EU AI Act Art.60 Measures for SMEs and Startups — Innovation Support Developer Guide (2026)

EU AI Act Article 60 recognises a practical reality: the compliance obligations imposed on high-risk AI system providers are designed for large organisations with dedicated legal teams, quality management systems, and conformity assessment budgets. Small and medium-sized enterprises (SMEs) and startups building high-risk AI systems face the same obligations — but with a fraction of the resources.

Art.60 creates a mandatory support framework that member state authorities must implement. It is not a compliance exemption — SMEs still need to satisfy Arts.9–15 for high-risk systems. What Art.60 provides is access infrastructure: priority access to the testing environment (Art.57 sandboxes), guidance channels, simplified documentation formats where possible, reduced fees, and targeted training.

For developers at startups and SMEs, understanding Art.60 means understanding the concrete benefits available to your organisation — and how to claim them before spending significant resources on conformity assessment processes that a dedicated support channel could have simplified.

Art.60 became applicable on 2 August 2025 as part of Chapter VI (Measures in Support of Innovation) of the EU AI Act (Regulation (EU) 2024/1689).

Art.60 in the Chapter VI Framework

Art.60 operates alongside Art.57, not instead of it. An SME wanting to develop a high-risk AI system in a controlled environment still applies for an Art.57 sandbox — but Art.60(1)(a) requires that their application receives priority consideration. The sandbox framework is the same; the queue position is different.

Who Qualifies: SME and Startup Definition

Art.60 references "small and medium-sized enterprises" (SMEs) and "start-ups" as defined under EU law. The operative definitions come from Commission Recommendation 2003/361/EC (the EU SME definition), which the EU AI Act adopts by reference.

SME Classification Criteria

Important: These thresholds apply to the enterprise as defined under EU rules — which includes partner enterprises and linked enterprises. A 40-person startup that is 30% owned by a €500 million fund must aggregate the fund's data when calculating SME status. The investor relationship can disqualify SME status even with a small headcount.

The Startup Category

The EU AI Act uses "start-ups" as a distinct category alongside SMEs. The EU does not have a formal legal definition of "startup" comparable to the SME Recommendation. In the EU AI Act context, "start-up" is understood as a newly established enterprise with a growth-oriented innovative business model — even if it does not strictly qualify as an SME (some well-funded startups exceed SME turnover thresholds).

In practice, the distinction matters primarily for priority scoring within sandbox application processes, which national authorities implement differently. Most authorities treat early-stage high-growth technology companies as startups for Art.60 purposes even absent a precise statutory definition.

Partner and Linked Enterprise Rules

from dataclasses import dataclass, field
from typing import List, Optional

@dataclass
class EnterpriseRelationship:
    """Partner or linked enterprise relationship for SME calculation."""
    enterprise_name: str
    relationship_type: str  # 'partner' or 'linked'
    ownership_percentage: float
    headcount: int
    turnover_eur: float
    balance_sheet_eur: float

@dataclass
class SMEStatusVerifier:
    """
    Art.60 EU AI Act SME status verification.
    Applies Commission Recommendation 2003/361/EC aggregation rules.
    """
    applicant_headcount: int
    applicant_turnover_eur: float
    applicant_balance_sheet_eur: float
    relationships: List[EnterpriseRelationship] = field(default_factory=list)
    
    def _aggregate_headcount(self) -> int:
        """Aggregate headcount including partner/linked enterprises."""
        total = self.applicant_headcount
        for rel in self.relationships:
            if rel.relationship_type == 'linked':
                total += rel.headcount
            elif rel.relationship_type == 'partner':
                total += int(rel.headcount * rel.ownership_percentage / 100)
        return total
    
    def _aggregate_financials(self) -> tuple[float, float]:
        """Aggregate turnover and balance sheet."""
        turnover = self.applicant_turnover_eur
        balance = self.applicant_balance_sheet_eur
        for rel in self.relationships:
            if rel.relationship_type == 'linked':
                turnover += rel.turnover_eur
                balance += rel.balance_sheet_eur
            elif rel.relationship_type == 'partner':
                pct = rel.ownership_percentage / 100
                turnover += rel.turnover_eur * pct
                balance += rel.balance_sheet_eur * pct
        return turnover, balance
    
    def classify(self) -> dict:
        """Classify enterprise and check Art.60 eligibility."""
        headcount = self._aggregate_headcount()
        turnover, balance = self._aggregate_financials()
        
        # Apply SME thresholds (Recommendation 2003/361/EC)
        if headcount < 10 and turnover <= 2_000_000 and balance <= 2_000_000:
            category = 'micro'
        elif headcount < 50 and (turnover <= 10_000_000 or balance <= 10_000_000):
            category = 'small'
        elif headcount < 250 and (turnover <= 50_000_000 or balance <= 43_000_000):
            category = 'medium'
        else:
            category = 'large'
        
        is_sme = category in ('micro', 'small', 'medium')
        return {
            'category': category,
            'is_sme': is_sme,
            'art60_eligible': is_sme,
            'priority_sandbox_access': is_sme,
            'aggregated_headcount': headcount,
            'aggregated_turnover_eur': turnover,
            'aggregated_balance_sheet_eur': balance,
            'note': 'Verify investor relationships — linked/partner rules may affect status'
        }

Art.60(1): The Six Support Measures

Art.60(1) requires national competent authorities to implement six specific support measures for SMEs and startups. These are mandatory — "shall take the following measures" — not discretionary.

Measure (a): Priority Access to AI Regulatory Sandboxes

Art.60(1)(a): Member states shall ensure SMEs and startups have priority access to AI regulatory sandboxes established under Art.57, to the extent they satisfy the sandbox admission criteria.

Priority access means that where a national sandbox has limited capacity and must choose between applicants, SME/startup applications receive preferential consideration over large enterprise applications. It does not guarantee admission — SMEs still must satisfy the Art.57(3) admission criteria including having a concrete AI system to develop or test and a sandbox plan.

Practical implication: An SME with a viable sandbox application should not be disadvantaged relative to a large enterprise with a comparable application. If your application is rejected while a large enterprise with a similar profile is admitted, Art.60(1)(a) is relevant.

What to document when applying:

• Explicit claim of SME/startup status with supporting evidence (headcount, turnover, balance sheet for most recent accounting year)
• Investor relationship analysis confirming SME classification after aggregation
• Clear statement that you are invoking Art.60(1)(a) priority access

Measure (b): Targeted Training and Information

Art.60(1)(b): National authorities shall provide SMEs and startups with targeted training courses, workshops, and targeted information on applying Chapter III obligations (high-risk AI requirements) to their specific context.

This measure creates an entitlement to access SME-specific guidance. The EU AI Office and national authorities are required to produce simplified, SME-oriented explanations of compliance requirements — not just the full regulatory text.

For developers: This means there should be (or should exist soon) official guidance documents explaining, for example, "what does Art.9 risk management mean for a 15-person startup?" rather than only the full conformity assessment specification designed for ISO 9001-compliant enterprises.

Where to look:

• EU AI Office website (digital-strategy.ec.europa.eu/en/policies/eu-ai-office)
• National Digital Innovation Hubs (DIHs) — many EU member states have DIHs with AI-specific support
• National competent authority websites (BNetzA in Germany, ANSSI in France, etc.)

Measure (c): SME-Specific Guidelines

Art.60(1)(c): When developing and updating technical specifications, standards guidance, and practical guidelines under Arts.40, 41, and 56, national authorities and the Commission shall take into account the specific interests and needs of SMEs and small-scale users.

This is a process obligation rather than a direct SME benefit — it means that official guidance documents should include SME-relevant sections. Over time, the guidelines produced under Arts.40–41 (common specifications, harmonised standards) should include SME-proportionate implementation paths.

Measure (d): Proactive Communication

Art.60(1)(d): National competent authorities shall proactively communicate relevant information to SMEs and startups, including on enforcement priorities, conformity assessment requirements, and new obligations.

The implication: you should not need to actively track every regulatory development yourself. If your national authority has your contact details from a sandbox application or registration, they have an obligation to proactively notify you of relevant changes.

Practical step: Register with your national competent authority's SME/startup notification service if one exists. If one does not exist, this is a gap you can flag through the dedicated channel (Measure f).

Measure (e): Standardisation Participation

Art.60(1)(e): Member states shall facilitate participation of SMEs and startups in European and international standardisation activities related to AI.

The harmonised standards developed under the AI Act (primarily by CEN-CENELEC) determine what constitutes "presumption of conformity" for high-risk AI systems. Large enterprises routinely participate in standards bodies; SMEs typically cannot afford the time and cost. Art.60(1)(e) creates an obligation to create participation pathways.

What this looks like in practice:

• Subsidised participation fees for SME representatives at CEN-CENELEC working groups
• Observer status programs for startups
• Digital participation options reducing travel costs

For most developers, the direct impact is limited — but it means the standards that determine compliance requirements should increasingly reflect SME implementation realities rather than only large enterprise capabilities.

Measure (f): Dedicated SME Guidance Channel

Art.60(1)(f): National competent authorities shall establish a dedicated point of contact to provide guidance and answer queries from SMEs, startups, and small-scale users regarding Chapter III compliance.

This is one of the most practically useful Art.60 measures for developers. Instead of submitting formal regulatory inquiries or relying on expensive consultants for every compliance question, SMEs have a direct channel to the regulatory authority.

How to use it:

1. Identify the national competent authority for AI in your member state
2. Locate the dedicated SME/startup contact point on their website
3. Submit specific, written compliance questions — ask about Art.9 risk management scope, Art.13 transparency requirements, or Art.14 human oversight design for your specific system
4. Document the responses — authority guidance can be relevant to demonstrating good-faith compliance

Art.60(2): Cooperation Between Authorities

Art.60(2) requires that where the competent authority responsible for Chapter V (sandboxes, Art.57–59) is not the same authority as the market surveillance authority for Chapter VIII, the two authorities shall cooperate to ensure SMEs and startups receive coherent guidance.

This provision addresses a practical fragmentation risk: in some member states, digital economy regulators handle sandbox admission while product safety authorities handle market surveillance. An SME that went through the sandbox process should not then face contradictory guidance from the market surveillance authority.

For developers: If you receive conflicting guidance from different authorities in the same member state, Art.60(2) gives you a basis to request coordination between them.

Art.60(3): Information on Testing Facilities

Art.60(3) requires member states to provide SMEs and startups with information about AI regulatory sandboxes, testing and experimentation facilities, and relevant digital innovation hubs in their territory.

This creates a public information obligation. Member states must maintain accessible registries or directories of:

• Established AI regulatory sandboxes (with admission contacts)
• Testing and experimentation facilities (hardware, compute, datasets)
• Digital Innovation Hubs offering AI support services

The EU-level facility: The Commission is establishing a network of EU AI testing and experimentation facilities (TEFs) — sector-specific facilities for AI testing in robotics, manufacturing, healthcare, and agriculture. SMEs can access these facilities under Art.60 support frameworks.

Art.60(4): Union-Level Testing Facilities

Art.60(4) provides that member states may make Union-level testing and experimentation facilities available to SMEs and startups at reduced or zero cost, to the extent compatible with State aid rules.

The "may" language makes this discretionary rather than mandatory, unlike the "shall" measures in Art.60(1). However, several EU-funded AI TEFs have built SME access programs using Horizon Europe funding, providing:

• GPU compute time for model training
• Pre-qualified datasets for testing
• Expert advisory support for compliance documentation

Interaction with Art.57: Claiming Priority Sandbox Access

The Art.60 benefit that most directly affects developers building high-risk AI systems is priority sandbox access under Art.60(1)(a). Understanding how to claim this benefit requires understanding how Art.57 sandbox applications work.

The Art.57 → Art.60 Application Path

from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

@dataclass
class SandboxPriorityRequest:
    """
    Art.60(1)(a) priority sandbox access request.
    Attach to Art.57 sandbox application as a separate exhibit.
    """
    applicant_name: str
    applicant_registration_number: str
    member_state: str
    sme_category: str  # 'micro', 'small', 'medium', or 'startup'
    headcount: int
    last_annual_turnover_eur: float
    last_annual_balance_sheet_eur: float
    accounting_year_end: date
    investor_relationships: list  # EnterpriseRelationship list
    sme_verified_by: str  # self-declaration or third-party
    
    # The Art.57 application this attaches to
    sandbox_application_reference: str
    sandbox_purpose: str
    ai_system_description: str
    
    def generate_priority_claim(self) -> dict:
        """Generate Art.60(1)(a) priority claim for submission."""
        return {
            'claim_type': 'art60_1a_priority_sandbox_access',
            'legal_basis': 'Regulation (EU) 2024/1689, Art.60(1)(a)',
            'sme_classification': {
                'category': self.sme_category,
                'headcount': self.headcount,
                'turnover_eur': self.last_annual_turnover_eur,
                'balance_sheet_eur': self.last_annual_balance_sheet_eur,
                'accounting_year_end': self.accounting_year_end.isoformat(),
                'aggregation_applied': len(self.investor_relationships) > 0,
            },
            'supporting_documents': [
                'Last annual accounts (signed)',
                'Corporate structure chart with ownership percentages',
                'Self-declaration of SME status per Commission Recommendation 2003/361/EC',
            ],
            'priority_access_requested': True,
            'sandbox_application_ref': self.sandbox_application_reference,
        }

@dataclass
class SMESandboxBenefitsTracker:
    """Track claimed and active Art.60 benefits."""
    enterprise_name: str
    sme_status_confirmed: bool
    art60_benefits_claimed: list = None
    sandbox_application_status: Optional[str] = None
    dedicated_channel_contact: Optional[str] = None
    
    def __post_init__(self):
        if self.art60_benefits_claimed is None:
            self.art60_benefits_claimed = []
    
    def claim_benefit(self, measure: str, claimed_date: date, 
                      authority: str, notes: str = '') -> dict:
        """Record an Art.60 benefit claim."""
        claim = {
            'measure': measure,
            'claimed_date': claimed_date.isoformat(),
            'authority': authority,
            'notes': notes,
            'status': 'pending'
        }
        self.art60_benefits_claimed.append(claim)
        return claim
    
    def get_active_benefits(self) -> list:
        """List all claimed and active Art.60 benefits."""
        return [b for b in self.art60_benefits_claimed 
                if b['status'] in ('pending', 'active')]

SME Compliance Strategy: Using Art.60 to Reduce Costs

The compliance cost of bringing a high-risk AI system to market is substantial. For an SME, the major cost items are:

The Art.57 + Art.60 combined strategy:

1. Apply for the Art.57 sandbox early — claim Art.60(1)(a) priority. Use the sandbox to develop your Art.9 risk management system under regulatory supervision rather than guessing at requirements independently.

2. Use the Art.60(1)(f) guidance channel for scope questions before commissioning expensive compliance work. "Does our system fall under Annex III, point 5(a)?" is a question the dedicated channel can answer; getting it wrong and building a full Art.9 system for a system that does not need one wastes resources.

3. Document all authority guidance received through Art.60 channels. If your compliance approach was informed by official guidance, that guidance is directly relevant to any future supervisory review.

4. Request SME-specific training materials under Art.60(1)(b). If the national authority has not yet produced these, put the request in writing — creating a record and potentially accelerating production.

CLOUD Act Implications for SME Compliance Records

Art.60 does not create new data sovereignty obligations — but the compliance records that SMEs generate while claiming Art.60 benefits are relevant to CLOUD Act analysis.

SME status documentation includes financial records, corporate structure charts, investor relationship analysis, and self-declaration forms. If these are stored in US-cloud infrastructure (AWS, Azure, Google Cloud), they are subject to the CLOUD Act (18 U.S.C. § 2713), which allows US law enforcement to compel disclosure of data stored on US-provider infrastructure regardless of where the data is physically located.

For an SME claiming priority sandbox access and working with a national regulatory authority on a high-risk AI system, the compliance record including:

• Investor relationship analysis (potentially commercially sensitive)
• AI system description in the sandbox application
• Authority correspondence through the Art.60(1)(f) guidance channel
• Technical documentation developed in the sandbox

...represents a significant corpus of sensitive business information. EU-sovereign cloud infrastructure eliminates the CLOUD Act exposure entirely for this data.

@dataclass
class SMEComplianceDataInventory:
    """
    Data sovereignty assessment for SME Art.60 compliance records.
    Maps document types to storage locations and CLOUD Act exposure.
    """
    enterprise_name: str
    storage_provider: str  # e.g., 'aws-eu-west', 'hetzner-de', 'sota-io'
    is_us_cloud_provider: bool
    
    def assess_cloud_act_exposure(self, documents: list) -> dict:
        """Assess CLOUD Act exposure for SME compliance documents."""
        sensitive_docs = [
            'sme_status_declaration',
            'investor_relationship_analysis', 
            'sandbox_application',
            'authority_correspondence',
            'technical_documentation',
            'risk_management_records',
        ]
        
        exposed = []
        if self.is_us_cloud_provider:
            for doc in documents:
                if doc in sensitive_docs:
                    exposed.append(doc)
        
        return {
            'storage_provider': self.storage_provider,
            'cloud_act_exposure': self.is_us_cloud_provider,
            'exposed_documents': exposed,
            'recommendation': (
                'Migrate to EU-sovereign infrastructure to eliminate CLOUD Act exposure'
                if self.is_us_cloud_provider
                else 'EU-sovereign storage: CLOUD Act exposure eliminated'
            ),
            'affected_authorities': ['US DOJ'] if self.is_us_cloud_provider else [],
        }

For SMEs, EU-sovereign infrastructure is not just a compliance cost — it is often cheaper than equivalent US-cloud infrastructure (no transatlantic data transfer fees, no currency risk) while eliminating CLOUD Act exposure for regulatory correspondence.

Practical Timeline: SME Building a High-Risk AI System

Here is a recommended sequence for an SME or startup that has determined its AI system falls under Annex III (high-risk):

Month 1–2: Status Confirmation and Initial Outreach

1. Confirm SME/startup status — run the Commission Recommendation 2003/361/EC analysis, including investor relationship aggregation
2. Identify national competent authority — varies by member state and product sector
3. Locate Art.60(1)(f) dedicated channel — contact for compliance scope questions
4. Submit initial scope questions: Does this system actually fall under Annex III? Which Art.43 conformity assessment pathway applies?

Month 2–4: Sandbox Application (if applicable)

1. Prepare Art.57 sandbox application — system description, sandbox plan, intended regulatory interactions
2. Attach Art.60(1)(a) priority claim — SME status documentation, explicit Art.60 invocation
3. Await admission decision — typically 4–12 weeks depending on national authority capacity

Month 4+: Compliance Development (with or without sandbox)

1. Develop Art.9 risk management system — using sandbox supervision if admitted, official SME guidance if not
2. Build Art.10 data governance — using guidance channel clarifications for scope questions
3. Draft Art.11 technical documentation — using SME-specific templates if available
4. Implement Art.12 logging — audit trail for high-risk system operation
5. Art.13–15: Transparency, human oversight, robustness — implement and document
6. Art.43 conformity assessment — claim reduced fees; provide sandbox testing results as evidence

Common SME Mistakes Under Art.60

Mistake 1: Not Claiming Priority Access Explicitly

Art.60(1)(a) priority access does not apply automatically. SME/startup status must be explicitly claimed in the sandbox application with supporting documentation. A sandbox application that does not reference Art.60 and SME status will be processed as a standard application.

Mistake 2: Assuming SME Status Without Investor Analysis

Many early-stage startups with VC or corporate venture backing do not qualify as SMEs under the Commission Recommendation 2003/361/EC partner/linked enterprise rules. Claiming SME status without completing the aggregation analysis creates a false priority claim that could undermine regulatory relationships.

Mistake 3: Using Art.60 as a Compliance Shortcut

Art.60 reduces compliance costs and provides support infrastructure — it does not reduce compliance obligations. An SME with a high-risk AI system still needs Arts.9–15 compliance. Art.60 helps build that compliance more efficiently; it does not substitute for it.

Mistake 4: Not Using the Guidance Channel Early

The Art.60(1)(f) dedicated channel can resolve Annex III classification uncertainty — a question that determines whether the entire high-risk compliance stack (Arts.9–15) applies. Getting a written guidance response early saves months of potentially unnecessary compliance work.

Mistake 5: Ignoring Sandbox Post-Admission Obligations

Sandbox admission under Art.57 comes with obligations: a sandbox plan, regular authority reporting, and compliance with sandbox exit requirements. SMEs that gain priority access through Art.60(1)(a) and then fail to meet sandbox obligations risk losing not just sandbox access but regulatory goodwill relevant to future conformity assessment.

Art.60 Compliance Checklist (30 Items)

SME Status Verification

• Headcount calculated (most recent accounting year)
• Turnover calculated (most recent accounting year, EUR)
• Balance sheet total calculated (most recent accounting year, EUR)
• Partner enterprises identified (25–50% ownership threshold)
• Linked enterprises identified (>50% ownership threshold)
• Partner enterprise data aggregated (proportional to ownership)
• Linked enterprise data aggregated (100%)
• SME/startup classification confirmed (micro/small/medium/startup)
• SME status self-declaration prepared (per Commission Recommendation 2003/361/EC)
• Supporting documentation assembled (annual accounts, corporate chart)

Sandbox Priority Access (Art.60(1)(a))

• Art.57 sandbox application prepared
• Art.60(1)(a) priority claim explicitly stated
• SME status documentation attached to sandbox application
• National competent authority sandbox contacts identified
• Sandbox application tracking reference obtained

Guidance Channel Use (Art.60(1)(f))

• National Art.60 dedicated guidance channel identified
• Initial scope questions submitted (Annex III classification)
• Conformity assessment pathway question submitted
• All authority responses documented with date and reference
• Guidance correspondence stored in EU-sovereign infrastructure

Training and Information (Art.60(1)(b))

• Available SME-specific training materials identified
• Training completion documented
• Remaining guidance gaps identified and raised with authority

Data Sovereignty

• Compliance record storage location identified
• CLOUD Act exposure assessed for US-cloud storage
• EU-sovereign storage considered for regulatory correspondence
• SME status declaration stored in EU jurisdiction

Ongoing

• SME status re-verified annually (financial thresholds change)
• Investor relationship changes monitored for SME status impact
• Art.60(1)(d) proactive authority communications monitored

Art.60 Summary Table

Conclusion

Art.60 is not a compliance exemption — but it is a significant compliance cost reducer for SMEs and startups building high-risk AI systems in the EU. The six mandatory measures in Art.60(1), properly claimed, give SMEs:

• Priority access to the testing infrastructure (Art.57 sandboxes) that makes Arts.9–15 compliance both verifiable and less costly
• Direct regulatory guidance through dedicated channels, replacing expensive consultant opinions with authoritative authority answers
• Simplified documentation paths through SME-specific training and guidelines
• Proactive regulatory communication so compliance requirements are not discovered late

The key practical action is to explicitly claim Art.60 benefits early — SME status in the sandbox application, guidance channel queries before commissioning compliance work, and documentation of all authority responses. The regulatory authorities have obligations under Art.60; exercising them is how SMEs and startups make those obligations real.

For data sovereignty: EU-sovereign infrastructure for compliance records eliminates CLOUD Act exposure while reducing infrastructure costs — a rare combination where the secure choice is also the economical one.

Art.60 became applicable on 2 August 2025. National competent authorities are still building the infrastructure it requires — dedicated channels, SME training materials, priority sandbox processing. The provisions are legally binding now; the implementation quality varies by member state and will improve as enforcement pressure builds.

See Also

• EU AI Act Art.57: AI Regulatory Sandboxes — Developer Guide — Art.60(1)(a) grants SMEs priority access to Art.57 sandboxes; the two articles work as a pair for SME compliance cost reduction
• EU AI Act Art.58: Real-World Testing Outside AI Regulatory Sandboxes — Developer Guide — SMEs can combine Art.60 priority sandbox access with Art.58 real-world testing to cover both controlled and field validation phases
• EU AI Act Art.59: Personal Data Processing in AI Development Sandboxes — Developer Guide — SMEs using Art.60-expedited sandbox access can leverage Art.59 personal data provisions inside the sandbox for training data acquisition
• EU AI Act Art.96: Commission Guidelines for SME Implementation — Developer Guide — Art.96 Commission guidelines complement Art.60 by providing the practical implementation guidance that dedicated channels must deliver
• EU AI Act Art.43: Conformity Assessment for High-Risk AI Systems — Developer Guide — sandbox testing under Art.60 priority access produces the conformity evidence required for Art.43 assessment, making this the direct SME compliance path