EU AI Act and SMBs: what actually changes for your business in 2025?
The EU AI Act is the first broad European law regulating the use of artificial intelligence. For many business owners, that sounds abstract, but the law has direct consequences for companies that use AI tools, even if you only have five employees. This article explains what the EU AI Act means in practice for your business, which risk categories are relevant for SMBs, and where you need to take action now. No legal jargon, just concrete guidance you can actually use.
What is the EU AI Act, and why does it apply to you?
The EU AI Act officially came into force on 1 August 2024. It is being rolled out in phases, with the first obligations taking effect in 2025. The goal is to regulate AI systems based on the risk they pose to people. The higher the risk, the stricter the requirements.
Many business owners assume this law only applies to large tech companies that build AI. That is not correct. The law distinguishes between providers, who develop AI systems or place them on the market under their own name, and deployers (the Act's term for what this article calls users), who use AI systems in their business processes. If you use an AI tool to analyse customer conversations, screen job applicants, or assess creditworthiness, you fall under the definition of a deployer and you have obligations of your own.
For AI regulation affecting SMBs, this means: it does not matter whether you build AI yourself or use off-the-shelf tools like GPT-4o, Claude, or Gemini. Once you use those tools for purposes covered by the law, you share responsibility for compliance.
The risk classification: where does your use fall?
The EU AI Act divides AI applications into four categories. Three of them are relevant for SMBs.
Unacceptable risk means a complete ban. Think of social scoring systems or AI that manipulates people through subliminal techniques. This category barely affects regular SMBs.
High risk is the category that is relevant for many business owners. Applications in this category include: AI used in recruitment and selection, assessing the creditworthiness of natural persons, access to education or vocational training, and managing critical infrastructure. In practice: if you use an AI tool to screen CVs, or to automatically accept or reject customers for credit, insurance, or other essential services, you fall into the high-risk category. That brings obligations around documentation, human oversight, and transparency.
Limited risk applies to applications such as chatbots and AI-generated content. The main obligation here is transparency: users must know they are communicating with an AI system. If you have a chatbot on your website, you need to make that clear.
Minimal risk covers most AI applications that SMBs use daily, such as spam filters, AI writing tools, or recommendation systems in e-commerce. No specific obligations apply here, though the law does expect you to act responsibly as a business owner.
How do you know which category your AI use falls into?
The practical question is: what decisions does your AI system make, or support, that directly affect people? Does it involve access to services, employment, or financing? If so, there is a good chance you are in the high-risk category. If you use AI purely for internal efficiency, such as summarising meetings or drafting quotes, you are probably in the minimal-risk category.
What actually changes in 2025?
The first hard deadline is 2 February 2025. From that date, the prohibitions on unacceptable-risk practices apply, so any prohibited application must stop. The same date brings the AI literacy obligation (Article 4): providers and deployers must make sure that staff who work with AI systems understand, to a sufficient degree, what those systems can and cannot do. For a small business that means at least basic training for the people who use the tools.
In August 2025, obligations take effect for providers of so-called general-purpose AI models, such as the companies behind GPT-4o, Claude, and Gemini. This affects you as a user indirectly: the tools you purchase must meet certain transparency requirements, and suppliers are required to provide documentation about the capabilities and limitations of their models.
The obligations for the high-risk systems listed in Annex III of the Act (recruitment, credit assessment, and the other categories above) apply from 2 August 2026; high-risk AI embedded in regulated products such as machinery or medical devices follows a year later. Preparation starts now, though. If you use AI tools for recruitment, credit assessment, or similar processes, it is wise to start mapping which systems you use and how decisions are made.
It is also worth noting that the Dutch Data Protection Authority plays a role alongside the national supervisory authority still to be designated for the AI Act. Privacy and AI compliance overlap significantly, especially if you work with personal data from customers or employees.
What should you as an SMB owner do right now?
Explaining the EU AI Act is useful, but taking action is more useful. There are three concrete steps you can take now as the owner of a business with 5 to 50 employees.
The first step is to take stock of all the AI tools your business uses. This goes beyond the obvious ones. Think about the AI features in your CRM, your HR software, your customer service platform, or your accounting software. A lot of software now includes built-in AI functionality that you may not consciously think of as "AI."
The second step is to determine the risk level for each application. Ask yourself: does this system make or support decisions that directly affect people? And: does it process personal data? If the answer to the first question is yes, treat the application as a candidate for the high-risk category and include it in your compliance approach. If the answer to the second question is yes, your GDPR obligations apply alongside the AI Act, whatever the risk category.
The third step is to document human oversight. For high-risk applications this is a legal requirement, but it is good practice regardless to document who in your organisation is responsible for the outcomes of AI-supported decisions. An AI tool that rejects a job applicant or turns away a customer does not relieve you as a business owner of responsibility for that decision.
What if you deliver AI services to clients?
If you build or configure AI applications for clients as a service provider, for example as a marketing agency setting up AI workflows in n8n, or as a software company delivering a chatbot, the law may classify you as a provider rather than a deployer. That is the case in particular if you put a system on the market under your own name or brand, or substantially modify a system you bought, for instance by changing its intended purpose. Being a provider brings heavier obligations than being a deployer: technical documentation, conformity assessments, and registration requirements for high-risk systems. If you actively deliver AI solutions to third parties, it is worth getting legal advice on this.
AI compliance for SMBs: preparation pays off
The EU AI Act is not a paper tiger. Fines for violations can reach €35 million or 7 percent of global annual turnover, depending on the severity of the breach. For SMEs, including start-ups, the Act caps each fine at the lower of the two amounts rather than the higher, so the absolute figures are smaller, but the reputational damage from an incident is not.
The good news is that most SMBs using AI for internal efficiency, such as automating quotes, summarising documents, or speeding up customer service, have little to worry about as long as they act transparently and handle personal data correctly. The law is primarily aimed at applications that pose real risks to people, not at discouraging AI use in general.
If you start now with an honest inventory of your AI use, you will be in a strong position later. Both with clients, who are increasingly asking about AI policies, and with regulators.
Want to know where your business currently stands on AI compliance, or do you want to use AI responsibly without getting buried in regulation? Get in touch via 5cagency.nl for a free discovery call. We will look at your situation together and give you a clear picture of what needs to happen and what is already going well.