keeping evidence.

An AI Act SME checklist should cover inventory, risk classification, Article 4 training, vendor documentation, human oversight, incident reporting, and evidence retention. The practical goal is to prove what AI is used, why it is lawful, who owns it, and what controls apply. • Inventory each AI system and assign an owner. • Classify risk under Article 5, Article 6 and Annex III. • Train relevant staff and retain Article 4 evidence. • Collect vendor documentation and provider instructions. • Prepare high-risk controls before August 2, 2026.

Regulation (EU) 2024/1689

AI Act SME checklist

Use this AI Act checklist for SMEs to map AI tools, classify risk, train staff, collect evidence, and prepare for August 2026 obligations.

Direct answer

An AI Act SME checklist should cover inventory, risk classification, Article 4 training, vendor documentation, human oversight, incident reporting, and evidence retention. The practical goal is to prove what AI is used, why it is lawful, who owns it, and what controls apply.

Scan AI systems Build readiness plan

AI Act SME checklist

Inventory each AI system and assign an owner.
Classify risk under Article 5, Article 6 and Annex III.
Train relevant staff and retain Article 4 evidence.
Collect vendor documentation and provider instructions.
Prepare high-risk controls before August 2, 2026.

AI literacy	In force since 2025-02-02
High-risk deadline	2026-08-02
Maximum AI Act fine	EUR 35M or 7% for prohibited practices

Source: Official Journal of the EU, Regulation (EU) 2024/1689Reviewed: 2026-05-11

EU AI Act for SMEsRegulation (EU) 2024/1689, Articles 2, 3, 4, 6, 26 and Annex III

The EU AI Act applies to SMEs that provide or deploy AI systems affecting people in the EU. Most SMEs start as deployers: they must inventory AI use, train staff, classify risk, keep evidence, and meet high-risk obligations where Annex III applies.

2026-08-02High-risk AI obligations

Most Annex III high-risk AI obligations apply, including documentation, oversight, logs and risk management.

Source: Regulation (EU) 2024/1689, Article 113

AI Act SME compliance checklist

Action checklist

Build an AI system inventory

List every internal and customer-facing AI tool, owner, vendor, purpose, data categories, user group and deployment status.

Articles 3, 4, 26

Classify each use case by risk tier

Separate prohibited, high-risk, limited-risk and minimal-risk use. Pay special attention to Annex III areas such as employment, education, credit, health and essential services.

Articles 5, 6, 50 and Annex III

Document deployer responsibilities

Assign a human owner, define intended use, keep logs where available, follow provider instructions and record monitoring decisions.

Article 26

Train staff and keep evidence

Provide AI literacy training to staff who procure, use, supervise or govern AI tools. Retain completion records and training content.

Article 4

Request vendor documentation

Collect provider instructions, risk classification, data information, transparency notices, security controls and incident handling commitments.

Articles 13, 15, 16, 26

Prepare high-risk evidence

For Annex III systems, document human oversight, accuracy monitoring, data governance, incident escalation and fundamental-rights impact assessment triggers.

Articles 9-15, 26, 27, 73

AI Act SME checklist

Use this checklist as the working file for AI Act readiness. Each row ties one operational task to the evidence an SME should retain for a regulator, customer audit or board review.

Step	Task	Owner	Evidence	Article
1	List every AI tool and feature	Operations or IT	AI inventory with vendor, purpose, owner and users	Articles 3, 4, 26
2	Screen for prohibited AI practices	Compliance lead	Article 5 screen with decision notes	Article 5
3	Classify each system by AI Act risk tier	Compliance lead	Risk-tier rationale and Annex III notes	Articles 6, 50, Annex III
4	Confirm whether the SME is provider, deployer, importer or distributor	Product or legal owner	Role decision for each system	Articles 3, 16, 23, 24, 26
5	Train staff who procure, use or supervise AI	HR or team leads	Article 4 AI literacy completion records	Article 4
6	Collect provider instructions and transparency notices	Procurement	Vendor documentation pack	Articles 13, 16, 26
7	Define human oversight for material decisions	Business process owner	Human oversight procedure and escalation route	Articles 14, 26
8	Check logs, monitoring and incident reporting	Security or operations	Log availability notes, monitoring cadence and incident workflow	Articles 12, 15, 26, 73
9	Decide whether a fundamental-rights impact assessment is needed	Compliance lead	FRIA trigger decision and supporting notes	Article 27
10	Retain evidence in a single compliance file	Operations	Versioned folder or dashboard record with owner and review date	Articles 4, 26, 72

Key deadlines

Date	Obligation	Article
2025-02-02	AI literacy and prohibited AI practicesArticle 4 AI literacy obligations and Article 5 prohibited AI practice bans are already in force.	Articles 4, 5 and 113
2025-08-02	General-purpose AI model obligationsGPAI provider documentation, policy and transparency obligations started applying.	Articles 53 and 113
2026-08-02	High-risk AI obligationsMost Annex III high-risk AI obligations apply, including documentation, oversight, logs and risk management.	Articles 6, 9-15, 26 and 113
2027-08-02	Certain legacy and product-safety AI obligationsAdditional obligations apply for some AI systems connected to Annex I product safety regimes and legacy systems.	Article 113

30/60/90-day action plan

First 30 days

Inventory AI use and assign owners

Evidence needed: AI register, owner list, vendor list, use-case descriptions

Articles 3, 4, 26

Days 31-60

Classify risk and collect vendor evidence

Evidence needed: Risk-tier decisions, Annex III notes, provider instructions, transparency notices

Articles 5, 6, 13, 16, 26, Annex III

Days 61-90

Close high-risk gaps and document controls

Evidence needed: Human oversight procedure, logs, staff training records, incident process, FRIA decision

Articles 4, 9-15, 26, 27, 73

SME AI Act questions answered

What should be on an AI Act SME checklist?

An AI Act SME checklist should include AI inventory, Article 5 prohibited-practice screening, Article 6 and Annex III risk classification, role mapping, Article 4 training, vendor documentation, human oversight, monitoring and evidence retention.

How often should an SME update its AI Act checklist?

An SME should update its AI Act checklist whenever a new AI tool is bought, a vendor changes model behavior, a high-risk use case is added, or at least quarterly during the 2026 implementation window.

Turn this guide into a tracked action plan

Use AI X-Ray to classify real systems, then import the result into the dashboard as evidence-backed AI register tasks.

Run AI X-Ray Train staff

EU AI Act compliance for SMEs AI Act deadline for SMEs Full AI Act guide AI readiness roadmap Article 4 academy

Informational only. This page is not legal advice and does not replace a qualified legal review of your AI systems.