EU AI Act - Article 17(5) - SME guide
EU AI Act simplified compliance for SMEs
Article 17(5) creates a simplified quality-management route for eligible smaller providers. It does not remove AI literacy, prohibited-practice, risk management, or documentation duties when they apply.
Last reviewed: 2026-06-13 - EUR-Lex Regulation (EU) 2024/1689
What does EU AI Act simplified compliance for SMEs mean?
EU AI Act Article 17(5) allows eligible microenterprises to meet quality-management-system requirements in a simplified manner. SMEs should still keep proportionate records: AI inventory, risk assessments, AI literacy evidence, incident logs, version history, and draft Annex IV documentation where high-risk AI obligations apply. Digital Omnibus changes should be checked against final adopted text.
- AI literacy under Article 4 applies regardless of company size.
- Article 17(5) affects QMS formality; it is not an exemption from high-risk duties.
- Most high-risk AI system obligations are scheduled from 2 August 2026.
- Outputs should be reviewed by qualified professionals before regulatory reliance.
| Regulation | EU AI Act, Regulation (EU) 2024/1689 |
| Article 17(5) | Simplified QMS route for eligible microenterprises |
| AI literacy | In force since 2 February 2025 |
| High-risk obligations | Scheduled from 2 August 2026, subject to current legal status |
SME obligation matrix by article
| Article | Obligation | Timing | Simplified? | SME evidence |
|---|---|---|---|---|
| Article 4 | AI literacy | Applies since 2 Feb 2025 | Train and evidence adequate AI literacy for staff who use or oversee AI systems. | |
| Article 5 | Prohibited practices | Applies since 2 Feb 2025 | Avoid banned AI practices such as social scoring and certain biometric or workplace uses. | |
| Article 17(5) | Quality management system | High-risk regime from 2 Aug 2026 | Use proportionate QMS records where the simplification conditions are met. | |
| Article 11 + Annex IV | Technical documentation | High-risk regime from 2 Aug 2026 | Maintain draft technical documentation covering intended purpose, design, data, testing, and controls. | |
| Article 9 | Risk management | High-risk regime from 2 Aug 2026 | Document foreseeable risks, mitigations, monitoring, and review cycles for each high-risk system. |
A check mark means a proportionate approach may be available; it does not mean the obligation disappears.
Five artifacts for a proportionate SME QMS
AI system inventory
List each AI system, role, intended purpose, owner, user group, and Annex III screening result.
Risk assessment
Record foreseeable risks, mitigations, data-quality checks, human oversight, and residual risk.
AI literacy evidence
Keep training records for staff who use, procure, supervise, or deploy AI systems.
Incident and monitoring log
Record errors, near misses, complaints, unexpected outputs, and corrective actions.
Version records
Track model, prompt, dataset, vendor, and policy changes so evidence is reviewable over time.
Create draft AI Act evidence in EuroComply
Build AI inventories, literacy records, risk notes, and review-ready evidence packs for EU SME teams.
Classify your AI roleFrequently asked questions
- What does EU AI Act Article 17(5) mean for SMEs?
- Article 17(5) says microenterprises can comply with the high-risk AI quality management system requirement in a simplified manner, provided they do not have partner or linked enterprises. Policy proposals in the Digital Omnibus process may extend or adjust simplification for SMEs, but teams should verify the final text before relying on it.
- Does the EU AI Act apply to small businesses?
- Yes. The AI Act can apply to providers, deployers, importers, distributors, and product manufacturers regardless of company size. Size can affect proportionality, support measures, and simplified documentation, but it does not remove Article 4 AI literacy, Article 5 prohibited-practice, or high-risk-system obligations when they are otherwise in scope.
- What AI Act obligations already apply to SMEs?
- Article 4 AI literacy and Article 5 prohibited practices have applied since 2 February 2025. GPAI model obligations started from 2 August 2025 for GPAI providers. Most high-risk AI system obligations are scheduled from 2 August 2026, subject to the status of support tools, standards, and any final Digital Omnibus changes.
- What is a simplified AI Act quality management system?
- A simplified QMS is a proportionate set of records and procedures for high-risk AI systems. For SMEs this should normally include an AI inventory, risk management record, testing and monitoring notes, literacy evidence, incident logging, version history, and draft Annex IV technical documentation for professional review.
- Is EuroComply a legal adviser or notified body?
- No. EuroComply is software for source-linked compliance readiness outputs and draft evidence packs. It is not a law firm, auditor, notified body, regulator, or legal adviser. Outputs must be reviewed by qualified legal, compliance, privacy, security, or HR professionals before regulatory reliance or submission.
Related EU AI Act resources
Informational summary only - not legal advice, audit assurance, notified-body assessment, or regulatory approval.