April 16, 2026·8 min read

EU AI Act Compliance Checklist for SMBs (2026)

Everything a small or medium business must do before August 2, 2026 — without hiring a law firm.

Deadline: August 2, 2026. The high-risk obligations of the EU AI Act become enforceable. Fines reach €35M or 7% of global revenue. 78% of enterprises haven't started.Take the 2-minute check to see where you stand.

1. Figure out if you're in scope

The EU AI Act applies to any business that places an AI system on the EU market, puts it into service in the EU, or whose AI output is used in the EU — no matter where the company is headquartered. Just like GDPR.

If you have any EU customer, user, or employee who interacts with your AI, assume you're in scope until you can prove otherwise.

2. Classify each AI system by risk

The Act divides AI into four tiers:

Unacceptable — banned (e.g., social scoring by governments, real-time biometric ID in public).
High-risk — heavily regulated. Includes AI used for hiring, credit, education, housing, critical infrastructure, healthcare, and law enforcement.
Limited risk — transparency obligations (chatbots, deepfakes must disclose).
Minimal risk — unregulated (most uses, e.g., spam filters, content recommendations).

Start with Annex III of the Act. If your AI touches hiring, lending, insurance, education, or housing decisions, it's almost certainly high-risk.

3. Build (and maintain) an AI inventory

List every AI system you use — including embedded AI in tools like Notion, Grammarly, your CRM, and your support platform. For each entry, record:

Tool name and vendor
Purpose / use case
Risk classification
Data inputs (does it process EU personal data?)
Human oversight mechanism
Vendor's EU AI Act posture (do they self-certify?)

Most SMBs are shocked to find they use 10+ AI tools. An inventory is a 30-minute exercise that prevents most compliance failures.

4. Conduct a risk assessment (for high-risk systems)

A risk assessment needs to cover:

Purpose and intended users
Foreseeable misuse
Data used to train, validate, and test the system
Accuracy, robustness, and cybersecurity measures
Human oversight mechanisms
Residual risks

The EU provides a template in Annex IV. For SMBs, a 2–3 page memo per high-risk system is typically sufficient.

5. Write an AI usage policy

Article 4 requires "AI literacy" across your organization. A written policy should cover:

Which AI tools are approved / prohibited
What data can be entered into external AI tools
When disclosure to users is required
Human review requirements for AI-driven decisions
How to report AI incidents or concerns

6. Add disclosure to user-facing AI

Under Article 50, users must know when they interact with AI. That includes:

Chatbots (disclose the user is talking to a machine)
Generated text / images / video (label as AI-generated)
Automated decisions (explain the logic, offer human review)

7. Set up logging and audit trails

High-risk AI systems must keep automatically generated logs for the life of the system. Minimum fields:

Timestamp of each use
Input data / prompt
Output / decision
Any human override

8. Document human oversight

For any high-risk system, define who reviews outputs, how they can intervene, and what they're authorized to override. "The manager can override" is enough for most SMBs — but it needs to be written down.

9. Check your vendors

If you use an AI vendor (OpenAI, Anthropic, your CRM's AI assistant), check whether they've published an EU AI Act compliance statement. You are not off the hook just because you didn't build the model.

10. Appoint an accountable person

Even a solo founder can be the "accountable person." The point is: one name on a document. Regulators need someone to call.

The shortest version of this checklist

✓ Confirm EU scope
✓ Classify each AI system (use Annex III)
✓ Build and maintain an AI inventory
✓ Write a risk assessment for high-risk systems
✓ Publish an AI usage policy
✓ Add disclosure where users see AI
✓ Turn on logging
✓ Document human oversight
✓ Vet your AI vendors
✓ Appoint one accountable person

Want this turned into a personalized checklist based on your actual business? Take the free 2-minute check. You'll get a 0–100 score, a list of laws that apply to you, and a prioritized action plan.

FAQ

Does the EU AI Act apply to US companies?

Yes — if you have EU users, customers, or your AI output is used in the EU, you're in scope. Extraterritorial, like GDPR.

What are the penalties?

Up to €35 million or 7% of global annual revenue for prohibited practices. High-risk non-compliance can reach €15M or 3%. Even giving regulators incorrect information carries a €7.5M penalty.

Do I need a lawyer?

For most SMBs, no. The standards are documented, the templates exist, and the obligations are procedural. Most businesses can handle 80% of compliance themselves with a checklist.

Get your personalized compliance score

12 plain-English questions. Free. Covers EU AI Act, Colorado SB 205, California, and more.

Take the Free Check →