EU AI Act Orientation for SMEs: Risk Classes and What a Normal Business Actually Needs to Do
A plain-language orientation to the EU AI Act for SMEs: how risk classes work, where typical business AI use lands, and sensible next steps.
- The AI Act scales obligations by risk class, and duties fall on companies deploying AI, not just those building it.
- Most internal, human-reviewed assistant use sits in low-risk lanes; chatbots carry transparency duties.
- Employment-related AI such as application screening is high-risk, a category SMEs enter by enabling vendor features unnoticed.
- Run an AI inventory, classify uses, train users, and name an owner, then verify specifics with qualified counsel.
What the AI Act is, and how to read this article
The EU AI Act is the European Union's regulation of artificial intelligence, and its central idea is simple even if the text is not: obligations scale with risk. It does not regulate AI as one thing; it sorts uses of AI into risk categories and attaches duties accordingly, with its provisions phasing in over several years. One point worth absorbing early: the Act places duties not only on companies that build AI systems but also on companies that deploy them, so using AI tools is enough to be in scope. If you use AI anywhere in your business, some part of this concerns you.
Read this article as orientation, not legal advice. The Act's requirements, guidance documents, and enforcement practice are still developing, deadlines and interpretations have shifted, and how a rule applies depends on your specific systems and uses. Use this to build a mental map and an internal to-do list, then verify current requirements with qualified counsel or your industry association before relying on any of it. That caveat is not boilerplate; the practical detail genuinely is still settling.
The risk ladder in plain language
At the top sit prohibited practices, uses the EU considers unacceptable, such as social scoring of people or manipulative systems that exploit vulnerabilities. A normal business is unlikely to be near these, with one classic trap: emotion recognition in the workplace falls into prohibited territory, so an idea like AI analyzing the mood of service calls for employee assessment is one to drop, not to scope. Below that sits the high-risk class, which is where an ordinary company can land without noticing, because it covers AI used in areas like employment decisions, hiring, promotion, and termination, alongside domains like credit scoring, critical infrastructure, and safety components of regulated products.
Below high-risk sit transparency obligations, the class most everyday deployments touch: broadly, people should not be deceived about interacting with a machine, so chatbots need to be recognizable as such, and certain AI-generated content needs to be identifiable. And underneath it all sits minimal-risk use, the large residual category where most internal drafting, summarizing, and search assistants live, carrying no special obligations beyond the laws that always applied, like data protection. The practical skill for an SME is not memorizing the Act, it is recognizing which rung each of your actual uses sits on.
Where typical SME uses probably land, and the traps
Map the common cases. An AI tool drafting quotes or service replies that employees review: this everyday assistant use sits in the low-risk lanes. A customer-facing chatbot: transparency obligations apply, it must be recognizable as AI. AI filtering job applications or scoring candidates: this is the trap, because employment-related AI sits in the high-risk category, and high-risk obligations, risk management, documentation, human oversight, logging, are substantial. Many SMEs wander into this by switching on an AI ranking feature inside their existing recruiting software without ever thinking of themselves as operating a high-risk AI system.
Two further points deserve attention. First, the Act contains an AI literacy expectation: organizations using AI should ensure the people operating it have adequate understanding for their role, which turns AI training from nice-to-have into something with regulatory backing. Second, your exposure often arrives through vendors. When a tool you subscribe to adds AI features, your obligations can change without you deploying anything new, so someone in your company needs to track what your software actually does now, and your vendor contracts should require notice of such changes and the documentation you would need.
A sensible to-do list that doubles as good practice
The reasonable response for a normal business is a short, honest program. Inventory every AI use in the company, including the AI features inside existing SaaS tools and the unofficial tools employees already use. Classify each use against the risk ladder, flagging anything touching hiring, employees, credit, or safety for proper legal review. Kill or redesign anything near the prohibited category. Make chatbots and generated content recognizable where transparency rules apply. Train the people who use AI, keeping simple records of who was trained on what. And assign one named owner for the topic, because a compliance obligation without an owner is a finding waiting to be written.
Notice that almost everything on that list is worth doing even if enforcement never knocks. An AI inventory, risk-based review of sensitive uses, human oversight where decisions affect people, trained users, and a paper trail are simply what competent AI adoption looks like. There is also a commercial angle: larger customers have begun asking suppliers about AI governance in procurement questionnaires, the same way they ask about information security. An SME that can answer with a tidy one-pager, this is what we use, this is how we classified it, this is who is responsible, turns a regulatory chore into a trust signal. Verify the current requirements and dates with counsel, then treat the underlying discipline as permanent.
- The AI Act scales obligations by risk class, and duties fall on companies deploying AI, not just those building it.
- Most internal, human-reviewed assistant use sits in low-risk lanes; chatbots carry transparency duties.
- Employment-related AI such as application screening is high-risk, a category SMEs enter by enabling vendor features unnoticed.
- Run an AI inventory, classify uses, train users, and name an owner, then verify specifics with qualified counsel.
Frequently asked questions
Does the EU AI Act apply to small and mid-sized companies?
Yes. The Act's obligations attach to uses of AI rather than company size, and they cover deployers of AI systems, not only developers, so subscribing to AI tools is enough to be in scope. What varies is the weight of the obligations, which depend on the risk class of each use. Company size affects some support measures, but not whether the Act applies. Verify your specific situation with qualified counsel.
What are the EU AI Act risk classes in simple terms?
Four rungs: prohibited practices such as social scoring and workplace emotion recognition, which are banned; high-risk uses such as AI in employment decisions or credit scoring, which carry substantial obligations; transparency-obligation uses such as chatbots, which must be recognizable as AI; and minimal-risk uses, the large remainder including most internal assistant tools, with no special AI Act duties.
Which AI uses in a normal company are most likely to be high-risk?
Anything touching employment decisions is the most common trap: AI that filters applications, scores candidates, or supports promotion and termination decisions falls into the high-risk category. Many companies enter it unknowingly by enabling AI ranking features in existing recruiting software. Uses around credit, critical infrastructure, and safety components of regulated products are also high-risk. Flag these for proper legal review.
What should an SME actually do about the AI Act right now?
Inventory all AI use including AI features inside existing SaaS tools, classify each use against the risk ladder, redesign or drop anything near prohibited practices, make chatbots recognizable as AI, train employees who use AI and record the training, and name a responsible owner. Then verify current requirements and deadlines with counsel or your industry association, since guidance and enforcement practice are still developing.
Liked this? Get the next play in your inbox.
One signal-driven GTM play every week. No fluff, no spam, unsubscribe anytime.
Operator-built
Built by someone who runs the playbook, not an agency reselling labor.
You own it
Your data, your CRM, your infrastructure. The system is yours.
No lock-in
Start with a free audit. No multi-month retainer to find out it works.
Privacy-first
Your data stays yours. We pen-test our own funnel before we touch yours.
