EU AI ActComplianceChecklistSMEs

EU AI Act compliance checklist for SMEs: a 9-step roadmap

Published July 18, 2026 · 6 min read

The EU AI Act can feel overwhelming. Broken into steps, it is manageable, even for a small team without a dedicated compliance officer. This is the roadmap we walk SMEs through, with the article behind each step so you can check the source.

First: what already applies today

Not everything is in the future. Three obligations are already enforceable, so treat them as "act now" items:

  • Prohibited practices (Article 5) banned since 2 February 2025. No AI system may do them, whatever your size.
  • AI literacy (Article 4) since 2 February 2025, providers and deployers must ensure the staff who operate AI have a sufficient level of AI literacy. See our AI literacy guide.
  • GPAI model obligations (Chapter V) apply from 2 August 2025, with enforcement from 2 August 2026.

The high-risk obligations, the heaviest lift, were pushed back by the Digital Omnibus to 2 December 2027 (Annex III) and 2 August 2028 (Annex I), both adopted, pending Official Journal publication. That is breathing room to prepare, not a reason to wait.

The 9-step roadmap

  1. Build an AI inventory. List every AI system you build or use. This is not a statutory article in itself; it is the practical precondition for everything below, because you cannot classify what you have not catalogued.
  2. Know your role. The Act assigns different duties to a provider, a deployer, an importer and a distributor (defined in Article 3; provider duties in Article 16, deployer duties in Article 26). Most SMEs are deployers of someone else's AI, a lighter set of duties than a provider's.
  3. Classify each system's risk. Sort each one into a tier: prohibited (Article 5), high-risk (Article 6 and Annex III), limited-risk or transparency (Article 50), or minimal. GPAI models follow Chapter V. Our risk checker does this in a couple of minutes.
  4. Cover AI literacy. Give the people who operate your AI enough training to use it responsibly (Article 4).
  5. Meet the obligations for the tier. For high-risk systems that means risk management, data governance, human oversight (Article 14), and accuracy and robustness (Article 15).
  6. Keep the technical file. High-risk providers must draw up and maintain the Annex IV technical documentation before the system goes to market (Article 11).
  7. Add transparency notices. Tell people when they are interacting with an AI system, and label AI-generated or manipulated content (Article 50).
  8. Log and monitor. Keep records and automatically generated logs (Articles 12 and 19), and run post-market monitoring (Article 72).
  9. Register high-risk systems. Providers register themselves and their Annex III system in the EU database before placing it on the market (Articles 49 and 71).

Deadlines at a glance

In force now: prohibited practices and AI literacy (2 February 2025) and GPAI obligations (2 August 2025). From 2 August 2026: the Act's general application and the transparency rules. Adopted, pending Official Journal publication: the synthetic-content marking duty and a new prohibition on non-consensual intimate imagery and child sexual abuse material (2 December 2026), high-risk Annex III (2 December 2027) and Annex I (2 August 2028). Our deadlines guide keeps the full table current.

Where the penalties fit

Missing these obligations is what exposes you to fines: up to EUR 35M or 7% of turnover for prohibited practices, though for SMEs the cap is the lower of the two. See what EU SMEs actually risk for the detail.

Start with a 2-minute check

The fastest way to turn this checklist into a plan is to see which of your systems are in scope. Run the free EU AI Act Snapshot, no signup, or explore the plans, which start at EUR 0.

Related guides