AI Act Obligations for SMEs: What Small Businesses Must Do Now

A common misconception about the EU AI Act (Regulation 2024/1689) is that it only affects large technology companies and AI developers. In reality, any organization that deploys AI systems — regardless of size — has obligations under the regulation. For small and medium-sized enterprises, the compliance challenge is navigating a regulation written primarily around high-risk use cases and large-scale AI providers, while identifying which parts apply to their situation.

This guide focuses specifically on what SMEs need to know and do, covering the provider-deployer distinction, AI literacy requirements that apply now, available SME support measures, and a practical 10-point compliance checklist.

The Fundamental Distinction: Provider vs Deployer

The AI Act creates different obligations depending on your role in the AI value chain.

Provider (Article 3(3)): A natural or legal person that develops an AI system or a general-purpose AI model and places it on the market or puts it into service under their own name or trademark — whether for payment or free of charge. A software company that builds and sells an AI-powered recruitment tool is a provider.

Deployer (Article 3(4)): A natural or legal person that uses an AI system under its authority, except where that system is used in the course of a personal non-professional activity. A company that uses that recruitment tool to screen job applications is a deployer.

Most SMEs are deployers, not providers. They purchase or subscribe to AI tools built by others. This distinction matters enormously because the heaviest obligations — conformity assessments, technical documentation, registration in the EU database — fall primarily on providers. However, deployers are far from exempt.

What Deployers Must Do

For high-risk AI systems (Annex III of the regulation), deployers have the following obligations:

Before deployment:

• Verify that the AI system has a valid CE marking (where applicable) and that the provider has completed the required conformity assessment
• Implement the provider's instructions for use
• Conduct a data protection impact assessment if the system processes personal data (in coordination with GDPR requirements)
• Assign human oversight responsibility to a competent person

During operation:

• Ensure human oversight is in place (Article 26(1)) — a deployer cannot use a high-risk AI system without qualified human monitoring
• Monitor performance and log usage as specified by the provider
• Report serious incidents to the provider and to market surveillance authorities (Article 73)
• Inform and instruct affected workers where AI is deployed in their context (Article 26(7))

Regarding employees and affected persons:

• Article 26(6): When deploying high-risk AI systems that affect employees, deployers must inform workers' representatives (where applicable under national law) before deployment

For limited risk systems, deployers mainly need to ensure that required transparency disclosures (chatbot identification, AI-generated content labeling) are implemented at the point of user interaction.

AI Literacy: Article 4 Applies to All Organizations Now

Article 4 of Regulation 2024/1689 entered into force on 2 February 2025. It requires all providers and deployers to ensure that their staff and persons dealing with the operation and use of AI systems have a sufficient level of AI literacy, taking into account their technical knowledge, experience, education, and the context in which the AI systems are to be used.

This is a current obligation. It does not wait for 2026.

For SMEs, AI literacy does not mean every employee must become a data scientist. It means:

• Staff who use AI tools should understand what those tools do, their limitations, and the risk of relying on AI outputs without verification
• Staff who make decisions informed by AI systems should understand the basis of those decisions and be able to challenge outputs
• Management should understand the regulatory framework well enough to make informed procurement and deployment decisions

Practical implementation for an SME might include:

• A 2-hour onboarding module covering what AI systems the company uses, how they work at a functional level, and what to do when outputs seem incorrect
• A documented policy on how AI tools may be used (and when human review is mandatory)
• Training records kept to demonstrate compliance if audited

The ENISA (European Union Agency for Cybersecurity) and the European AI Office have both published guidance materials that SMEs can use as training resources.

SME Support Measures in the AI Act

The regulation includes several provisions designed to reduce the compliance burden on SMEs and startups:

Article 55 — Measures for SMEs and startups:

• Member states must establish regulatory sandboxes where SMEs and startups can test AI systems before market deployment in a controlled environment
• SMEs can request guidance from national competent authorities at no cost
• Documentation requirements for high-risk AI systems may be simplified when the deployer is an SME deploying systems under its own name

Article 70 — Confidentiality protection: The AI Act includes strong protections for commercially sensitive information shared during conformity assessments and market surveillance — relevant for SMEs who may be sharing proprietary information with authorities.

Fee structures: Conformity assessment fees charged by notified bodies must be proportionate. The Commission is expected to publish guidance on reasonable fee levels for SMEs.

Registration simplified: SMEs that are deployers (rather than providers) generally do not need to register in the EU database — registration is primarily a provider obligation.

The Provider-Deployer Gray Zone

A significant risk for SMEs is inadvertently becoming a provider. If you:

• Take an existing AI model or tool and significantly modify it (fine-tuning on your data for a new purpose counts)
• Embed a third-party AI into your own product and sell or distribute that product
• Build a custom AI system internally and deploy it in a context where it is used to make or significantly influence decisions affecting third parties

...then you may have provider obligations even without intending to sell an AI product. Many SMEs in SaaS, legal tech, HR tech, and fintech are providers under the AI Act without fully appreciating it.

If there is any doubt, the analysis should consider: who determines the purpose of the AI system and who makes it available to end users? That party is the provider.

10-Point SME AI Act Compliance Checklist

Inventory and classification

• [ ] 1. Build an AI inventory listing every AI system your organization uses, deploys, or has embedded in products
• [ ] 2. Classify each system by risk level (prohibited, high-risk, limited risk, minimal risk) using the Annex III criteria
• [ ] 3. Determine your role (provider, deployer, or both) for each system

Immediate obligations (apply now)

• [ ] 4. Implement AI literacy training for all staff using AI systems (Article 4, applies since February 2025)
• [ ] 5. Audit your AI systems against the prohibited practices list (Article 5) — stop using any prohibited system immediately

For deployers of high-risk AI

• [ ] 6. Verify that your AI vendors have completed required conformity assessments and hold valid CE marking where applicable
• [ ] 7. Assign and document human oversight responsibility for each high-risk AI deployment
• [ ] 8. Implement incident reporting process: know how to report a serious incident to the provider within required timeframes

Documentation

• [ ] 9. Document AI procurement decisions, including how you verified provider compliance
• [ ] 10. Keep records of AI literacy training completion and human oversight assignments

How WarDek Supports SME AI Act Compliance

WarDek is built with the SME context in mind. The AI compliance module provides a guided AI inventory workflow, Annex III risk classification with plain-language explanations, vendor compliance verification tracking, and AI literacy training record management. For deployers, WarDek generates the documentation needed to demonstrate Article 26 human oversight compliance.

Start your AI inventory with WarDek — free for the first 5 AI systems.

Key Takeaways

SMEs are not exempt from the AI Act. The deployer obligations for high-risk AI and the Article 4 AI literacy requirement apply regardless of company size. The provider-deployer distinction is the first thing to determine for every AI system you use. Most SMEs are deployers, which reduces the compliance burden significantly, but deployers still have real obligations — especially around human oversight and incident reporting. The time to build your AI inventory is now, not when the high-risk provisions enter full effect in 2026.

For related reading, see our AI Act risk classification guide and our AI compliance audit checklist.