EU AI Act compliance for small and medium-sized enterprises. SME-specific provisions, sandbox access, reduced fees, and practical guidance for AI deployers and developers.

EU AI Act and SMEs — The Good News

The EU AI Act (Regulation (EU) 2024/1689) applies to all organisations placing or using AI systems within the EU market, regardless of size. However, the regulatory reality for most small and medium-sized enterprises is considerably less burdensome than headlines suggest, for one fundamental reason: the vast majority of SMEs use AI rather than build it.

An SME that subscribes to an AI-enhanced CRM, deploys a chatbot from a SaaS vendor, or uses cloud-based demand forecasting software is, in EU AI Act terminology, a deployer — not a provider. Deployer obligations are systematically lighter than provider obligations. Providers bear the principal burden of conformity assessment, technical documentation, CE marking, and registration. Deployers have a more targeted obligation set focused on correct use, human oversight, and incident reporting.

Beyond the deployer/provider distinction, the EU AI Act contains a discrete package of SME-specific provisions that provide structural support: priority access to regulatory sandboxes, reduced conformity assessment fees, and a dedicated single point of contact at national level. These provisions reflect the legislature's explicit intention to prevent the AI Act from becoming a disproportionate barrier to smaller market participants.

This guide sets out what the EU AI Act means in practice for an SME — whether you use third-party AI tools, deploy AI in customer-facing contexts, or are yourself building and commercialising an AI product.


SME-Specific Provisions in the Regulation

The EU AI Act includes four provisions that apply specifically to SMEs (enterprises meeting the Commission Recommendation 2003/361/EC threshold: fewer than 250 employees and either annual turnover not exceeding €50 million or a balance sheet total not exceeding €43 million) and to startups.

Art. 55 — Priority Access to Regulatory Sandboxes

Art. 55 establishes that regulatory AI sandboxes — supervised environments for developing and testing AI before market placement — shall be accessible by priority to SMEs and startups. Access is free of charge or subject to reduced fees, and participating organisations receive direct guidance from the competent authority. Sandbox access enables pre-market risk identification and regulatory dialogue in a protected setting, without the consequences of a non-compliant market placement. SMEs building AI systems should regard sandbox participation as both a compliance tool and a mechanism for engaging directly with the supervisory authority before product launch.

Art. 96 — Reduced Fees for Conformity Assessment

Where a high-risk AI system requires third-party conformity assessment by a notified body (applicable to systems listed in Annex III points 1, 6, and 7, and medical device AI under Art. 6(1)), Art. 96 requires member states to establish reduced fees for small enterprises. Micro-enterprises — those with fewer than 10 employees and annual turnover or balance sheet not exceeding €2 million — are entitled to even greater reductions. The exact fee schedules are set at member state level and vary by jurisdiction; the relevant national AI authority or the Enterprise Europe Network can provide current figures.

Art. 85 — Single Point of Contact

Art. 85 obligates national AI supervisory authorities to establish a dedicated single point of contact for SMEs. This means an SME seeking guidance on AI Act obligations does not need to navigate multiple regulatory departments or coordinate across fragmented authorities. The single point of contact provides information, routes queries to the appropriate function, and facilitates sandbox applications. This provision significantly reduces the administrative cost of understanding regulatory obligations.

Art. 9(5) — Proportionate Risk Management

Art. 9(5) provides that the risk management system required of providers of high-risk AI systems may be implemented proportionately, taking into account the organisation's size and structure. For an SME acting as provider of a high-risk system, this means that while all substantive requirements of the risk management system must be met, the documentation format, process complexity, and governance structure may be scaled to the organisation's actual capacity — provided this does not undermine the protection objectives of the framework.


Are You a Provider or Deployer? — Decision Framework for SMEs

The single most important preliminary determination for any SME engaging with the EU AI Act is whether it acts as a provider or a deployer with respect to each AI system it uses or offers.

Provider (Art. 3(3)): An organisation that develops an AI system, or has an AI system developed, and places it on the market or puts it into service under its own name or brand — whether for payment or free of charge. This includes SMEs that:

Deployer (Art. 3(4)): An organisation that uses an AI system under its own authority for a professional purpose. This covers SMEs that:

The critical boundary case: An SME that integrates an external AI API into its own customer-facing product and markets that capability as a feature of its product is a provider with respect to that AI functionality — not merely a deployer of the underlying API. The legal entity that defines the intended purpose, controls the user experience, and places the product on the market bears provider obligations under Art. 16, regardless of where the AI model originates.


Key Deployer Obligations for SMEs Using Third-Party AI

For the majority of SMEs — those deploying third-party AI tools rather than building their own — the following obligations apply under Art. 26 and related provisions.

Use AI Systems per Provider Instructions

Deployers must use high-risk AI systems only in accordance with the provider's instructions for use as supplied under Art. 13. Using an AI system for purposes beyond its documented intended purpose, or in configurations the provider has not validated, transfers a portion of compliance liability to the deployer and may vitiate the system's conformity assessment.

Designate Responsible Human Oversight

Art. 26(1) requires deployers to assign responsibility for AI oversight to a qualified person within the organisation. For most SMEs, this will be a named individual (not necessarily a dedicated AI compliance officer) who understands the system's function, its known limitations, and the circumstances in which human intervention is required. This designation should be documented.

Retain Operational Logs

Where high-risk AI systems generate logs automatically (Art. 12), deployers must retain those logs for the legally required period — generally six months under the AI Act, unless sector-specific law requires a longer retention. Deployers must verify that their vendor contract grants access to logs and confirms their format and completeness.

Report Serious Incidents to the Provider

Art. 26(5) requires deployers to notify the provider of any serious incidents or malfunctions discovered during use. Where the deploying organisation is a public body, notification obligations extend to the national AI supervisory authority. For SME deployers in the private sector, the primary channel is direct notification to the provider, which then carries its own obligations to notify the authority under Art. 73.

Conduct a Fundamental Rights Impact Assessment Where Applicable

Art. 27 requires public bodies deploying high-risk AI to complete a fundamental rights impact assessment before deployment. Private-sector SMEs deploying high-risk AI — particularly in HR, credit assessment, or customer-facing decision contexts — are strongly recommended to complete an equivalent assessment, as it demonstrates due diligence and materially reduces enforcement risk.

Review Vendor Contracts

SME deployers must ensure that their contracts with AI vendors include: conformity documentation and instructions for use; confirmation of EU database registration where required; specification of the logging capability and access rights; vendor commitment to incident notification and remediation; and information on update or modification obligations that may affect the system's conformity status.


If You Are Building AI — SME Provider Obligations and Support

SMEs that develop and commercialise AI systems are providers and bear full provider obligations under Chapter III for any system that is high-risk. The scope of those obligations is substantial: quality management system (Art. 17), technical documentation per Annex IV, data governance per Art. 10, logging per Art. 12, transparency requirements per Art. 13, human oversight design per Art. 14, and accuracy and robustness standards per Art. 15. For Annex III systems requiring notified body assessment, the conformity route follows Art. 43.

The practical entry point for an SME provider is the risk classification determination:

For SMEs whose systems fall outside the high-risk and prohibited categories, compliance is considerably lighter: Art. 50 transparency disclosures, GDPR alignment, and sector-specific obligations under applicable national or EU law.

For SMEs developing high-risk AI, the Art. 55 regulatory sandbox is the most important available tool. Sandbox participation enables pre-market testing under regulatory supervision, provides documented evidence of good-faith compliance effort, and can identify corrective actions before they become enforcement matters. Applications are submitted to the national single point of contact (Art. 85).


Practical Steps for SME Compliance

Step 1 — Inventory all AI systems in use or under development. List every AI tool, SaaS product, cloud API, and internally developed model. Note the vendor, the function, and whether the SME acts as provider or deployer for each.

Step 2 — Classify each system by risk category. Apply the Art. 5 / Art. 6 / Annex III / Art. 50 framework to each system. Where classification is uncertain, use the Art. 85 single point of contact for guidance.

Step 3 — For deployer roles: audit vendor contracts. Verify that each AI vendor has supplied the documentation required under Art. 13 and that the contract addresses logging, incident notification, and update obligations. Flag gaps for renegotiation.

Step 4 — For provider roles: initiate the conformity pathway. Determine whether your high-risk AI system requires self-assessment (Art. 43(2)) or third-party notified body assessment (Art. 43(1)). Apply for sandbox access under Art. 55 if the system is in development. Engage the notified body early to understand timeline and fee implications, noting your entitlement to SME fee reductions under Art. 96.

Step 5 — Implement Art. 26 deployer obligations across all high-risk systems. Designate oversight persons, document their responsibilities, verify log retention procedures, and confirm incident notification channels.

Step 6 — Establish an AI Act review cycle. The EU AI Act is a living framework. Designate a responsible person to monitor guidance from the EU AI Office, national authority updates, and changes to Annex III classifications. Schedule an annual internal review of the system inventory and compliance status.

Official AI Act Compliance Deadline Calendar

Sources: Regulation (EU) 2024/1689 and the 2026 Digital Omnibus on AI.

| Obligation | Applies to | Original date | New date | Status | Countdown | Legal basis |
|---|---|---|---|---|---|---|
| Prohibited Practices (Art. 5) | All providers and deployers | | | active | | AI Act Art. 5 |
| GPAI Rules (Chapter 5) | GPAI model providers | | | active | | AI Act Art. 51-56 |
| High-risk AI — Annex III (standalone) | Providers of standalone Annex III systems | | | deferred | | AI Omnibus 2026 Art. 6(2) |
| High-risk AI — Annex I (embedded) | AI embedded in Annex I regulated products | | | deferred | | AI Omnibus 2026 Art. 6(1) |
| AI-Generated Content Marking | Providers of generative GPAI systems | | | active | | AI Act Art. 50(2) |
| Regulatory Sandboxes | National competent authorities | | | active | | AI Act Art. 57 |

CC BY 4.0

Frequently Asked Questions

Yes. If your SME integrates a third-party AI model (including via API) into a product or service that you place on the market or put into service under your own name or brand, you are classified as a **provider** under **Art. 3(3)** of the EU AI Act. This applies regardless of whether the underlying model was built by another company. Provider obligations — including technical documentation, conformity assessment, CE marking (for high-risk systems), and registration — are your responsibility. Where the upstream model provider supplies conformity documentation and usage instructions, those documents support your compliance effort but do not replace it. Art. 55 and Art. 96 provide SME-specific support mechanisms to ease the compliance burden.

It depends on two factors: the nature of the chatbot and what it does. First, if the chatbot is a **general-purpose AI-powered system** that interacts with users, it must comply with the **Art. 50 transparency obligation**: users must be informed they are interacting with an AI system, unless this is obvious from context. Second, if the chatbot performs functions that qualify as high-risk — for example, screening job applicants, assessing creditworthiness, or making decisions with legal or significant personal effects — additional high-risk obligations apply. A simple FAQ or product-navigation chatbot using a third-party SaaS provider (where you are the deployer) primarily triggers the Art. 50 transparency requirement and the deployer obligations under Art. 26, particularly correct use per instructions and incident notification.

A **regulatory AI sandbox** is a supervised testing environment established by national AI supervisory authorities, in which AI providers — including startups and SMEs — may develop, test, and validate AI systems before market placement, with direct regulatory guidance. Sandboxes are governed by **Art. 57–63** of the EU AI Act. **Art. 55 grants SMEs and startups priority access**, and participation is free of charge or subject to reduced fees. Applications are made directly to the national authority responsible for the AI Act in your member state. Within a sandbox, the authority may grant limited derogations from specific requirements to enable genuine testing; any product placed on the market after the sandbox period must subsequently meet all applicable obligations. Contact your national single point of contact for SMEs (**Art. 85**) to obtain application procedures.

Registration in the **EU database for high-risk AI systems** under **Art. 49** is required only if your system is classified as **high-risk** under Art. 6 or Annex III. Providers of high-risk systems must register before market placement; deployers who are public bodies must also register before use. Most SMEs that deploy third-party AI systems (as SaaS or API consumers) are not required to register — that obligation rests with the provider. If your SME is the provider of a high-risk AI system, registration is mandatory regardless of company size, although Art. 55 and 96 support provisions apply to reduce related costs and procedural complexity. The database is publicly accessible and managed by the EU AI Office.

Before deploying a third-party AI system, especially one that may be high-risk, your SME should contractually require and obtain: (1) the **EU Declaration of Conformity** or equivalent conformity documentation; (2) **instructions for use** as required by Art. 13, including intended purpose, known limitations, and human oversight requirements; (3) confirmation that the system has been **registered in the EU database** where required; (4) information on the system's **logging capabilities** and how logs can be accessed or retrieved; (5) the vendor's **incident notification procedures** and their obligations to notify you of malfunctions or updates affecting compliance; and (6) information about the system's **data processing characteristics** relevant to your GDPR obligations. Absence of these documents from a vendor offering an AI system in a sensitive domain is a material compliance risk.
