EU AI Act compliance checklist for SMEs: a 9-step roadmap
Published July 18, 2026 · 6 min read
The EU AI Act can feel overwhelming. Broken into steps, it is manageable, even for a small team without a dedicated compliance officer. This is the roadmap we walk SMEs through, with the article behind each step so you can check the source.
First: what already applies today
Not everything is in the future. Three obligations are already enforceable, so treat them as "act now" items:
- Prohibited practices (Article 5) banned since 2 February 2025. No AI system may do them, whatever your size.
- AI literacy (Article 4) since 2 February 2025, providers and deployers must ensure the staff who operate AI have a sufficient level of AI literacy. See our AI literacy guide.
- GPAI model obligations (Chapter V) apply from 2 August 2025, with enforcement from 2 August 2026.
The high-risk obligations, the heaviest lift, were pushed back by the Digital Omnibus to 2 December 2027 (Annex III) and 2 August 2028 (Annex I), both adopted, pending Official Journal publication. That is breathing room to prepare, not a reason to wait.
The 9-step roadmap
- Build an AI inventory. List every AI system you build or use. This is not a statutory article in itself; it is the practical precondition for everything below, because you cannot classify what you have not catalogued.
- Know your role. The Act assigns different duties to a provider, a deployer, an importer and a distributor (defined in Article 3; provider duties in Article 16, deployer duties in Article 26). Most SMEs are deployers of someone else's AI, a lighter set of duties than a provider's.
- Classify each system's risk. Sort each one into a tier: prohibited (Article 5), high-risk (Article 6 and Annex III), limited-risk or transparency (Article 50), or minimal. GPAI models follow Chapter V. Our risk checker does this in a couple of minutes.
- Cover AI literacy. Give the people who operate your AI enough training to use it responsibly (Article 4).
- Meet the obligations for the tier. For high-risk systems that means risk management, data governance, human oversight (Article 14), and accuracy and robustness (Article 15).
- Keep the technical file. High-risk providers must draw up and maintain the Annex IV technical documentation before the system goes to market (Article 11).
- Add transparency notices. Tell people when they are interacting with an AI system, and label AI-generated or manipulated content (Article 50).
- Log and monitor. Keep records and automatically generated logs (Articles 12 and 19), and run post-market monitoring (Article 72).
- Register high-risk systems. Providers register themselves and their Annex III system in the EU database before placing it on the market (Articles 49 and 71).
Deadlines at a glance
In force now: prohibited practices and AI literacy (2 February 2025) and GPAI obligations (2 August 2025). From 2 August 2026: the Act's general application and the transparency rules. Adopted, pending Official Journal publication: the synthetic-content marking duty and a new prohibition on non-consensual intimate imagery and child sexual abuse material (2 December 2026), high-risk Annex III (2 December 2027) and Annex I (2 August 2028). Our deadlines guide keeps the full table current.
Where the penalties fit
Missing these obligations is what exposes you to fines: up to EUR 35M or 7% of turnover for prohibited practices, though for SMEs the cap is the lower of the two. See what EU SMEs actually risk for the detail.
Start with a 2-minute check
The fastest way to turn this checklist into a plan is to see which of your systems are in scope. Run the free EU AI Act Snapshot, no signup, or explore the plans, which start at EUR 0.