2026-06-01·5 min read·sota.io Team

EU AI Act SME Documentation 2026: What Non-High-Risk AI Actually Requires

Post #4 in the sota.io EU AI Act SME Compliance 2026 Series

EU AI Act documentation tiers for SMEs — minimal requirements for non-high-risk AI systems

The EU AI Act's documentation requirements are often misunderstood in one direction: developers assume they need everything, or assume they need nothing. Both are wrong.

Article 11 of the EU AI Act mandates a full technical documentation dossier under Annex IV — but this obligation applies only to high-risk AI systems. If your AI system doesn't fall into Annex III, you're not required to produce that documentation. The Act does not invent a documentation obligation for non-high-risk AI from thin air.

What the Act does require — even for non-high-risk AI — is more targeted: specific transparency disclosures under Article 50, self-classification evidence if you're near the high-risk threshold, and the good practice of internal records that any reasonable compliance program would maintain anyway.

This post maps exactly what's mandatory versus what's prudent, with a minimal documentation checklist built for EU SMEs with fewer than 250 employees.

The Annex IV Dossier: High-Risk Only

Article 11 states that providers of high-risk AI systems listed in Annex III must draw up technical documentation before placing the system on the market or putting it into service. The content of that documentation is specified in Annex IV and includes:

A general description of the AI system and its intended purpose
Detailed description of system elements, architecture, and design choices
Training, validation, and testing methodologies and datasets
Monitoring, functioning, and control measures including human oversight (Art.14)
Risk management system documentation (Art.9)
Accuracy, robustness, and cybersecurity measures (Art.15)
Quality management system documentation (Art.17)

This is the documentation framework that compliance vendors typically quote as "what the EU AI Act requires." It is substantial — 15+ sections, hundreds of pages for complex systems.

For non-high-risk AI systems, none of this is legally mandated. Article 11's obligation simply does not apply to you.

Where SMEs Actually Stand: The Three Documentation Tiers

Tier 1 — Prohibited AI (Art.5)

If your system falls under Article 5's prohibited practices (social scoring, subliminal manipulation, real-time biometric surveillance in public spaces, etc.), no documentation helps. The system must not exist.

Tier 2 — High-Risk AI (Annex III via Art.6)

Article 6 sets the classification rules. An AI system is high-risk if it falls within one of the categories in Annex III:

Biometric identification systems
Critical infrastructure management
Education and vocational training (access, evaluation, grades)
Employment, workers management (recruitment, promotion, task allocation)
Access to essential private and public services (credit scoring, social benefits)
Law enforcement
Migration, asylum, and border management
Administration of justice

If your AI system fits here: Annex IV documentation is mandatory under Art.11.

Tier 3 — Non-High-Risk AI (the majority of SME use cases)

AI systems that don't fall within Annex III (and aren't prohibited under Art.5) are non-high-risk. This covers:

Customer service chatbots
Recommendation systems (product, content, pricing)
Internal productivity tools (summarization, drafting, classification)
Predictive analytics not tied to Annex III use cases
Code generation and developer tools
Marketing and content AI

No Annex IV documentation required. But the story doesn't end there.

Article 50: Transparency Obligations That Cut Across Risk Levels

Article 50 imposes transparency obligations that apply regardless of high-risk classification. If your AI system does any of the following, specific disclosure requirements apply:

Art.50(1) — Systems Interacting with Natural Persons

AI systems intended to interact with natural persons must inform those persons that they are interacting with an AI system — unless this is obvious from context. This applies to:

Customer-facing chatbots
AI-powered voice assistants
Any automated interaction system where the AI identity isn't apparent

What you must document: That the AI disclosure is present, how it's presented to users, and under what conditions it's shown.

Art.50(2) — Emotion Recognition and Biometric Categorization

Providers and deployers of emotion recognition systems or biometric categorization systems must inform users of the system's operation. The obligation exists independently of high-risk classification.

What you must document: The scope of emotion or biometric analysis, who is informed, and how.

Art.50(3) — Deep Fakes and Synthetic Media

Any AI system that generates or manipulates synthetic content (images, audio, video, text that could be mistaken as authentic) must label the output as AI-generated or AI-manipulated.

News, satire, and artistic work exceptions exist but must be documented.

What you must document: The labeling mechanism, technical implementation, and scope of the synthetic generation capability.

Art.50(4) — Text Published to Inform on Matters of Public Interest

AI-generated text about public interest matters (news, analysis, commentary that audiences may take as human-authored) must be disclosed as AI-generated.

What you must document: The disclosure implementation, publication channels covered, and scope definition of "public interest."

The Minimal Documentation Checklist for Non-High-Risk AI

This checklist is not legally mandated as a document. It is the minimum set of internal records that (a) proves you've done Art.6 self-classification, (b) demonstrates Art.50 compliance, and (c) gives you defensible evidence if a market surveillance authority asks questions under Art.74.

NON-HIGH-RISK AI DOCUMENTATION CHECKLIST
========================================

1. CLASSIFICATION RECORD
   □ Name and version of the AI system
   □ Intended purpose statement
   □ Annex III scan results (which categories were checked and why not applicable)
   □ Decision date and responsible person
   □ Review schedule (recommend: annual or on major update)

2. ART.50 COMPLIANCE RECORD (if applicable)
   □ Chatbot / interaction system: AI disclosure wording + placement
   □ Emotion recognition: user notification text + display context
   □ Synthetic media: labeling mechanism + technical implementation
   □ AI-generated public interest text: disclosure implementation

3. DATA PROCESSING SUMMARY
   □ Data sources used in development or operation
   □ Whether personal data is processed (GDPR scope)
   □ Data retention approach
   □ No need for Annex IV's full data governance documentation

4. CAPABILITY BOUNDARIES
   □ What the system is designed to do
   □ Known limitations and failure modes
   □ Use cases explicitly out of scope
   □ No need for full Art.9 risk management documentation

5. VERSION CONTROL RECORD
   □ System version history
   □ Significant changes that could affect classification
   □ Operator and deployer notification on relevant changes

6. CONTACT RECORD
   □ Provider contact information (for Art.74 market surveillance queries)
   □ EU representative if provider is outside EU (see Art.22)

This checklist takes 1–3 days to complete for a typical non-high-risk AI system. It is not the Annex IV dossier. It is the minimum that demonstrates good faith compliance for systems that sit outside the high-risk category.

Self-Classification: Protecting Your "Non-High-Risk" Determination

The most important documentation decision for non-high-risk AI is the one that justifies the classification itself. Article 6 gives you the classification rules. Market surveillance authorities under Article 74 have the power to request evidence of how you determined your system is non-high-risk.

The self-classification record (item 1 above) should survive scrutiny. Weak examples:

"Our system is just a chatbot."

Strong examples:

"Our customer support chatbot provides product recommendations and handles returns queries. It does not make credit decisions, employment decisions, or educational assessments. Annex III categories reviewed: [list]. None applicable. Determination date: 2026-06-01. Next review: at next major system update or 2027-06-01."

The more consequential your AI system's outputs, the more detailed this justification should be — not because the law requires more detail, but because an authority asking questions wants to see you've done the work.

Article 62: SME-Specific Simplifications

Article 62 directs member states and the Commission to provide measures specifically for SMEs and startups. These include:

Priority access to AI regulatory sandboxes (Art.57) for testing before market
Reduced fees for conformity assessment (relevant only if you're near high-risk territory)
Guidance documents and templates for documentation
Single information points at national level

For the documentation question specifically: Art.62 doesn't reduce what documentation is required, but it does mean national competent authorities must provide free-of-charge guidance and templates. Check your national authority's website — many EU member states are publishing SME-specific AI Act toolkits as the August 2026 deadline approaches.

The August 2026 Timeline for Documentation

The EU AI Act's key documentation obligation dates:

Already in force (February 2025): Article 5 prohibitions apply. If you were doing anything on the prohibited list, that already needed to stop.

2 August 2026: The main wave of obligations applies, including:

Art.11 technical documentation (high-risk AI providers)
Art.50 transparency obligations (non-high-risk AI where applicable)
Chapter III obligations for high-risk AI systems generally

For non-high-risk SMEs, the Art.50 transparency obligations kick in on 2 August 2026. If your chatbot doesn't yet have an AI disclosure, that needs to be in place by that date.

The SME Documentation Reality Check

Here's the practical picture for a typical SME deploying non-high-risk AI:

Before August 2026:

Complete the Annex III self-classification check (2–4 hours)
Document the decision (1–2 hours)
Implement Art.50 disclosures if your system qualifies (1–2 days for chatbot disclosure, more for synthetic media)
Write up the minimal checklist above (1–3 days)

Not required:

Full Annex IV technical documentation (Art.11 doesn't apply)
Conformity assessment (only for high-risk AI)
CE marking (only for high-risk AI)
Notified body involvement (only for specific high-risk categories)
Post-market monitoring plan (Art.72 — only for high-risk AI)

The documentation burden for non-high-risk AI is calibrated. It's not zero — the Art.50 disclosures and self-classification record are real work — but it's nothing like what high-risk AI providers face.

Next in This Series

Post #5 will cover EU AI Act SME Incident Response and Enforcement: what Article 73 incident reporting means for SME deployers, and how Article 99 penalties are calibrated (spoiler: the €15M / 3% revenue ceiling for serious infringements is for providers of prohibited AI — most SME scenarios face the lower tiers).

Previous posts in this series:

Post #1: Which EU AI Act obligations apply to SMEs under 250 employees
Post #2: EU AI Act Art.62 support measures — regulatory sandboxes and priority access
Post #3: EU AI Act SME risk assessment — simplified conformity for low and limited risk AI

EU-Native Hosting

Ready to move to EU-sovereign infrastructure?

sota.io is a German-hosted PaaS — no CLOUD Act exposure, no US jurisdiction, full GDPR compliance by design. Deploy your first app in minutes.

Join the waitlist View pricing