EU AI Act SME Compliance 2026: Which Obligations Apply to Companies Under 250 Employees
Post #1421 in the sota.io EU AI Act SME Compliance Series
"We are a small company — the AI Act probably does not apply to us." This assumption is costing EU SMEs valuable preparation time. The EU AI Act does not grant blanket exemptions based on headcount. If your product uses, deploys, or provides artificial intelligence systems, your obligations are determined by your role in the AI value chain and the risk level of your AI systems — not by whether you have 10 or 240 employees.
This post is the first in a five-part series on EU AI Act compliance for companies under 250 employees. We start with the foundational question: which obligations actually apply to SMEs, and where does size matter?
What "SME" Means Under EU Law
Before diving into the AI Act, establish whether your organisation qualifies as an SME under the European Commission's standard definition (Recommendation 2003/361/EC):
| Category | Employees | Annual Turnover | Balance Sheet Total |
|---|---|---|---|
| Micro-enterprise | <10 | ≤€2 million | ≤€2 million |
| Small enterprise | <50 | ≤€10 million | ≤€10 million |
| Medium enterprise | <250 | ≤€50 million | ≤€43 million |
The EU AI Act uses this definition when granting support measures and proportionality benefits — but qualifying as an SME does not exempt you from core compliance obligations.
The Core Principle: Obligations Follow Your Role, Not Your Size
The EU AI Act structures obligations around four main roles:
- Provider: you place an AI system on the market or put it into service under your own name or trademark
- Deployer: you use an AI system under your own authority in a professional context
- Importer: you bring an AI system from outside the EU onto the EU market
- Distributor: you make an AI system available on the EU market without being its provider
For each role, obligations exist regardless of whether you have 10 employees or 10,000. The determining factors are:
- Which role(s) you fill — you can be both a deployer of a third-party AI model and a provider of your own AI-powered product
- The risk classification of the AI system — prohibited, high-risk, general-purpose, or limited/minimal risk
- Whether you develop or deploy general-purpose AI models — separate obligations apply
What Applies to ALL Organisations Regardless of Size
Prohibited AI Practices (Art. 5)
The AI Act prohibits certain AI practices unconditionally. These have applied since 2 February 2025 and carry no SME exemptions:
- AI systems that manipulate people through subliminal techniques beyond their awareness
- AI that exploits vulnerabilities of specific groups (age, disability, social or economic situations)
- Real-time remote biometric identification in publicly accessible spaces by law enforcement (with narrow exceptions)
- Social scoring systems by public authorities
- AI systems that infer sensitive attributes (race, political opinions, religious beliefs, sexual orientation) from biometric data for general law enforcement purposes
- AI used to predict criminal offences based solely on profiling
If any AI system in your product falls into these categories, you must not deploy it — period. Company size is irrelevant.
GPAI Model Obligations (if you train or fine-tune)
If your company trains, fine-tunes, or releases a general-purpose AI model (think: a foundation model, an embedding model, or a fine-tuned LLM available to third parties), you face provider-level obligations that have applied since 2 August 2025:
- Technical documentation (training data, training compute, capabilities, limitations)
- Copyright compliance policy for training data
- Publishing summaries of training data used
If your GPAI model is deemed to pose systemic risk — typically models trained with very large compute (above a defined threshold) — additional obligations apply including adversarial testing and incident reporting. Most SMEs building on top of existing GPAI models (using the OpenAI API, Anthropic API, or similar) are deployers, not GPAI providers, and do not face these obligations.
What Applies When You Are a Provider of High-Risk AI
The most demanding obligations in the AI Act apply to providers of high-risk AI systems. These apply from 2 August 2026. High-risk AI systems are defined in Annex III and include AI used in:
- Recruitment, CV screening, interview assessment
- Credit scoring and loan assessment
- Insurance risk assessment (life, health)
- Education and vocational training (student assessment, proctoring)
- Law enforcement, border control, justice administration
- Critical infrastructure (water, energy, transport management)
- Employment management, task allocation, performance monitoring
- Access to essential services (social benefits, housing)
If you build a SaaS product that falls into these categories — even as a small team — you face the full suite of provider obligations:
- Quality management system
- Technical documentation (before market placement)
- Conformity assessment procedure
- EU declaration of conformity
- CE marking
- Registration in the EU AI Act database
- Post-market monitoring plan
- Serious incident reporting to your national competent authority
None of these requirements are waived for SMEs. What the AI Act provides instead are support measures to help SMEs meet these requirements — covered below.
What Applies When You Are a Deployer of High-Risk AI
Many SMEs will not build high-risk AI systems but will use them — integrating an AI hiring tool, a credit scoring API, or an AI-powered performance monitoring feature. As a deployer of high-risk AI, your obligations from August 2026 include:
- Using the AI system in accordance with the provider's instructions
- Ensuring human oversight
- Monitoring the AI system for risks during deployment
- Informing the provider if you detect serious incidents or malfunctions
- Maintaining logs where technically possible
- Conducting a fundamental rights impact assessment for certain high-risk uses by public authorities or private entities providing certain services
The fundamental rights impact assessment applies to deployers that are public authorities and to certain private organisations deploying AI in listed high-risk categories. For most SME software companies deploying third-party AI tools in internal operations, the obligations are proportionate and manageable with proper documentation.
The Support Measures That DO Exist for SMEs
The AI Act includes genuine support measures for SMEs and startups. Understanding these can significantly reduce your compliance cost.
Regulatory Sandboxes — Priority Access for SMEs (Art. 57)
EU member states are required to establish AI regulatory sandboxes. These controlled environments allow companies to test and develop AI systems with direct support from national regulators before market placement.
For SMEs and startups, Art. 57 explicitly requires:
- Priority access to regulatory sandbox participation
- Reduced administrative burden for sandbox applications
- Dedicated capacity in national competent authorities to assist small businesses
Within a sandbox, you can test high-risk AI systems on real data, under real conditions, with regulatory guidance — without triggering the full conformity assessment obligations. This is particularly valuable for SMEs that cannot afford extensive legal counsel for each compliance question.
Sandbox participation also provides protection from fines during the testing phase (Art. 57(12)): compliant testing activities in the sandbox do not expose you to enforcement action for the tested AI system.
Check your national competent authority for sandbox application timelines — several member states opened applications in early 2026.
SME-Specific Support Measures (Art. 62)
Article 62 creates a dedicated framework of support measures for SMEs and startups:
- Regulatory sandboxes with priority SME access (cross-reference with Art. 57)
- Reduced administrative burden for conformity assessments
- Standardised templates for SME-specific technical documentation
- Financial support, training, and technical assistance provided by national competent authorities
- Clear, simple information about compliance requirements targeted at SMEs
- Dedicated SME contact points at national competent authorities
The practical implication: before hiring an EU AI Act consultant, contact your national competent authority's SME desk. Many offer free guidance sessions, documentation templates, and pre-assessment support specifically for small businesses.
Commission Guidelines Tailored for SMEs
The European Commission is required to publish implementation guidelines specifically addressing SME compliance challenges. These are expected to cover simplified documentation approaches, practical examples of conformity assessment for common SME use cases, and guidance on when a self-assessment procedure suffices versus when a notified body is needed.
The August 2026 Deadline: What SMEs Must Have Ready
From 2 August 2026, the high-risk AI provisions are fully enforceable. Here is what matters for a typical SME software company:
If you are a provider of high-risk AI:
- Quality management system documented and operational
- Technical documentation completed for each high-risk AI system
- Conformity assessment completed (self-assessment or notified body depending on category)
- EU declaration of conformity signed
- CE marking applied
- Registered in the EU AI Act database
If you are a deployer of high-risk AI:
- Contracts with your AI providers clarifying their compliance status
- Human oversight procedures documented
- Log-keeping system in place
- Staff trained on limitations and risks of deployed AI
If you only use minimal or limited-risk AI:
- Review whether transparency obligations apply (chatbots, deepfakes, emotion recognition) — if so, user-facing disclosure required
- Document your AI inventory (good practice regardless)
Practical First Steps for SMEs
Step 1: Map your AI footprint
List every AI system your company builds, uses, or integrates. For each: are you the provider, deployer, or neither? What data does it process? What decisions does it influence?
Step 2: Classify risk
For each system: does it match any Annex III category? Does it use any prohibited technique (Art. 5)? Is it a GPAI model you train or fine-tune?
Step 3: Identify your obligations
Provider of high-risk → full compliance chain needed by August 2026. Deployer of high-risk → focus on oversight, logs, contracts. GPAI provider → technical documentation and copyright policy since August 2025. Limited/minimal risk → transparency obligations only.
Step 4: Contact your national sandbox
If you are building in a high-risk category, apply for the regulatory sandbox now. Priority access for SMEs means shorter queues if you apply early.
Step 5: Start documentation
Even simplified SME documentation takes time to build. Begin your quality management system and technical documentation now; the August 2026 deadline is closer than it appears.
Common Misconceptions for SMEs
"We are B2B SaaS, not a consumer AI product — we are exempt." The AI Act applies to AI systems used in professional contexts too. Deployers in commercial settings face obligations. High-risk AI in employment or credit contexts does not become lower-risk because it runs in a B2B environment.
"We use a third-party AI API — the provider handles compliance." The provider (OpenAI, Anthropic, Google, etc.) is responsible for their model's compliance documentation. But you as a deployer are responsible for how you integrate it, what decisions you make with it, and whether you are placing a high-risk AI system on the market under your own name.
"We are too small to be investigated." The AI Act creates rights for individuals affected by AI systems. Customers, employees, and users of your product can trigger investigations with national competent authorities if they believe an AI system has harmed them. Company size does not preclude enforcement.
What's Next in This Series
This post covered the foundational question: which obligations apply to SMEs (the answer: it depends on role and risk, not size). The remaining posts in the EU-AI-ACT-SME-COMPLIANCE-2026 series will cover:
- Post #2: AI Act Art. 62 SME Support 2026 — regulatory sandboxes, testing facilities and priority access in depth
- Post #3: SME Risk Assessment — simplified conformity paths for low and limited-risk AI
- Post #4: Minimal documentation requirements for SMEs deploying non-high-risk AI
- Post #5: SME Compliance Finale — complete August 2026 readiness checklist for small businesses
Quick Reference: AI Act Obligations by SME Role
| Scenario | Applies from | Key Obligation |
|---|---|---|
| Provider of prohibited AI | 2 Feb 2025 | Do not deploy |
| Provider of GPAI model | 2 Aug 2025 | Technical docs, copyright policy |
| Deployer of GPAI model | 2 Aug 2025 | Transparency to end users if needed |
| Provider of high-risk AI | 2 Aug 2026 | Full compliance chain + CE marking |
| Deployer of high-risk AI | 2 Aug 2026 | Oversight, logs, contracts |
| Provider of limited-risk AI | 2 Aug 2026 | Transparency obligations (chatbots etc.) |
| Provider of minimal-risk AI | — | No mandatory obligations (voluntary codes) |
Deploying EU-Compliant AI Infrastructure
If you are building AI-powered products for EU customers and need hosting that matches your compliance posture, sota.io provides EU-native managed PaaS on Hetzner Germany — no US parent, no CLOUD Act exposure, GDPR by architecture. Your AI workloads stay in EU jurisdiction from model serving to data storage.
The next post in this series covers Art. 62 regulatory sandbox priority access for SMEs in detail — practical steps to get your sandbox application accepted before the queues fill up.