CSRD and AI Act: What Your SME Needs to Know in 2025
European SMEs are navigating an unprecedented regulatory environment: two landmark pieces of legislation — the CSRD (Corporate Sustainability Reporting Directive) and the AI Act — are converging to fundamentally transform business obligations. Understanding how they interact is now a strategic priority, not just a legal one.
Why This Dual Regulation Concerns Your SME
Many SME leaders mistakenly believe these regulations only apply to large corporations. This is a costly misconception. If your company is a supplier or subcontractor to a large company subject to CSRD, you will be indirectly affected by its reporting obligations. And if you use or deploy AI systems — even HR tools or customer scoring software — the AI Act applies to you right now.
CSRD: Timeline and Thresholds for SMEs
The CSRD introduced mandatory sustainability reporting in three waves:
- 2025: Large companies (>500 employees) already subject to NFRD
- 2026: Large companies (>250 employees OR >€40M turnover OR >€20M balance sheet)
- 2027: SMEs listed on regulated markets (with opt-out clause until 2028)
Unlisted SMEs are not directly subject to CSRD. But beware: large client or partner companies will ask you for ESG data to complete their own reporting. Value chain pressure is real.
The VSME Voluntary Standard
EFRAG developed a simplified standard for unlisted SMEs: the VSME (Voluntary SME Standard). It allows you to respond to partner requests without bearing the full ESRS requirements. Adopting the VSME now gives you a competitive commercial advantage.
The AI Act: What Applies to SMEs from 2025
The AI Act entered into force on 1 August 2024. Its rollout is phased:
- February 2025: Prohibition of unacceptable AI practices
- August 2025: Obligations for general-purpose AI (GPAI) models
- August 2026: Full obligations for high-risk AI systems
Are You Affected by High-Risk Systems?
Annex III of the AI Act lists high-risk domains. Your SME may be affected if it uses or develops AI systems for:
- Recruitment and HR management (CV scoring, performance evaluation)
- Access to credit (creditworthiness scoring)
- Education and vocational training
- Essential services (water, gas, electricity)
- Product safety in regulated sectors
If you fall into these categories, compliance obligations apply: risk management, technical documentation, event logs, human oversight.
SME-Specific Relief Measures
The EU legislator included specific measures to reduce the burden on SMEs:
- Regulatory sandbox: Priority access to test your AI systems in a secure environment before commercialisation
- Reduced fees at notified bodies for SMEs and micro-enterprises
- Simplified documentation for certain categories
- Extended timelines for providers of high-risk systems already on the market
Convergence Points: CSRD / AI Act
These two texts reinforce each other on several critical points:
1. Data Governance
CSRD requires precise reporting on your environmental and social impacts — which implies rigorous data collection. The AI Act mandates documentation of training data for high-risk systems. A solid data architecture serves both obligations.
2. Transparency and Auditability
Both texts require that your processes be traceable and verifiable by third parties. For CSRD, that's the financial auditor. For the AI Act, it's the market surveillance authorities. Building auditable processes is a shared investment.
3. Human Oversight
The AI Act imposes effective human oversight on high-risk systems. This requirement aligns with the spirit of CSRD, which values responsible governance. Documenting your human control processes over AI decisions addresses both frameworks.
4. Value Chain Due Diligence
CSRD (via CSDDD) imposes due diligence on your impacts throughout the value chain. The AI Act creates similar obligations for deployers using AI systems developed by third parties. Both texts make you responsible for what you buy and use.
A Concrete Action Plan for Your SME
Here is a pragmatic roadmap across three horizons:
Short Term (Now — Q3 2025)
- [ ] Map your AI systems: Identify all tools using AI (including third-party SaaS) and their risk classification
- [ ] Assess your indirect CSRD exposure: Analyse your contracts with large companies to anticipate their ESG requests
- [ ] Designate a regulatory lead: Even part-time, someone must steer these topics
- [ ] Inventory your data: What is the quality, traceability, and governance of your ESG and AI data?
Medium Term (Q4 2025 — Q2 2026)
- [ ] Adopt the VSME standard if partners subject to CSRD request it
- [ ] Bring your high-risk AI systems into compliance: technical documentation, risk management, human oversight
- [ ] Train your teams on AI Act basics (including the AI literacy obligation for all staff using AI systems)
- [ ] Review your AI supplier contracts: Your SaaS providers must supply you with the documentation needed for your compliance
Long Term (Q3 2026 and beyond)
- [ ] Integrate ESG and AI governance into your strategy: These topics are no longer peripheral
- [ ] Leverage your compliance with clients and investors
- [ ] Participate in regulatory sandboxes to test innovation in a secure framework
The AI Literacy Obligation: Often Overlooked, Yet Immediate
Article 4 of the AI Act imposes a frequently neglected obligation: ensuring a sufficient level of AI literacy for all staff who use or supervise AI systems. This obligation applies right now, without any transition period.
In practice, this means that if your employees use tools like ChatGPT, AI-based recruitment software, or demand prediction systems, you must be able to demonstrate that they understand the capabilities and limitations of those tools.
Our Recommendations
Do not treat CSRD and the AI Act as two separate projects. The synergies are real, and pooling them significantly reduces your compliance costs. Start with a rapid diagnostic of your exposure to both texts — this is the foundation of any realistic action plan.
If you have questions about your specific situation, our sector analyses and diagnostic tools are available on this platform.
This article is provided for informational purposes and does not constitute legal advice. For your specific situation, please consult a qualified adviser.