EU AI Act SME Risk Assessment 2026: How to Determine Your Compliance Tier
Post #1423 in the sota.io EU AI Act SME Compliance Series
The most damaging misconception in EU AI Act compliance is binary thinking: either you are fully in scope for the heavy high-risk regime, or you can ignore the regulation entirely. The truth is that the EU AI Act operates on a four-tier risk pyramid, and most SMEs building common AI-powered products sit comfortably in the lower tiers — where the compliance burden is minimal or limited to a few transparency notices.
This post walks you through the risk classification framework, explains what each tier requires, and gives you a five-question self-assessment to determine where your product stands. We also cover which Annex III categories are most likely to catch SME products off-guard.
The Four-Tier Risk Pyramid
The EU AI Act organises AI systems into four risk categories. The higher the tier, the greater the compliance burden.
From the apex (narrowest, most restricted) down to the base (broadest, lightest obligations):
(1) Prohibited AI (Art.5) — banned outright
(2) High-Risk AI (Art.6 + Annex III) — full conformity required
(3) Limited-Risk AI (Art.50) — transparency obligations only
(4) Low-Risk AI — minimal / voluntary obligations
Understanding which tier your product belongs to is the single most important compliance decision you will make. Get it right, and you avoid either over-engineering a compliance programme you do not need, or exposing your business to enforcement risk by underestimating your obligations.
Tier 1: Prohibited AI Systems (Article 5)
Article 5 of the EU AI Act bans certain AI practices outright. There are no exceptions, no sandbox options, and no proportionality benefits for SMEs. If your system does any of the following, it cannot be placed on the EU market:
- Subliminal manipulation: AI that exploits subconscious vulnerabilities to distort behaviour in ways that cause harm
- Exploitation of vulnerabilities: systems targeting people based on age, disability, or social situation
- Real-time remote biometric identification in publicly accessible spaces by law enforcement (with narrow exceptions)
- Social scoring by public authorities
- Emotion recognition in the workplace or educational institutions (except specific safety use cases)
- Untargeted scraping of facial images from the internet or CCTV to build facial recognition databases
- Biometric categorisation inferring sensitive attributes (race, political opinion, sexual orientation) from biometrics
- Predictive policing based solely on profiling
SME relevance: The vast majority of SME products do not approach these categories. The highest risk for a typical software SME is unintentionally building an emotion recognition feature or a social scoring mechanism. Review your product roadmap against this list once, then move on.
Tier 2: High-Risk AI Systems (Article 6 + Annex III)
This is where the heavy compliance obligations live. Article 6 defines two routes into the high-risk category:
Route A — Safety components: AI systems that are safety components of products covered by existing EU product safety legislation (medical devices, machinery, aviation, automotive). If you are building AI into a CE-marked product and the AI component determines whether the product is safe, you are in high-risk territory regardless of your size.
Route B — Annex III categories: AI systems that fall into one of eight defined categories:
| # | Annex III Category | SME relevance |
|---|---|---|
| 1 | Biometric identification and categorisation | Low (mostly law enforcement) |
| 2 | Management of critical infrastructure | Low (energy, water, transport operators) |
| 3 | Education and vocational training | Medium (adaptive learning platforms, automated grading) |
| 4 | Employment and work management | High (CV screening, recruitment AI, performance monitoring) |
| 5 | Access to essential private services | High (credit scoring, insurance risk, housing applications) |
| 6 | Law enforcement | Very low for SMEs |
| 7 | Migration, asylum, border management | Very low for SMEs |
| 8 | Administration of justice and democratic processes | Very low for SMEs |
The SME blind spots: Categories 3, 4, and 5 catch more SMEs than expected.
- An HR tech startup building AI-assisted CV screening is building a Category 4 high-risk system
- A fintech offering AI-based credit scoring for micro-loans is building a Category 5 high-risk system
- An edtech company using AI to assess student performance for certification is building a Category 3 high-risk system
If you fall into Tier 2, the obligations include: risk management systems, data governance requirements, technical documentation, logging and record-keeping, transparency to deployers, human oversight mechanisms, and conformity assessment. These requirements apply to you even as an SME — though regulatory sandboxes under Article 57 (covered in Post #1422 of this series) can ease the path.
Tier 3: Limited-Risk AI Systems (Article 50)
Article 50 defines a set of AI systems that do not qualify as high-risk but still carry mandatory transparency obligations. This is the tier that applies to most SMEs building consumer-facing AI products.
The Article 50 transparency obligations apply to four types of systems:
Chatbots and AI-human interfaces (Art.50(1))
Providers of AI systems designed to interact directly with natural persons must ensure users know they are talking to an AI. Exception: when the AI nature is obvious from context.
What you must do: Display a clear disclosure at the start of any AI conversation. A simple "You are chatting with an AI assistant" banner satisfies this.
Synthetic content detection marking (Art.50(2))
Providers of AI systems — including general-purpose AI models — that generate synthetic audio, image, video, or text must mark the output in a machine-readable format as artificially generated.
What you must do: Implement machine-readable watermarking or metadata tagging on generated content. This applies to any product that generates images, writes text at scale, or produces audio/video.
Emotion recognition and biometric categorisation (Art.50(3))
Deployers of emotion recognition systems or biometric categorisation systems must inform users that such a system is being operated.
What you must do: Add a clear notice if your product infers emotional states or categorises individuals by demographic attributes from biometric data.
Deep fakes (Art.50(4))
Deployers using AI to generate or manipulate image, audio, or video constituting a deep fake must disclose that the content is artificially generated or manipulated. Exception: where the content is clearly satirical or fictional.
What you must do: Label synthetic media. This applies even to simple face-swap or voice-clone features in consumer apps.
SME bottom line for Tier 3: The Article 50 obligations are lightweight compared to the high-risk regime. A few notices, some technical metadata marking, and appropriate user-facing disclosures. No conformity assessment, no notified body involvement, no extensive technical documentation.
Tier 4: Low-Risk AI Systems
AI systems that do not fall into Tiers 1, 2, or 3 are low-risk. The EU AI Act imposes no mandatory compliance obligations on low-risk AI systems. Providers may voluntarily adhere to codes of conduct to demonstrate responsible AI practices, but this is optional.
Common low-risk SME products:
- AI-powered search and recommendation within a closed platform
- Spam filters and content moderation tools (when not used in high-risk contexts)
- AI-assisted development tools (code completion, bug detection)
- Predictive analytics for internal business process optimisation (not for decisions about individuals)
- AI-based translation and language tools (not used in judicial or enforcement contexts)
If your product fits squarely here, your August 2026 compliance task is simply to verify that nothing in your roadmap upgrades your risk tier.
The 5-Question SME Self-Assessment
Use this checklist to determine your tier. Work from the top down and stop at the first "yes".
Q1: Does your AI system do anything on the Article 5 prohibited list?
→ Yes: Stop. The system cannot operate in the EU. Redesign or exit the market.
→ No: Proceed to Q2.
Q2: Is your AI system a safety component of a CE-marked product, OR does it fall into an Annex III category (especially employment, education, or financial services)?
→ Yes: You are Tier 2 (High-Risk). You need a full compliance programme.
→ No: Proceed to Q3.
Q3: Does your AI system interact directly with natural persons via conversation, OR generate synthetic media (images, video, audio, text at scale), OR perform emotion recognition / biometric categorisation?
→ Yes: You are Tier 3 (Limited-Risk). You need Article 50 transparency measures.
→ No: Proceed to Q4.
Q4: Does your AI system make or significantly influence decisions about individual natural persons (employment, credit, access to services)?
→ Yes: Re-check Q2 carefully — you may have missed an Annex III category.
→ No: Proceed to Q5.
Q5: Do none of the above apply?
→ You are Tier 4 (Low-Risk). Minimal obligations. Verify your roadmap doesn't shift tiers.
The Deployer vs. Provider Distinction Changes Your Obligations
Your role in the AI value chain matters almost as much as the risk tier.
If you are a provider (you built the AI system and place it on the market): You bear the primary obligation for high-risk compliance under Article 16, including conformity assessment, technical documentation, and post-market monitoring.
If you are a deployer (you integrate a third-party AI system into your own product or internal processes): Under Article 26, your obligations for high-risk AI are lighter — primarily: use the system according to instructions, provide human oversight, monitor for risks, and inform your own users. You do not repeat the provider's conformity assessment.
Practical example: A recruitment SaaS company that integrates an AI CV-screening API from a third-party vendor is a deployer, not a provider. Their Article 26 obligations are more manageable than if they had built the screening model themselves. The API vendor bears the heavier provider obligations under Article 16.
This distinction matters enormously for scoping your compliance programme. Many SMEs acting as deployers of high-risk AI significantly overestimate their burden.
What "Simplified Conformity" Actually Means for SMEs
The EU AI Act does not create a formal "simplified conformity" track separate from the standard regime. What it does instead is:
- Limit full conformity requirements to Tier 2: Only high-risk AI systems require conformity assessments. Tiers 3 and 4 require no conformity assessment.
- Allow self-assessment for most high-risk AI: The majority of Annex III categories allow providers to conduct their own conformity self-assessment (internal control procedure under Annex VI) rather than involving a third-party notified body. Notified body involvement is only mandatory for certain biometric identification systems.
- Provide regulatory sandboxes for SME testing: Articles 57 and 62 give SMEs priority access to AI regulatory sandboxes where they can test high-risk systems under national competent authority (NCA) supervision without full pre-market obligations.
- Proportionality in technical documentation: Article 11 documentation requirements must be kept proportional to the complexity and risk of the AI system. A simple AI feature in an SME product does not require the same depth of technical documentation as a large-scale facial recognition deployment.
Common SME Scenarios and Their Correct Tier
| Product | Typical Tier | Key obligations |
|---|---|---|
| Customer service chatbot | Tier 3 (Art.50) | Chatbot disclosure notice |
| AI content generator (text, images) | Tier 3 (Art.50) | Synthetic content marking |
| AI-powered CV screening tool | Tier 2 (Annex III Cat.4) | Full provider compliance (Art.16) |
| Credit risk scoring for SME loans | Tier 2 (Annex III Cat.5) | Full provider compliance (Art.16) |
| Code completion / developer tool | Tier 4 (Low risk) | None mandatory |
| AI translation service | Tier 4 (Low risk) | None mandatory (unless in judicial context) |
| Adaptive e-learning platform with AI grading | Tier 2 (Annex III Cat.3) | Full provider compliance (Art.16) |
| Sentiment analysis for internal marketing | Tier 4 (Low risk) | None mandatory |
| Deep fake detection tool | Tier 4 (Low risk) | None mandatory (tool, not the fake) |
Your August 2026 Timeline
The core AI Act obligations apply from 2 August 2026. For SMEs, the preparation path by tier:
Tier 4 (Low-Risk):
- Now: Run the 5-question self-assessment and document it
- June 2026: Verify that your product roadmap does not introduce Tier 2 or Tier 3 features
- August 2026: Ready. No further action required.
Tier 3 (Limited-Risk):
- Now: Audit all user-facing AI features for Article 50 applicability
- June 2026: Implement chatbot disclosures and synthetic content marking
- July 2026: Test disclosures with real users and document implementation
- August 2026: Go-live with compliant transparency layer.
Tier 2 (High-Risk):
- Now: Engage the Article 57 regulatory sandbox programme if available in your member state
- June–July 2026: Complete risk management system documentation
- August 2026: Conformity self-assessment complete, CE marking if applicable (Annex VI)
What Comes Next in This Series
Post #1424 covers the documentation requirements for non-high-risk AI — what you actually need to maintain in writing for Tier 3 and Tier 4 systems, and why it matters even when you have no mandatory documentation obligation.
Post #1425 closes the series with the complete August 2026 readiness checklist for small businesses across all tiers.
Key Takeaways
- The EU AI Act has four tiers: Prohibited, High-Risk, Limited-Risk, and Low-Risk
- Most SME AI products (chatbots, content generators, developer tools) fall into Tier 3 or Tier 4
- Tier 3 (Art.50) requires transparency notices — not conformity assessments
- High-risk (Tier 2) obligations do apply to SMEs building recruitment AI, credit scoring, or edtech grading
- Your role as provider vs. deployer significantly changes your compliance burden
- Use the 5-question checklist to identify your tier now, before August 2026
sota.io helps European SaaS companies stay compliant with EU regulations without building dedicated compliance teams. Check our EU AI Act compliance checklist or explore our platform.