Does the EU AI Act apply to SMEs?

Yes. The EU AI Act applies by role and use case, not by company size. An SME that provides or deploys AI systems affecting people in the EU can have obligations under Regulation (EU) 2024/1689.

What should an SME do first for EU AI Act compliance?

Start with an AI inventory, classify each use case by risk tier, identify any Annex III high-risk use, assign owners, train staff under Article 4, and keep evidence for vendor instructions, oversight and decisions.

What is the main AI Act deadline for SMEs?

Article 4 AI literacy obligations have applied since February 2, 2025. Most high-risk AI obligations for Annex III systems apply from August 2, 2026.

Are SMEs only responsible if they build AI systems?

No. SMEs that use AI systems under their authority are deployers. Deployers have obligations such as using systems according to instructions, ensuring human oversight, monitoring operation and keeping evidence.

Regulation (EU) 2024/1689

AI Act deadline for SMEs

EU AI Act deadlines for SMEs, including Article 4 AI literacy, GPAI obligations, high-risk AI enforcement, and evidence tasks by date.

Direct answer

The main AI Act deadline for SMEs using high-risk AI is August 2, 2026. Article 4 AI literacy has applied since February 2, 2025, so SMEs should already have training evidence while building their AI inventory and high-risk compliance file.

Scan AI systems Build readiness plan

AI Act deadline for SMEs

Inventory each AI system and assign an owner.
Classify risk under Article 5, Article 6 and Annex III.
Train relevant staff and retain Article 4 evidence.
Collect vendor documentation and provider instructions.
Prepare high-risk controls before August 2, 2026.

AI literacy	In force since 2025-02-02
High-risk deadline	2026-08-02
Maximum AI Act fine	EUR 35M or 7% for prohibited practices

Source: Official Journal of the EU, Regulation (EU) 2024/1689Reviewed: 2026-05-11

EU AI Act for SMEsRegulation (EU) 2024/1689, Articles 2, 3, 4, 6, 26 and Annex III

The EU AI Act applies to SMEs that provide or deploy AI systems affecting people in the EU. Most SMEs start as deployers: they must inventory AI use, train staff, classify risk, keep evidence, and meet high-risk obligations where Annex III applies.

2026-08-02High-risk AI obligations

Most Annex III high-risk AI obligations apply, including documentation, oversight, logs and risk management.

Source: Regulation (EU) 2024/1689, Article 113

AI Act SME compliance checklist

Action checklist

Build an AI system inventory

List every internal and customer-facing AI tool, owner, vendor, purpose, data categories, user group and deployment status.

Articles 3, 4, 26

Classify each use case by risk tier

Separate prohibited, high-risk, limited-risk and minimal-risk use. Pay special attention to Annex III areas such as employment, education, credit, health and essential services.

Articles 5, 6, 50 and Annex III

Document deployer responsibilities

Assign a human owner, define intended use, keep logs where available, follow provider instructions and record monitoring decisions.

Article 26

Train staff and keep evidence

Provide AI literacy training to staff who procure, use, supervise or govern AI tools. Retain completion records and training content.

Article 4

Request vendor documentation

Collect provider instructions, risk classification, data information, transparency notices, security controls and incident handling commitments.

Articles 13, 15, 16, 26

Prepare high-risk evidence

For Annex III systems, document human oversight, accuracy monitoring, data governance, incident escalation and fundamental-rights impact assessment triggers.

Articles 9-15, 26, 27, 73

AI Act deadline for SMEs

The deadline question is practical: what must already be done, what must be ready by August 2, 2026, and what evidence will prove the SME acted before enforcement pressure arrives.

Deadline	What applies	SME action	Evidence
2025-02-02	Article 4 AI literacy and Article 5 prohibited AI practice bans apply.	If training records do not exist, run role-based AI literacy training now and document completion.	Training deck, attendance list, completion log and prohibited-practice screening notes.
2025-08-02	General-purpose AI model provider obligations start applying.	For GPAI tools used in your stack, request provider documentation and update vendor records.	Vendor documentation request, provider policy links, model-use notes and contract record.
2026-08-02	Most high-risk AI obligations for Annex III systems apply.	Finish risk classification, human oversight, logging, monitoring and FRIA trigger decisions for high-risk systems.	High-risk control file, oversight procedure, logs, risk-management notes and incident route.
2027-08-02	Certain product-safety and legacy AI obligations apply.	Check whether AI is embedded in regulated products or legacy systems and update the compliance route.	Product-safety applicability note, legacy-system review and provider conformity evidence.

Key deadlines

Date	Obligation	Article
2025-02-02	AI literacy and prohibited AI practicesArticle 4 AI literacy obligations and Article 5 prohibited AI practice bans are already in force.	Articles 4, 5 and 113
2025-08-02	General-purpose AI model obligationsGPAI provider documentation, policy and transparency obligations started applying.	Articles 53 and 113
2026-08-02	High-risk AI obligationsMost Annex III high-risk AI obligations apply, including documentation, oversight, logs and risk management.	Articles 6, 9-15, 26 and 113
2027-08-02	Certain legacy and product-safety AI obligationsAdditional obligations apply for some AI systems connected to Annex I product safety regimes and legacy systems.	Article 113

30/60/90-day action plan

First 30 days

Inventory AI use and assign owners

Evidence needed: AI register, owner list, vendor list, use-case descriptions

Articles 3, 4, 26

Days 31-60

Classify risk and collect vendor evidence

Evidence needed: Risk-tier decisions, Annex III notes, provider instructions, transparency notices

Articles 5, 6, 13, 16, 26, Annex III

Days 61-90

Close high-risk gaps and document controls

Evidence needed: Human oversight procedure, logs, staff training records, incident process, FRIA decision

Articles 4, 9-15, 26, 27, 73

SME AI Act questions answered

When is the AI Act deadline for SMEs?

The key AI Act deadline for SMEs with high-risk AI systems is August 2, 2026. Article 4 AI literacy and prohibited-practice rules have already applied since February 2, 2025.

What should SMEs do if they missed the Article 4 AI literacy date?

If an SME missed the February 2, 2025 Article 4 date, it should run role-based AI literacy training immediately, keep completion evidence, and add a recurring training process for new AI users and buyers.

Turn this guide into a tracked action plan

Use AI X-Ray to classify real systems, then import the result into the dashboard as evidence-backed AI register tasks.

Run AI X-Ray Train staff

EU AI Act compliance for SMEs AI Act SME checklist Full AI Act guide AI readiness roadmap Article 4 academy

Informational only. This page is not legal advice and does not replace a qualified legal review of your AI systems.