EU AI Act for SMBs: What Actually Changes for Your Business in 2025 and 2026?

The EU AI Act has been in force since August 2024 and rolls out in phases over the coming years. To many SMB owners this sounds like distant regulation, but that's a misconception. If you use AI tools in your business, and you probably already do, you fall within the scope of this law. What the EU AI Act actually requires from small and medium-sized businesses varies a lot depending on the situation. This article explains which obligations apply to you as a user of AI, when they take effect, and what you should already be putting in place. No legal jargon, just concrete steps.

What is the EU AI Act exactly?

The EU AI Act is the first broad European law that regulates AI systems based on risk. The idea is simple: the greater the risk an AI system poses to people, the stricter the rules. The law distinguishes between four risk categories.

Systems with an unacceptable risk are banned outright. Think of AI that manipulates people without their knowledge, or systems that keep social scores like those used in certain authoritarian regimes. This category barely touches SMBs.

High-risk systems are the category you do need to watch as an SMB owner. Low-risk and minimal-risk systems, such as a chatbot on your website or an AI tool that writes text, come with much lighter obligations.

When do the rules take effect for SMBs?

The AI Act follows a phased rollout. The bans on unacceptable risks already took effect in February 2025. The rules for high-risk systems apply in full from August 2026. Providers of general-purpose AI models, such as the companies behind GPT-4o or Claude, became subject to obligations earlier.

As a user of AI tools, what the law calls a "deployer", you have until August 2026 in most cases to get your affairs in order. But don't wait until the final month. Companies that start with an inventory now will be in a strong position later.

What is a high-risk system, and are you using one?

This is the question that matters most to the majority of SMB owners. An AI system counts as high-risk if it's deployed in one of the designated sectors or use cases. Examples relevant to small and medium-sized businesses:

Do you use GPT-4o through a tool to write job postings? That's probably not a high-risk use case. Do you use that same technology to automatically assess CVs and rank candidates? Then you may well be in the high-risk category. It's not about the model itself, but about how it's applied.

What if you're only a user of existing AI tools?

Most SMBs don't build their own AI systems. They use tools like ChatGPT, Claude, Gemini, or specialized SaaS products with AI built in. As a deployer, meaning a user of someone else's AI, you have fewer obligations than the developer of the system. But you're not exempt.

As a deployer of a high-risk system you must, among other things, make sure you use the system as the provider intended, that your employees are sufficiently trained to work with it, and that you keep a basic record of how and where you deploy the system. You also need to safeguard human oversight: an AI decision that disadvantages someone can't be fully automated without a human being able to correct it.

Which AI Act obligations apply to almost everyone?

Even if you don't use any high-risk systems, there are obligations that apply broadly. The most important ones for SMBs are the transparency requirements and the AI literacy obligation.

Transparency toward customers and users

If you run a chatbot on your website that customers could mistake for a real employee, you have to make clear they're communicating with an AI system. This also applies to AI-generated content that could mislead people about its source. Think of deepfakes or synthetic voices. For most SMB use cases this is straightforward: add a clear notice to your chatbot and you've covered this part.

AI literacy within your team

This is an obligation many business owners don't have on their radar yet. The AI Act requires organizations to ensure that employees who work with AI systems have sufficient knowledge of how those systems work, what their limitations are and which risks exist. This doesn't have to be technical training, but it does mean you can't just roll out a tool without any form of instruction or explanation.

In practical terms this means: document which AI tools you use and who works with them, and provide minimal instructions or a policy. It doesn't need to be a thick handbook, but a simple internal document with ground rules and explanations is already a solid foundation.

What should you already be putting in place?

The law is here, the first deadlines have passed and the big wave arrives in 2026. These are the steps you can take as an SMB owner right now.

Start with an inventory of all the AI tools your business uses. Think of tools for marketing, customer service, HR, finance and operations. Note for each tool what it does and who uses it.

Then assess for each tool whether it involves a high-risk use case. When in doubt, it's wise to get legal advice, but in most cases you'll quickly see that standard productivity tools like an AI writing assistant or automatic email sorting fall outside the high-risk category.

After that, draw up a simple AI policy. Describe which tools are approved, how employees may use them, and which data must stay out (think of customers' personal data or confidential business information). This also touches on the GDPR, which continues to apply alongside the AI Act.

Finally, arrange basic training. Not a full-day course, but a short session where you explain what the tools do, what they can't do and what the ground rules are. Document this, so you can show you're meeting the AI literacy obligation.

AI regulation in the Netherlands: who enforces this?

The supervisory structure in the Netherlands hasn't been finalized yet, but the outlines are clear. The Dutch Data Protection Authority (AP) plays a coordinating role in algorithm and AI oversight, together with the Dutch Authority for Digital Infrastructure (RDI). Don't expect a raid over the first chatbot they spot: enforcement initially focuses on prohibited practices and high-risk systems. Still, the fines are serious, up to 35 million euros or 7 percent of global revenue for the most severe violations.

For SMBs the message is simple: there's no need for panic, but there is a need for preparation. If you inventory your AI tools now, write a short policy and bring your team along, you'll meet the rules later without any stress. Want to know how your current AI use scores and where the attention points are? Book a free discovery call and we'll go through it together.
