nudgecompliant

← Back to blog

Plain English Guides

7 min read

EU AI Act Compliance Checklist for SMEs (2026)

Small businesses are not automatically exempt from the EU AI Act. The work you need to do depends on your role, your AI systems, and how those systems affect people. For many SMEs using off-the-shelf tools, the immediate work is an inventory, staff AI literacy, and clear notices for customer-facing AI.

This checklist gives you a practical starting point. It is designed for businesses using AI, not companies building foundation models.

1. List every AI system you use

Start with an AI System Register. Include obvious tools such as ChatGPT, Copilot, Gemini, and customer chatbots. Then check software with AI features built in: CRM writing assistants, recruitment screening, fraud detection, call transcription, analytics, and automated recommendations.

For each system, record:

  • The tool and provider
  • What your business uses it for
  • Who operates it
  • Who is affected by its output
  • Whether customers interact with it directly
  • Whether its output is used in the EU
  • The internal owner

Do not wait for a perfect spreadsheet. A complete rough list is more useful than an elegant list missing half your systems.

2. Confirm your role

Most SMEs using a third-party tool are AI deployers. A deployer uses an AI system under its authority in a professional context.

You may be an AI provider if you develop a system, have one developed, and place it on the market under your name or trademark. Adding your branding to a third-party service does not always make you a provider, but substantial modification or marketing the system as your own needs closer review.

Record the role for each system. Different duties attach to providers and deployers.

3. Classify the use, not just the product

The same tool can support low-risk and high-risk activities. ChatGPT used to improve an internal draft is different from ChatGPT used to reject job candidates.

Check whether a system is used in employment, education, credit, essential services, healthcare, law enforcement, migration, or another category listed as high risk. Also check the prohibited-practice rules. Use the risk classification glossary if the labels are unfamiliar.

If a system affects an important decision about a person, pause and obtain specialist advice before relying on a simple checklist.

4. Address AI literacy

Article 4 requires providers and deployers to take measures to ensure an appropriate level of AI literacy among relevant staff and other people operating systems on their behalf.

Your training should fit the actual tools and risks. Cover:

  • What each system can and cannot do
  • Hallucination, bias, privacy, and security risks
  • Approved and prohibited uses
  • When human review is required
  • How to report a problem

Keep the agenda, date, attendees, and completion record. A generic email telling staff to “use AI responsibly” is weak evidence.

5. Add Article 50 notices where needed

From 2 August 2026, Article 50 applies specified transparency duties. Providers carry the direct AI-interaction notice duty. If your business deploys a third-party chatbot or assistant, verify that the provider's notice is implemented clearly in your customer journey rather than assuming the supplier has handled it elsewhere.

Review chat widgets, support assistants, voice bots, and other direct interactions. Article 50 also contains separate rules for emotion recognition, biometric categorisation, deepfakes, and certain AI-generated public-interest content. Do not use one chatbot sentence as a universal solution.

6. Put human oversight around important output

Define when staff must check, reject, or override AI output. The more serious the effect on a person, the stronger the review should be.

Document who owns the decision, what information they review, how they challenge the output, and what happens when the system is wrong. Avoid “human in the loop” policies where the human simply approves every recommendation.

7. Keep evidence and review it

Store your register, training records, notices, provider instructions, risk decisions, incident records, and review dates in an evidence pack. Revisit the pack when a tool, purpose, provider, or affected group changes.

The fastest way to start is to map your real tools and markets. Run the free audit to turn this checklist into a list specific to your business.


This article provides general information, not legal advice.

Run your free EU AI Act audit →

Check my tools →