What is the EU AI Act? A plain-English guide for SMEs

The EU AI Act (Regulation (EU) 2024/1689) is the world's first comprehensive law on artificial intelligence. It took a risk-based approach: the more risk an AI system poses to health, safety, or fundamental rights, the more obligations apply. It entered into force in August 2024 and rolls out in stages.

The four risk tiers

• Prohibited (Article 5) — banned uses such as social scoring and untargeted facial-image scraping. In force since 2 February 2025.
• High-risk (Annex III / Annex I) — e.g. recruitment, credit scoring, and medical devices. The heaviest obligation set.
• Limited risk (Article 50) — chatbots and generative AI, subject to transparency and labelling.
• Minimal risk — everything else; no mandatory obligations.

Key dates

Prohibited practices apply since February 2025 and GPAI model obligations since August 2025. Following the Digital Omnibus on AI, the high-risk obligations are set to apply from 2 December 2027 (stand-alone, Annex III) and 2 August 2028 (embedded in products, Annex I) — provisional, pending formal adoption. Transparency obligations apply from 2 August 2026.

Penalties

Non-compliance can cost up to €35 million or 7% of global annual turnover for prohibited practices, with lower (but still significant) ceilings for other breaches.

What SMEs should do

Start by classifying each AI system you build or use. If you are high-risk, the documentation and conformity work takes months — begin early. Try our free EU AI Act Risk Checker, browse compliance by use case, or see pricing.